Despite extensive research, timing channels (TCs) remain a principal category
of threat: they leak and transmit information by perturbing the timing or
ordering of events. Existing TC detection approaches are either signature-based,
detecting known TCs, or anomaly-based, modeling the legitimate network traffic
in order to detect unknown TCs. Unfortunately, in a software-defined networking
(SDN) environment, most existing TC detection approaches would fail due to
factors such as volatile network traffic, imprecise timekeeping mechanisms, and
dynamic network topology. Furthermore, stealthy TCs can be designed to mimic
the legitimate traffic pattern and thus evade anomaly-based TC detection. In
this paper, we overcome the above challenges by presenting a novel framework
that harnesses the advantages of elastic resources in the cloud. In particular,
our framework dynamically configures SDN to enable or disable differential
analysis of the outbound network flows of different virtual machines (VMs). Our
framework is tightly coupled with a new metric that first decomposes the timing
data of network flows at multiple resolutions using the discrete wavelet-based
multi-resolution transform (DWMT), and then applies the Kullback-Leibler
divergence (KLD) to measure the variance among flow pairs. The appealing
feature of our approach is that, compared with existing anomaly detection
approaches, it can detect most existing and some new stealthy TCs without
needing legitimate traffic for modeling, even in the presence of noise and
imprecise timekeeping in an SDN virtual environment. We implement our framework
as a prototype system, OBSERVER, which can be dynamically deployed in an SDN
environment. Empirical evaluation shows that our approach can efficiently
detect TCs with a higher detection rate, lower latency, and negligible
performance overhead compared to existing approaches.
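The following is an added illustration of the DWMT-plus-KLD differential metric described above; it is not code from the paper or from the OBSERVER prototype. It assumes a Haar wavelet as the multi-resolution transform, Laplace-smoothed histograms of the wavelet coefficients per band, and a constructed covert flow that encodes bits as 5 ms / 15 ms inter-packet delays; the benign flows are constructed with exponential inter-packet delays.

```python
import math
import random

def haar_step(x):
    """One Haar level: pairwise averages (approximation) and half-differences (detail)."""
    n = len(x) - len(x) % 2
    approx = [(x[i] + x[i + 1]) / 2.0 for i in range(0, n, 2)]
    detail = [(x[i] - x[i + 1]) / 2.0 for i in range(0, n, 2)]
    return approx, detail

def dwmt(x, levels=3):
    """Multi-resolution decomposition (assumed Haar): detail bands finest first, approximation last."""
    bands, a = [], list(x)
    for _ in range(levels):
        a, d = haar_step(a)
        bands.append(d)
    return bands + [a]

def band_distribution(values, lo, hi, nbins=16):
    """Empirical distribution of one band over fixed bins, Laplace-smoothed so the KLD stays finite."""
    counts = [1.0] * nbins
    width = (hi - lo) / nbins or 1e-9
    for v in values:
        counts[min(nbins - 1, max(0, int((v - lo) / width)))] += 1
    total = sum(counts)
    return [c / total for c in counts]

def kld(p, q):
    """Kullback-Leibler divergence D(p || q) in nats."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))

def flow_divergence(ipd_a, ipd_b, levels=3):
    """Per-band KLD between two flows' inter-packet delay (IPD) sequences, finest band first.
    Both bands share one bin range so the two distributions are directly comparable."""
    scores = []
    for x, y in zip(dwmt(ipd_a, levels), dwmt(ipd_b, levels)):
        lo, hi = min(x + y), max(x + y)
        scores.append(kld(band_distribution(x, lo, hi), band_distribution(y, lo, hi)))
    return scores

def constructed_flows(n=256):
    """Constructed sample input (not captured traffic): two benign flows with exponential IPDs
    (mean 10 ms) and one flow whose IPDs carry bits as 5 ms / 15 ms delays (assumed modulation)."""
    rng1, rng2 = random.Random(1), random.Random(2)
    benign_1 = [rng1.expovariate(0.1) for _ in range(n)]
    benign_2 = [rng2.expovariate(0.1) for _ in range(n)]
    bits = [int(b) for byte in b"constructed" for b in format(byte, "08b")]
    covert = [15.0 if bits[i % len(bits)] else 5.0 for i in range(n)]
    return benign_1, benign_2, covert

if __name__ == "__main__":
    b1, b2, cv = constructed_flows()
    print("benign vs benign:", [round(s, 3) for s in flow_divergence(b1, b2)])
    print("benign vs covert:", [round(s, 3) for s in flow_divergence(b1, cv)])
```

The benign pair yields small per-band divergences, while the modulated flow concentrates its finest-band coefficients in a few bins and produces a much larger KLD against a benign flow, which is the differential signal the metric exploits without any model of legitimate traffic.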