Vulnerability Development mailing list archives

Re: Covert Channels


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 23 Oct 2002 17:30:11 -0500

On Wed, 2002-10-23 at 17:04, Michal Zalewski wrote:
> [...] would it be possible to, with same
> level of coverage and accuracy, cover newer and newer covert channel
> techniques just like we cover new attack methods? The answer: yes, to a
> point where covert channels are sophisticated enough to mimic valid
> traffic to a level that is simply indistinguishable for a human or machine
> without reading the person's mind. There's no such issue with attack detection
> IDSes, because attacks can be distinguished as valid traffic, but only
> to a degree, whereas covert channels can be *made of* valid traffic,
> simple as that.


uuh... the perfect sentence. I think it's agreed that current IDSs look
for signatures of (invalid) data. As you said, a covert channel is
comprised of valid data. But doesn't that valid data have some
properties that could characterize it as a possible covert channel?

I think it was Jose who used the example of a rogue broker accessing
websites in a certain order. While valid traffic, shouldn't it be
possible to detect that behavior? Not on first occurrence, of course;
such a covert channel detector would have to watch traffic for a while.
And yes, the amount of data captured by the detector (data meaning
certain properties of valid data, such as time of day, length,
repetitive pattern, etc.) would probably be enormously huge. One would
have to gather so much data that it may become infeasible, but not
impossible?

Frank

Attachment: signature.asc
Description: This is a digitally signed message part
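Frank's question above, whether properties of valid traffic (order of sites, timing, length, repetition) could characterise a covert channel, worked through as an added example that is not code from the thread: a small per-client behavioural scorer over a constructed proxy log. The log format, the three heuristics and their thresholds are assumptions for illustration.

```python
# Behavioural covert-channel detector, an example added to the archive and
# not from the thread: it scores ordering, timing regularity and size uniformity.
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed proxy log "<epoch> <client> <host> <bytes>": 10.0.0.5 cycles three
# sites every 20 s with identical sizes, 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.5 news.example 512
1020 10.0.0.5 weather.example 512
1040 10.0.0.5 stocks.example 512
1060 10.0.0.5 news.example 512
1080 10.0.0.5 weather.example 512
1100 10.0.0.5 stocks.example 512
1003 10.0.0.9 news.example 2048
1041 10.0.0.9 mail.example 731
1100 10.0.0.9 stocks.example 9950
"""

def parse_log(text):
    """Group (time, host, size) records per client, oldest first."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, size = line.split()
        per_client[client].append((int(ts), host, int(size)))
    return {c: sorted(v) for c, v in per_client.items()}

def repeated_sequence_ratio(hosts, k=3):
    """Fraction of ordered k-host windows that recur elsewhere in the stream."""
    windows = [tuple(hosts[i:i + k]) for i in range(len(hosts) - k + 1)]
    counts = Counter(windows)
    return sum(1 for w in windows if counts[w] > 1) / len(windows) if windows else 0.0

def timing_cv(times):
    """Coefficient of variation of inter-request gaps; 0 means clockwork."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None          # too few requests to judge regularity
    return pstdev(gaps) / mean(gaps)

def score_clients(log_text, k=3, order_thresh=0.5, cv_thresh=0.1):
    """Flag clients whose order, timing or sizes are too regular for a human."""
    report = {}
    for client, recs in parse_log(log_text).items():
        times, hosts, sizes = zip(*recs)
        order, cv = repeated_sequence_ratio(hosts, k), timing_cv(times)
        uniform = len(sizes) > 2 and len(set(sizes)) == 1
        report[client] = {"order_ratio": order, "timing_cv": cv, "uniform_size": uniform,
                          "suspicious": order >= order_thresh
                          or (cv is not None and cv <= cv_thresh) or uniform}
    return report
```

The point the thread makes still holds: each heuristic needs a window of many requests before it says anything, and a channel that randomises its order, jitter and sizes will score like ordinary browsing.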