Abstract
The Internet is currently one of the main communication platforms for cybercriminals and terrorists to exchange secret messages and hidden information. The use of clear or non-encrypted network traffic to communicate over the Internet allows steganalysis processes and surveillance agencies to easily identify the presence of secret messages and hidden information, and to classify the involved entities as potential cybercriminals or terrorists. However, covert channels can be an efficient and remedial communication solution for cybercriminals and terrorists to exchange secret messages and hidden information. In fact, most covert channels attempt to send clear and non-encrypted messages embedded in the fields of network packets in order to offer communication channels that are robust against steganalysis. Nevertheless, covert channels are an immense cause of security concern and are classified as a serious threat because they can be used to pass malicious messages. This explains why the detection and elimination of covert channels is considered a major issue facing security systems that needs to be addressed. In this paper, a novel approach for detecting a particular type of covert channel is discussed. The covert channel uses the IP Record Route option header in network IP packets to send secret messages and hidden information. The paper demonstrates that this type of covert channel is not robust enough against steganalysis. The proposed detection approach is based on the IP Loose Source Route option header. The experiments conducted show that the proposed approach is simple and straightforward to implement and can contribute to identifying malicious online activities of cybercriminals and terrorists.
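For readers who want to see the field the abstract refers to, the following added example (not code from the paper, and not its Loose Source Route based method) parses the IPv4 options area per RFC 791 and applies two structural checks to the Record Route option. The function names, the sample packets and the assumption that a sender zero-fills route slots no router has written yet are choices made for this example.

```python
import ipaddress

EOL, NOP, RR = 0, 1, 7  # IPv4 option type values from RFC 791

def ipv4_options(packet: bytes):
    """Yield (type, option_bytes) for each option in a raw IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:            # end of option list
            return
        if kind == NOP:            # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        yield kind, opts[i:i + opts[i + 1]]
        i += opts[i + 1]

def inspect_record_route(packet: bytes):
    """Return (recorded_addresses, findings) for Record Route options."""
    recorded, findings = [], []
    for kind, opt in ipv4_options(packet):
        if kind != RR:
            continue
        # Layout: type, length, pointer, then 4-byte route slots.
        # The pointer is 1-based, starts at 4 and advances by 4 per hop.
        if (len(opt) < 3 or (opt[1] - 3) % 4 or opt[2] % 4
                or not 4 <= opt[2] <= opt[1] + 1):
            findings.append("length/pointer inconsistent")
            continue
        pointer = opt[2]
        for off in range(3, pointer - 1, 4):   # slots already written
            recorded.append(str(ipaddress.IPv4Address(opt[off:off + 4])))
        # Assumption of this example: slots past the pointer are zero-filled.
        if any(opt[pointer - 1:]):
            findings.append("unused route slots carry non-zero data")
    return recorded, findings

def build_header(option: bytes) -> bytes:
    """Constructed sample input: bare IPv4 header carrying one option."""
    padded = option + bytes(-len(option) % 4)   # pad with EOL bytes
    return bytes([0x40 | (20 + len(padded)) // 4]) + bytes(19) + padded

# Constructed packets: one hop recorded, data in unused slots, bad pointer.
CLEAN = build_header(bytes([RR, 11, 8, 192, 0, 2, 1]) + bytes(4))
SUSPECT = build_header(bytes([RR, 11, 4]) + b"SAMPLE!!")
MALFORMED = build_header(bytes([RR, 11, 5]) + bytes(8))
```

Both checks are heuristics: a non-zero unused slot or an inconsistent pointer marks a packet for closer review and does not by itself prove a covert channel.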
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Saidi, F., Trabelsi, Z., Ghézela, H.B. (2020). An Approach for Thwarting Malicious Secret Channel: The Case of IP Record Route Option Header-Based Covert Channels. In: Kallel, S., Cuppens, F., Cuppens-Boulahia, N., Hadj Kacem, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2019. Lecture Notes in Computer Science(), vol 12026. Springer, Cham. https://doi.org/10.1007/978-3-030-41568-6_12
DOI: https://doi.org/10.1007/978-3-030-41568-6_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41567-9
Online ISBN: 978-3-030-41568-6
eBook Packages: Computer Science, Computer Science (R0)