Philip Branch

A survey of covert channels and countermeasures in computer network protocols

Covert channels are used for the secret transfer of information. Encryption only protects communication from being decoded by unauthorised parties, whereas covert channels aim to hide the very existence of the communication. Initially, covert channels were identified as a security threat on monolithic systems i.e. mainframes. More recently focus has shifted towards covert channels in computer network protocols. The huge amount of data and vast number of different protocols in the Internet seems ideal as a high-bandwidth vehicle for covert communication. This article is a survey of the existing techniques for creating covert channels in widely deployed network and application protocols. We also give an overview of common methods for their detection, elimination, and capacity limitation, required to improve security in future computer networks.

Timely and continuous machine-learning-based classification for interactive IP traffic

Machine Learning (ML) for classifying IP traffic has relied on the analysis of statistics of full flows or their first few packets only. However, automated QoS management for interactive traffic flows requires quick and timely classification well before the flows finish. Also, interactive flows are often long-lived and should be continuously monitored during their lifetime. We propose to achieve this by using statistics derived from sub-flows—a small number of most recent packets taken at any point in a flows lifetime. Then, the ML classifier must be trained on a set of sub-flows, and we investigate different sub-flow selection strategies. We also propose to augment training datasets so that classification accuracy is maintained even when a classifier mixes up client-to-server and server-to-client directions for applications exhibiting asymmetric traffic characteristics. We demonstrate the effectiveness of our approach with the Naive Bayes and C4.5 Decision Tree ML algorithms, for the identification of first-person-shooter online game and VoIP traffic. Our results show that we can classify both applications with up to 99% Precision and 95% Recall within less than 1 s. Stable results are achieved regardless of where within a flow the classifier captures the packets and the traffic direction.

Comparative analysis of evolving software systems using the Gini coefficient

Software metrics offer us the promise of distilling useful information from vast amounts of software in order to track development progress, to gain insights into the nature of the software, and to identify potential problems. Unfortunately, however, many software metrics exhibit highly skewed, non-Gaussian distributions. As a consequence, usual ways of interpreting these metrics — for example, in terms of “average” values — can be highly misleading. Many metrics, it turns out, are distributed like wealth — with high concentrations of values in selected locations. We propose to analyze software metrics using the Gini coefficient, a higherorder statistic widely used in economics to study the distribution of wealth. Our approach allows us not only to observe changes in software systems efficiently, but also to assess project risks and monitor the development process itself. We apply the Gini coefficient to numerous metrics over a range of software projects, and we show that many metrics not only display remarkably high Gini values, but that these values are remarkably consistent as a project evolves over time.

Modeling interactive behaviour of a video based multimedia system

We report on the statistics of user behaviour obtained during a semester of student usage of our video-on-demand based multimedia system. The statistics show that interactive behaviour is adequately modelled by exponential distributions, but that a better match is obtained from lognormal distributions. From the statistics we develop a model of interactive behaviour that consists of a Markov chain of video interactions overlaid by a Poisson process generating other interactions. We show that the model performs quite well, and provided caution is exercised, Markov processes are adequate models of interactive behaviour.

Experimental validation of the random waypoint mobility model through a real world mobility trace for large geographical areas

User mobility models are used in simulations of mobile communications systems to study characteristics of network performance. One of the models which is in common use is the Random Waypoint Model (RWP). The RWP is a simple mobility model based on random destinations, speeds and pause times. The RWP is often criticised as not representing how humans actually move. Paradoxically, validation against real mobility data is seen as being difficult due to the impracticalities of obtaining real mobility data.We give details of a real world user movement trace from which we obtained data about one individuals destinations, travel routes, average speed and rest times whilst moving throughout a city-wide area. We present results from this real life data and use it to validate some of the key characteristics of the RWP. In this paper we consider the RWP as a model of user mobility in networks that cater for a large geographical area - such as a city.

Rapid identification of Skype traffic flows

In this paper we present results of experimental work using machine learning techniques to rapidly identify Skype traffic. We show that Skype traffic can be identified by observing 5 seconds of a Skype traffic flow, with recall and precision better than 98%. We found the most effective features for classification were characteristic packet lengths less than 80 bytes, statistics of packet lengths greater than 80 bytes and inter-packet arrival times. Our classifiers do not rely on observing any particular part of a flow. We also report on the performance of classifiers built using combinations of two of these features and of each feature in isolation.

Covert channels and countermeasures in computer network protocols [Reprinted from IEEE Communications Surveys and Tutorials]

Covert channels are used for the secret transfer of information. Encryption only protects communication from being decoded by unauthorized parties, whereas covert channels aim to hide the very existence of the communication. Initially, covert channels were identified as a security threat on monolithic systems such as mainframes. More recently, focus has shifted toward covert channels in computer network protocols. The huge amount of data and large number of different protocols in the Internet is ideal as a high-bandwidth vehicle for covert communication. This article provides an overview of the existing techniques for creating covert channels in widely deployed network protocols, and common methods for their detection, elimination, and capacity limitation.

ARMA(1,1) modeling of Quake4 Server to client game traffic

Modeling traffic generated by Internet based multiplayer computer games has attracted a great deal of attention in the past few years. In part this has been driven by a need to simulate correctly the network impact of highly interactive online game genres such as the first person shooter (FPS). Packet size distributions and autocorrelation models are important elements in the creation of realistic traffic generators for network simulators such as ns-2 and OMNET++. In this paper we show that ARMA(1,1) models capture the time series behaviour of Quake4 game traffic well. We also show that the random component of the ARMA models (the innovations) have distributions that appear to change little as the number of players increases.

Extrapolating server to client IP traffic from empirical measurements of first person shooter games

Modelling traffic generated by Internet based multiplayer computer games has attracted a great deal of attention in the past few years. In part this has been driven by a desire to properly simulate the network impact of highly interactive online game genres such as the first person shooter (FPS). Packet size distributions are an important element in the creation of plausible traffic generators for network simulators such as ns-2 and omnet++. In this paper we present a simple technique for creating representative packet size distributions for N-player FPS games based on empirically measured traffic of 2- and 3-player games. We illustrate the likely generality of our approach using data from Half-Life, Half-Life Counterstrike, Half-Life 2, Half-Life 2 Counterstrike, Quake III Arena and Wolfenstein Enemy Territory.

Covert channels in multiplayer first person shooter online games

Covert channels aim to hide the existence of communication between two or more parties. Such channels typically utilise pre-existing (overt) data transmissions to carry hidden messages. Internet-based covert channels often encode new information into unused (or loosely specified) IP packet header fields, or the time intervals between IP packet arrivals. We propose a novel covert channel embedded within the traffic of multiplayer, first person shooter online games. We encode covert bits as slight, yet continuous, variations of a playerpsilas characterpsilas movements. Movement information is propagated to all clients attached to a given game server, yet the channel remains covert so long as the variations are visually imperceptible to the human players. A modified version of Quake III Arena is used to demonstrate our concept. We empirically analyse the covert channelpsilas bit rate, and compare the statistical characteristics of unmodified game traffic with those of game traffic carrying covert information.