Hidden channel. About side channels



Kogos Konstantin Grigorievich. A method for counteracting information leakage through covert channels based on changing the lengths of transmitted packets: dissertation ... Candidate of Technical Sciences: 05.13.19 / Kogos Konstantin Grigorievich; [Place of defense: Federal State Autonomous Educational Institution of Higher Professional Education "National Research Nuclear University MEPhI"]. - Moscow, 2015. - 116 p.

Introduction

1 Study of ways to build and counteract information leakage through covert channels in packet data networks

1.1 Approaches to identifying covert channels

1.2 Covert channels in packet data networks

1.3 Countering information leakage through covert channels

1.3.1 Identification of covert channels

1.3.2 Covert channel analysis

1.3.3 Bandwidth limiting and covert channel suppression

1.3.4 Detection of covert channels

1.3.5 Countering information leakage through network covert channels

1.4 Conclusions

2 Methodology for analyzing and assessing the capacity of covert channels when introducing methods for limiting capacity

2.1 Estimation of the maximum throughput of a covert channel for stream traffic encryption

2.2 Estimation of the maximum throughput of a covert channel with block encryption of traffic

2.3 Methodology for analyzing and assessing the capacity of covert channels in conditions of counteraction

2.4 Conclusions

3 A method for limiting the capacity of covert channels by increasing the length of transmitted packets

3.1 A method to counteract information leakage by randomly increasing the lengths of transmitted packets

3.2 Estimation of the capacity of a covert channel in conditions of counteraction

3.3 Construction of a covert channel in which the lengths of transmitted packets take on uniformly distributed values

3.4 Estimation of the capacity of a covert channel in which the lengths of transmitted packets take on uniformly distributed values

3.5 Estimation of the capacity of a covert channel with a given error level, at which the lengths of transmitted packets take on uniformly distributed values

3.6 Conclusions

4 Method for limiting the capacity of covert channels by generating fictitious traffic

4.1 Method of counteracting information leakage by generating fictitious traffic

4.2 Estimating the capacity of a covert channel for deterministic generation of fictitious traffic

4.3 Estimating the capacity of a covert channel with random generation of fictitious traffic

4.4 Conclusions

5 Application of developed methods for limiting the capacity of covert channels

5.3 Implementation of the results of dissertation work

5.4 Conclusions

Conclusion

List of abbreviations and symbols

References

Introduction to the work

Relevance of the work. At the present stage of development of information technology, with computer technology being introduced on a mass scale into all fields and spheres of human activity, information security problems are becoming ever more relevant; the successful functioning of government and commercial organizations depends largely on how well they are solved.

At present, and for the foreseeable future, packet data networks will continue to be used widely. This makes the following threat very significant: an intruder covertly exploits features of the IP protocol to transmit restricted-access information over communication channels that extend beyond the boundaries of the informatization objects on which that information is processed.

The need to create and continually improve methods of counteracting information leakage through so-called covert channels is also due to the fact that such channels can be built even where traditional network protection measures (firewalling, traffic tunneling, etc.) are in place. Research shows that the threat persists even when information is transmitted in encrypted form. According to the domestic standard GOST R 53113.2-2009, information about packet sizes and the time intervals between their appearance can be used to organize a covert channel under tunneling and traffic encryption. The analysis of covert channels is addressed by such domestic and foreign scientists as Anikeev M.V., Grusho A.A., Matveev S.V., Timonina E.E., Zander S., Cabuk S., Kemmerer R.A., Lampson B.W., Millen J.C. and others.

The significance of the dissertation is confirmed by the List of priority problems of scientific research in the field of information security of the Russian Federation (paragraphs 45, 48, 74), by the presence in GOST R ISO/IEC 15408-2-2013 of a class of functional requirements concerning the limitation and suppression of covert channels, and by the approach to countering information leakage through covert channels regulated by GOST R 53113.

The threat of information leakage through covert channels is made particularly relevant by well-known research results according to which an adversary who knows the control scheme of the security system can create a covert channel invisible to the controlling entity, both for controlling a software or hardware agent inside a computer system and for communication between software and hardware agents in an open environment.

One way to ensure that there are no network covert channels in a system is to build and maintain a closed, trusted software and hardware environment, in which the introduction of an intruder's agent is impossible at any stage of the system's life cycle. However, because imported hardware and software are in widespread use, such an approach is often practically impossible to implement, since the intruder's agent can be injected both at the end nodes and at intermediate nodes along the path the traffic follows. Transmitting data over communication channels in encrypted form does not solve the problem of information leakage through certain classes of network covert channels. At the same time, examining even known code for software implants (backdoors) is a labor-intensive scientific and technical task and becomes practically impossible when the software changes frequently. Thus, implementing this approach to preventing information leakage through network covert channels is a non-trivial task that cannot be brought to practical implementation in every system.

Another way to exclude the conditions under which network covert channels function is to normalize the parameters of packet data transmission, that is, to send fixed-length packets with fixed headers at regular intervals. This leads to a significant decrease in the efficiency with which the bandwidth of communication channels is used and to an increase in the cost of their use.

For the above reasons, and in accordance with GOST R 53113.1-2008, in cases where the regulatory authorities or the owner of the information accept the possibility of leakage of certain volumes of data, it is recommended to use methods for limiting the capacity of covert channels. Such methods are applicable if the capacity of the covert channel can be limited to a value below the established permissible value. The feasibility of these methods is confirmed by data from IBM, according to which covert channels with a capacity of up to 0.1 bit/s may be tolerated in operation, whereas in some cases potential covert channels with a capacity of up to 100 bit/s may exist. In practice these methods, in contrast to methods for suppressing covert channels, make it possible to maintain a high effective throughput of the communication channel and to manage the operational and cost characteristics of telecommunication systems flexibly. The approach reliably limits the capacity of a wide class of covert channels regardless of how they are organized. To construct such methods, it is necessary to obtain and study estimates of the capacity of covert channels both without and with countermeasures.

In addition, assessing the capacity of a covert channel, and the danger posed by its covert operation, is one of the stages in determining the degree of danger of a covert channel in accordance with GOST R 53113.1-2008.

This work investigates covert channels based on changing the lengths of transmitted packets, since, on the one hand, such channels can be built under traffic encryption and, on the other hand, their throughput can be significantly higher than that of covert timing channels. Although ways of implementing the analyzed countermeasures, increasing packet lengths and generating fictitious traffic, are known, there are no recommendations for choosing the values of their parameters, and estimates of the residual capacity of covert channels under these countermeasures are also unknown. Therefore this work, devoted to developing and studying methods of countering information leakage through covert channels based on changing the lengths of transmitted packets, is relevant and of both scientific and practical interest.

The purpose of the dissertation work is to increase the security of information systems by developing a method for limiting the capacity of covert channels based on changing packet lengths.

In accordance with the stated goal, the following tasks are solved in the dissertation work:

analysis of existing methods for constructing covert channels in packet data networks and ways to counter them;

development of a methodology for analyzing and assessing the capacity of covert channels when applying countermeasures;

development and quantitative evaluation of methods for counteracting information leakage through covert channels based on changing packet lengths: random increase of packet lengths, and deterministic and random generation of fictitious traffic.

Main research methods. The work uses methods of information theory, probability theory, and differential and integral calculus.

The scientific novelty of the dissertation is as follows.

1. A methodology has been proposed for analyzing and assessing the capacity of covert channels, using information theory methods, under conditions where their capacity is limited; unlike existing approaches, it allows the dependence of covert channel characteristics on the parameters of the countermeasure to be investigated.

2. Methods have been developed to counteract information leakage through covert channels based on changing the lengths of transmitted packets, by randomly increasing them and by deterministic and random generation of fictitious traffic; they differ from known methods in that they are applicable where a covert channel of acceptable capacity is permitted to exist in the information system.

3. For the first time, estimates of the capacity of covert channels based on changes in the lengths of transmitted packets have been obtained both in the absence of counteraction and under measures that prevent information leakage.

The theoretical significance of the work consists in:

methods of counteracting information leakage through covert channels based on changing packet lengths by randomly increasing the lengths of packets to be sent, deterministic and random generation of fictitious traffic;

methodology for analyzing and assessing the capacity of covert channels when applying methods for limiting capacity;

formulas for calculating the parameter values of the proposed countermeasures at which the throughput of the covert channel does not exceed a given value.

The practical significance of the work consists in:

methods for limiting the capacity of covert channels based on changing packet lengths by randomly increasing the lengths of packets to be sent, deterministic and random generation of fictitious traffic;

estimation of the maximum throughput of a covert channel based on changes in the lengths of transmitted packets, in the absence of counteraction in the conditions of stream and block traffic encryption;

methodology for analyzing and assessing the capacity of a covert channel in the context of the introduction of countermeasures;

software tools for calculating the parameter values of the proposed countermeasures, allowing the residual capacity of the covert channel to be reduced to a given value.

Implementation of research results. The practical significance of the dissertation results is confirmed by three acts of implementation. The methods developed by the author to counteract information leakage through covert channels were introduced into the activities of Gollard CJSC for the modernization of the Sito software package, designed to suppress the functioning of covert logical channels. The results of the dissertation were also introduced into the research and development work carried out by Information Protection LLC. The theoretical results were introduced into the educational process of the department of "Cryptology and Discrete Mathematics" of the National Research Nuclear University MEPhI as part of the training course "Cryptographic Protocols and Standards".

Publications and presentation of the work. The results of the dissertation are presented in 15 published and equivalent works, including five scientific articles in publications on the List of leading peer-reviewed scientific journals, four scientific articles in journals indexed by the international scientific citation system Scopus, one of which is in a journal also indexed by Web of Science, and two certificates of state registration of computer programs. The results were presented at conferences and seminars at various levels, including:

23rd and 24th scientific and technical conferences “Methods and technical means of ensuring information security” (St. Petersburg, 2014, 2015);

XXII All-Russian Scientific and Practical Conference “Problems of Information Security in the Higher Education System” (Moscow, 2015);

scientific and practical seminar at the Center for Special Developments of the Ministry of Defense of the Russian Federation (Moscow, 2015);

14th All-Russian conference "Siberian scientific school-seminar with international participation 'Computer security and cryptography'" SIBECRYPT'15 (Novosibirsk, 2015);

The International Conference on Open and Big Data OBD 2015 (Rome, Italy, 2015);

The 5th International Conference on IT Convergence and Security ICITCS 2015 (Kuala Lumpur, Malaysia, 2015);

The 2nd Workshop on Emerging Aspects in Information Security EAIS’15 (Lodz, Poland, 2015);

The 8th International Conference on Security of Information and Networks SIN 2015 (Sochi, 2015).

Main provisions submitted for defense:

assessment of the maximum throughput of covert channels based on changes in packet lengths for stream and block traffic encryption;

methodology for analyzing and assessing the capacity of covert channels when introducing methods for limiting capacity;

methods of counteracting information leakage through covert channels based on changing packet lengths by randomly increasing the lengths of transmitted packets, deterministic and random generation of fictitious traffic;

expressions for calculating the parameter values ​​of the proposed methods for countering information leakage through covert channels and recommendations for their selection.

Structure and scope of work. The dissertation consists of an introduction, five sections, a conclusion, a bibliography including 148 titles, and two appendices. The thesis is presented on 114 pages with 27 figures and 12 tables, not including appendices.

Counteracting information leakage through hidden channels

Indirect covert storage channel design. Data can also be hidden in the padding of a frame or packet with irrelevant information when the length of the frame or packet must be at least a certain value. For example, such hidden data transfer is possible when using the Ethernet protocol, in which frames must be padded to a minimum length of 60 bytes. If the protocol's terms of use do not prescribe specific values for the padding bytes, any data may be used. Similarly, hidden transmission of information can be organized for the IPv4, IPv6 and TCP protocols.
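As an added illustration of the padding check a defender can make (this is example code written for this page, not from the dissertation or the Sito package; the frame layout is constructed and the 60-byte minimum is the one quoted above), the following Python parses an Ethernet frame carrying IPv4, locates the padding that follows the IP datagram using the IPv4 Total Length field, and reports whether that padding is all zeros:

```python
import struct

ETH_HDR_LEN = 14        # destination MAC, source MAC, EtherType
ETH_MIN_FRAME = 60      # minimum frame length without FCS, as quoted in the text
ETHERTYPE_IPV4 = 0x0800
IPV4_HDR_MIN = 20


def padding_region(frame: bytes) -> bytes:
    """Return the Ethernet padding of an IPv4 frame (b'' when there is none).

    The IP datagram ends where its Total Length field says it ends; anything
    between that point and the end of the frame is link-layer padding, whose
    contents the protocol leaves unspecified and which a sender could fill
    with arbitrary data.
    """
    if len(frame) < ETH_HDR_LEN + IPV4_HDR_MIN:
        raise ValueError("frame too short for Ethernet and IPv4 headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("this example handles IPv4 frames only")
    (ip_total_len,) = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])
    return frame[ETH_HDR_LEN + ip_total_len:]


def padding_is_clean(frame: bytes) -> bool:
    """True when every padding byte is zero, i.e. nothing rides in the padding."""
    return not any(padding_region(frame))


def build_frame(udp_payload: bytes, filler: bytes = b"") -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + UDP headers, payload, padding.

    The padding is `filler` followed by zeros up to the 60-byte minimum; a
    non-empty filler models a sender abusing the padding bytes.  Addresses and
    ports are made-up sample values.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(udp_payload)
    total_len = IPV4_HDR_MIN + udp_len
    # version/IHL, DSCP, total length, id, flags/fragment, TTL, proto=UDP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0)
    frame = eth + ip + udp + udp_payload
    pad_len = max(0, ETH_MIN_FRAME - len(frame))
    padding = (filler + bytes(pad_len))[:pad_len]
    return frame + padding


if __name__ == "__main__":
    normal = build_frame(b"")
    suspicious = build_frame(b"", filler=b"hidden")
    print(len(padding_region(normal)), padding_is_clean(normal))
    print(len(padding_region(suspicious)), padding_is_clean(suspicious))
```

An empty UDP datagram gives a 42-byte frame and therefore 18 bytes of padding; the same check applied to captured traffic would flag frames whose padding is not all zeros, which is the observable the storage channel described above relies on.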

Changing the recipient addresses in sequentially transmitted packets to build a covert channel has been proposed by a number of authors. Another author proposed using the sum of all bits of the transmitted packet for hidden transmission of information. Information can also be conveyed by changing the order in which N packets are transmitted through X TCP streams; if packets are imagined as balls and streams as urns, this covert channel corresponds directly to the problem of placing N balls into X urns. The deliberate dropping by the sender of some of the packets to be sent has been used to build a low-bandwidth covert channel.

Covert statistical channels have been analyzed in detail in the literature. An example of a covert statistical channel is the transmission of some unlikely packet within a time interval predetermined by the attacker.

Hidden information can be transmitted by changing the packet transmission rate. The capacity of such a covert channel is log2 r bits per time interval, where r is the number of distinct packet transmission rates. A binary covert channel based on packet transmission rate has also been studied.

The lengths of inter-packet intervals were first proposed as a basis for covert channels in the literature. The JitterBug technique was proposed for constructing binary covert channels based on changing the lengths of inter-packet intervals. Another scheme for covert information transmission using inter-packet interval lengths has been studied, with recommendations for choosing the encoding parameter values at which the throughput of the covert channel is greatest. A covert channel based on changing the lengths of inter-packet intervals has been proposed whose probability of detection is approximately 9%, while the probability of a type II error does not exceed 0.5%.

Reordering the sequence of packets to be sent on the sender's side has also been proposed as a way to build a covert channel. Since there are n! ways to reorder n packets, the throughput of such a channel is (log2 n!)/n bits per packet.

In another described covert channel, the sender sends a large number of requests to a server to transmit a "1" or does nothing to transmit a "0". After each time interval, the recipient sends requests to the server and measures the response time to recover the transmitted information.

A covert channel has been developed based on the fact that processor temperature is directly proportional to the number of packets processed per unit time, while system clock skew depends on processor temperature. During each time slot, the covert sender either sends packets to an intermediate node or stays idle. The covert receiver estimates the clock skew of the intermediate node by analyzing the timestamp values in the packets received from it, for example the Timestamp fields of received TCP packet headers. A number of works have proposed schemes for embedding distinguishing information into the lengths of inter-packet intervals in order to track traffic passing through proxy servers and anonymity networks.

Changing the length of link-layer frames for covert transmission of information was first proposed as follows: the sender and recipient know a rule by which each byte of the hidden message corresponds to a certain frame length, so that 256 different frame lengths are required to represent all possible byte values of the transmitted message. Such covert channels require special attention, as it is shown below that their throughput can exceed 1% and 0.1% of the communication channel capacity when using the IPv4 and IPv6 network layer protocols, respectively.

A covert channel has been proposed in which the sender and receiver share a periodically updated matrix whose elements are unique, unordered packet lengths. The sender uses the bits of the secretly transmitted message to choose a row of the matrix and picks the packet length at random from that row; the recipient finds the length of the received packet in the matrix and recovers the message bits from the row number.

This scheme has been improved as follows: before covert transmission begins, the sender and recipient build a dynamically updated directory of packet lengths by recording the lengths of traffic packets characteristic of the absence of a covert channel. To transmit a message covertly, the sender sends a packet whose length is selected from the directory by an algorithm known to both parties, and the length of each subsequent packet equals the length of the previous packet plus the number corresponding to the bits of the secret message. The improvement significantly reduces the space and time complexity of decoding, since the recipient does not store the entire directory. Using both the lengths and the contents of packets together to build a high-throughput covert channel has also been proposed.

The presented schemes for covert information transmission using changes in packet lengths are, on the one hand, difficult to detect and, on the other hand, can have a fairly high throughput compared with covert timing channels. This is because covert timing channels are noisy channels: packet transit time is a random variable, and the probability of packet loss is non-zero.

Estimation of the maximum throughput of a covert channel for block traffic encryption

Traffic encryption is a traditional way to protect restricted information transmitted over a network; however, the covert channels based on changing packet lengths studied in this work can be built under traffic encryption. As a rule, because of the large volume of encrypted data and the need for high encryption and decryption speeds, symmetric algorithms are used to ensure the confidentiality of transmitted data. Based on how they process information, symmetric algorithms are divided into stream and block ciphers. This subsection is devoted to estimating the maximum throughput of covert channels based on changes in the lengths of transmitted packets when traffic is protected with stream encryption. The use of stream encryption methods to protect traffic has been studied, for example, in the literature.

When stream encryption algorithms are used, the length of the message does not change, so the covert channel chosen for study is constructed as follows. Let the packet lengths take values in the set $\mathbb{N}_{l_{fix}+L} \setminus \mathbb{N}_{l_{fix}}$, $l_{fix}, L \in \mathbb{N}$, where $\mathbb{N}_x$ is the set of natural numbers from 1 to $x$. Then the covert channel of greatest capacity is the one in which, to transmit the symbol $i$, the sender sends a packet of length $l_{fix} + i$, $i \in \mathbb{N}_{n-1} \cup \{0\}$, where $n \in \mathbb{N}$ is the parameter of the covert channel. To estimate the capacity $v$ of the covert channel, here and below, the method chosen is based on the mutual information $I(X;Y) = H(Y) - H(Y|X)$ of the random variables $X$ and $Y$, which describe the input and output of the covert channel respectively, where
$H(Y|X) = -\sum_{i} p_{ex}(i) \sum_{j} p_{ba}(j|i) \log_2 p_{ba}(j|i)$
is the conditional entropy of $Y$ given $X$, $p_{ex}(i)$ is the probability of sending the symbol $i$, $p_{ba}(j)$ is the probability that the recipient recognizes the symbol $j$, and $p_{ba}(j|i)$ is the conditional probability that the recipient recognizes the symbol $j$ when the symbol $i$ was sent.

With equiprobable symbols transmitted over the covert channel, the entropy of the random variable $Y$ is determined by the covert channel parameter $n$ and is equal to

Obviously, as $n$ increases, both the average length of transmitted packets and the number of bits carried by one packet over the covert channel increase. The average packet transmission time $t$ is determined by the expression below, attained when the average length of transmitted packets equals the value given. Thus, the capacity $v$ of the covert channel is determined by the following expression:

To find the value of the covert channel parameter $n$, as a function of the countermeasure parameter $a$, at which this expression is greatest, it is proposed to pass from the discrete variable $n$ to a continuous variable $n$ defined on the half-interval $[1, +\infty)$. The function of $n$ is defined and continuous on this set, which makes it possible to find the extremum by differentiation. The derivative of the function $v$ with respect to $n$ is determined as follows:

Note that the covert channel parameter $n$ takes integer values, so the actual value $n_0$ of the parameter must be chosen as follows:

As a rule, $l_{fix}$ is the sum of the lengths of the network and link layer headers of the open systems interconnection model. For example, when IPv4 is the network layer protocol and Ethernet the link layer technology, the sum of the network and link layer header lengths is at least 34 bytes; for IPv6 the same value is 54 bytes. Then, as can be seen from Table 8, with stream traffic encryption over IPv4 the throughput of the covert channel is maximal at $n = 138$ and reaches approximately $0.021R$, while over IPv6 it is maximal at $n = 201$ and reaches approximately $0.014R$, where $R$ is the communication channel capacity.

Table 8 - Bandwidth of covert channels with stream traffic encryption

These results confirm the relevance of research into methods for counteracting information leakage through covert channels, since they show that a covert channel with a capacity above 10 Mbit/s can be built over a communication channel with a capacity of 1 Gbit/s.
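To make the procedure of this subsection concrete (pass to a continuous $n$, differentiate, then pick the integer $n_0$), here is an added Python example; it is not the dissertation's own program. It assumes the capacity model $v/R = \log_2 n \,/\, (l_{fix} + (n-1)/2)$ with all lengths in bits, which is my reading of the channel described above ($n$ equiprobable symbols, symbol $i$ sent as a packet of length $l_{fix} + i$); the `step_bits` parameter is my generalization to the block-encryption case, where lengths grow in multiples of the block length. With $l_{fix}$ of 34 and 54 bytes it reproduces the $n = 138$ and $n = 201$ optima and the $0.021R$ and $0.014R$ values quoted from Table 8.

```python
import math


def capacity_ratio(n: int, l_fix_bits: int, step_bits: int = 1) -> float:
    """Covert capacity v as a fraction of the carrier rate R.

    Assumed model (not quoted from the page): n equiprobable symbols, symbol i is
    sent as a packet of l_fix + i*step bits, so a packet carries log2(n) covert
    bits and the mean packet length is l_fix + step*(n-1)/2 bits.  Dividing the
    bits per packet by the mean transmission time (mean length / R) gives v/R.
    """
    if n < 2:
        return 0.0
    mean_len = l_fix_bits + step_bits * (n - 1) / 2
    return math.log2(n) / mean_len


def continuous_optimum(l_fix_bits: int, step_bits: int = 1) -> float:
    """Real-valued n maximizing capacity_ratio.

    Setting d/dn [log2(n) / (l_fix + step*(n-1)/2)] = 0 and simplifying gives
    n*(ln n - 1) = 2*l_fix/step - 1; the left side is increasing for n >= 1,
    so the root is found by bisection.
    """
    target = 2 * l_fix_bits / step_bits - 1

    def g(n: float) -> float:
        return n * (math.log(n) - 1) - target

    lo, hi = 1.0, 2.0
    while g(hi) < 0:          # grow the bracket until the root is inside it
        hi *= 2
    for _ in range(200):
        mid = (lo + hi) / 2
        if g(mid) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def best_parameter(l_fix_bits: int, step_bits: int = 1) -> int:
    """Integer parameter n_0: whichever of floor/ceil of the real optimum is better."""
    n_star = continuous_optimum(l_fix_bits, step_bits)
    candidates = {max(2, math.floor(n_star)), max(2, math.ceil(n_star))}
    return max(candidates, key=lambda n: capacity_ratio(n, l_fix_bits, step_bits))


if __name__ == "__main__":
    # Header sums from the text: 34 bytes for IPv4+Ethernet, 54 bytes for IPv6+Ethernet.
    for proto, hdr_bytes in (("IPv4+Ethernet", 34), ("IPv6+Ethernet", 54)):
        n0 = best_parameter(8 * hdr_bytes)
        print(f"{proto}: n0 = {n0}, v = {capacity_ratio(n0, 8 * hdr_bytes):.3f} R")
```

Running it prints n0 = 138 with v ≈ 0.021 R for IPv4 and n0 = 201 with v ≈ 0.014 R for IPv6. Passing, for example, `step_bits=128` models the block-encryption case under the same assumption that the sender can only lengthen packets in whole blocks.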

In block encryption, the plaintext is divided into blocks of equal size determined by the algorithm, and each block is encrypted independently by the cipher's substitution; decryption proceeds in the same way. Thus, if $l_{bl}$ is the block length, the plaintext must be brought to a length that is a multiple of $l_{bl}$ before encryption begins. Methods for padding plaintext to the required length are described in the literature. Since the new domestic encryption standard is a symmetric block cipher with block sizes of 64 and 128 bits, the results obtained below also apply when a communication channel is encrypted with that algorithm. If the plaintext has length $l_0$, then after encryption the length of the ciphertext is

Since, with this method of constructing a covert channel, increasing packet lengths to values that are multiples of $l_{bl}$ does not lead to errors, $H(Y|X) = 0$. Obviously, as $n$ increases, both the average length of transmitted packets and the number of bits carried by one packet over the covert channel increase. Then the average packet transmission time $t$ is determined by the expression:

Construction of a covert channel in which the lengths of transmitted packets take on uniformly distributed values

According to the reasoning above, the capacity expression as a function of $b$ takes its greatest value when the parameter $b$ is chosen equal to one. With this choice of the covert channel parameter $b$, the covert channel is constructed as follows: to transmit the symbol $i$, the sender sends a packet of length $l_{fix} + i$, $i \in \mathbb{N}_{n-1} \cup \{0\}$, where $n$ is the covert channel parameter. In this case the countermeasure leads to errors, and the probability that the recipient correctly recognizes the transmitted symbol is $1/(a+1)$. With this choice of $b$, the conditional probabilities of the recipient recognizing the transmitted symbol take the following values:

The covert channel parameter $n$ takes integer values, so the actual value $n_0$ of the parameter must be chosen as follows:

Thus, in this subsection the residual throughput of a covert channel based on changing packet lengths has been estimated under a random increase in the lengths of the packets to be sent. A necessary condition for constructing the studied covert channel is a uniform distribution over the set of lengths of transmitted packets. The construction of the covert channel that is best in terms of residual capacity has been selected. However, the error level when transmitting data over the constructed covert channel is equal to

If a permissible error level is given, the parameters of the covert channel must be chosen differently, which reduces its throughput. The next subsection studies the residual capacity of the covert channel when a permissible error level is specified and the lengths of transmitted packets are uniformly distributed over a set.

Estimating the capacity of a covert channel with a given error level, at which the lengths of transmitted packets take on uniformly distributed values

The previous subsection estimates the maximum capacity of a covert channel in which the lengths of transmitted packets are uniformly distributed over a certain set; it is attained when the covert channel parameter $b$ equals one. However, with this construction the probability of correctly recognizing the transmitted symbol is only $1/(a+1)$. The error rate can be an important parameter, since covert channels are often used to leak critical information such as cryptographic keys and passwords. Let $p$ be the specified permissible error level when transmitting data over the covert channel. Then the covert channel parameter $b$ should be chosen equal to

Thus, in this subsection we investigated a covert channel in which the lengths of transmitted packets take uniformly distributed values and the error level does not exceed a specified value. The coding scheme that is best in terms of residual capacity, subject to that requirement, has been selected, and the residual capacity of the covert channel under counteraction has been estimated.
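To show how residual capacity and error level trade off under the random length increase studied in this section, here is an added Python example; it is my own model, not the dissertation's derivation or its registered software. It assumes $n$ equiprobable symbols, symbol $i$ sent as a packet of $l_{fix} + b \cdot i$ bits ($b$ is the spacing parameter), and a countermeasure that appends $u$ extra bits with $u$ uniform on $0..a$; the receiver observes $y = b \cdot i + u$ and decodes $\lfloor y/b \rfloor$. The mutual information $I(X;Y) = H(Y) - H(Y|X)$ is computed from the full transition matrix with the conditional-entropy formula given in the stream-encryption subsection, and the residual capacity divides it by the mean packet length. With $b = 1$ the probability of correct recognition is $1/(a+1)$, as stated above; raising $b$ to $a + 1$ removes the errors at the cost of longer packets. The formula for choosing $b$ from the permissible error level is the one this model yields, not the dissertation's.

```python
import math
from fractions import Fraction


def transition_matrix(n: int, b: int, a: int) -> list:
    """p(y|x) for x in 0..n-1: observed offset y = b*x + u, u uniform on 0..a (assumed model)."""
    rows = []
    for x in range(n):
        row = {}
        for u in range(a + 1):
            y = b * x + u
            row[y] = row.get(y, Fraction(0)) + Fraction(1, a + 1)
        rows.append(row)
    return rows


def entropy(dist: dict) -> float:
    """Shannon entropy in bits of a distribution given as value -> probability."""
    return -sum(float(p) * math.log2(float(p)) for p in dist.values() if p > 0)


def mutual_information(n: int, b: int, a: int) -> float:
    """I(X;Y) = H(Y) - H(Y|X) with p_ex(i) = 1/n; H(Y|X) = sum_i p_ex(i) H(Y|X=i)."""
    rows = transition_matrix(n, b, a)
    p_y = {}
    for row in rows:
        for y, p in row.items():
            p_y[y] = p_y.get(y, Fraction(0)) + p / n
    h_y = entropy(p_y)
    h_y_given_x = sum(entropy(row) for row in rows) / n
    return h_y - h_y_given_x


def residual_capacity_ratio(n: int, b: int, a: int, l_fix_bits: int) -> float:
    """Residual covert capacity per bit of carrier rate R: I(X;Y) over the mean packet length.

    Mean length = l_fix + b*(n-1)/2 (symbol part) + a/2 (random increase), all in bits.
    """
    mean_len = l_fix_bits + b * (n - 1) / 2 + a / 2
    return mutual_information(n, b, a) / mean_len


def correct_decode_probability(b: int, a: int) -> float:
    """The receiver decodes floor(y/b), which is right exactly when u < b."""
    return min(1.0, b / (a + 1))


def spacing_for_error_level(a: int, p_err: float) -> int:
    """Smallest spacing b whose error probability 1 - b/(a+1) does not exceed p_err."""
    return max(1, math.ceil((1 - p_err) * (a + 1)))


if __name__ == "__main__":
    n, a, l_fix = 128, 7, 8 * 34          # constructed sample parameters
    for b in (1, 2, 4, 8):
        print(f"b={b}: P(correct)={correct_decode_probability(b, a):.3f}, "
              f"I={mutual_information(n, b, a):.3f} bit/packet, "
              f"v/R={residual_capacity_ratio(n, b, a, l_fix):.4f}")
```

The run shows the two effects the section describes: for a fixed countermeasure parameter $a$, a larger spacing $b$ raises the per-packet information towards $\log_2 n$ and drives the error probability to zero, while the longer packets lower the residual capacity per bit of carrier rate; the defender's choice of $a$ sets how much extra load buys how much residual capacity.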

This section develops a method to counteract information leakage through covert channels in packet data networks by randomly increasing the length of each packet. Although an implementation scheme for this countermeasure was known, estimating the residual capacity of the covert channel under the countermeasure remained an unsolved problem. Increasing packet lengths does not desynchronize the sender and recipient, but covert channels that are resistant to this countermeasure must be built in the special way proposed in the work.

An estimate is given of the maximum throughput of a covert channel based on changes in packet lengths under a random increase in the lengths of the packets to be sent. Particular attention is paid to the capacity of covert channels in which the lengths of transmitted packets take uniformly distributed values, and to the error level during data transmission. The results make it possible to apply the proposed countermeasure of randomly increasing the lengths of packets to be sent so that, given the acceptable capacity of the covert channel, the additional load on the communication channel is minimized.

4 Method for limiting the capacity of covert channels by generating fictitious traffic

This section is devoted to the development and research of a method for countering information leakage through covert channels by generating fictitious traffic. Two methods of generating fictitious traffic are proposed: deterministic and random. For both cases, expressions are obtained for estimating the residual capacity of a binary covert channel during synchronization by sending packets of a special type.

With deterministic generation of fictitious traffic, after every k packets carrying real data a fictitious packet of random length is sent; k is the parameter of the countermeasure that controls how often fictitious packets are sent. The effective capacity of the communication channel under this countermeasure is then expressed as a function of k.
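The two countermeasures described above (random growth of every packet by 0..a bytes in section 3, and one random-length dummy packet after every k real packets in section 4) can be checked numerically against a length-based covert channel. The simulation below is an added illustration and is not the dissertation's code: the codeword scheme (symbol i is sent as a packet of BASE_LEN + i*b bytes), the binary parity code used for the dummy-traffic part, the packet length range and the parameter names are assumptions of this example. It estimates the residual capacity as the mutual information between sent and decoded symbols, which is what the text's capacity estimates measure analytically.

```python
"""Added simulation (not the dissertation's code): a covert channel that
encodes symbols in packet lengths, and the two countermeasures discussed in
the text. The encoding, the parameter names and the sample traffic are
assumptions of this example."""
import math
import random
from collections import Counter

BASE_LEN = 100  # assumed smallest codeword length in bytes


def encode(symbol, b):
    """Symbol i is sent as a packet of length BASE_LEN + i*b (assumed code);
    b is the covert channel parameter, b = 1 packs the codewords densest."""
    return BASE_LEN + symbol * b


def decode(length, b, n_symbols):
    """Receiver maps an observed length back to the nearest codeword below it."""
    sym = (length - BASE_LEN) // b
    return max(0, min(n_symbols - 1, sym))


def mutual_information(counts, n_symbols):
    """I(X;Y) in bits for uniformly chosen X, estimated from {(x, y): n} counts."""
    total = sum(counts.values())
    p_x = 1.0 / n_symbols
    p_y = Counter()
    for (_, y), n in counts.items():
        p_y[y] += n / total
    info = 0.0
    for (_, y), n in counts.items():
        p_xy = n / total
        info += p_xy * math.log2(p_xy / (p_x * p_y[y]))
    return info


def simulate_padding(n_symbols=8, b=1, a=3, trials=20000, seed=1):
    """Section 3 countermeasure: every packet grows by a random 0..a bytes.
    Returns (residual capacity in bits per packet, symbol error rate)."""
    rng = random.Random(seed)
    counts = Counter()
    errors = 0
    for _ in range(trials):
        x = rng.randrange(n_symbols)
        observed = encode(x, b) + rng.randint(0, a)   # random length increase
        y = decode(observed, b, n_symbols)
        counts[(x, y)] += 1
        errors += int(x != y)
    return mutual_information(counts, n_symbols), errors / trials


def simulate_dummy_traffic(k=4, n_bits=4000, min_len=100, max_len=1500, seed=2):
    """Section 4 countermeasure, deterministic variant: after every k real
    packets one dummy packet of random length is sent. Here one bit rides in
    the parity of each real packet's length (assumed binary code).
    Returns (share of link bytes carried by real packets, bit error rate of a
    receiver that cannot tell dummy packets from real ones)."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    stream = []  # (length, is_dummy)
    for i, bit in enumerate(bits):
        base = rng.randrange(min_len, max_len + 1)
        stream.append(((base & ~1) | bit, False))
        if (i + 1) % k == 0:
            stream.append((rng.randrange(min_len, max_len + 1), True))
    real_bytes = sum(length for length, dummy in stream if not dummy)
    all_bytes = sum(length for length, _ in stream)
    # The naive receiver decodes every packet, so each dummy shifts its bit stream.
    decoded = [length % 2 for length, _ in stream][:n_bits]
    ber = sum(x != y for x, y in zip(bits, decoded)) / n_bits
    return real_bytes / all_bytes, ber


if __name__ == "__main__":
    for a, b in ((0, 1), (3, 1), (3, 4)):
        cap, err = simulate_padding(a=a, b=b)
        print(f"a={a} b={b}: residual capacity {cap:.2f} bit/packet, error rate {err:.2f}")
    share, ber = simulate_dummy_traffic(k=4)
    print(f"k=4 dummy traffic: real share {share:.2f}, naive receiver BER {ber:.2f}")
```

Two things to read off the output: with b = 1 and a = 3 the channel keeps about a third of its 3-bit capacity but most symbols are decoded wrongly, while choosing b = a + 1 restores error-free decoding at the cost of larger (more conspicuous) packets, which is the trade-off between capacity and error level that the text's parameter b controls. For dummy traffic, the legitimate link pays roughly k/(k+1) of its bytes for real data, and a covert receiver that has no synchronization marker loses its framing after the first dummy packet.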

Estimating the capacity of a covert channel with random generation of fictitious traffic

Because of the complexity of the analytical dependencies linking the parameters of the covert channel and of the countermeasure, closed-form formulas for the countermeasure parameter can be obtained only in some cases; in the others, computed data, visualization or other approaches have to be used, depending on the countermeasure being studied and the type of covert channel.

This section gives recommendations on choosing parameter values for the developed methods of countering the leakage of restricted-access information through covert channels based on changing the lengths of transmitted packets. Since in some cases the parameter values of the developed countermeasures that limit covert channel capacity have to be determined by computation over complex analytical dependencies, software tools were implemented that compute the required parameter values of the proposed countermeasures while keeping the additional load on the communication channel low. Two certificates of state registration of computer programs were obtained (Appendices 1 and 2); the programs automate the selection of parameter values for the countermeasures based on randomly increasing packet lengths and on generating fictitious traffic, respectively.

Consider the method of counteracting information leakage through covert channels based on changing the lengths of transmitted packets by randomly increasing them, proposed in the third section of the dissertation. Summarizing the dependencies obtained, there are three cases for which the capacity of the covert channel under counteraction is determined:

- the channel that has the highest capacity once the countermeasure is introduced (K1);
- the channel that has the highest capacity once the countermeasure is introduced, subject to the condition that the lengths of transmitted packets take uniformly distributed values (K2);
- the channel that has the highest capacity once the countermeasure is introduced, subject to the conditions that the lengths of transmitted packets take uniformly distributed values and the error level does not exceed a specified value (K3).

The values of the parameter of the countermeasure based on randomly increasing the lengths of transmitted packets that limit the capacity of these covert channels are to be determined by computation. Table 12 shows the relationship between the covert channel parameters, the covert channel capacity and the countermeasure parameter.

In some applications the case of interest is when the lengths of transmitted packets take values on a given set. Assume that, when the covert channel is constructed, the lengths of transmitted packets are uniformly distributed on that set. Under counteraction the covert channel is organized as follows: to transmit symbol i the sender sends a packet whose length lies in a subset W_i of the admissible lengths; the subsets are built from the given set with a spacing determined by the covert channel parameter b. From the results of the third section of the dissertation it follows that the capacity v of a covert channel constructed in this way is maximal when b = 1. Let a permissible covert channel capacity v_0 be given, such that the operation of covert channels with lower capacity is considered harmless, and let a_0 be the value of the countermeasure parameter a at which the capacity equals v_0. Solving this equality (equation (98) of the dissertation) for a_0 gives the required value of the countermeasure parameter.

Thus a formula has been obtained for computing the value of the countermeasure parameter at which the capacity of a covert channel constructed in this way does not exceed the specified value. However, with this way of organizing the covert channel the probability of correctly recognizing a transmitted symbol is only 1/(a + 1); that is, the channel introduces errors. The error rate is an important parameter, since covert channels are often used to leak critical information such as cryptographic keys and passwords. Let a permissible error level p for transmission over the covert channel be specified. Then, from the results of the third section of the dissertation, the value of the covert channel parameter b is chosen as a function of p.

This section gave recommendations for choosing the parameters of the proposed methods of countering information leakage through covert channels. Since in some cases the parameter values of the developed countermeasures that limit covert channel capacity have to be determined by computation over complex analytical dependencies, software tools were implemented that compute the required parameter values of the proposed countermeasures while keeping the additional load on the communication channel low. Two certificates of state registration of computer programs were obtained for the tools that automate the countermeasures based on randomly increasing packet lengths and on generating fictitious traffic, respectively. The results of putting the dissertation's findings into practice are also presented.

Attempts to hide the very fact that information is being transmitted have a long history; the methods for doing so are called steganography. Historically, invisible ink, microdots and similar techniques were used. The field has received a second life today thanks to the widespread use of data networks.

This gave rise to the term “covert channel”. The concept was first introduced by Lampson in 1973: a channel is called covert if it was not designed or intended to transmit information in an electronic data processing system. The term therefore refers primarily to communication inside a computer system rather than over a network.

Today there are many utilities and tools for steganographic information hiding, which makes detecting hidden transmissions in communication channels, and in particular detecting leaks of confidential data, an acute problem.

In any body of information, be it an executable program, an image or a network protocol, there are ways to carry additional “hidden” data. Such possibilities exist at almost every layer of the OSI model. Tunneling tools that use the service fields of the IP, TCP and UDP headers are widely known.

The main field for using covert channels is local networks with Internet access.

The covert channel owes its name to the fact that it is hidden from the access control system even of a secure operating system: it does not use legitimate transfer mechanisms such as read and write, and so cannot be detected or controlled by the hardware protection mechanisms that form the basis of secure operating systems.

Traditionally, covert channels are classified as storage channels or timing channels.

Covert storage channel: processes communicate because one of them can directly or indirectly write information to some storage location and the other can read it. Usually this means that processes with different security levels have access to a common resource (for example, certain disk sectors).

Covert timing channel: one process sends information to another by modulating its own use of system resources (for example, CPU time) so that the modulation affects the real response time observed by the second process.

The simplest covert storage channel is the ability to list at the Low level the names of directories and files created at the High level. Information can then be carried by file names chosen according to a pre-agreed code, by file attributes, sizes and modification dates in which information can be encoded, and so on. Finally, the very existence of a file with a given name carries one bit of information from the upper level to the lower one.

Another example of a storage channel is encoding information in the stored settings of any resources shared by High- and Low-level subjects. Settings made at the High level are observable at the Low level and can therefore carry information in a pre-agreed code.

Covert timing channels first received serious attention in 1976, when Millen, one of the creators of the Multics secure operating system, demonstrated to his colleagues a timing channel between isolated High and Low machines. The two machines were attached to the same read-only (ROM) library shares and had no other connection. Each subsystem contained a Trojan horse. On the High machine, the Trojan horse modulated the busy intervals of the shared library with a special code as keys were pressed on the keyboard; the Trojan horse on the Low machine polled the library with requests and measured how long it was busy. The resulting covert timing channel allowed keystrokes typed on the High subsystem to be printed on the Low subsystem in real time.

A covert channel over the Internet can be built by embedding a message in the least significant bit of each sample of a digitized image that is sent as a legitimate message. Since the last bit has little effect on image quality, the transmission is hidden from an interceptor who allows only legitimate images through. A well-known way of combating this steganographic method is to change the image format, for example by compressing it; this destroys a covert channel of this kind.
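The mechanism above, and why a format change kills it, can be shown end to end. The code below is an added example, not part of the original article: the cover image (a flat list of 8-bit grayscale values, a smooth gradient with a little noise), the payload and the recoding step are all constructed here. Lossy recompression is stood in for by a neighbour-averaging resample, which, like a JPEG round trip, changes pixels only slightly but does not preserve the LSB plane.

```python
"""Added example (not from the original article): LSB image steganography and
why lossy recoding of the carrier destroys it. The cover image, the payload
and the recoding step are constructed for this example."""
import random


def make_cover(n_pixels=2048, seed=7):
    """Constructed 8-bit grayscale 'image' as a flat list: a smooth horizontal
    gradient with a little sensor-like noise, so neighbouring pixels are similar."""
    rng = random.Random(seed)
    pixels = []
    for i in range(n_pixels):
        value = i * 255 // n_pixels + rng.randint(-3, 3)
        pixels.append(max(0, min(255, value)))
    return pixels


def to_bits(payload):
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]


def embed_lsb(pixels, payload):
    """Write each payload bit into the least significant bit of one pixel."""
    bits = to_bits(payload)
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit into the cover")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(pixels, n_bytes):
    """Read n_bytes back from the pixel LSBs."""
    out = bytearray()
    for j in range(n_bytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (pixels[8 * j + i] & 1)
        out.append(byte)
    return bytes(out)


def lossy_recode(pixels):
    """Stand-in for lossy recompression / resampling: each pixel is replaced by
    the mean of itself and its right neighbour. Visually almost identical,
    but the LSB plane is not preserved."""
    n = len(pixels)
    return [(pixels[i] + pixels[min(i + 1, n - 1)]) // 2 for i in range(n)]


def max_pixel_change(a, b):
    """Largest per-pixel difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


def bit_agreement(payload, recovered):
    """Fraction of payload bits that survived; about 0.5 means the channel is gone."""
    want, got = to_bits(payload), to_bits(recovered)
    return sum(w == g for w, g in zip(want, got)) / len(want)


if __name__ == "__main__":
    secret = b"constructed payload: key=5a7f, password=hunter2"
    cover = make_cover()
    stego = embed_lsb(cover, secret)
    print("max pixel change by embedding:", max_pixel_change(cover, stego))
    print("recovered from stego image:   ", extract_lsb(stego, len(secret)))
    damaged = lossy_recode(stego)
    print("max pixel change by recoding: ", max_pixel_change(stego, damaged))
    recovered = extract_lsb(damaged, len(secret))
    print("bit agreement after recoding: ", round(bit_agreement(secret, recovered), 2))
```

Embedding never moves a pixel by more than one gray level, which is why the stego image passes a visual check; after recoding, the recovered bits agree with the payload only about half the time, i.e. no better than guessing, even though the recoded image also looks unchanged.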

An example of a covert channel in a similar setting is the covert channel in the TCP/IP protocol suite. The 32-bit ISN (initial sequence number) field of TCP is used to set up a connection between a client and a remote server; by choosing the values of this field in, say, n packets, covert transmission can be carried out.

Another way of organizing a covert channel is to reorder network packets in a prearranged manner; a sequence of bits is then transmitted through predetermined characteristics of the ordering.

Another way to organize a covert channel is to use digital signature algorithms. S.V. Belim and A.M. Fedoseev showed in 2007 that covert channels can be built within the GOST R 34.10-2001 digital signature algorithm.

Two examples of timing channels that exploit the ability to vary how long the central processor is occupied deserve special mention. In the first, the sender changes the CPU busy time within each time slice allocated to it: for example, one busy duration encodes 1 and another encodes 0. In the second, the sender uses the time intervals between its accesses to the processor.

Intercepting information transmitted through covert channels is very difficult. It seems that the difficulties here are purely technological, relating to recording and analyzing rapidly occurring processes in computer systems. At the same time, it has been shown that a manufacturer can build implants into hardware systems that communicate with each other “invisibly” to most security tools.

When steganographic methods are used, the prospects for detecting hidden messages look more optimistic. An example of successful detection of steganographic insertion is the detection of the covert channel in the TCP ISN field mentioned above.
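The ISN channel mentioned above and one way to detect it statistically, as an added example that is not from the original article. ISN values are generated locally rather than captured from sockets; the encoding (one payload byte in the top octet of each connection's ISN, the low 24 bits random) and the chi-square test on the top nibble are assumptions of this example, chosen to match the page's description of the statistical detection method: collect a sample of observed values and compare it with the expected model.

```python
"""Added example (not from the original article): a covert channel in the TCP
initial sequence number (ISN) and a statistical detector for it. ISN values
are generated locally (no sockets); the byte-in-the-top-octet encoding and the
test threshold are assumptions of this example."""
import random
from collections import Counter

CHI2_CRIT_DF15_P001 = 37.697  # chi-square critical value, 15 degrees of freedom, p = 0.001


def legitimate_isns(n, seed=3):
    """Model of a sane ISN generator: 32-bit values that look uniformly random."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def covert_isns(payload, seed=4):
    """Sender side: one payload byte per connection, carried in the top octet of
    the ISN; the remaining 24 bits stay random so the value still looks 'big'."""
    rng = random.Random(seed)
    return [(byte << 24) | rng.getrandbits(24) for byte in payload]


def covert_receive(isns):
    """Receiver side: strip the top octet of every observed ISN."""
    return bytes(isn >> 24 for isn in isns)


def chi_square_top_nibble(isns):
    """Statistical check: the top 4 bits of a random ISN should be uniform over
    16 values. A large chi-square means the distribution is skewed (e.g. ASCII
    text, whose top nibble is almost always 2, 3, 6 or 7)."""
    counts = Counter(isn >> 28 for isn in isns)
    expected = len(isns) / 16
    return sum((counts[v] - expected) ** 2 / expected for v in range(16))


def is_suspicious(isns):
    """Flag a connection sample whose ISN top nibbles are not plausibly uniform."""
    return chi_square_top_nibble(isns) > CHI2_CRIT_DF15_P001


if __name__ == "__main__":
    message = b"constructed payload: the password is hunter2, key=0x5a7f"
    good = legitimate_isns(512)
    bad = covert_isns(message)
    print("receiver decodes:", covert_receive(bad))
    print("chi2 legitimate :", round(chi_square_top_nibble(good), 1), "suspicious:", is_suspicious(good))
    print("chi2 covert     :", round(chi_square_top_nibble(bad), 1), "suspicious:", is_suspicious(bad))
```

Two caveats a practitioner would add. First, real ISN generators are not uniform in the way this model assumes (RFC 6528 mixes a clock with a keyed hash, so the top bits of nearby connections are correlated), so a production detector must learn the baseline of the actual stack rather than assume uniformity. Second, a sender who first encrypts or whitens the payload defeats this particular test, which is exactly why the page notes that statistical steganalysis depends on an accurate model of the carrier.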

The most effective way to combat covert channels is to destroy them. For example, in the case of covert channels that leak information over an RS-232 interface, inserting between the High and Low levels a device that relays the bytes while randomizing the delay before the upper-level signal becomes visible at the lower level completely destroys any deterministic covert timing channel and significantly degrades a statistical one. Similar methods are used successfully to protect against covert transmission of information through open systems.
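The randomized-delay device described above, applied to the kind of timing channel discussed earlier (bits encoded in the gaps between packets), as an added example that is not from the original article. The gap values, the receiver threshold and the model of the normalizer as a FIFO box holding each packet for a random time are assumptions of this example.

```python
"""Added example (not from the original article): a timing covert channel that
encodes bits in inter-packet gaps, and a normalizer that defeats it by adding
a random delay to every packet. Gap values, jitter range and the FIFO model of
the normalizer are assumptions of this example."""
import random

GAP_ZERO_MS = 10.0   # assumed gap encoding a 0 bit
GAP_ONE_MS = 50.0    # assumed gap encoding a 1 bit
THRESHOLD_MS = 30.0  # receiver decision boundary


def send_times(bits, start=0.0):
    """Sender: emit packet i after a gap that depends on bit i (deterministic timing channel)."""
    times, t = [], start
    for bit in bits:
        t += GAP_ONE_MS if bit else GAP_ZERO_MS
        times.append(t)
    return times


def normalize(times, jitter_ms, rng):
    """Normalizer in the path: a FIFO box that holds each packet for a random
    0..jitter_ms before forwarding it (packets are never reordered)."""
    out, last_out = [], float("-inf")
    for t in times:
        release = max(t + rng.uniform(0.0, jitter_ms), last_out)
        out.append(release)
        last_out = release
    return out


def receive(times, t0=0.0):
    """Receiver: threshold each observed gap to recover a bit."""
    bits, prev = [], t0
    for t in times:
        bits.append(1 if t - prev > THRESHOLD_MS else 0)
        prev = t
    return bits


def bit_error_rate(jitter_ms, n_bits=5000, seed=5):
    """Fraction of bits the receiver gets wrong for a given normalizer jitter."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    observed = normalize(send_times(bits), jitter_ms, rng)
    got = receive(observed)
    return sum(a != b for a, b in zip(bits, got)) / n_bits


if __name__ == "__main__":
    for jitter in (0.0, 10.0, 40.0, 100.0):
        print(f"jitter up to {jitter:5.1f} ms: bit error rate {bit_error_rate(jitter):.3f}")
```

With jitter smaller than half the distance between the two gap values the channel survives untouched; once the random delay exceeds that distance the receiver's error rate climbs toward a coin flip, which is the sense in which the text says the device "completely destroys" a deterministic timing channel. A sender can fight back by using a statistical code (averaging many packets per bit), which is why the same device only "significantly degrades" a statistical channel, at the cost of added latency for legitimate traffic.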

Modern specialized methods for detecting steganographic hiding are based on finding deviations of the statistical characteristics of the observed data (file types, messages) from its expected model. The general drawback of statistical steganalysis is that building an accurate mathematical model of the container, the possible carrier of hidden information, is an extremely complex and still unsolved problem. Moreover, the main limitation of existing methods is that they all detect hidden information only after the fact.

In Russia, the development of a scientific methodology for combating covert channels in information networks was announced at the end of 2006. Russian scientists developed a mathematical model for constructing covert channels, assessing their capacity and countering them.

In 2008, the Russian Federation adopted GOST R 53113.1 “Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions."

In 2009, GOST R 53113.2 “Protection of information technologies and automated systems from information security threats implemented using covert channels” was adopted. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels.”

    Currently, every source covering information security discusses the material disclosed by Mr. Snowden about covert channels for obtaining information and about devices for secret access to information (collection, exfiltration) deliberately built by the NSA into various technical products.
    What is the solution to this problem in our country? Analyzing the current domestic regulatory framework, we can highlight the following documents regulating the identification of and fight against covert channels:
    GOST R 53113.1-2008 “Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions”;
    GOST R 53113.2-2009 “Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels.”

    In accordance with these GOSTs, a covert channel is defined as a communication channel not intended by the developer of the information technology and automated system, which can be used to violate the security policy.
    The following security policy violations can be implemented using covert channels:

    • Threat of malware and data injection.
    • Threat of the intruder issuing commands to the agent to perform its functions.
    • Threat of leakage of cryptographic keys, passwords (unauthorized access to them) or individual information objects.
    The model of covert channel operation is shown in the figure (from GOST R 53113.2-2009):


    The creation of a hidden channel and the influence of an intruder on protected information resources in accordance with the above model is carried out in the following order:

    • 1. In normal operation, work with protected information resources is carried out in the prescribed manner: subjects with authorized access process them in accordance with the established access control rules. The inspector sees no security policy violations.
    • 2. The means of processing protected information resources contains an agent of the security violator introduced in advance, which shows no activity and does not reveal its presence in the IT system (AS) in any way.
    • 3. At the moment chosen by the intruder, the agent is given a command by the security violator to activate and perform its function. The command can be issued over the standard communication channels of the IT system (AS), if such a connection is possible (for example, via the Internet), or remotely (for example, over a radio channel), if the agent has that capability.
    • 4. The embedded agent of the security violator performs its function, while the channel of information exchange between the violator and the embedded agent can be hidden from the inspector.
    • 5. After the assigned task is accomplished, the agent's work ends on its own or on the intruder's command.
    As a practical implementation of this approach, based on the materials published by Snowden (http://freesnowden.is/2013/12/31/ant-product-data/), an example is the IRONCHEF software tool, which operates on top of hardware implants of the COTTONMOUTH-I (II, III) type, implemented with HOWLERMONKEY and TRINITY devices (one might say the “classic” construction of a covert channel).
    How to work to identify hidden channels?
    From a “theory” point of view, the process of identifying a covert channel includes the following steps:

    1. Assessment of the architecture of the system under study and the communication channels available in it (both existing and potential channels are subject to consideration). Assessing the architecture of a system involves identifying all the communication channels (information interaction) available in it and analyzing the interaction of its components for their potential use to organize a covert channel. As a result of such an analysis, system components should be identified in which covert channels could potentially be used.
    2. Identification of possible ways of exchanging hidden information between the intruder and his presumed agent in the system. This work is performed on the basis of the general scheme of the covert channel operation model. For each of the protected assets it is necessary to identify which subjects have access to them and at the same time are isolated from the external environment but can interact with individual subjects from the external environment (bearing in mind that this kind of interaction is controlled by the owner of the assets and can be observed by a potential violator).
    3. Assessing the danger of identified hidden channels for the organization’s protected assets. After identifying hidden channels, it is necessary to assess how feasible they are and how dangerous they are for the organization’s protected assets. For the assessment, the most critical indicators are: the volume of assets, the estimated capacity of the covert channel and the time interval during which the assets retain value. All parameters are quantifiable and can be used in appropriate analytical reports. Based on this assessment, channels that do not pose a real threat to assets are considered non-hazardous.
    4. Deciding on the advisability of countering each of the identified hidden channels (minimizing the level of risk).

    It is proposed to use the following protective measures:

    • reduction/limitation of the information transmission channel capacity (regarding covert channels);
    • architectural solutions for building a system;
    • monitoring the effectiveness of system protection.
    It should be noted that the choice of methods to counter threats implemented using covert channels is determined based on the individual characteristics of a particular protected system (system construction topology, information interaction protocols used, features of the location of system elements and their interaction with each other, selected telecommunications means and information security tools).
    In conclusion, I would like to turn to methods for identifying hidden channels. According to GOST, two methods are proposed:
    • statistical method;
    • signature method.
    The statistical method for identifying covert channels involves collecting statistical data about packets passing through the protected section of the network, without making any changes to them. In this case, the identification of hidden channels can be carried out both in real time and offline, using data accumulated over previous periods of time.
    The method of identifying covert channels based on signature analysis is similar to the method used by antivirus software to search for malware. Given a set of known implementations of covert channels, a signature is generated for each of them. The data stream is searched for such signatures. Based on the results of this work, a conclusion is drawn about the absence or presence of hidden channels in the system and the option for its implementation.
    Thus, to summarize, we can say that we are getting a new round of information confrontation “intruder - security administrator”, which introduces into our lives both new technologies and methods of attack, as well as new means and methods of protection.
    I would like to end the article with these thoughts:
    What if we look at the materials disclosed by Snowden from this angle? Recently a number of automated systems have appeared for which ensuring confidentiality is not a priority at all, for example automated systems for production and process control. A violation of the availability or performance of such a system can have even more severe consequences for the state than a leak of confidential or classified information. Aggravating this is that the vast majority of the component base for such systems is produced and supplied from abroad, and it is technically impossible to perform the full set of measures to search for possible covert channels and embedded devices across the entire list of imported components. And as has become known, foreign-made equipment may be full of unpleasant “surprises.”
    Nor can we ignore the widespread development of the Internet and its use as a transport for connecting various corporate and industrial networks, which automatically gives an external attacker control access to an embedded device or module.
    There is something to think about and work on. The issue of identifying hidden channels in automated systems of organizations is becoming a pressing issue, regardless of the level of the organization and its form of ownership. A secret is a secret because it is known to a limited circle of people. Plus, you can add to this the presence (reception) of negative emotions when someone maliciously damages your information infrastructure, the security of which you were confident. And a spoiled mood is not the worst thing if the business process in the organization may suffer.

    About hidden, secret, side channels. And not only. (Part 1)

    V.A. Galatenko

    About hidden channels

    This is not the first time Jet Info has addressed the topic of covert channels. In 2002 a separate issue was devoted to it (see), so this article assumes that the reader is familiar with the basics of the field; otherwise it is recommended to re-read that article first (for example here, editor's note at CITForum.ru). However, the author would like to note from the outset that the topic of covert channels in its traditional interpretation seems to him somewhat far-fetched and formal. Covert channel research peaked in the mid-1980s with the publication of the US Department of Defense's Orange Book, which mandated covert channel analysis starting from security class B2. As a result, the fight against covert channels was waged mainly not for the sake of real security but for the sake of successful certification. Moreover, because of their essentially accidental association with classes B2 and above, covert channels have been studied almost exclusively in the context of multilevel security policies, with the obligatory HIGH and LOW subjects, noninterference models and other subtleties. All of this is infinitely far from the real problems of typical modern information systems, and the published results are for the most part obvious and of neither theoretical nor, still less, practical interest. The article explains the conceptual reasons for this state of affairs.

    As stated earlier, we see the root cause of the existence of covert channels, and of the impossibility of eliminating them under the traditional approach to building information systems, as follows. Formal security models such as the well-known Bell-LaPadula model delimit access “in principle” but contain no notion of time and do not regulate competition for resources, that is, situations where “in principle the resource may be used, but right now it cannot because it is busy”. Therefore, under any distribution of access rights, various kinds of signaling events, and in particular collisions due to contention, can be used to organize covert channels.

    In the mid-1980s a systematic methodology for identifying covert storage channels was proposed (see), its key element being the shared resource matrix. In a networked environment, on the Internet, there are as many legitimate shared resources as one likes, for example space allocated to users on public sites. Header fields of IP packets can be used as well (the checksum is an excellent candidate for this role), as can the initial sequence numbers when a TCP connection is established (see). Practical covert timing channels can also be organized, for example by encoding a one as the sending of a packet within a certain millisecond interval (see).

    With the advent of powerful multiprocessor systems with shared memory, the bandwidth of covert channels has jumped to megabits per second and continues to increase with increasing hardware speed (see). This, of course, is a serious problem, but to solve it it is enough to abandon the division of such systems between subjects with different levels of clearance.

    The problem of hidden channels is a manifestation of a more general problem of the complexity of modern information systems. In complex systems there were, are and will be hidden channels, so you need to fight the cause, not the effect. In its most general form, the method of dealing with the complexity of systems can be formulated as “carrying out an object-based approach with physical boundaries between objects.” Processors should not be shared not only between subjects, but also between control threads. The user network must be physically separated from the administrative network. Generally speaking, system components should not trust each other: the processor may not trust the memory, the network card may not trust the processor, etc. When suspicious activity is detected, components must raise an alarm and apply other protective measures (for example, a disk controller can encrypt files, a network controller can block communications, etc.). In general, in a war it’s like in a war. If it is impossible to organize physical boundaries, you should use virtual ones, formed primarily by cryptographic means. A more detailed presentation of these issues can be found in the work.

    Covert channels can not only be identified but also eliminated or made noisy “blindly”. As explained in (see), various normalizers are used for this, smoothing processor load, power consumption, the computation time of certain functions, network traffic and so on. For example, the Asbestos operating system kernel, in response to a request to create a port, returns a new port with an unpredictable name, since the ability to create ports with chosen names could serve as a covert channel.

    The overhead of normalization can be high and can significantly slow down legitimate entities, so a reasonable compromise between information security and the functional usefulness of systems must be sought and found. From the point of view of managing complexity, covert channels have the following unpleasant property: shared resources present at any level of the information system, starting from the lowest, hardware, level, can be used at all higher levels, up to the application level, to organize an information leak. A centralized memory access arbiter in a multiprocessor system, a second-level cache shared by several processors, a memory management unit: all of these can serve as leak channels. Therefore, when analyzing covert channels, the system must be considered as a whole. Attempting so-called composite certification, where a system is assessed on the basis of earlier tests of individual modules or levels, leads to covert channels being missed. The problem is compounded by the fact that the description of an individual module or level may omit necessary details as unimportant. What difference, one might think, does it make how the queue of instructions selected by the microprocessor for execution is organized? Yet this too may matter for the safe operation of an application (see). An operating system that passed certification when tested on bare hardware contains covert channels of noticeable capacity when it runs under a virtual machine monitor. In general, a shared resource is the pea that a real princess will feel through any number of feather beds. And this must be remembered.

    The covert channel approach is actively used to assess the degree of imperfection of implementations of protective services such as anonymizers and their networks, and of traffic padding. This is natural, since anonymization and traffic padding are forms of normalization designed to eliminate covert channels. If the normalization is imperfect, covert channels remain. How imperfect? As imperfect as the information leak is large. The imperfection of anonymizers can be measured as the capacity of covert channels leaking information about the sender and/or recipient (see). For individual anonymizers an exact value can be obtained, for networks of anonymizers an upper bound.

    Current trends indicate that an increasing share of Internet traffic is encrypted (see). Encryption protects the contents and headers of packets, and packet padding prevents information from being obtained by analyzing their sizes. However, cryptography by itself does not protect against analysis of packet behaviour, that is, their distribution in time, and user privacy can suffer as a result. In addition, timing analysis of SSH traffic greatly simplifies unauthorized access to user passwords. Link-layer traffic padding is an effective protective measure against such analysis: the data flow in the channel takes on a predetermined shape, some packets are delayed, and dummy data is sent into the channel when needed. That is basically it. In practice it is quite difficult to implement padding so that the observed traffic follows the predefined distribution exactly, so an attacker can still correlate the padded payload traffic. The imperfection of the padding implementation can be measured as the capacity of the covert channel based on variation of inter-packet intervals. It turns out that under ideal conditions this covert channel is practically usable. Fortunately, in a real busy network with many data streams, the high noise level in the channel makes the attacker's task harder.

    The use of covert channels to assess the degree of imperfection of the architecture and/or implementation of security services seems to be a very promising area of research.

    The authors of the work found a beautiful application of data transmission methods characteristic of covert timing channels in wireless sensor networks. One of the main problems of sensor networks is reducing energy consumption. If binary values are transmitted over a wireless network in the usual way, one can assume that this requires energy proportional to their logarithm. However, values can also be transmitted by silence: send a start bit, which makes the recipient start a counter, wait a time corresponding to the value, and send a stop bit. As a result, energy is saved but time is spent (proportional to the value); the transmission can still be optimized, however, since silence multiplexes, cascades and forwards perfectly.

    Of course, the described method of data transmission belongs to the category of amusing curiosities. On the whole, covert channels today are almost exclusively an academic and certification subject. In this context, an interesting work is the one that explores the problem of completeness of covert channel analysis. It introduces the concept of a complete set of covert channels, whose elements together generate the maximum possible covert information leakage (an analogue of a complete set is a basis in a vector space). As covert channels are identified, their totality can be checked for completeness (using the criteria formulated in the work), and as a result an assessment of the potential for information leakage can be obtained. Another very important aspect of the work is the description of an architectural approach to building systems that facilitates covert channel analysis. Identifying covert channels one by one in an arbitrary information system is a futile task; it makes sense to construct systems in some regular way and then subject them to systematic analysis that takes their specifics into account.

    In practice, neither attackers nor information security vendors pay any noticeable attention to covert channels. The reason is that in modern information systems there are more than enough “crude” vulnerabilities that can be easily exploited, so both attackers and defenders prefer the path of least resistance, which is quite natural. The former exploit obvious “holes”, the latter try to cover them up.

    Consumers have no time for covert channels either: they would rather fight off worms and viruses hand-to-hand, find money for last year's snow packaged as "intrusion prevention systems with known signatures", and patiently listen to lectures from the makers of leaky software about their lack of discipline in managing the numerous corrective patches for that very software.

    There are two pieces of news about vulnerabilities, both good. The first is that there are fewer security problems in the underlying software, so attackers are more actively exploiting application vulnerabilities. The second is that there are many applications. And there is also phishing and other methods of moral and psychological pressure... So the time for covert channels, if it ever comes, will not come soon.

    To understand how modest a place covert channels occupy among other information security problems, even if we restrict ourselves to software defects, it is worth considering the classification of such defects proposed in the article in the context of developing static source-code analysis tools for finding errors that can lead to vulnerabilities.

    Defects in software can be introduced intentionally or through negligence. The former are divided into malicious and non-malicious. Malicious defects are backdoors, logic bombs and time bombs; non-malicious ones are covert channels (storage or timing) and inconsistent access paths.

    Defects introduced unintentionally are divided into:

      data validation errors (addressing errors, including buffer overflows; poor quality checks of parameter values; incorrectly placed checks; inadequate identification/authentication);

      abstraction errors (object reuse, disclosure of the internal representation);

      asynchronous defects (concurrency problems, including race conditions, deadlocks and livelocks, time-of-check to time-of-use gaps, and multiple references to the same object);

      inappropriate use of subcomponents (resource leaks, misunderstanding of the distribution of responsibilities);

      functionality errors (defects in exception handling, other security defects).

    To understand how security defects can be introduced into software intentionally but not maliciously, consider the covert channel created in a disk controller when request servicing is optimized with the elevator algorithm (disk requests are processed not in order of arrival but as the head arm reaches the requested blocks; see the article, which presents a systematic approach to identifying covert timing channels). A malicious sender of information can influence the order, and therefore the processing time, of requests by controlling the direction of the head arm's movement through issuing its own disk requests in a certain order. Here the shared resource that allows (malicious) targeted influence is the common queue of requests to disk blocks, together with the current position and direction of movement of the head arm. It is natural to regard this defect as introduced intentionally but not maliciously, since the covert channel arose not from an implementation error but from a design decision aimed at optimizing the operation of the system.

    The largest and most practically important group of defects introduced through negligence are data validation errors, or more precisely, insufficient checking of input data before it is used. Developing methods for preventing or finding such errors is a task of paramount practical importance. And covert channels can wait...

    About secret channels

    As noted in the work, so-called multidimensional information security is currently taking shape, in which attempts are made to take into account the whole range of interests (sometimes conflicting) of all subjects of information relations, as well as all types of information system configurations, including decentralized ones without a single control center.

    Security depends on the subject. The user has his own security and the content provider has his own (and here the user can be regarded as the adversary). New security aspects are emerging, such as digital rights management. This trend is especially evident in the use of secret channels.

    Recall (see) that non-standard channels of information transmission are called covert. Non-standard ways of transmitting information through legal channels (called wrapping channels in this context) are called secret (subliminal) or steganographic (stego) channels. General information about them is given in the article. Secret channels are used when a legal communication channel exists but something (for example, the security policy) forbids certain information from being transmitted through it.

    Note that there are two important differences between covert and secret channels. First, contrary to the name, nobody tries to hide the existence of covert channels; they simply use, for transmitting information, entities that were created for other purposes and were not intended for this. A secret channel, on the contrary, exists only until the adversary learns of it. Second, the time for transmitting information over a covert channel is considered unlimited, whereas the transmission time of a secret channel is determined by the characteristics of the wrapping channel. For example, if a graphic image is used to transmit information secretly, then only as much can be transmitted as fits in that image without violating secrecy.

    In general, secret channels are much more practical than covert ones because they have a legal basis, the wrapping channel. Secret (rather than covert) channels are the most suitable means for controlling a hostile multi-agent system. But it is not only attackers who need them. Secret channels can be used effectively by content providers who embed hidden "digital watermarks" into content and want to control its distribution and consumers' compliance with digital rights. Another example, which has become a classic, is the use of a secret channel by British Prime Minister Margaret Thatcher, who, in order to find out which of her ministers was responsible for information leaks, distributed to them versions of one document with different word spacing.

    Of course, under very general assumptions, secret channels can be neither eliminated nor even detected (for example, a compressed JPEG image will always have room for hidden information). For both covert and secret channels, the statement "You can always send a bit" from the article holds.

    The meaningful question is the capacity and robustness of such channels, which are determined not only by the bandwidth of the wrapping channel and its noise characteristics but also by the maximum size of the hidden payload and by the detector function that judges whether the transmitted content is admissible (see, for example, the article and the sources cited in it, among which we single out the work).

    The problem of secret channels has long been fruitfully studied from the standpoint of information theory, and many theoretically interesting and practically important results have been obtained. Let us draw attention to the possibility and effectiveness of using covert and secret channels jointly in a network environment. Thus, the work describes an implementation of an anonymizer network (see) built from HTTP servers and clients. Web surfing serves as the wrapping channel. HTTP servers act as nodes of the anonymizer network, and interaction between them is carried out over covert channels in HTTP/HTML through the mediation of unsuspecting clients (primarily by means of request redirection and active content embedded, for example, in advertising banners on the visited Web page). As a result, it is possible not only to make it impossible to link the sender and recipient of messages, but also to achieve the stronger property of unobservability (even in the presence of a global observer). Web surfers, who become unwitting intermediaries, enlarge the anonymity set to be analyzed, making it harder for the observer to obtain useful information.

    (Of course, both attackers and security developers are aware of the opportunities and problems associated with using HTTP as a wrapping channel. For example, the article describes a learning system called Web Tap that detects anomalies in outgoing HTTP transactions.)

    Let us also note the obvious link between the intelligence of embedded agents (or elements of a multi-agent system) and the bandwidth of the secret or covert channels required to interact with them. The note gives an example of a highly intelligent Trojan program: an expert system built into a trusted (multi-level security policy) strategic system for managing military supplies and troop movements, capable of determining from those supplies and movements whether offensive military operations are likely to begin next week. If such a program transmits just one bit of information (likely/unlikely) per day, this will prove very valuable for strategic planning. At the same time, according to the formal requirements of the Orange Book, covert channels with a bandwidth below one bit per ten seconds may be left out of consideration entirely when auditing trusted systems. (A rare case in which the Orange Book makes a concession, and, as it turns out, in vain.)

    The moral is that when analyzing secret and covert channels in general and their capacity in particular, one must take into account the specifics of information systems, the value of information and the semantics of interaction. Otherwise, the results of the analysis risk being meaningless.

    About side channels

    Side channels can be regarded as a special case of covert channels. The role of (unwitting) transmitters in such channels is played by standard components of information systems, and the role of receivers by external observers with appropriate equipment. Most often, side channels exploit the timing of observable operations (timing attacks on RSA have become commonplace), their power consumption and/or spurious electromagnetic emanations and interference (PEMIN), but acoustic channels can also be used for attacks, whether the target is the digital lock of a safe or a personal computer's processor handling a secret key (see).

    Side channels are perhaps the most visible manifestation of the multifaceted nature of modern information security. As a rule, the attackers of such information systems (information content, bank cards, cell phone SIM cards, etc.) are their owners, who have plenty of time and the appropriate tools. Combined with the fundamental impossibility of controlling physical access, these factors make side-channel attacks especially dangerous.

    The targets of side-channel attacks are most often the cryptographic components of information systems, or more precisely their secret keys. For example, the article describes a partitioning attack on cell phone SIM cards (more precisely, on the COMP128 algorithm used to authenticate users and generate session keys), carried out by measuring power consumption in order to clone these cards. The attack was refined to the point where only eight measurements with adaptively chosen input data suffice to determine the secret 128-bit key! That is, an attacker needs to hold the SIM card for only about a minute.

    The danger of attacks based on differential power analysis is illustrated very clearly in the article. In 1998 Bruce Schneier wrote that the galaxy did not have enough silicon, nor the Sun enough lifetime, to mount a brute-force attack on the 112-bit secret key of the 3DES algorithm. The minimum key length in the AES algorithm is 128 bits, yet a successful differential power analysis attack on an unprotected chip implementing AES can be carried out in under three minutes, from the start of measurements to the end of the analysis.

    A fundamental solution to the side-channel problem is possible if the following cardinal principle is observed: the data about a transaction that can be obtained from side channels must be statistically independent of the input and output data and of the secret information. Since it is most often systems with very limited resources that have to be protected from side-channel attacks, a correct and complete implementation of the cardinal principle is a very difficult task. Operation time is relatively easy to normalize; power consumption is harder, though still possible (see, for example, the cited literature); PEMIN is harder still. In practice, systems are hardened "as far as possible" (which is typical of modern information security in general), and motivated attackers are left with ample opportunities for effective attacks.
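    As an added illustration of the cardinal principle (this is not code from the article), the example below contrasts a secret-dependent comparison of an authentication tag with a constant-time one. Instead of wall-clock time it counts loop iterations, a deterministic stand-in for running time, and shows that the early-exit version leaks the length of the correctly guessed prefix while the hardened version exposes a value that depends on the length alone. The tag value and the helper names are constructed for the example.

```python
"""Secret-dependent versus constant-time comparison.

The observable here is the number of loop iterations a comparison performs,
a deterministic proxy for its running time. Under the cardinal principle it
must be statistically independent of the secret; the first function violates
it, the second satisfies it.
"""
from typing import Callable, List, Tuple

Compare = Callable[[bytes, bytes], Tuple[bool, int]]

# Constructed sample secret: an 8-byte authentication tag.
SECRET = bytes.fromhex("0a1b2c3d4e5f6071")


def leaky_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: returns (equal, iterations).

    Stops at the first mismatching byte, so the iteration count reveals how
    long the matching prefix of `guess` is, and the secret can be recovered
    byte by byte by watching the timing.
    """
    if len(secret) != len(guess):
        return False, 0
    iterations = 0
    for a, b in zip(secret, guess):
        iterations += 1
        if a != b:
            return False, iterations
    return True, iterations


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Accumulates the XOR of every byte pair and decides only at the end.

    The loop always runs over the whole input, so the iteration count is a
    function of the length only, never of where the first mismatch is.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    iterations = 0
    for a, b in zip(secret, guess):
        iterations += 1
        diff |= a ^ b
    return diff == 0, iterations


def leakage_profile(compare: Compare, secret: bytes) -> List[int]:
    """Iteration count exposed for each possible position of the first wrong byte.

    Each probe keeps the prefix before `pos` correct and corrupts byte `pos`,
    which is exactly the situation a prefix-guessing observer creates.
    """
    profile: List[int] = []
    for pos in range(len(secret)):
        guess = bytearray(secret)
        guess[pos] ^= 0xFF  # always differs from the original byte
        _, iterations = compare(secret, bytes(guess))
        profile.append(iterations)
    return profile


def is_secret_independent(compare: Compare, secret: bytes) -> bool:
    """True when the observable takes one value regardless of the secret."""
    return len(set(leakage_profile(compare, secret))) == 1


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_compare), ("constant-time", constant_time_compare)):
        print(name, leakage_profile(fn, SECRET), is_secret_independent(fn, SECRET))
```

    For production code the standard library's hmac.compare_digest is the primitive to use; the hand-written version above exists only to make the leak visible.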

    Literature

    E.E. Timonina -- Covert channels (review). -- Jet Info, 2002, 11

    A. Galatenko -- On covert channels and more. -- Jet Info, 2002, 11

    R.A. Kemmerer -- A Practical Approach to Identifying Storage and Timing Channels: Twenty Years Later. -- Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC'02). -- IEEE, 2002

    E. Tumoian, M. Anikeev -- Network Based Detection of Passive Covert Channels in TCP/IP. -- Proceedings of the IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05). -- IEEE, 2005

    S. Cabuk, C.E. Brodley, C. Shields -- IP Covert Timing Channels: Design and Detection. -- Proceedings of CCS'04. -- ACM, 2004

    P.A. Karger, H. Karth -- Increased Information Flow Needs for High-Assurance Composite Evaluations. -- Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04). -- IEEE, 2004

    V.B. Betelin, S.G. Bobkov, V.A. Galatenko, A.N. Godunov, A.I. Grunthal, A.G. Kushnirenko, P.N. Osipenko -- Analysis of trends in the development of hardware and software and their impact on information security. -- Collection of articles edited by Academician of the Russian Academy of Sciences V.B. Betelin. -- Moscow: NIISI RAS, 2004

    P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazieres, F. Kaashoek, R. Morris -- Labels and Event Processes in the Asbestos Operating System. -- Proceedings of SOSP'05. -- ACM, 2005

    Y. Zhu, R. Bettati -- Anonymity vs. Information Leakage in Anonymity Systems. -- Proceedings of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS'05). -- IEEE, 2005

    B. Graham, Y. Zhu, X. Fu, R. Bettati -- Using Covert Channels to Evaluate the Effectiveness of Flow Confidentiality Measures. -- Proceedings of the 2005 11th International Conference on Parallel and Distributed Systems (ICPADS'05). -- IEEE, 2005

    Y. Zhu, R. Sivakumar -- Challenges: Communication through Silence in Wireless Sensor Networks. -- Proceedings of MobiCom'05. -- ACM, 2005

    R. Browne -- An Entropy Conservation Law for Testing the Completeness of Covert Channel Analysis. -- Proceedings of CCS'94. -- ACM, 1994

    S. Weber, P.A. Karger, A. Paradkar -- A Software Flaw Taxonomy: Aiming Tools At Security. -- Proceedings of the Conference on Software Engineering for Secure Systems - Building Trustworthy Applications (SESS'05). -- ACM, 2005

    J.C. Wray -- An Analysis of Covert Timing Channels. -- IEEE, 1991

    V.B. Betelin, V.A. Galatenko, M.T. Kobzar, A.A. Sidak, I.A. Trifalenkov -- Review of protection profiles built on the basis of the "Common Criteria". Specific requirements for security services. -- "Information Technology Security", 2003, 3

    K. Loepere -- Resolving Covert Channels with a B2 Class Secure System. -- Honeywell Information Systems

    J.J. Harmsen, W.A. Pearlman -- Capacity of Steganographic Channels. -- Proceedings of MM-SEC'05. -- ACM, 2005

    I.S. Moskowitz, L. Chang, R. Newman -- Capacity is the Wrong Paradigm. -- Proceedings of the 2002 Workshop on New Security Paradigms. -- ACM, 2002

    M. Bauer -- New Covert Channels in HTTP. Adding Unwitting Web Browsers to Anonymity Sets. -- Proceedings of WPES'03. -- ACM, 2003

    K. Borders, A. Prakash -- Web Tap: Detecting Covert Web Traffic. -- Proceedings of CCS'04. -- ACM, 2004

    D. Slater -- A Note on the Relationship Between Covert Channels and Application Verification. -- Computer Sciences Corporation, 2005

    K. Tiri, I. Verbauwhede -- Simulation Models for Side-Channel Information Leaks. -- Proceedings of DAC 2005. -- ACM, 2005

    J.R. Rao, P. Rohatgi, H. Scherzer, S. Tinguely -- Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards. -- Proceedings of the 2002 IEEE Symposium on Security and Privacy (S&P'02). -- IEEE, 2002

    R. Muresan, C. Gebotys -- Current Flattening in Software over Hardware for Security Applications. -- Proceedings of CODES+ISSS'04. -- ACM, 2004

    V. Roth, U. Pinsdorf, J. Peters -- A Distributed Content-Based Search Engine Based on Mobile Code. -- Proceedings of the 2005 ACM Symposium on Applied Computing (SAC'05). -- ACM, 2005

    M. Carvalho, T. Cowin, N. Suri, M. Breedy, K. Ford -- Using Mobile Agents as Roaming Security Guards to Test and Improve Security of Hosts and Networks. -- Proceedings of the 2004 ACM Symposium on Applied Computing (SAC'04). -- ACM, 2004

    T. Pedireddy, J.M. Vidal -- A Prototype MultiAgent Network Security System. -- Proceedings of AAMAS'03. -- ACM, 2003

    R. Menezes -- Self-Organization and Computer Security. -- Proceedings of the 2005 ACM Symposium on Applied Computing (SAC'05). -- ACM, 2005

    J. Page, A. Zaslavsky, M. Indrawan -- Countering Agent Security Vulnerabilities using an Extended SENSE Schema. -- Proceedings of the IEEE/WIC/ACM International Conference on Intelligent Agent Technology (IAT'04). -- IEEE, 2004

    J. Page, A. Zaslavsky, M. Indrawan -- Countering Security Vulnerabilities in Agent Execution using a Self Executing Security Examination. -- Proceedings of AAMAS'04. -- ACM, 2004

    J. Ametller, S. Robles, J.A. Ortega-Ruiz -- Self-Protected Mobile Agents. -- Proceedings of AAMAS'04. -- ACM, 2004

    M. Christodorescu, S. Jha -- Testing Malware Detectors. -- Proceedings of ISSTA'04. -- ACM, 2004

    M. Christodorescu, S. Jha, S.A. Seshia, D. Song, R.E. Bryant -- Semantics-Aware Malware Detection. -- Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P'05). -- IEEE, 2005

    J.A.M. McHugh, F.P. Deek -- An Incentive System for Reducing Malware Attacks. -- Communications of the ACM, 2005, 6

    J.V. Harrison -- Enhancing Network Security By Preventing User-Initiated Malware Execution. -- Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05). -- IEEE, 2005

    A. Bohra, I. Neamtiu, P. Gallard, F. Sultan, L. Iftode -- Remote Repair of Operating System State Using Backdoors. -- Proceedings of the International Conference on Autonomic Computing (ICAC'04). -- IEEE, 2004

    F. Sultan, A. Bohra, S. Smaldone, Y. Pan, P. Gallard, I. Neamtiu, L. Iftode -- Recovering Internet Service Sessions from Operating System Failures. -- IEEE Internet Computing, 2005, March/April

    J.B. Grizzard, S. Krasser, H.L. Owen, G.J. Conti, E.R. Dodson -- Towards an Approach for Automatically Repairing Compromised Network Systems. -- Proceedings of the Third IEEE International Symposium on Network Computing and Applications (NCA'04). -- IEEE, 2004

    A. Goel, K. Po, K. Farhadi, Z. Li, E. de Lara -- The Taser Intrusion Recovery System. -- Proceedings of SOSP'05. -- ACM, 2005

    J. Levine, J. Grizzard, H. Owen -- A Methodology to Detect and Characterize Kernel Level Rootkit Exploits Involving Redirection of the System Call Table. -- Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04). -- IEEE, 2004

    C. Kruegel, W. Robertson, G. Vigna -- Detecting Kernel-Level Rootkits Through Binary Analysis. -- Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04). -- IEEE, 2004

    H. Xu, W. Du, S.J. Chapin -- Detecting Exploit Code Execution in Loadable Kernel Modules. -- Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04). -- IEEE, 2004

    Y.-M. Wang, D. Beck, B. Vo, R. Roussev, C. Verbowski -- Detecting Stealth Software with Strider GhostBuster. -- Proceedings of the 2005 International Conference on Dependable Systems and Networks (DSN'05). -- IEEE, 2005

    S. Ring, D. Esler, E. Cole -- Self-Healing Mechanisms for Kernel System Compromises. -- Proceedings of WOSS'04. -- ACM, 2004

    M. Laureano, C. Maziero, E. Jamhour -- Intrusion Detection in Virtual Machine Environments. -- Proceedings of the 30th EUROMICRO Conference (EUROMICRO'04). -- IEEE, 2004

    M. Vrable, J. Ma, J. Chen, D. Moore, E. Vandekieft, A.C. Snoeren, G.M. Voelker, S. Savage -- Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm. -- Proceedings of SOSP'05. -- ACM, 2005

    S. Ring, E. Cole -- Taking a Lesson from Stealthy Rootkits. -- IEEE Security & Privacy, 2004, July/August

    W. Shi, H.-H.S. Lee, G. Gu, L. Falk -- An Intrusion-Tolerant and Self-Recoverable Network Service System Using a Security Enhanced Chip Multiprocessor. -- Proceedings of the Second International Conference on Autonomic Computing (ICAC'05). -- IEEE, 2005

    Introduction.

    1 Analysis of existing intrusion detection methods.

    1.1 Basic concepts.

    1.2 Typical structure of IDS.

    1.3 Intrusion detection methodologies.

    1.4 Misuse detection.

    1.4.1 String matching.

    1.4.2 Use of expert systems.

    1.4.3 Analysis of transitions between states.

    1.4.4 Data mining methods.

    1.5 Anomaly detection.

    1.5.1 Statistical methods.

    1.5.2 Predicting behavior.

    1.5.3 Data mining methods.

    1.5.4 Neural network methods.

    1.5.5 Detecting anomalies in system call sequences.

    1.6 Classification of IDS.

    1.7 Goals and objectives of the study.

    1.8 Conclusions.

    2 Development of a model of an intrusion detection system based on HMM.

    2.1 Information from the theory of HMM.

    2.1.1 Basic definitions.

    2.1.2 Statement of the standard problems related to HMM.

    2.1.3 Solving the estimation problem.

    2.1.4 Solving the recognition problem.

    2.1.5 Solving the learning problem.

    2.1.6 Application of scaling in HMM algorithms.

    2.1.7 Solving the learning problem for multiple sequences of observations.

    2.2 Operating principle of the IDS model.

    2.2.1 General scheme of the IDS.

    2.2.2 Stages of system operation.

    2.2.3 Selecting the audit subsystem to use.

    2.2.4 Formation of a profile of the normal behavior of the process.

    2.2.5 Algorithm for detecting anomalies in process operation.

    2.3 Study of the possibility of operating the developed system as part of a comprehensive IDS.

    2.4 Conclusions.

    3 Experimental study of the intrusion detection system model

    3.1 Description of the test database.

    3.1.1 Rationale for choosing a test database.

    3.1.2 lpr process data.

    3.1.3 named process data.

    3.1.4 xlock process data.

    3.1.5 login process data.

    3.1.6 ps process data.

    3.1.7 inetd process data.

    3.1.8 stide process data.

    3.2 Illustration of the operation of the anomaly detection algorithm using the named process data as an example.

    3.3 Study of the dependence of intrusion detection efficiency on the selected number of HMM states.

    3.3.1 Statement of the research problem.

    3.3.2 lpr process.

    3.4 Discussion of experimental results.

    3.5 Conclusions.

    4 Development of a parallel HMM learning algorithm.

    4.1 Known solutions for speeding up HMM training.

    4.2 Justification of the possibility of effectively organizing parallel computation in the HMM learning algorithm.

    4.2.1 Analysis of the HMM learning algorithm for single sequences of observations.

    4.2.2 Analysis of the learning algorithm for multiple observation sequences.

    4.3 Development of a parallel HMM learning algorithm.

    4.4 Theoretical evaluation of the efficiency of the parallel algorithm.

    4.5 Features of the software implementation of the parallel HMM learning algorithm.

    4.5.1 Selection of means of implementation.

    4.5.2 Description of software implementation.

    4.5.3 Experimental confirmation of the functional correspondence of parallel and sequential implementations of the HMM learning algorithm.

    4.6 Conclusions.

    5 Experimental study of the effectiveness of the parallel HMM learning algorithm.

    5.1 Experimental conditions.

    5.2 Study of the efficiency of the parallel HMM learning algorithm on a network cluster.

    5.3 Study of the efficiency of the parallel HMM learning algorithm on a multiprocessor cluster.

    5.4 Conclusions.

    Introduction of the dissertation (part of the abstract) on the topic "Development of algorithmic and software tools that increase the efficiency of intrusion detection based on the use of hidden Markov models"

    Due to improvements in computing technology and the rapid growth of telecommunications technologies, the complexity of the software in use is increasing. Under these conditions, analyzing developed programs from a security point of view becomes more difficult. According to the US National Institute of Standards and Technology (NIST), while the number of reported vulnerabilities in widely used software was dozens per year before 1996, in 2004 this figure reached 2356, in 2005 - 4914, and in 2006 - 6600.

    The growing number of software vulnerabilities makes it important not only to take preventive countermeasures such as firewalls and deception systems, but also to deploy intrusion detection systems (IDS), which can actively counter attempts at unauthorized access. At the same time, it is obvious that over time IDS based entirely on updated databases of signatures of known intrusions will be unable to guarantee prompt detection of intrusions that exploit newly discovered vulnerabilities.

    The latest issue of the SANS Institute's annual newsletter, which lists the ten most important trends in information security, predicts a further increase in the exploitation of previously unknown (0-day) vulnerabilities, as well as an increase in the number of compromised nodes of the global network, which allows attackers to carry out distributed attacks and subsequently makes it difficult to find the source of an intrusion. Under these conditions, developing new approaches to intrusion detection that ensure timely detection of an intrusion regardless of whether its exact signature is available becomes relevant.

    Relevance of the topic

    The main problem faced by developers of modern intrusion detection systems (IDS) is the low efficiency of existing mechanisms for detecting fundamentally new types of intrusions, whose signs have not been studied and are not included in signature databases. The anomaly detection theory developed in recent years and intended to solve this problem is not widely used because of the low reliability of the methods employed. Systems built on this theory are characterized by an unacceptably high level of false positives.

    Recently, more effective intrusion detection methods based on analyzing the sequences of system calls received by the operating system kernel have become widespread. Among them, one of the most promising directions is the use of hidden Markov models (HMMs) to describe a model of the normal behavior profile of a process and to detect deviations from this profile that indicate a possible intrusion. Methods based on HMMs surpass other methods in detection efficiency but require more computationally intensive algorithms.

    Thus, the task of researching and improving the approach to intrusion detection using HMM is relevant.

    The goal of the work is to develop an intrusion detection method based on an approach that involves the use of HMMs to describe process profiles. The developed method makes it possible to reduce the training time of HMMs for their more effective use in solving intrusion detection problems.

    Based on the main goal of this work, a list of tasks to be solved is determined:

    1) Develop a model of an intrusion detection system.

    2) Develop algorithms for generating profiles of the normal behavior of processes in the form of HMMs and detecting intrusions with their help.

    3) Develop a parallel learning algorithm to reduce the training time of HMMs.

    4) Conduct an experimental study and comparative analysis of the sequential and parallel HMM learning algorithms.

    The research uses methods of probability theory and mathematical statistics, mathematical modeling, theory of algorithms, and theory of parallel computing. Computer modeling was widely used, including using independently developed software.

    Main results submitted for defense

    1) The IDS model, based on detecting anomalies in sequences of system calls coming from controlled processes, uses profiles of the normal behavior of controlled processes in the form of HMMs. The model is based on a method that allows you to localize an anomaly caused by an intrusion, accurate to a system call, based on the conditional probability of its occurrence.

    2) A parallel, scalable HMM learning algorithm for multiple observation sequences that allows HMM training to be faster than the currently widely used sequential Baum-Welch algorithm.

    The scientific novelty of the work is as follows:

    An intrusion detection method has been developed that uses profiles of the normal behavior of controlled processes in the form of HMMs. The method makes it possible to localize an anomaly caused by an intrusion, accurate to a single system call, based on the conditional probability of that call's occurrence.

    A scalable parallel HMM learning algorithm for multiple observation sequences has been developed and implemented using MPI technology. The implementation of the parallel algorithm demonstrates performance close to the theoretical limit even when running on inexpensive network clusters built on Fast Ethernet networks.

    Practical significance and implementation of work results

    The practical significance of the results of the dissertation is as follows:

    A model of an intrusion detection system has been developed, based on the detection of anomalies in sequences of system calls coming from controlled processes. The principles embedded in the system make it possible to detect intrusions whose signs (signatures) are not known a priori.

    A parallel algorithm for training HMMs has been developed, which reduces their training time. The algorithm can be used in other HMM applications, for example, in speech recognition, optical text recognition, and genetics.

    A parallel program for fast training of HMMs has been developed that provides performance close to the theoretical limit even when run on low-cost network clusters.

    The main results of the research were used at the Department of Information Technology Security of the Technological Institute of the Southern Federal University in Taganrog when performing a number of research and development projects for a government customer, scientific research supported by an RFBR grant, and a joint grant from the Ministry of Education and Science of the Russian Federation and the German Academic Exchange Service (DAAD).

    The reliability of the results obtained is confirmed by the completeness and correctness of the theoretical justifications and the results of experiments carried out using the programs developed in the dissertation.

    Publications

    There are 12 publications on the topic of the dissertation, including 11 scientific articles and abstracts and one certificate of registration of a computer program. Three articles were published in 2003-2005 in the journal “Izvestia of the Taganrog State Radio Engineering University (TRTU)”, which is on the list recommended by the Higher Attestation Commission of the Russian Federation for publishing the results of dissertations.

    The main results of the work were reported and discussed at:

    1) International scientific and practical conferences “Information Security”, Taganrog, 2002, 2003, 2004 and 2005.

    2) XXXIII regional youth conference “Problems of theoretical and applied mathematics”, Yekaterinburg, 2002.

    3) Conferences of the teaching staff of the Taganrog State Radio Engineering University, Taganrog, 2004 and 2005.

    4) Seminar of fellows of the Mikhail Lomonosov program, Bonn (Germany), 2005.

    5) International conference "Computer Science and Information Technologies", Karlsruhe (Germany), 2006.

    Structure and scope of the dissertation

    The dissertation consists of an introduction, five chapters, a conclusion, a list of sources used (113 titles) and an appendix. The total volume of the work is 158 pages. The work contains 19 figures and 28 pages of appendices.

    Conclusion of the dissertation on the topic "Methods and systems of information security, information security", Anikeev, Maxim Vladimirovich

    5.4 Conclusions

    1) An experimental study of the effectiveness of the parallel HMM learning algorithm on a network cluster was carried out. The experimental data demonstrate that the algorithm can be run on inexpensive network clusters with a small number of nodes while achieving speedup values close to the theoretical limit.

    2) In the studies on a multiprocessor cluster, the speedup grows almost linearly until it reaches a practical limit. This indicates that the computing resources are used highly efficiently during parallelization.

    Conclusion

    In accordance with the set goals, as a result of the research and development carried out, the following main scientific results were obtained:

    1) An IDS model has been developed, based on the detection of anomalies in the sequences of system calls coming from controlled processes. The principles embedded in the system make it possible to detect intrusions whose signs (signatures) are not known a priori. The model uses profiles of the normal behavior of the controlled processes in the form of HMMs. The model is based on a method that makes it possible to localize an anomaly caused by an intrusion, accurate to a single system call, based on the conditional probability of that call's occurrence. The possibility of integrating the model into a complex IDS has been explored.

    2) An experimental study was carried out on the dependence of the intrusion detection efficiency indicators on the selected number of HMM states. It has been established that the HMM learning process often converges to a local minimum of the objective function. This fact further complicates the learning process, since there is an additional need to find a value for the number of states that provides the necessary levels of probabilities of correct detection and false positives. Thus, the task of reducing HMM training time becomes even more urgent.

    3) A parallel scalable HMM learning algorithm has been developed, which allows training faster than the currently widely used sequential Baum-Welch algorithm for multiple observation sequences, as well as its software implementation based on MPI technology. The algorithm can be used in other HMM applications, for example, in speech recognition, optical text recognition, and genetics.

    4) An experimental study of the effectiveness of the parallel HMM learning algorithm was carried out. The experimental data demonstrate that the algorithm can be run on inexpensive network clusters with speedup close to the theoretical limit.
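    As an added illustration of results 1 and 3 above (constructed example code, not the dissertation's or any project's own implementation): a discrete HMM over a constructed system-call alphabet is trained with Baum-Welch whose E-step is split per observation sequence across workers and then reduced, each worker standing in for one MPI rank; scoring then reads the conditional probability P(o_t | o_1..o_{t-1}) directly off the forward algorithm's scaling factors and flags the single system call the profile finds improbable. The alphabet, the training traces, the threshold, the pseudo-count smoothing and this particular conditional-probability formulation are assumptions of the example.

```python
"""Constructed example, not the dissertation's code: an HMM profile of a process's system
calls, trained by Baum-Welch with the E-step scattered over workers (the MPI layout)."""
import math, random
from concurrent.futures import ProcessPoolExecutor

SYSCALLS = ["open", "read", "write", "close", "mmap", "execve"]  # constructed alphabet
PSEUDO = 1e-3  # additive smoothing so a never-seen call cannot divide by zero

def forward(seq, pi, A, B):
    """Scaled forward pass; cond[t] = P(o_t | o_1..o_{t-1}) (1/c_t in Rabiner's notation)."""
    N, alpha, cond = len(pi), [], []
    for t, o in enumerate(seq):
        raw = [(pi[j] if t == 0 else sum(alpha[t - 1][i] * A[i][j] for i in range(N)))
               * B[j][o] for j in range(N)]
        cond.append(sum(raw))
        alpha.append([x / cond[t] for x in raw])
    return alpha, cond

def backward(seq, A, B, cond):
    """Backward pass scaled by the same factors, so alpha*beta is the state posterior."""
    N, beta = len(A), [[1.0] * len(A) for _ in seq]
    for t in range(len(seq) - 2, -1, -1):
        beta[t] = [sum(A[i][j] * B[j][seq[t + 1]] * beta[t + 1][j] for j in range(N))
                   / cond[t + 1] for i in range(N)]
    return beta

def chunk_stats(chunk, model):
    """E-step over one worker's sequences (one MPI rank's share): expected counts + log-lik."""
    pi, A, B = model
    N, M = len(pi), len(B[0])
    pi_c, A_c, B_c, ll = [0.0] * N, [[0.0] * N for _ in range(N)], [[0.0] * M for _ in range(N)], 0.0
    for seq in chunk:
        alpha, cond = forward(seq, pi, A, B)
        beta = backward(seq, A, B, cond)
        ll += sum(math.log(c) for c in cond)
        for t, o in enumerate(seq):
            for i in range(N):
                gamma = alpha[t][i] * beta[t][i]  # P(state_t = i | seq)
                B_c[i][o] += gamma
                pi_c[i] += gamma if t == 0 else 0.0
                for j in range(N if t + 1 < len(seq) else 0):  # expected i -> j transitions
                    A_c[i][j] += alpha[t][i] * A[i][j] * B[j][seq[t + 1]] * beta[t + 1][j] / cond[t + 1]
    return pi_c, A_c, B_c, ll

def normalize(row):
    row = [x + PSEUDO for x in row]
    return [x / sum(row) for x in row]

def baum_welch(seqs, model, iters=15, workers=1, pool_map=map):
    """Scatter sequences, E-step per worker, reduce partial counts (MPI_Reduce), M-step."""
    N, M, history = len(model[0]), len(SYSCALLS), []
    for _ in range(iters):
        parts = list(pool_map(chunk_stats, [seqs[r::workers] for r in range(workers)], [model] * workers))
        pi_c = [sum(p[0][i] for p in parts) for i in range(N)]
        A_c = [[sum(p[1][i][j] for p in parts) for j in range(N)] for i in range(N)]
        B_c = [[sum(p[2][i][k] for p in parts) for k in range(M)] for i in range(N)]
        history.append(sum(p[3] for p in parts))  # log-likelihood under the model just used
        model = (normalize(pi_c), [normalize(r) for r in A_c], [normalize(r) for r in B_c])
    return model, history

def localize_anomalies(calls, model, threshold=0.01):
    """(position, call, P(o_t | o_<t)) for every call the profile finds improbable."""
    _, cond = forward([SYSCALLS.index(c) for c in calls], *model)
    return [(t, c, p) for t, (c, p) in enumerate(zip(calls, cond)) if p < threshold]

NORMAL = [[SYSCALLS.index(c) for c in trace.split()] for trace in (  # constructed normal traces
    "open mmap read read write close", "open read write close",              # of a file-copying
    "open mmap read write write close", "open read read write close") * 2]  # process: no execve

def train_profile(n_states=3, workers=1, pool_map=map):
    rng = random.Random(7)  # fixed seed: reproducible random initial model
    rows = lambda m: [normalize([rng.random() for _ in range(m)]) for _ in range(n_states)]
    init = (normalize([rng.random() for _ in range(n_states)]), rows(n_states), rows(len(SYSCALLS)))
    return baum_welch(NORMAL, init, workers=workers, pool_map=pool_map)

if __name__ == "__main__":
    with ProcessPoolExecutor(max_workers=2) as ex:  # each process plays one MPI rank
        profile, ll = train_profile(workers=2, pool_map=ex.map)
    print(localize_anomalies("open mmap read execve write close".split(), profile))
```

Because the expected counts are additive over sequences, splitting them over workers and reducing yields the same model as the sequential run, which is the property the cluster version relies on.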

    List of references for the dissertation research, Candidate of Technical Sciences, Anikeev, Maxim Vladimirovich, 2008

