Re: Detecting covert data channels?

[jeremy () deities org]

The key question here is 'why?' If your goal is detection and forensics then collecting batches of data for statistical 
analysis is likely to be both possible and the best approach. You'll want to analyze the data in multiple dimensions to 
look for anomalies across volume, targets, protocol structure, sequencing, fragmentation, metadata, etc. (Remember you 
covert channel may not be in the data at all it may be as subtle as the timing of when the packets arrive or the order)
For this approach I'd tend to use tcpdump and various custom scripts doing the batch analysis.

If your goal is to prevent data leakage or generally prevent unmonitored communications then I think that detection is 
mostly moot. Instead you should focus on prevention. In this case, analyze what you can and what you care about and 
normalize the rest. All covert channels I can think of rely on using parts of the data streams that are not used for 
the core protocol goals. Therefore normalizing traffic rates, header fields, sequencing, fragmentation, etc will simply 
remove the opportunity for almost all covert channels.
You will, of course, still need the forensic approach above if you want to increase your confidence but as you find 
each possible channel you'll probably only need to modify your normalization to remove it.

-J

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------