• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.4
• /
• pp.1927-1943
• /
• 2016

Jitterbug is a passive network covert timing channel supplying reliable stealthy transmission. It is also the basic manner of some improved covert timing channels designed for higher undetectability. The existing entropy-based detection scheme based on training sample binning may suffer from model mismatching, which results in detection performance deterioration. In this paper, a new detection method based on the feature of Jitterbug covert channel traffic is proposed. A fixed binning strategy without training samples is used to obtain bins distribution feature. Coefficient of variation (CV) is calculated for several sets of selected bins and the weighted mean is used to calculate the final CV value to distinguish Jitterbug from normal traffic. Furthermore, the timing window parameter of Jitterbug is estimated based on the detected traffic. Experimental results show that the proposed detection method can achieve high detection performance even with interference of network jitter, and the parameter estimation method can provide accurate values after accumulating plenty of detected samples.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.8
• /
• pp.3550-3566
• /
• 2020

As a widely used way to exfiltrate information, wireless covert channel (WCC) brings a serious threat to communication security, which enables the wireless communication process to bypass the authorized access control mechanism to disclose information. Unlike the covert channel on the network layer, wireless covert channels on the physical layer (WCC-P) is a new covert communication mode to implement and improve covert wireless communication. Existing WCC-P scheme modulates the secret message bits into the Gaussian noise, which is also called covert digital communication system based on the joint normal distribution (CJND). Finding the existence of this type of covert channel remains a challenging work due to its high undetectability. In this paper, we exploit the square autocorrelation coefficient (SAC) characteristic of the CJND signal to distinguish the covert communication from legitimate communication. We study the sharp increase of the SAC value when the offset is equal to the symbol length, which is caused by embedding secret information. Then, the SAC value of the measured sample is compared with the threshold value to determine whether the measured sample is CJND sample. When the signal-to-noise ratio reaches 20db, the detection accuracy can reach more than 90%.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.4
• /
• pp.1866-1883
• /
• 2019

As the youngest branch of information hiding, network covert timing channels conceal the existence of secret messages by manipulating the timing information of the overt traffic. The popular model-based framework for constructing covert timing channels always utilizes cumulative distribution function (CDF) of the inter-packet delays (IPDs) to modulate secret messages, whereas discards high-order statistics of the IPDs completely. The consequence is the vulnerability to high-order statistical tests, e.g., entropy test. In this study, a rich security model of covert timing channels is established based on IPD chains, which can be used to measure the distortion of multi-order timing statistics of a covert timing channel. To achieve rich security, we propose two types of covert timing channels based on nested lattices. The CDF of the IPDs is used to construct dot-lattice and interval-lattice for quantization, which can ensure the cell density of the lattice consistent with the joint distribution of the IPDs. Furthermore, compensative quantization and guard band strategy are employed to eliminate the regularity and enhance the robustness, respectively. Experimental results on real traffic show that the proposed schemes are rich-secure, and robust to channel interference, whereas some state-of-the-art covert timing channels cannot evade detection under the rich security model.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.20 no.8
• /
• pp.1422-1430
• /
• 2016

Researches for oceans are limited to military purpose such as underwater sound detection and tracking system. Underwater acoustic communications with low-probability-of-interception (LPI) covert characteristics were received much attention recently. Covert communications are conducted at a low received signal-to-noise ratio to prevent interception or detection by an eavesdropper. This paper proposed optimal covert communication model based on direct sequence spread spectrum for underwater environments. Spread spectrum signals may be used for data transmission on underwater acoustic channels to achieve reliable transmission by suppressing the detrimental effect of interference and self-interference due to jamming and multipath propagation. The characteristics of the underwater acoustic channel present special problems in the design of covert communication systems. To improve performance and probability of interception, we applied BCJR(Bahl, Cocke, Jelinek, Raviv) decoding method and the direct sequence spread spectrum technology in low SNR. Also, we compared the performance between conventional model and proposed model based on turbo equalization by simulation and lake experiment.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.3
• /
• pp.81-90
• /
• 2003

The presence of the intrusion is judged by intrusion detection system based on the audit log and the Performance of this system depends on how correctly and effectively it has been described about the intrusion pattern with audit log. In this paper, the relativity concerning intrusion is demonstrated among the information those are ‘System call, Network packet and Syslog’ and the related pattern of the state-transition-based method and those rule-based pattern is identified. By applying this correlation to them, the accuracy rate of detection was able to be improved. Especially, the availability of detection with correlation pattern through Covert Channel detection test has been substantiated.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.14 no.1
• /
• pp.35-45
• /
• 2004

In explosively increasing internet environments, information security is one of the most important consideration. Nowadays, various security solutions are used as such problems countermeasure; IDS, Firewall and VPN. However, basically internet has much vulnerability of protocol itself. Specially, it is possible to establish a covert channel using TCP/IP header fields such as identification, sequence number, acknowledge number, timestamp and so on. In this Paper, we focus cm the covert channels using identification field of IP header and the sequence number field of TCP header. To detect such covert channels, we used Support Vector Machine which has excellent performance in pattern classification problems. Our experiments showed that proposed method could discern the abnormal cases(including covert channels) from normal TCP/IP traffic using Support Vector Machine.

• Journal of the Korea Society for Simulation
• /
• v.31 no.4
• /
• pp.11-22
• /
• 2022

Unlike a short-range, a long-range underwater acoustic communication(UWAC) uses low frequency signal and deep sound channel to minimize propagation loss. In this case, even though communication signals are modulated using a covert transmission technique such as spread spectrum, it is hard to conceal the existence of the signals. The unconcealed communication signal can be utilized as active sonar signal by enemy and presence of underwater vehicles may be exposed to the interceptor. Since it is very important to maintain stealthiness for underwater vehicles, the detection probability of friendly underwater vehicles should be considered when interceptor utilizes our long-range UWAC signal. In this paper, we modeled a long-range UWAC environment for analyzing the detection performance of underwater vehicles and proposed the region of interest(ROI) setup method and the measurement of detection performance. By computer simulations, we yielded parameters, analyzed the detection probability and the detection performance in ROI. The analysis results showed that the proposed detection performance analysis method for underwater vehicles could play an important role in the operation of long-range UWAC equipment.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.11
• /
• pp.5588-5613
• /
• 2018

Virtualization technology has been widely applied in the area of computer security research that provides a new method for system protection. It has been a hotspot in system security research at present. Virtualization technology brings new risk as well as progress to computer operating system (OS). A multi-level perception security model using virtualization is proposed to deal with the problems of over-simplification of risk models, unreliable assumption of secure virtual machine monitor (VMM) and insufficient integration with virtualization technology in security design. Adopting the enhanced isolation mechanism of address space, the security perception units can be protected from risk environment. Based on parallel perceiving by the secure domain possessing with the same privilege level as VMM, a mechanism is established to ensure the security of VMM. In addition, a special pathway is set up to strengthen the ability of information interaction in the light of making reverse use of the method of covert channel. The evaluation results show that the proposed model is able to obtain the valuable risk information of system while ensuring the integrity of security perception units, and it can effectively identify the abnormal state of target system without significantly increasing the extra overhead.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.4
• /
• pp.739-751
• /
• 2019

Security in embedded devices has become a significant issue. Threats on the sup-ply chain, like using counterfeit components or inserting backdoors intentionally are one of the most significant issues in embedded devices security. To mitigate these threats, high-level security evaluation and certification more than EAL (Evaluation Assurance Level) 5 on CC (Common Criteria) are necessary on hardware components, especially on the cryptographic module such as AES. High-level security evaluation and certification require detecting covert channel such as backdoors on the cryptographic module. However, previous studies have a limitation that they cannot detect some kinds of backdoors which leak the in-formation recovering a secret key on the cryptographic module. In this paper, we present an expanded definition of backdoor on hardware AES module and show how to detect the backdoor which is never detected in Verilog HDL using model checker NuSMV.