From: Mark Crosbie (mcrosbieCUP.HP.COM)
Date: Wed Apr 18 2001 - 12:47:37 CDT
In message <13126.96.36.199.167.987607159.squirrelwww.loria.fr>, Matthieu Huin
>This is why I think the best way to detect a covert channel isn't
>network-based but host-based IDS: look for a strange, unknown program being
>launched at startup. If the potentially infected host is also having a lot
Ahh yes, the mythical "strange, unknown program" is an elusive beast
to catch, even given an IDS with built-in 20-20 Hindsight (tm) :-)
Some ideas for covert channels on a host system could be:
1. The existence/non-existence of a file or directory.
2. The permission bits on a file/dir.
3. The file/dir name or a subset of the name
4. The fact that a process is/is not running
5. The process name of a process.
6. Percentage of CPU used by a process (e.g. <50%, >50%)
7. Current process memory footprint (as reported by top)
8. Number of open file descriptors
9. Number of child processes of a given process
10. etc etc etc
Gathering the data on these types of activity or system state is
relatively straightforward. Kernel audit data, file and directory
checksums and a kernel statistics profiler will reveal most of the
state data that could be used for a covert channel.
But analyzing that data - whew! A misuse detector system would have a
tough time coming up with rules that were specific enough to detect
the covert channel and yet would not flood the admin with spurious
A statistical anomaly detector may detect strange goings on (e.g. files
reappearing in directories at somewhat predictable intervals), but the
beauty of a covert channel is that you can reduce the rate of
information leakage so that it falls far below the noise threshold of
any anomaly-based IDS.
>of unexpected traffic going back and forth (icmp for Loki, Ack packets for
>AckCmd, traffic aimed at port 80 although there's no webserver on that host
>...), then you can almost be sure a covert channel is up.
>
>Now, I might be wrong on some points, be nice enough to signal them =)
>
>Matthieu Huin
>Engineering student (Elève-Ingénieur) at the Mines de Nancy & DEA in computer science at Université Nancy II
>
>PS: I am working on an application of pattern matching to intrusion
>detection. A "beta" version of my report is online at
>http://eleves.mines.u-nancy.fr/~huin/fake/filtres.html. Comments very
>welcomed! (unfortunately the report is in French, sorry ...)

--
Mark Crosbie
HP Praesidium IDS/9000 Product Architect
Hewlett-Packard MS 47 LA
19447 Pruneridge Avenue
Cupertino, CA 95014
(408) 447-2308
mcrosbiecup.hp.com
http://www.hp.com/security/products/ids
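An added illustration of the noise-threshold argument in the post above (example code, not part of the original thread): a toy count-based anomaly detector run over constructed file-audit events. The detector learns mean + 3σ of per-minute event counts from a clean day; sixty marker-file toggles in one minute trip it immediately, while the same sixty toggles spread ten minutes apart never lift any window above the baseline. All rates, seeds and event data are constructed.

```python
import random
from statistics import mean, pstdev

WINDOW = 60          # seconds per counting window
DAY = 24 * 3600      # one simulated day of audit data

def benign_events(rate_per_hour, seed=1):
    """Constructed background: benign file create events arriving at a
    roughly Poisson rate (sample data, not real audit output)."""
    rng = random.Random(seed)
    t, out = 0.0, []
    while t < DAY:
        t += rng.expovariate(rate_per_hour / 3600)
        out.append((t, "create"))
    return out

def covert_events(period, count, start=12 * 3600):
    """Constructed signalling: a marker file appears and disappears every
    `period` seconds, `count` times; each toggle is one audit event."""
    return [(start + i * period, "create" if i % 2 == 0 else "delete")
            for i in range(count)]

def window_counts(events):
    """Events per WINDOW-second bucket across the day."""
    counts = [0] * (DAY // WINDOW + 1)
    for t, _ in events:
        if t < DAY:
            counts[int(t // WINDOW)] += 1
    return counts

def anomalous_windows(baseline, observed, k=3.0):
    """Flag windows whose count exceeds mean + k*stdev of the baseline day."""
    mu, sigma = mean(baseline), pstdev(baseline)
    threshold = mu + k * sigma
    return [i for i, c in enumerate(observed) if c > threshold]

def detect(period, count):
    """Baseline from a clean day, then observe a second day with the channel."""
    base = window_counts(benign_events(30))
    obs = window_counts(benign_events(30, seed=2) + covert_events(period, count))
    return anomalous_windows(base, obs)

if __name__ == "__main__":
    print("burst (1 toggle/s):     flagged windows", detect(1, 60))
    print("slow (1 toggle/10 min): flagged windows", detect(600, 60))
```

The slow run's flags, if any, are indistinguishable from the false positives the benign background produces on its own; only the burst stands out.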