Abstract (English)
The Internet, along with its many advantages, has brought a series of threats such as the leakage of confidential information. A covert channel allows data to be leaked to an unauthorized, anonymous receiver. This thesis describes the basic concepts of covert channels, methods for constructing storage and timing covert channels, and countermeasures against them, and compares these methods with one another. Detection methods based on neural networks, support vector machines and Markov chains are also explained. The main limitation shared by these detection methods is that each of them works only for one particular protocol and one specific channel within that protocol.

This thesis proposes a framework for identifying different types of storage covert channels across different transport-layer protocols, using pattern matching at fixed offsets within the packet. The proposed method has two modes. In the first mode, each pattern specifies an offset from the first byte of the packet; when a pattern matches a packet, the value at that offset is examined, and if it is abnormal the packet is marked as suspicious. The suspicious packet is then examined in a sliding window together with the other packets of the same connection. In the second mode, a counter records how many packets match each pattern within a window of packets; if the number of occurrences in that window exceeds a threshold, the matching packets may contain hidden data. The generality of the approach comes from describing each storage covert channel as a pattern, and it is fast because only a specific segment of each packet is inspected.

To evaluate the proposed method, eight scenarios were designed in which system information is exfiltrated through a storage covert channel. The fields used to create the channels are the initial sequence number, the urgent pointer and the reserved bits of the TCP header, and the data field of ICMP. For the final evaluation, a combined scenario of 1,250,000 packets was assembled, of which 20% were generated by four storage covert channels carrying hidden information. With a sliding window of 3 packets and a window of 800 packets, the proposed method achieved an accuracy of 96.62% and a false-positive rate of 3.89% on the combined scenario.
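The following is an added illustration of the two-mode detector outlined above; it is example code written for this page, not the thesis's own implementation. The TCP field offsets follow the standard header layout, but the abnormality predicates (reserved bits non-zero; urgent pointer set without the URG flag), the window sizes, the minimum-hits rule for the per-connection window, the thresholds and the packets themselves are assumptions for illustration. The initial-sequence-number and ICMP channels from the thesis are not modelled here.

```python
"""
Two-mode offset-pattern detector for storage covert channels (added example,
not the thesis's code). Offsets are relative to the first byte of the TCP
header; predicates, windows, thresholds and sample packets are assumptions.
"""
from collections import deque
import struct


def tcp_header(seq=1000, flags=0x18, reserved=0, urg_ptr=0, sport=40000, dport=80):
    """Constructed 20-byte TCP header (checksum left zero; not a real capture)."""
    # Byte 12: data offset (5 words) in the high nibble, 3 reserved bits, NS bit.
    offset_reserved = (5 << 4) | ((reserved & 0x7) << 1)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                       offset_reserved, flags, 65535, 0, urg_ptr)


# Mode 1 patterns: the field is read at a fixed offset from the first byte and
# handed to a predicate that decides whether the value is abnormal (assumed rules).
PATTERNS = {
    # Reserved bits (byte 12, bits 1-3) must be zero in legitimate traffic.
    "tcp_reserved": dict(offset=12, length=1,
                         abnormal=lambda v, h: (v & 0x0E) != 0),
    # Urgent pointer (bytes 18-19) is only meaningful when URG (0x20) is set.
    "tcp_urgent": dict(offset=18, length=2,
                       abnormal=lambda v, h: v != 0 and not (h[13] & 0x20)),
}


def read_field(hdr, offset, length):
    """Read `length` bytes at `offset` as a big-endian integer."""
    return int.from_bytes(hdr[offset:offset + length], "big")


def mark_suspicious(hdr):
    """Return the names of patterns whose field is abnormal in this packet."""
    return [name for name, p in PATTERNS.items()
            if p["abnormal"](read_field(hdr, p["offset"], p["length"]), hdr)]


def mode1_detect(packets, window=3, min_hits=2):
    """Mode 1: a suspicious packet is reported only if at least `min_hits` of
    the last `window` packets of the same connection were also suspicious
    (per-connection sliding window; `min_hits` is an assumed parameter).
    `packets` is a list of (connection_key, header_bytes). Returns indices."""
    history = {}          # connection key -> deque of recent suspicious flags
    reported = []
    for i, (conn, hdr) in enumerate(packets):
        hits = mark_suspicious(hdr)
        win = history.setdefault(conn, deque(maxlen=window))
        win.append(bool(hits))
        if hits and sum(win) >= min_hits:
            reported.append(i)
    return reported


def mode2_detect(packets, matches, window=800, threshold=0):
    """Mode 2: count packets for which `matches(hdr)` is true over a sliding
    window of `window` packets; once the count exceeds `threshold`, every
    matching packet in that window is reported. Returns sorted indices."""
    recent = deque(maxlen=window)      # (index, matched) for the current window
    reported = set()
    for i, (_, hdr) in enumerate(packets):
        recent.append((i, matches(hdr)))
        if sum(m for _, m in recent) > threshold:
            reported.update(j for j, m in recent if m)
    return sorted(reported)


def sample_packets():
    """Constructed traffic: connection A is normal apart from one stray urgent
    pointer; connection B smuggles bits through the reserved field."""
    return [
        ("A", tcp_header()),                  # 0 normal
        ("B", tcp_header(reserved=5)),        # 1 covert: reserved bits 101
        ("A", tcp_header(urg_ptr=7)),         # 2 isolated anomaly, URG not set
        ("B", tcp_header(reserved=2)),        # 3 covert: reserved bits 010
        ("A", tcp_header()),                  # 4 normal
        ("B", tcp_header(reserved=1)),        # 5 covert: reserved bits 001
        ("A", tcp_header()),                  # 6 normal
    ]


def reserved_bits_used(hdr):
    """Mode 2 predicate: the reserved field carries data (assumed rule)."""
    return (hdr[12] & 0x0E) != 0


if __name__ == "__main__":
    pkts = sample_packets()
    print("mode 1:", mode1_detect(pkts, window=3, min_hits=2))
    print("mode 2:", mode2_detect(pkts, reserved_bits_used, window=4, threshold=1))
```

In mode 1 the isolated urgent-pointer anomaly on connection A is marked suspicious but never confirmed, because no other packet in its window of 3 is suspicious, while the run of reserved-bit packets on connection B is confirmed from the second packet onward. Mode 2 makes no use of the connection key; it is the mode suited to channels such as the initial-sequence-number channel, where a single packet cannot be judged on its own but an unusual density of matching packets (for example SYN segments opening fresh connections) inside a window of 800 packets can.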
Keywords: Covert Channel, Covert Channel Detection, Information Leakage, Storage Covert Channel, Information Security