307 articles found
Integrated criteria for covert channel auditing
1
Authors: Chang-da WANG Shi-guang JU 《Journal of Zhejiang University-Science A (Applied Physics & Engineering)》 SCIE EI CAS CSCD 2008, Issue 6, pp. 737-743 (7 pages)
A new concept, the security level difference of a covert channel, is presented, which means the security level span from the sender to the receiver of the covert channel. Based on this, the integrated criteria for covert channel auditing are given. Whereas TCSEC (Trusted Computer System Evaluation Criteria) or CC (Common Criteria for Information Technology Security Evaluation) only use the bandwidth to evaluate the threat of covert channels, our new criteria integrate the security level difference, the bandwidth sensitive parameter, bandwidth, duration and instantaneous time of covert channels, so as to give a comprehensive evaluation of the threat of covert channels in a multilevel security system.
Keywords: Multilevel security covert channel covert channel auditing
Detecting DNS Covert Channels Using Stacking Model (Cited by: 2)
2
Authors: Peng Yang Ye Li Yunze Zang 《China Communications》 SCIE CSCD 2020, Issue 10, pp. 183-194 (12 pages)
A covert channel is an information channel that is used by the computer process to exfiltrate data through bypassing security policies. The DNS protocol is one of the important ways to implement a covert channel. DNS covert channels are easily used by attackers for malicious purposes. Therefore, an effective detection approach of the DNS covert channels is significant for computer systems and network securities. Aiming at the difficulty of the DNS covert channel identification, we propose a DNS covert channel detection method based on a stacking model. The stacking model is evaluated on a campus network and the experimental results show that the detection based on the stacking model can detect the DNS covert channels effectively. Besides, it can identify unknown covert channel traffic. The area under the curve (AUC) of the proposed method reaches 0.9901, which outperforms existing detection methods.
Keywords: DNS covert channel stacking model
Information Transfer Model of Virtual Machine Based on Storage Covert Channel
3
Authors: WANG Xiaorui WANG Qingxian +1 more author GUO Yudong LU Jianping 《Wuhan University Journal of Natural Sciences》 CAS 2013, Issue 5, pp. 377-384 (8 pages)
Aiming at the problem that virtual machine information cannot be extracted incompletely, we extend the typical information extraction model of virtual machine and propose a perception mechanism in virtualization system based on storage covert channel to overcome the affection of the semantic gap. Taking advantage of undetectability of the covert channel, a secure channel is established between vip and virtual machine monitor to pass data directly. The vip machine can pass the control information of malicious process to virtual machine monitor by using the VMCALL instruction and shared memory. By parsing critical information in process control structure, virtual machine monitor can terminate the malicious processes. The test results show that the proposed mechanism can clear the user-level malicious programs in the virtual machine effectively and covertly. Meanwhile, its performance overhead is about the same as that of other mainstream monitoring mode.
Keywords: VIRTUALIZATION safety protection information extraction of virtual machine covert channel process control structure
Analysis and Application of Covert Channels of Internet Control Message Protocol
4
Authors: ZHOU Xueguang ZHANG Huanguo 《Wuhan University Journal of Natural Sciences》 CAS 2006, Issue 6, pp. 1857-1861 (5 pages)
Based on the analysis of the covert channel's working mechanism of the internet control message protocol (ICMP) in internet protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), the ICMP covert channel's algorithms of the IPv4 and IPv6 are presented, which enable automatic channeling upon IPv4/v6 nodes with non-IPv4-compatible address, and the key transmission is achieved by using this channel in the embedded Internet terminal. The result shows that if the covert channel's algorithm, which we implemented, is set correctly, the messages of this covert channel might go through the gateway and enter the local area network.
Keywords: internet control message protocol (ICMP) covert channel embedded Internet terminal (EIT) algorithm information security
A Novel Quantum Covert Channel Protocol Based on Any Quantum Secure Direct Communication Scheme
5
Authors: 徐淑奖 陈秀波 +1 more author 钮心忻 杨义先 《Communications in Theoretical Physics》 SCIE CAS CSCD 2013, Issue 5, pp. 547-553 (7 pages)
By analyzing the basic properties of unitary transformations used in a quantum secure direct communication (QSDC) protocol, we show the main idea why a covert channel can be established within any QSDC channel which employs unitary transformations to encode information. On the basis of the fact that the unitary transformations used in a QSDC protocol are secret and independent, a novel quantum covert channel protocol is proposed to transfer secret messages with unconditional security. The performance, including the imperceptibility, capacity and security of the proposed protocol are analyzed in detail.
Keywords: quantum information hiding quantum covert channel quantum cryptography quantum communication
A Distributed Covert Channel of the Packet Ordering Enhancement Model Based on Data Compression
6
Authors: Lejun Zhang Xiaoyan Hu +5 more authors Zhijie Zhang Weizheng Wang Tianwen Huang Donghai Guan Chunhui Zhao Seokhoon Kim 《Computers, Materials & Continua》 SCIE EI 2020, Issue 9, pp. 2013-2030 (18 pages)
Covert channel of the packet ordering is a hot research topic. Encryption technology is not enough to protect the security of both sides of communication. Covert channel needs to hide the transmission data and protect content of communication. The traditional methods are usually to use proxy technology such as Tor anonymous tracking technology to achieve hiding from the communicator. However, because the establishment of proxy communication needs to consume traffic, the communication capacity will be reduced, and in recent years, the Tor technology often has vulnerabilities that led to the leakage of secret information. In this paper, the covert channel model of the packet ordering is applied into the distributed system, and a distributed covert channel of the packet ordering enhancement model based on data compression (DCCPOEDC) is proposed. The data compression algorithms are used to reduce the amount of data and transmission time. The distributed system and data compression algorithms can weaken the hidden statistical probability of information. Furthermore, they can enhance the unknowability of the data and weaken the time distribution characteristics of the data packets. This paper selected a compression algorithm suitable for DCCPOEDC and analyzed DCCPOEDC from anonymity, transmission efficiency, and transmission performance. According to the analysis results, it can be seen that DCCPOEDC optimizes the covert channel of the packet ordering, which saves the transmission time and improves the concealment compared with the original covert channel.
Keywords: covert channels information hiding data compression distributed system
Inaudible Sound Covert Channel with Anti-Jamming Capability: Attacks vs. Countermeasure
7
Authors: Xiao-Hang Wang Shou-Bin Li +5 more authors Ying-Tao Jiang Amit Kumar Singh Bi-Yun Ma Le-Tian Huang Mei Yang Fen Guo 《Journal of Electronic Science and Technology》 CAS CSCD 2022, Issue 4, pp. 396-415 (20 pages)
When an inaudible sound covert channel (ISCC) attack is launched inside a computer system, sensitive data are converted to inaudible sound waves and then transmitted. The receiver at the other end picks up the sound signal, from which the original sensitive data can be recovered. As a forceful countermeasure against the ISCC attack, strong noise can be used to jam the channel and literally shut down any possible sound data transmission. In this paper, enhanced ISCC is proposed, whose transmission frequency can be dynamically changed. Essentially, if the transmitter detects that the covert channel is being jammed, the transmitter and receiver both will switch to another available frequency and re-establish their communications, following the proposed communications protocol. Experimental results show that the proposed enhanced ISCC can remain connected even in the presence of a strong jamming noise source. Correspondingly, a detection method based on frequency scanning is proposed to help to combat such an anti-jamming sound channel. With the proposed countermeasure, the bit error rate (BER) of the data communications over enhanced ISCC soars to more than 48%, essentially shutting down the data transmission, and thus neutralizing the security threat.
Keywords: COUNTERMEASURE inaudible sound covert channel (ISCC)
Auditing the Use of DBMS Covert Storage Channels Relevant with Transactions
8
Authors: 朱虹 FENG +2 more authors Yucai Zhou Chun 《High Technology Letters》 EI CAS 2002, Issue 1, pp. 17-22 (6 pages)
This paper proposes the concept of transaction-type covert storage channels, which are caused by database storage resources. It also proposes that the mode of auditing those channels be based on the transactions. Next, the paper analyzes and resolves the two problems arising from auditing the use of transaction-type covert storage channels in database systems: namely, the relationship between channel variables, which are altered (or viewed) by the transaction and satisfy integrity constraints in DBMS, and database states; and the circumvention of covert storage channel audit in DBMS.
Keywords: covert storage channels AUDIT Transaction Integrity constraint Circumvention of audit
Short-Packet Covert Communication Design for Age-of-Information Minimization under Non-Ideal Channel Conditions
9
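Authors: 朱开基 马瑞谦 +4 more authors 林志 马越 王勇 管新荣 蔡跃明 《电子与信息学报》 PKU Core 2026, Issue 1, pp. 67-77 (11 pages)
For the short-packet covert communication scenario, and considering non-ideal channel conditions caused by channel estimation errors, this paper studies the optimization of communication parameters to minimize the average covert age of information (CAoI). Specifically, closed-form expressions for the covertness constraint and the average CAoI under non-ideal channel conditions are derived first; next, an expression for the transmit power that minimizes the average CAoI is derived. On this basis, the pilot signal packet length and the data signal packet length are further optimized with the golden-section method to minimize the average CAoI, thereby achieving the optimal trade-off between communication covertness and timeliness. In addition, the paper analyzes how the average CAoI varies with parameters such as the transmitter-receiver distance and the covertness tolerance. Simulation results show that there exist an optimal packet length and an optimal pilot signal packet length that minimize the average CAoI, and that the proposed optimization method achieves better performance than a fixed packet-length allocation ratio. Moreover, when the covertness constraint is stricter, the optimal pilot signal packet length increases because the transmit power decreases.
Keywords: covert communication; short-packet communication; non-ideal channel; covert age of information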
Analysis of CoAP Protocol Covert Channels and Security Recommendations
10
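Authors: 姬国珍 康荣保 +2 more authors 田学成 孙宁天 张蕾 《网络安全与数据治理》 2026, Issue 2, pp. 12-19 (8 pages)
The rapid proliferation of Internet of Things (IoT) devices has brought new security challenges to critical infrastructure networks; using covert channels in IoT communication protocols to leak sensitive data and achieve remote control poses a serious threat to critical infrastructure networks. Methods for constructing covert channels in the IoT CoAP protocol are analyzed, and multiple covert channels are constructed using different fields of the protocol. The security challenges posed by the stealthiness of the covert channels are verified in an experimental environment. The study reveals security threats in the IoT environment and provides technical support for IoT security protection.
Keywords: Internet of Things; covert channel; CoAP protocol; security protection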
A Survey of Research on Application-Based Covert Channels
11
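Authors: 常慧妍 扈红超 +2 more authors 周大成 许德鹏 程国振 《计算机科学》 PKU Core 2026, Issue 3, pp. 411-423 (13 pages)
In recent years, applying tunnels within the network information flows generated by secure and trusted applications to conceal information has become a common technique for building covert communication channels. With the development of covert channel technology, covert channel systems based on various applications have been proposed one after another, but current surveys mostly focus on in-depth discussion of their technical principles and definitions, fall somewhat short in detailed analysis of classification, and lack a thorough account of the classification criteria and of the advantages and disadvantages of each class of system. Therefore, a comprehensive and in-depth survey of the field of application-based covert channels is presented. From the perspective of the underlying application, they are divided into two broad classes: multimedia streaming application-based and real-time online game-based. According to the stage at which the covert data is embedded, covert channels based on multimedia streaming applications are divided into two kinds of methods: embedding in the raw multimedia stream and embedding in the compressed multimedia stream. In addition, through careful analysis of the distinctive advantages and potential problems of each kind of method, a multi-dimensional comparative analysis of multiple multimedia stream-based covert channels is carried out, aiming to reveal the characteristics and differences of the various covert channel techniques. Building on existing research, the core challenges of the field are summarized and future development trends are discussed.
Keywords: covert channel; covert communication; steganography; privacy and security; web real-time communication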
LinguTimeX a Framework for Multilingual CTC Detection Using Explainable AI and Natural Language Processing
12
Authors: Omar Darwish Shorouq Al-Eidi +4 more authors Abdallah Al-Shorman Majdi Maabreh Anas Alsobeh Plamen Zahariev Yahya Tashtoush 《Computers, Materials & Continua》 2026, Issue 1, pp. 2231-2251 (21 pages)
Covert timing channels (CTC) exploit network resources to establish hidden communication pathways, posing significant risks to data security and policy compliance. Therefore, detecting such hidden and dangerous threats remains one of the security challenges. This paper proposes LinguTimeX, a new framework that combines natural language processing with artificial intelligence, along with explainable Artificial Intelligence (AI) not only to detect CTC but also to provide insights into the decision process. LinguTimeX performs multidimensional feature extraction by fusing linguistic attributes with temporal network patterns to identify covert channels precisely. LinguTimeX demonstrates strong effectiveness in detecting CTC across multiple languages; namely English, Arabic, and Chinese. Specifically, the LSTM and RNN models achieved F1 scores of 90% on the English dataset, 89% on the Arabic dataset, and 88% on the Chinese dataset, showcasing their superior performance and ability to generalize across multiple languages. This highlights their robustness in detecting CTCs within security systems, regardless of the language or cultural context of the data. In contrast, the DeepForest model produced F1-scores ranging from 86% to 87% across the same datasets, further confirming its effectiveness in CTC detection. Although other algorithms also showed reasonable accuracy, the LSTM and RNN models consistently outperformed them in multilingual settings, suggesting that deep learning models might be better suited for this particular problem.
Keywords: Arabic language Chinese language covert timing channel CYBERSECURITY deep learning English language language processing machine learning
Real-Time Timing Channel Detection in a Software-Defined Networking Virtual Environment (Cited by: 2)
13
Authors: Anyi Liu Jim X. Chen Harry Wechsler 《Intelligent Information Management》 2015, Issue 6, pp. 283-302 (20 pages)
Despite extensive research, timing channels (TCs) are still known as a principal category of threats that aim to leak and transmit information by perturbing the timing or ordering of events. Existing TC detection approaches use either signature-based approaches to detect known TCs or anomaly-based approach by modeling the legitimate network traffic in order to detect unknown TCs. Unfortunately, in a software-defined networking (SDN) environment, most existing TC detection approaches would fail due to factors such as volatile network traffic, imprecise timekeeping mechanisms, and dynamic network topology. Furthermore, stealthy TCs can be designed to mimic the legitimate traffic pattern and thus evade anomalous TC detection. In this paper, we overcome the above challenges by presenting a novel framework that harnesses the advantages of elastic resources in the cloud. In particular, our framework dynamically configures SDN to enable/disable differential analysis against outbound network flows of different virtual machines (VMs). Our framework is tightly coupled with a new metric that first decomposes the timing data of network flows into a number of using the discrete wavelet-based multi-resolution transform (DWMT). It then applies the Kullback-Leibler divergence (KLD) to measure the variance among flow pairs. The appealing feature of our approach is that, compared with the existing anomaly detection approaches, it can detect most existing and some new stealthy TCs without legitimate traffic for modeling, even with the presence of noise and imprecise timekeeping mechanism in an SDN virtual environment. We implement our framework as a prototype system, OBSERVER, which can be dynamically deployed in an SDN environment. Empirical evaluation shows that our approach can efficiently detect TCs with a higher detection rate, lower latency, and negligible performance overhead compared to existing approaches.
Keywords: covert channel TIMING channel INTRUSION Detection VIRTUALIZATION Software-Defined Network
Fundamental Research on Reliable Transmission in Low-Altitude Intelligent Fusion Networks (Cited by: 1)
14
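Authors: 张雪 邓君 +2 more authors 刘明远 张宇明 张宏科 《河南科技大学学报(自然科学版)》 PKU Core 2025, Issue 4, pp. 1-7, M0002 (8 pages)
The low-altitude intelligent network is a core driving force for the low-altitude economy and the intelligentization of air traffic. However, current communication technologies for the low-altitude intelligent network still face prominent problems such as weak coordination capability and insufficient transmission reliability, which severely constrain its ability to support services in complex weak-network scenarios. To address these challenges, a low-altitude intelligent fusion communication architecture is proposed, divided vertically into three layers: a converged network layer, a resource adaptation layer and a low-altitude service layer. Core technologies including cross-network cooperative transmission, flexible multipath scheduling, coding redundancy enhancement and covert channel transmission are designed, aiming to comprehensively improve the transmission efficiency and reliability guarantees of the low-altitude intelligent network through architectural innovation and technology integration. Experimental results show that the effective transmission rate of the proposed scheme is at least doubled relative to single-path transmission, the network coding decoding success rate is improved by 11.05% on average over traditional methods, and the covert channel transmission accuracy is improved by at least 10% over traditional algorithms.
Keywords: low-altitude intelligent network; cross-network coordination; multipath transmission; network coding; covert channel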
Research on Branch Predictor Covert Channels on the Arm Architecture
15
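Authors: 杨毅 吴凭飞 +7 more authors 邱朋飞 王春露 赵路坦 张锋巍 王博 吕勇强 王海霞 汪东升 《信息安全学报》 2025, Issue 1, pp. 1-16 (16 pages)
A covert channel is an attack method that transfers information between processes without violating the computer's current security policy. Two processes take part in building a covert channel: a trojan process and a spy process. The high-privilege trojan process passes information to the low-privilege spy process through the covert channel to complete the attack. Covert channels can use many kinds of transmission media, such as time, power consumption and temperature. In modern processors, the branch predictor, an important microarchitectural component, effectively improves pipeline efficiency, but because the branch predictor is shared among multiple processes within a core, there is a risk of it being used to build covert channels. Branch predictor-based covert channel attacks have already been found on the Intel x86 architecture, but whether similar attacks exist on the Arm architecture has not been sufficiently studied. In this paper, we successfully build three branch predictor-based covert channels on real Arm hardware platforms. First, we design and implement on the Arm architecture the branch predictor-based covert channels CC and RSC, similar to those on the x86 architecture; second, we discover a new covert channel, BTBC, based on the branch prediction component BTB. We evaluate and analyze the influence of covert channel parameters on channel performance and its causes, and give recommendations for parameter settings. On the Cortex-A53 and Cortex-A72 cores, we test and comparatively analyze the signal characteristics, transmission rate and bit error rate of the three covert channels. Experiments show that on real Arm hardware platforms, the transmitted signal of BTBC has clear edges and a small oscillation amplitude. When transmitting data continuously, it shows channel performance similar to CC and RSC, and it can transmit data with a low bit error rate on both cores, with a bit error rate of only 2% at a transmission rate of 200 bps. Finally, we also give defensive measures against this class of covert channels.
Keywords: Arm architecture; branch predictor; covert channel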
Analysis of Detection Techniques for Network Covert Timing Channels
16
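Authors: 肖尧 周建群 《工业信息安全》 2025, Issue 5, pp. 28-36 (9 pages)
As communication network technology iterates and evolves, new network security threats emerge with it, and protecting user privacy is an indispensable part of network security construction. Network covert timing channels, by virtue of their good stealthiness, can steal user information undetected in advanced persistent threat attacks, posing a serious threat to critical information infrastructure. Detecting and discovering network covert timing channels in traffic has therefore become a key part of improving cyberspace defense capability. Focusing on detection techniques for network covert timing channels, this paper systematically describes the basic definition of network covert channels and the state of development of their construction techniques. On this basis, it focuses on the technical principles and application limitations of traditional covert timing channel detection schemes, and examines in detail the machine learning-based detection schemes of the past three years. The paper further draws on the evolution of covert timing channel construction techniques to propose potential directions for the future development of detection techniques.
Keywords: network covert timing channel; network covert timing channel detection; machine learning; network security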
A Channel Estimation Method for Covert Transmission in Network Communication Based on Compressed Sensing Multiple Access
17
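Author: 江雍 《自动化技术与应用》 2025, Issue 12, pp. 155-158 (4 pages)
Because covert channels are sparse, estimating a covert transmission channel may give poor results for lack of effective extraction of key information; a channel estimation method for covert transmission in network communication is therefore studied on the basis of compressed sensing multiple access. A sparse dictionary is introduced, and the key information in the channel impulse response is extracted by solving for the sparse coefficient vector. A measurement matrix is used to linearly project the channel impulse response, yielding the users' compressed sensing values. Combined with the orthogonal matching pursuit method, the columns of the measurement matrix most correlated with the current residual are selected iteratively to estimate the covert transmission channel. Experimental results show that when the proposed method is used to estimate the covert transmission channel, the bit error rate is low and the estimation performance is fairly good.
Keywords: compressed sensing; multiple access; covert channel; channel estimation; bit error rate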
Building a Multi-Dimensional Detection Model for Covert Communication Channels in APT Attacks
18
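Authors: 谭金臻 方娜 《办公自动化》 2025, Issue 15, pp. 96-98 (3 pages)
The article proposes a multi-dimensional detection model, TCDM, which achieves multi-layered threat identification by fusing traffic behavior, protocol semantics and payload features. The model uses an LSTM network and the ARIMA algorithm to capture temporal anomalies, combines DNS query entropy, TLS fingerprint matching and sliding-window entropy to analyze protocol and payload features, and introduces a dynamic weight allocation mechanism to optimize multimodal decision-making. In experiments validated on an extended CICIDS2017 dataset, TCDM reaches accuracies of 98.7%, 95.1% and 93.4% in detecting DNS tunnels, HTTPS covert channels and ICMP transmission respectively, with a false positive rate as low as 2.8% and an AUC of 0.9745, a significant improvement over traditional methods. Its stream processing engine supports real-time detection at the 15 ms level and successfully blocked a supply chain attack in a real deployment, indicating that the model combines theoretical advancement with engineering practicality and offers a new paradigm for APT defense.
Keywords: APT attack; covert communication; covert channel detection; multi-dimensional detection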
STUDY AND IMPROVEMENT OF MLS RELATIONAL DATA MODEL
19
Authors: 王立松 丁秋林 《Transactions of Nanjing University of Aeronautics and Astronautics》 EI 2003, Issue 2, pp. 236-242 (7 pages)
The conception of multilevel security (MLS) is commonly used in the study of data model for secure database. But there are some limitations in the basic MLS model, such as inference channels. The availability and data integrity of the system are seriously constrained by its 'No Read Up, No Write Down' property in the basic MLS model. In order to eliminate the covert channels, the polyinstantiation and the cover story are used in the new data model. The read and write rules have been redefined for improving the agility and usability of the system based on the MLS model. All the methods in the improved data model make the system more secure, agile and usable.
Keywords: data model multilevel secure database covert channels POLYINSTANTIATION cover story
Improving Performance of Virtual Machine Covert Timing Channel Through Optimized Run-Length Encoding
20
Authors: 王翀 陈荣亮 古亮 《Journal of Computer Science & Technology》 SCIE EI CSCD 2023, Issue 4, pp. 793-806 (14 pages)
With its wider acceptability, cloud can host a diverse set of data and applications ranging from entertainment to personal to industry. The foundation of cloud computing is based on virtual machines where boundaries among the application data are very thin, and the potential of data leakage exists all the time. For instance, a virtual machine covert timing channel is an aggressive mechanism to leak confidential information through shared components or networks by violating isolation and security policies in practice. The performance of a covert timing channel (covert channel) is crucial to adversaries and attempts have been made to improve the performance of covert timing channels by advancing the encoding mechanism and covert information carriers. Though promising, the redundancy of the covert message is mainly overlooked. This paper applies three encoding schemes namely run-length, Huffman, and arithmetic encoding schemes for data compression of a virtual machine covert timing channel by exploiting redundancy. Accordingly, the paper studies the performance of such channels according to their capacity. Unfortunately, we show that these encoding schemes still contain redundancy in a covert channel scenario, and thereby a new encoding scheme namely optimized Run-length encoding (OptRLE) is presented that greatly enhances the performance of a covert timing channel. Several optimization schemes adopted by OptRLE are also discussed, and a mathematical model of the behavior of an OptRLE-based covert timing channel is proposed. The theoretical capacity of a channel can be obtained using the proposed model. Our analysis reveals that OptRLE further improves the performance of a covert timing channel, in addition to the effects of the optimizations. Experimental result shows how OptRLE affects the size of covert data and the capacity of covert timing channels, and why the performance of the covert timing channel is improved.
Keywords: covert storage channel information security covert channel threat evaluation anti-detection criterion covert channel restriction