Research on Covert Channel Construction Method Based on HTTP Protocol Combination

doi:10.3969/j.issn.1671-1122.2020.06.007

Abstract

Abstract:

Aiming at the problem that the existing covert storage channel has a low concealment, and the covert timing channel has a high bit error rate and a low transmission rate, a covert channel construction method combining HTTP protocol behaviors is proposed. In the method, HTTP requests are sent by simulating a browser application and allocated dynamically among different browsers, the concealed information is embedded by means of mathematical combination. The access object, the packet time interval and the packet length are also dynamically adjusted to improve the concealment of channel. At the same time, the channel is based on the reliable transmission of TCP protocol, so that it is not affected by the network jitter, thus ensuring the reliability of the channel. The experimental results show that the proposed method can resist the application signature based detection method, protocol fingerprint detection method and combined model detection method, and has strong concealment. It can adjust the concealment and channel capacity according to the application scenario.

Key words: covert channel, mathematical combination coding, HTTP protocol

CLC Number:

TP309

CHEN Cheng, LUO Senlin, WU Qian, YANG Peng. Research on Covert Channel Construction Method Based on HTTP Protocol Combination[J]. Netinfo Security, 2020, 20(6): 57-64.

Figures/Tables 10

References 14

[1]	COPPERSMITH D. The Data Encryption Standard(DES) and Its Strength Against Attacks[J]. IBM Journal of Research and Development, 1994,38(3):243-250.
[2]	WANG Yongji, WU Jingzheng, ZENG Haitao, et al. Covert Channel Research[J]. Journal of Software, 2010,21(9):2262-2288.
	王永吉, 吴敬征, 曾海涛, 等. 隐蔽信道研究[J]. 软件学报, 2010,21(9):2262-2288.
[3]	GIRLING C G. Covert Channels in LAN’s[J]. IEEE Transactions on Software Engineering, 1987,13(2):292-296.
[4]	LOW S H, MAXEMCHUK N F, BRASSIL J T, et al. Document Marking and Identification Using Both Line and Word Shifting [C]//IEEE. 4th Annual Joint Conference of the IEEE Computer and Communication Societies, April 2-6, Boston, MA, USA. New Jersey: IEEE, 1995: 853-860.
[5]	BROWN E, YUAN B, JOHNSON D, et al. Covert Channels in the HTTP Network Protocol: Channel Characterization and Detecting Man-in-the-Middle Attacks[J]. Journal of Information Warfare, 2010,9(3):26-38.
[6]	LUO Xiapu, CHAN E W W, ZHOU Peng, et al. Robust Network Covert Communications Based on TCP and Enumerative Combinatorics[J]. IEEE Transactions on Dependable and Secure Computing, 2012,9(6):890-902.
[7]	WANG Fei, HUANG Liusheng, MIAO Haibo, et al. A Novel Distributed Covert Channel in HTTP[J]. Security & Communication Networks, 2014,7(6):1031-1041.
[8]	CABUK S, BRODLEY C E, SHIELDS C. IP Covert Timing Channels: Design and Detection [C]//ACM. 11th ACM Conference on Computer and Communications Security, October 18-20, 2004, Washington DC, USA. New York: ACM, 2004: 178-187.
[9]	SHAH G, MOLINA A, BLAZE M. Keyboards and Covert Channels[EB/OL]. https://www.mendeley.com/catalogue/89442cba-faaa-3d0a-a936-2a0b989a8bb1, 2019 -5-11.
[10]	QIAN Yuwen, ZHAO Bangxin, KONG Jianshou, et al. Robust Covert Timing Channel Based on Web[J]. Journal of Computer Research and Development, 2011,48(3):423-431.
	钱玉文, 赵邦信, 孔建寿, 等. 一种基于Web的可靠网络隐蔽时间信道的研究[J]. 计算机研究与发展, 2011,48(3):423-431.
[11]	KWECKA Z. Application Layer Covert Channel Analysis and Detection[D]. Edinburgh: Napier University, 2006.
[12]	DUSI M, CROTTI M, GRINGOLI F, et al. Tunnel Hunter: Detecting Application-layer Tunnels with Statistical Fingerprinting[J]. Computer Networks, 2009,53(1):81-97.
[13]	GUO Chuanchuan. Research and Implementation on the System of Storage Network Covert Channels Detection[D]. Chengdu: University of Electronic Science and Technology of China, 2016.
	郭川川. 存储式网络隐蔽信道检测研究与实现[D]. 成都:电子科技大学, 2016.
[14]	LIU Yayi, GHOSAL D, ARMKNECHT F, et al. Robust and Undetectable Steganographic Timing Channels for i.i.d. Traffic [C]//ACM. 12th International Conference on Information Hiding, June 28-30, 2010, Calgary, AB, Canada. New York: ACM, 2010: 193-207.

U_i	B₁	B₂	B₃	B₄
0000	5	0	0	0
0001	4	1	0	0
0010	4	0	1	0
0011	4	0	0	1
0100	3	2	0	0
0101	3	0	2	0
0110	3	0	0	2
0111	2	1	1	0
1000	2	1	0	1
1001	2	0	1	1
1010	2	3	0	0
1011	2	0	3	0
1100	2	0	0	3
1101	2	2	1	0
1110	2	1	0	2
1111	2	1	2	0

文件类型	丢包率
	5%	10%	15%
txt	0%	0%	0%
Word	0%	0%	0%

λ	N
λ	4	8	16
10	69.3 bit/s	134.2 bit/s	188.3 bit/s
20	36.4 bit/s	69.6 bit/s	101.4 bit/s
30	27.7 bit/s	50.9 bit/s	73.2 bit/s
40	22.1 bit/s	38.7 bit/s	55.3 bit/s

方法	应用签名检测	协议指纹技术	组合模型检测
本文方法	0%	3%	2%
文献[7]	0%	4%	4%
文献[11]	100%	63%	100%

方法	丢包率
方法	5%	10%	15%
本文方法	0%	0%	0%
文献[7]	4%	7%	12%
文献[11]	0%	0%	0%