Victim-Aware Adaptive Covert Channels


We investigate the problem of detecting advanced covert channel techniques, namely victim-aware adaptive covert channels. A covert channel is considered victim-aware when the attacker mimics the content of the victim’s legitimate communication, such as application-layer metadata, in order to evade detection by a security monitor. In this paper, we show that victim-aware adaptive covert channels break the underlying assumptions of existing covert channel detection solutions, thereby exposing a lack of detection mechanisms against this threat. We first propose a toolchain, Chameleon, to create synthetic datasets containing victim-aware adaptive covert channel traffic. Armed with Chameleon, we evaluate state-of-the-art detection solutions and show that they fail to effectively detect stealthy attacks. Finally, we propose HoneyTraffic, a deception-based detection solution for this threat, which generates network messages containing honey tokens while mimicking the victim’s communication. Our approach detects victim-aware adaptive covert channels by observing inconsistencies in such tokens, which are induced by the attacker attempting to mimic the victim’s traffic.

Conference paper
Proceedings of the International Conference on Security and Privacy in Communication Networks (SecureComm)