Eleventh International Network Conference (INC 2016)
Title: On the Performance of Anomaly Detection Systems Uncovering Traffic Mimicking Covert Channels
Author(s): Johannes Bouche, Denis Hock, Martin Kappes
Keywords: Anomaly Detection, Mimicry, Covert Channels, Snort
Abstract: Anomaly Detection Systems aim to construct accurate network traffic models with the objective of discovering yet unknown malicious network traffic patterns. In this paper, we study the use of the same methods in order to create a covert channel which is not discovered by Anomaly Detection Systems and can be used to exfiltrate (malicious) traffic from a network. The channel is created by imitating current network traffic behaviour as detected by passive network analysis. Moreover, we present methods for calculating thresholds for the bandwidth of the channel such that, with high probability, the resulting traffic falls within the margins of the Anomaly Detection System under consideration. We also present results of practical experiments with commonly used Anomaly Detection Systems showing the practical applicability of our approach.
Download count: 1033
How to get this paper:
A PDF copy of this paper is free to download. You may distribute this copy provided you cite this page as the source.