Eliminating Tcp/Ip Steganography Using Active Warden


JOURNAL OF INFORMATION, KNOWLEDGE AND RESEARCH IN

COMPUTER ENGINEERING


1 Ms. S. R. Deshmukh, 2 Prof. D. M. Dakhane

1, 2 Department of Computer Science Engineering and IT,

Sipna's College of Engineering and Technology, SGB Amravati University,

Amravati, Maharashtra, India.


ABSTRACT: Steganography is a technique for hiding data so that no one can tell that data is passing from one place to another. There are many types of steganography, such as image, audio and video steganography. This paper is about detecting steganography in TCP and IP headers, using an active warden for that purpose. In particular, we concentrate on structured carriers with objectively defined semantics, such as the TCP/IP protocol suite, rather than on the subjective or unstructured carriers, such as images, that dominate the information hiding literature.

KEYWORDS: Channel Communication, Covert Storage Channel, Active Warden, Network Security

ISSN: 0975-6760 | Nov 10 to Oct 11 | Volume 01, Issue 02


1. INTRODUCTION

Three different aspects of an information hiding system contend with each other: capacity, security and robustness. Capacity refers to the amount of information that can be hidden in the cover medium, security to an eavesdropper's inability to detect the hidden information, and robustness to the amount of modification the stego medium can withstand before an adversary can destroy the hidden information.

Information hiding covers both watermarking and steganography. A watermarking system's primary goal is a high level of robustness: it should be impossible to remove the watermark without degrading the quality of the data object. Steganography, on the other hand, strives for high security and capacity, which often means that the hidden information is fragile. Information is generally hidden in a channel that is hard to detect, such as a covert channel.

The term covert channel was introduced by Butler Lampson [1], although with a slightly different definition from later common usage. He described the generic problem of preventing a program from leaking the information it processes, but, spurred on by government-imposed military standards, most subsequent research dealt with the problem of multilevel secure systems. In these, information is categorized at confidentiality levels, and the system enforces a policy that only individuals cleared at that level or higher may read the item. Another model is multilateral security, where information is placed into compartments and may only flow between them in approved ways. Both of these are examples of mandatory access control systems, where the system administrator sets the policy, in contrast to discretionary access control systems, where the owner of a data item chooses how access to that item is restricted.

Covert channels can exist in any mandatory access control system that restricts information flow, so they are relevant to both confidentiality and integrity policies, as described in the US Department of Defense (DoD) requirements for covert channel analysis [2] (the "Light-Pink Book"). In systems that aim to preserve confidentiality, covert channels can leak information to unauthorized individuals, while under a mandatory integrity policy they can be used to introduce unauthorized changes to protected objects. The remainder of this discussion, however, concentrates on confidentiality policies.

2. LITERATURE REVIEW

Extensive work has been done on better methods for detecting covert channels, either on the live wire or on a captured dataset. The method proposed in [3] detects covert shells by monitoring unusual traffic in the network stream. The detection of covert timing channels proposed in [4] is based on packet inter-arrival times, with the whole process modelled as a Poisson distribution.

In [5], Anderson and Petitcolas discuss both passive wardens, which monitor traffic and report when unauthorized traffic is detected, and active wardens, which try to remove any information that could possibly be embedded in the traffic passing through them. They also show that there are methods, "more contrived than practical", by which embedded data could survive a pass through an active warden.

Active wardens have been an area of speculation since Simmons [6] introduced the Prisoners' Problem in 1983. Simmons presents Alice and Bob as prisoners who wish to plan their escape together. However, since they are in separate areas of the prison, all of their communication must pass through the warden, Willy. If Willy sees any attempt at secret communication in their messages, he will stymie their efforts by not allowing them to communicate in the future. Thus, Alice and Bob must use a subliminal channel to communicate their escape plan without alerting Willy. Since Willy knows that Alice and Bob may wish to communicate secretly, he must carefully analyze all correspondence between them, but he must do so without perceptibly altering their messages or incurring a noticeable time delay. In this context, Simmons defined a subliminal channel as a communications channel whose very existence is undetectable to a warden.

Active wardens have been discussed on several occasions [5, 6, 7, 8, 9] as a way to actively block the creation of subliminal channels, but to date there have been no published implementations of this type of warden. Meanwhile, firewalls are a routinely used form of active warden targeted at blocking unauthorized network access.

3. DIFFERENT METHODS FOR DETECTION

Detection methods [10] for covert channels embedded in various protocols are a relatively new area of research. Covert channel detection means actively monitoring the network stream for illegal information flows or covert channels. Covert channel identification means identifying the pair of resources used for covert channelling, which matters especially for storage-based covert channels. The focus of the proposed work is on actively monitoring malicious activity in the network stream, not on the identification of resources. Various authors have categorized detection into the following categories:

A. Signature Based Detection:

It involves searching for specific pre-defined patterns in the network stream; when a pattern appears, it triggers an alarm. The best example of the kind of channel it can detect is a netcat reverse shell, a connection from the internal network back out to a public network.

B. Protocol Based Detection

It involves searching for protocol anomalies or violations while monitoring the network stream. This requires understanding the protocol specifications described in the RFCs, and the detector must know which covert-vulnerable fields of the protocol header to scan. The best example of a channel that can be found this way is the one created by the Covert_TCP tool, which manipulates the sequence number field of the TCP header and the Identification field of the IPv4 header for covert communication.

C. Behavioral Based Detection

It involves creating user profiles and reference profiles of the network stream in a legitimate environment. These reference profiles are later applied in the production environment, where real-time user profiles are compared against them. The best instance of what this detects is the writing of arbitrary data into any packet using steganographic techniques.

D. Other Approaches

Other approaches include detection based on data mining principles, such as neural networks and scenario-based Bayesian inference. The neural network approach involves training the network for a period t until it produces values accurate enough for the detection engine to trigger the alarm process. In scenario-based Bayesian inference, a system is set up to check whether each suspicious matched signature (hypothetical attack) found in the monitored data stream is part of a global set (symptoms). Each global set is then used to calculate, by Bayesian inference, the probability that a known attack is in progress, P(hypothetical attack | symptoms). If the detection engine finds a suspicious scenario whose probability exceeds a set threshold, it triggers the alarm process.

4. ACTIVE WARDEN

An active warden is allowed to modify (slightly) the data sent between the prisoners. Mild modification of text that does not alter its semantic content (say, replacing words with close synonyms) is an example of an active warden being active. The active warden must not modify the data so much that innocent communication would be foiled.

5. TCP/IP BASED STEGANOGRAPHY

A common failing of previous steganography proposals is the production of fields with values drawn from a different probability distribution from the one generated by unmodified TCP/IP implementations. In some cases, the values are even outside the relevant specifications. For this reason, to design steganography techniques, or to detect their use, it is necessary to be familiar with both the applicable standards and the details of their implementation. This section gives an overview of the TCP/IP standards and related work from a steganographic encoding perspective. The basic TCP/IP protocols are specified in RFC 793 [10] and RFC 791 [11].

There are extensions (e.g., the TCP Extensions for High Performance in RFC 1323 [12]) that specify additional header options; these also give some scope for steganographic coding. IP itself does not aim to provide any stream reliability guarantees, but rather allows client protocols on a host to transport blocks of data (datagrams) from a source to a destination, both specified by fixed-length addresses. One noteworthy feature of IP, for our purposes, is that it allows the fragmentation and reassembly of long datagrams. TCP, on the other hand, does aim to provide a reliable channel to its clients. It is connection-oriented, and keeps its reliability properties even over networks that exhibit packet loss, reordering and duplication. Its features for implementing reliability and flow control give scope for steganographic coding. A protocol header can serve as the carrier of a steganographic covert channel if a header field can take one of a set of values, each of which appears plausible to a passive warden: the warden should not be able to distinguish whether the header was generated by an unmodified protocol stack or by a steganographic encoding mechanism. The questions, then, are which TCP/IP header fields have more than one plausible value, and how much bandwidth each offers to a steganographic coding scheme. The IP Identification field and the TCP initial sequence number, the two fields Covert_TCP uses, are the obvious candidates.

6. IMPLEMENTATION

The algorithm below outlines the detection process. A protocol analyzer method is used to detect the covert channel.

Algorithm for Detection Engine

Step 1: Capture TCP and IP packets from the user-specified network interface.

Step 2: Store the packet.

Step 3: Analyze the covert-vulnerable fields of the header.

Step 4: If a suspicious value is found, log the entry as covert.

Step 5: Replace the existing values of those fields with new values and forward the packet.

This paper addresses only the elimination of storage covert channels in TCP/IP, not other kinds such as timing channels.
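The protocol-based detector of Section 3.B, the two header fields singled out in Section 5, and the five-step detection engine above, as an added example in Python that is not the paper's code: it parses raw IPv4/TCP headers (RFC 791, RFC 793), flags a flow when a run of packets carries a printable ASCII byte in the top byte of the IP Identification field or the TCP initial sequence number with the remaining bytes zero (the rule Covert_TCP uses, assumed here), and then, as the active warden of Step 5, overwrites both fields with random values, recomputes the IP and TCP checksums and forwards the packet. The hosts, ports, detection threshold and sample packets are constructed for the demonstration.

```python
"""Protocol-based detection and active-warden normalisation of Covert_TCP-style storage channels in
the IPv4 Identification field and the TCP initial sequence number (ISN).  Added example, not the
paper's code; header layouts follow RFC 791 / RFC 793.  The encoding rule hunted for (one ASCII
byte per packet in the field's top byte, rest zero) is Covert_TCP's and is assumed; packets are constructed."""
import random
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 791/793 checksum: complement of the 16-bit one's-complement sum of `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the RFC 793 pseudo-header plus the segment (its checksum field zeroed)."""
    return ones_complement_sum(src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment)

def build_segment(src, dst, sport, dport, ip_id, seq, ack=0, flags=0x02) -> bytes:
    """Constructed packet: 20-byte IPv4 header (DF set) + 20-byte TCP header, no payload."""
    src_b, dst_b = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0))
    struct.pack_into("!H", tcp, 16, tcp_checksum(src_b, dst_b, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0, src_b, dst_b))
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
    return bytes(ip) + bytes(tcp)

def parse(pkt: bytes) -> dict:
    """Extract the covert-vulnerable fields, plus what is needed to rewrite them, from raw IPv4/TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, frag = struct.unpack("!HH", pkt[4:8])
    src, dst, tcp = pkt[12:16], pkt[16:20], pkt[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    return {"ihl": ihl, "ip_id": ip_id, "fragmented": bool(frag & 0x3FFF), "src": src, "dst": dst,
            "flow": (src, dst, sport, dport), "seq": seq, "ack": ack,
            "syn": bool(tcp[13] & 0x02), "has_ack": bool(tcp[13] & 0x10)}

def covert_byte(value: int, width: int):
    """The ASCII character `value` would carry under the Covert_TCP rule, else None."""
    shift = 8 * (width - 1)
    top, low = value >> shift, value & ((1 << shift) - 1)
    return chr(top) if low == 0 and 0x20 <= top < 0x7F else None

def detect(packets, threshold: int = 4) -> dict:
    """Per flow, collect the byte each field would carry; report the flow once `threshold` packets
    fit the rule.  One fit is noise (about 1 random 16-bit ID in 700 fits); a run of them is not."""
    seen = {}
    for pkt in packets:
        h = parse(pkt)
        rec = seen.setdefault(h["flow"], {"ip_id": "", "isn": ""})
        rec["ip_id"] += covert_byte(h["ip_id"], 2) or ""
        if h["syn"]:  # an ISN exists only on SYN and SYN-ACK segments
            rec["isn"] += covert_byte(h["seq"], 4) or ""
    return {flow: {f: s for f, s in rec.items() if len(s) >= threshold}
            for flow, rec in seen.items() if any(len(s) >= threshold for s in rec.values())}

class ActiveWarden:
    """Step 5 of the paper's algorithm: overwrite the covert-vulnerable fields with fresh random values
    and forward.  A rewritten ISN shifts every later seq/ack number of the connection, so a
    per-direction delta is kept and applied to subsequent packets (sequence-number modulation)."""
    def __init__(self, seed: int = 7):
        self.rng = random.Random(seed)
        self.isn_delta = {}  # flow 4-tuple -> delta added to that direction's sequence numbers
    def normalise(self, pkt: bytes) -> bytes:
        h = parse(pkt)
        ip, tcp = bytearray(pkt[:h["ihl"]]), bytearray(pkt[h["ihl"]:])
        # An unfragmented datagram's ID carries no information: replace it outright.  Fragments of one
        # datagram must share an ID, so fragmented traffic is left alone here.
        if not h["fragmented"]:
            struct.pack_into("!H", ip, 4, self.rng.getrandbits(16))
            struct.pack_into("!H", ip, 10, 0)
            struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
        # SYN / SYN-ACK carries an ISN: pick this direction's delta once (entries should be dropped
        # when the connection closes; omitted), shift seq here and ack in the reverse direction.
        flow, rev = h["flow"], (h["dst"], h["src"], h["flow"][3], h["flow"][2])
        if h["syn"] and flow not in self.isn_delta:
            self.isn_delta[flow] = self.rng.getrandbits(32)
        struct.pack_into("!I", tcp, 4, (h["seq"] + self.isn_delta.get(flow, 0)) & 0xFFFFFFFF)
        if h["has_ack"]:
            struct.pack_into("!I", tcp, 8, (h["ack"] - self.isn_delta.get(rev, 0)) & 0xFFFFFFFF)
        struct.pack_into("!H", tcp, 16, 0)
        struct.pack_into("!H", tcp, 16, tcp_checksum(h["src"], h["dst"], bytes(tcp)))
        return bytes(ip) + bytes(tcp)

def sample_packets():
    """Constructed traffic: flow A leaks "HELLO" via the IP ID (char * 256 per SYN, as Covert_TCP
    does), flow B via the ISN (char << 24); flow C is an ordinary client fitting neither rule."""
    a = [build_segment("10.0.0.5", "10.0.0.9", 40000, 80, ip_id=ord(c) * 256, seq=0x1A2B3C4D + i)
         for i, c in enumerate("HELLO")]
    b = [build_segment("10.0.0.6", "10.0.0.9", 40001, 80, ip_id=0x3131 + i, seq=ord(c) << 24)
         for i, c in enumerate("HELLO")]
    c = [build_segment("10.0.0.7", "10.0.0.9", 40002, 80, ip_id=0x5A5A + i, seq=0x7E57C0DE + i)
         for i in range(5)]
    return a + b + c

def demo():
    """Detect on the sample, push it through the warden, detect again on what was forwarded."""
    packets, warden = sample_packets(), ActiveWarden()
    forwarded = [warden.normalise(p) for p in packets]
    return detect(packets), detect(forwarded), forwarded
```

The detection rule is specific to Covert_TCP's naive encoding; a sender that spreads its bits over the whole field, or encrypts them first, passes a detector of this kind unnoticed. That is why the rewriting step matters more than the logging step: the warden replaces the field whether or not it recognised anything in it. Rewriting an ISN is only safe when the warden also shifts every later sequence and acknowledgement number in both directions, as the per-flow delta above does; a production warden would additionally adjust SACK option blocks and expire its flow state, both omitted here. Replacing the IP ID of a fragmented datagram without keeping the fragments' IDs consistent would break reassembly, so fragments are left untouched.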

7. CONCLUSION

A covert channel is a serious threat to communication security and should be decommissioned. The aim of this work is a system that detects covert channel activity in a small-scale LAN. The system described in this paper detects TCP/IP storage covert channels, since TCP/IP headers contain many fields that can be used to carry secret data. The system is therefore useful for protecting a network against the use of TCP/IP headers as a covert channel, because someone may well use this channel to send messages through it.

8. REFERENCES

[1] B. W. Lampson, "A note on the confinement problem," Communications of the ACM, vol. 16, no. 10, pp. 613–615, Oct. 1973.

[2] V. D. Gligor, A Guide to Understanding Covert Channel Analysis of Trusted Systems (Light-Pink Book), NCSC-TG-030, National Computer Security Center, Nov. 1993.

[3] S. Cabuk, C. E. Brodley, and C. Shields, "IP covert channel detection," ACM Transactions on Information and System Security, vol. 12, article 22, Apr. 2009.

[4] S. Cabuk, C. E. Brodley, and C. Shields, "IP covert timing channels: design and detection," in Proc. ACM CCS '04, Oct. 2004.

[5] R. J. Anderson and F. A. P. Petitcolas, "On the limits of steganography," IEEE Journal on Selected Areas in Communications, vol. 16, no. 4, pp. 474–481, May 1998, special issue on copyright and privacy protection.

[6] G. J. Simmons, "The prisoners' problem and the subliminal channel," in Advances in Cryptology: Proceedings of Crypto 83, D. Chaum, Ed., Plenum Press, New York and London, 1984, pp. 51–67.

[7] R. J. Anderson, "Stretching the limits of steganography," in Information Hiding, Springer Lecture Notes in Computer Science, 1996, pp. 39–48.

[8] S. Craver, "On public-key steganography in the presence of an active warden," in Proceedings of the Second Information Hiding Workshop, Apr. 1998.

[9] N. F. Johnson and S. Jajodia, "Steganalysis: the investigation of hidden information," in Proceedings of the IEEE Information Technology Conference, Sept. 1998.

[10] J. Postel, "Transmission Control Protocol," RFC 793, IETF, Sept. 1981.

[11] J. Postel, "Internet Protocol," RFC 791, IETF, Sept. 1981.

[12] V. Jacobson, R. Braden, and D. Borman, "TCP extensions for high performance," RFC 1323, IETF, May 1992.
