Reporting Insider Threats via Covert Channels

2013 IEEE Security and Privacy Workshops Pub Date : 2013-05-23 DOI:10.1109/SPW.2013.30

David N. Muchene, Klevis Luli, Craig A. Shue

{"title":"Reporting Insider Threats via Covert Channels","authors":"David N. Muchene, Klevis Luli, Craig A. Shue","doi":"10.1109/SPW.2013.30","DOIUrl":null,"url":null,"abstract":"Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computers systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block. In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to IP packet and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization. We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"39 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 IEEE Security and Privacy Workshops","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SPW.2013.30","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 19

Abstract

Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computers systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block. In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to IP packet and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization. We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.

查看原文本刊更多论文

通过秘密渠道报告内部威胁

受信任的内部人员背叛组织可能会造成重大伤害。除了拥有访问组织资源和信息的特权外，这些用户可能熟悉围绕有价值资产的防御。组织中的计算机系统需要一种机制来交流可疑活动，使恶意的内部人员(甚至外部人员)难以检测或阻止。在这项工作中，我们在以太网帧中提出了一个隐蔽通道，允许计算机系统报告其他不相关网络通信中的活动。隐蔽通道利用以太网和IP数据包使用的成帧方法的差异，将隐藏信息附加到IP数据包中，并将其传输给组织的管理员。这种隐形通信即使是高级攻击者也很难阻止，因为它利用了不相关的通信。此外，由于传输与以太网帧绑定，因此通信不能遍历网络路由器，从而防止安全信息离开组织。我们引入了隐蔽通道，将其合并到一个工作原型中，并将其与入侵检测系统相结合，以显示其对安全事件报告的承诺。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 IEEE Security and Privacy Workshops

自引率

0.00%

发文量