On the Performance of Anomaly Detection Systems Uncovering Traffic Mimicking Covert Channels
Abstract
Anomaly Detection Systems aim to construct accurate models of network traffic with the objective of discovering as yet unknown malicious traffic patterns. In this paper, we study the use of the same methods to create a covert channel that is not discovered by Anomaly Detection Systems and can be used to exfiltrate (malicious) traffic from a network. The channel is created by imitating current network traffic behaviour as observed through passive network analysis. Moreover, we present methods for calculating thresholds for the bandwidth of the channel such that, with high probability, the resulting traffic falls within the margins of the Anomaly Detection System under consideration. We also present results of practical experiments with commonly used Anomaly Detection Systems, showing the practical applicability of our approach.
Keywords: Anomaly Detection; Mimicry; Covert Channel
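The abstract describes two ingredients: a covert channel that mimics passively observed traffic, and a bandwidth threshold chosen so that the added load stays within the detector's margins with high probability. The following toy model is an added illustration, not code from the paper or its authors. It assumes a simple statistical detector that alarms when a one-second window's byte count exceeds mean + k * stddev of a training baseline, a covert channel that adds a constant number of bytes per window on top of legitimate traffic, and a constructed pseudo-random baseline standing in for captured traffic; the functions and the k = 3, eps = 0.01 parameters are my own choices, not the paper's.

```python
"""Toy model of a bandwidth-bounded, traffic-mimicking covert channel.

Added illustration, not the paper's code. Assumptions (not from the paper):
  * the detector alarms when a one-second window's byte count exceeds
    mean + k * stddev of a training baseline (a simple statistical ADS);
  * the covert channel adds a constant ``extra`` bytes per window on top
    of the legitimate traffic it rides on;
  * the baseline is constructed pseudo-random data, not a real capture.
"""
import math
import random


def constructed_baseline(n: int = 2000, seed: int = 7) -> list[int]:
    """Constructed per-second byte counts standing in for passively observed traffic."""
    rng = random.Random(seed)
    return [max(0, round(rng.gauss(50_000, 8_000))) for _ in range(n)]


def detector_threshold(counts: list[int], k: float = 3.0) -> float:
    """Alarm threshold of the assumed detector: mean + k * population stddev."""
    mean = sum(counts) / len(counts)
    var = sum((c - mean) ** 2 for c in counts) / len(counts)
    return mean + k * math.sqrt(var)


def empirical_quantile(counts: list[int], p: float) -> int:
    """Smallest observed value v such that at least a fraction p of the sample is <= v."""
    ordered = sorted(counts)
    idx = max(0, math.ceil(p * len(ordered)) - 1)
    return ordered[idx]


def max_covert_rate(counts: list[int], threshold: float, eps: float) -> int:
    """Largest constant extra bytes/window such that, on the baseline, at most a
    fraction eps of the windows is pushed over the detector threshold.

    baseline + extra > threshold  <=>  baseline > threshold - extra, so taking
    extra = threshold - quantile_{1-eps}(baseline) (floored to whole bytes)
    leaves at most eps of the windows above the threshold.
    """
    q = empirical_quantile(counts, 1.0 - eps)
    return max(0, math.floor(threshold - q))


def alarm_fraction(counts: list[int], threshold: float, extra: int) -> float:
    """Fraction of baseline windows that would alarm once the covert load is added."""
    return sum(1 for c in counts if c + extra > threshold) / len(counts)


def seconds_to_exfiltrate(payload_bytes: int, rate: int) -> int:
    """Whole seconds needed to move payload_bytes at the chosen covert rate."""
    return math.ceil(payload_bytes / rate)


def mimic_schedule(observed: list[tuple[int, float]], byte_budget: int, seed: int = 1):
    """Draw (packet size, inter-arrival gap) pairs from passively observed packets
    until the byte budget is spent, so the covert flow's marginal size and timing
    distributions match the traffic it hides among (zero-size packets are ignored)."""
    rng = random.Random(seed)
    pool = [(s, g) for s, g in observed if s > 0]
    schedule, total = [], 0
    while pool:
        size, gap = rng.choice(pool)
        if total + size > byte_budget:
            break
        schedule.append((size, gap))
        total += size
    return schedule


if __name__ == "__main__":
    base = constructed_baseline()
    thr = detector_threshold(base, k=3.0)
    rate = max_covert_rate(base, thr, eps=0.01)
    print(f"threshold={thr:.0f} B/s  covert rate={rate} B/s  "
          f"alarm fraction={alarm_fraction(base, thr, rate):.4f}")
    print(f"10 MB exfiltrated in {seconds_to_exfiltrate(10_000_000, rate)} s")
    # Constructed (size, gap) observations standing in for a passive capture.
    observed = [(1500, 0.010), (60, 0.002), (576, 0.050)]
    print(mimic_schedule(observed, byte_budget=rate))
```

A constant per-window load is the simplest case; a detector that looks at the covert flow's own regularity rather than at aggregate volume needs the packet-level mimicry sketched in `mimic_schedule` as well, which is the kind of detection the Mimic paper listed below targets.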
Similar resources
Purdue University Graduate School Thesis Acceptance
Cabuk, Serdar Ph.D., Purdue University, December, 2006. Network Covert Channels: Design, Analysis, Detection, and Elimination. Major Professors: Carla E. Brodley and Eugene H. Spafford. Indirect communication channels have been effectively employed in the communications world to bypass mechanisms that do not permit direct communication between unauthorized parties. Such covert channels emerge a...
Moving dispersion method for statistical anomaly detection in intrusion detection systems
A unified method for statistical anomaly detection in intrusion detection systems is theoretically introduced. It is based on estimating a dispersion measure of numerical or symbolic data on successive moving windows in time and finding the times when a relative change of the dispersion measure is significant. Appropriate dispersion measures, relative differences, moving windows, as well as tec...
Summary-Invisible Networking: Techniques and Defenses
Numerous network anomaly detection techniques utilize traffic summaries (e.g., NetFlow records) to detect and diagnose attacks. In this paper we investigate the limits of such approaches, by introducing a technique by which compromised hosts can communicate without altering the behavior of the network as evidenced in summary records of many common types. Our technique builds on two key observat...
Mimic: An active covert channel that evades regularity-based detection
To counter the threat of leaks of sensitive and mission-critical information, high-security facilities employ multi-level security mechanisms in which information flows are prevented from high-security systems to lower-security systems. For networks, this includes the monitoring of all incoming and outgoing traffic, high-grade encryption for all data communication, intrusion detection systems, ...