JOURNAL OF INFORMATION, KNOWLEDGE AND RESEARCH IN
COMPUTER ENGINEERING
ELIMINATING TCP/IP STEGANOGRAPHY USING
ACTIVE WARDEN
1 MS. S. R. DESHMUKH, 2 PROF. D. M. DAKHANE
1, 2 Department Of Computer Science & Engineering And IT,
Sipna's College Of Engineering & Technology, SGB Amravati University,
Amravati, Maharashtra, India.
[email protected], [email protected]
ABSTRACT: Steganography is a technique for hiding data so that no one can tell that data is passing
from one place to another. There are many types of steganography, such as image steganography, audio
steganography, video steganography and so on. This paper, however, is about detecting steganography in TCP and IP,
using an active warden for that purpose. In particular, we concentrate on structured carriers with
objectively defined semantics, such as the TCP/IP protocol suite, rather than on the subjective or unstructured
carriers, such as images, that dominate the information hiding literature.
KEYWORDS: Channel Communication, Covert Storage Channel, Active Warden, Network Security
1. INTRODUCTION
Three different aspects of an information hiding system
contend with each other: capacity, security and
robustness. Capacity refers to the amount of information that can be hidden
in the cover medium, security to an eavesdropper's
inability to detect hidden information, and robustness
to the amount of modification the stego medium can
withstand before an adversary can destroy the hidden
information.
Information hiding generally relates to both
watermarking and steganography. A watermarking
system's primary goal is to achieve a high level of
robustness, that is, it should be impossible to remove
the watermark without degrading the data object's
quality. Steganography, on the other hand, strives for
high security and capacity, which often entails that the
hidden information is fragile. Generally, information
is hidden in a channel which is not easy to detect,
such as a covert channel. The term covert channel was
introduced by Butler Lampson [1], although with a
slightly different definition from later common usage.
He described the generic problem of preventing a
program from leaking information it processes but,
spurred on by government imposed military
standards, most following research dealt with the
problem of multilevel secure systems. In these,
information is categorized at confidentiality levels
and the system enforces a policy that only individuals
rated at that level or higher may read the item.
Another model is multilateral security, where
information is placed into compartments and may
only flow between them in approved ways. Both of
these are examples of mandatory access control
systems, where the system administrator sets the
policy, in contrast to discretionary access control
systems, where the owner of a data item is permitted
to choose how access to that item is restricted. Covert
channels can exist in all mandatory access control
systems which restrict information flow, so are
relevant to both confidentiality and integrity policies,
as described in the US Department of Defense (DoD)
requirements for covert channel analysis [2] (the
“Light-Pink Book”). In systems which aim to
preserve confidentiality, covert channels can leak
information to unauthorized individuals, while in the
case of a mandatory integrity policy, covert channels
can be used to introduce unauthorized changes to
protected objects. However, the remainder of this
discussion will concentrate on confidentiality
policies.
2. LITERATURE REVIEW
Extensive work has been done to devise better
methods for detecting covert channels, either on a
live wire or on a dataset. The method
proposed in [3] is based on detecting covert shells by
monitoring unusual traffic in the network stream.
The detection of covert timing channels proposed in [4] is
based on packet inter-arrival times, and the whole process is
modeled as a Poisson distribution.
In [5], Anderson discusses both passive wardens,
which monitor traffic and report when some
unauthorized traffic is detected and active wardens,
who try to remove any information that could
possibly be embedded in traffic that passes by. In [5],
Anderson shows that there are methods ‘more
contrived than practical’ where embedded data could
survive a pass through an active warden.
Active wardens have been an area of postulation
since Simmons [6] introduced the Prisoners'
Problem in 1983. Simmons presents Alice and Bob
as prisoners who collectively wish to plan their
escape. However, since they are in separate areas of
the prison, all of their communication must pass
through the warden, Willy. If Willy sees any attempts
at secret communication in their messages, he will
stymie their efforts by not allowing them to
communicate in the future. Thus, Alice and Bob must
use a subliminal channel to communicate their escape
plan without alerting Willy. Since Willy knows that
Alice and Bob may wish to communicate secretly, he
must carefully analyze all correspondence between
Alice and Bob, but he must do so without
perceptibly altering their messages or incurring a
noticeable time delay. In this context, Simmons
defined a subliminal channel as a communications
channel whose very existence is undetectable to a
warden.
Active wardens have been discussed on several
occasions [5,6,7,8,9] to actively block the creation of
subliminal channels, but to date, there have been no
published implementations of this type of warden.
Meanwhile, firewalls are a routinely used form of
active warden that is targeted at blocking
unauthorized network access.
3. DIFFERENT METHODS FOR DETECTION
Detection methods [10] for covert channels
embedded in various protocols are a relatively new
area of research. Covert channel detection means
actively monitoring the network stream for illegal
information flows or covert channels. Covert
channel identification means identifying the pair of
resources used for covert channelling; this applies
especially to storage-based covert channels.
The focus of the proposed work is on actively monitoring
malicious activity on the network stream, not on
identifying resources. Various authors across
the globe have categorized detection into the following
categories:
A. Signature Based Detection:
It involves searching for specific pre-defined patterns in
the network stream; when a pattern appears, it
triggers an alarm process. The best example of the kind of
channel it can detect is NetCat, a reverse-shell communication between the internal network
and a public network.
B. Protocol Based Detection
It involves searching the protocols for anomalies or
violations while monitoring the network stream. This
requires understanding the protocol specification
described in the RFCs, and the detector must know
which fields in the protocol header are vulnerable to
covert use. The best example of a channel that
can be found this way is the Covert_TCP tool, which manipulates
the sequence number field in TCP and the IP ID field in IPv4
packets for covert communication.
C. Behavioral Based Detection
It involves creating user profiles and reference
profiles with respect to the network stream in a
legitimate environment. These reference profiles are
later applied to the production environment for side-by-side
comparison of real-time user profiles with the reference
profiles. The best instance is writing arbitrary data into any
packet using steganographic techniques.
D. Other Approaches
Other approaches include detection based on data
mining principles such as neural networks and scenario-based
Bayes inference. The neural network approach
involves training the network for a period t until it
produces values accurate enough for the detection engine
to trigger the alarm process. In scenario-based Bayes
inference, a system is set up to check whether each
suspicious matched signature (hypothetical attack)
found in the monitored data stream is part of a global
set (symptoms). Each global set is then used to calculate,
with Bayes inference, the probability that a known
attack is underway, given the probability P(Hypothetical
attack | Symptoms). If the detection
engine finds a suspicious scenario whose probability
value is greater than a set threshold, it triggers
an alarm process.
4. ACTIVE WARDEN
An active warden is allowed to modify (slightly) the
data being sent between the prisoners. Mild
modification of text which does not alter its semantic
content (say, replacing words with close synonyms)
is an example of an active warden being active. The
active warden must not modify data so much that
innocent communication would be foiled.
5. TCP/IP BASED STEGANOGRAPHY
A common failing of previous steganography
proposals is the production of fields with values
drawn from a different probability distribution to that
which would be generated by unmodified TCP/IP
implementations. In some cases, it is even outside the
relevant specifications. For this reason, to design
steganography techniques or to detect their use, it is
necessary to be familiar with both the applicable
standards and the details of their implementation.
This section gives an overview of the TCP/IP
standards and related work from a steganography
encoding perspective. The basic TCP/IP protocol is
specified in RFC 793 [10] and RFC 791 [11].
There are extensions to it (e.g., the TCP Extensions
for High Performance, in RFC 1323 [12]) that specify
additional header options; these also give some scope
for steganography coding. IP itself does not aim to
provide any stream reliability guarantees, but rather
allows client protocols on a host to transport blocks
of data (datagrams) from a source to a destination,
both specified by fixed-length addresses. One
noteworthy feature of IP, for our purposes, is that it
allows the fragmentation and reassembly of long
datagrams. TCP, on the other hand, does aim to
provide a reliable channel to its clients. It is
connection-oriented, and keeps its reliability
properties even over networks that exhibit packet
loss, reordering and duplication. Its features for
implementing reliability and flow control give scope
for steganography coding. A protocol header can
serve as a carrier for a steganography covert channel
if a header field can take one of a set of values, each
of which appears plausible to our passive warden.
The warden should not be able to distinguish whether
the header was generated by an unmodified protocol
stack or by a steganography encoding mechanism. In
this section we examine which TCP/IP header fields
have more than one plausible value, and look at the
bandwidth available in each of them for use by a
steganography coding scheme.
6. IMPLEMENTATION
The algorithm below gives a picture of the detection
process. Here we use the protocol analyzer method
for the detection of covert channels.
Algorithm for Detection Engine
Step 1: Capture TCP and IP packets from the
user-specified network interface.
Step 2: Store the packet.
Step 3: Analyze the header fields that are vulnerable
to covert use.
Step 4: If vulnerabilities are found, log the entry
as a covert channel.
Step 5: Replace the existing values with new
values and forward the packet.
This paper is only about the elimination of storage covert
channels in TCP/IP, not other kinds.
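An active warden implementing Steps 3 to 5 of this algorithm over the header fields Section 5 singles out, as an added example that is not the paper's own code: it parses a constructed IPv4/TCP packet, logs the covert-vulnerable fields the paper names (IP ID and the TCP sequence number) plus an unused urgent pointer, replaces them with fresh values and recomputes both checksums. The packet layout, the demo addresses and the choice of which fields to scrub are assumptions of this example; capture from a network interface (Steps 1 and 2) is left out.

```python
import secrets
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when data already carries a valid checksum."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_pseudo(ip, tcp_len: int) -> bytes:
    return struct.pack("!4s4sBBH", bytes(ip[12:16]), bytes(ip[16:20]), 0, 6, tcp_len)

def build_packet(ip_id: int, seq: int, flags: int = 0x02, urg: int = 0) -> bytes:
    # Constructed IPv4 + TCP packet (no options, no payload, DF set) used as demo input.
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, flags, 8192, 0, urg))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0, src, dst))
    tcp[16:18] = struct.pack("!H", checksum(tcp_pseudo(ip, len(tcp)) + tcp))
    ip[10:12] = struct.pack("!H", checksum(ip))
    return bytes(ip + tcp)

def checksums_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:ihl]) == 0 and checksum(tcp_pseudo(pkt, len(pkt) - ihl) + pkt[ihl:]) == 0

def scrub(pkt: bytes):
    """Steps 3-5: inspect covert-vulnerable fields, log them, rewrite, recompute checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    frag, flags, log = struct.unpack("!H", ip[6:8])[0], tcp[13], []
    # IP ID only matters for reassembly; unfragmented packets (MF clear, offset 0) get a fresh one.
    if (frag & 0x3FFF) == 0 and ip[4:6] != b"\x00\x00":
        log.append("ip_id=%d" % struct.unpack("!H", ip[4:6])[0])
        ip[4:6] = secrets.token_bytes(2)
    # The ISN of a pure SYN is sender-chosen; replace it. A real warden must apply the same delta
    # to every later segment and ACK of the flow, which this single-packet example does not track.
    if (flags & 0x12) == 0x02:
        log.append("isn=%d" % struct.unpack("!I", tcp[4:8])[0])
        tcp[4:8] = secrets.token_bytes(4)
    # RFC 793: the urgent pointer is meaningful only when URG is set, so an unused one is zeroed.
    if not (flags & 0x20) and tcp[18:20] != b"\x00\x00":
        log.append("urg_ptr=%d" % struct.unpack("!H", tcp[18:20])[0])
        tcp[18:20] = b"\x00\x00"
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", checksum(tcp_pseudo(ip, len(tcp)) + tcp))
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(ip))
    return bytes(ip + tcp), log
```

Running `scrub(build_packet(0x4142, 0x41424344, urg=7))` returns a packet whose IP ID and ISN are random and whose urgent pointer is zero, with valid checksums and a log naming the three rewritten fields.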
7. CONCLUSION
Covert channels are the strongest threat in
communication and should be decommissioned.
The conclusion is to build a system to detect the activity of
covert channels in a small-scale LAN. Thus the system
described in this paper is able to detect TCP/IP
storage covert channels, because TCP/IP contains
many fields which can be used to carry secret data.
This system is therefore very useful for securing our
network against the use of TCP/IP as a covert channel,
because someone may use this channel to send
messages through it.
8. REFERENCES
[1] B. W. Lampson, "A note on the confinement problem," Communications of the ACM, vol. 16, no. 10, pp. 613–615, October 1973.
[2] V. D. Gligor, A Guide to Understanding Covert Channel Analysis of Trusted Systems (Light-Pink Book), DoD NCSC-TG-030, National Computer Security Center, November 1993.
[3] S. Cabuk, C. Brodley, and C. Shields, "IP Covert Channel Detection," ACM Transactions on Information and System Security, vol. 12, Article 22, April 2009.
[4] S. Cabuk, C. Brodley, and C. Shields, "IP Covert Timing Channels: Design and Detection," in Proceedings of CCS '04, October 2004.
[5] R. J. Anderson and F. A. P. Petitcolas, "On the limits of steganography," IEEE Journal on Selected Areas in Communications, vol. 16, no. 4, pp. 474–481, May 1998, Special Issue on copyright and privacy protection.
[6] G. J. Simmons, "The prisoners' problem and the subliminal channel," in Advances in Cryptology: Proceedings of Crypto 83, D. Chaum, Ed., Aug. 1983, pp. 51–67, Plenum Press, New York and London, 1984.
[7] R. J. Anderson, "Stretching the limits of steganography," Springer Lecture Notes in Computer Science, pp. 39–48, 1996, Special Issue on Information Hiding.
[8] S. Craver, "On public-key steganography in the presence of an active warden," in Proceedings of the Second Information Hiding Workshop, April 1998.
[9] N. F. Johnson and S. Jajodia, "Steganalysis: The investigation of hidden information," in Proceedings of the IEEE Information Technology Conference, September 1998.
[10] J. Postel, "Transmission Control Protocol," RFC 793, IETF, September 1981.
[11] J. Postel, "Internet Protocol," RFC 791, IETF, September 1981.
[12] V. Jacobson, R. Braden, and D. Borman, "TCP Extensions for High Performance," RFC 1323, IETF, May 1992.
ISSN: 0975 – 6760| NOV 10 TO OCT 11 | VOLUME – 01, ISSUE - 02