Empirically derived analytic models of wide-area TCP connections. IEEE/ACM Transactions on Networking (TON).
IP covert timing channels: design and detection. Proceedings of the 11th ACM conference on Computer and communications security.
Model-Based Covert Timing Channels: Automated Modeling and Evasion. RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection.
Towards quantification of network-based information leaks via HTTP. HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security.
Quantifying Information Leaks in Outbound Web Traffic. SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy.
Detecting algorithmically generated malicious domain names. IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement.
Netalyzr: illuminating the edge network. IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement.
Quantitatively analyzing stealthy communication channels. ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security.
An Entropy-Based Approach to Detecting Covert Timing Channels. IEEE Transactions on Dependable and Secure Computing.
DNS queries represent one of the most common forms of network traffic, and likely the least blocked by sites. As such, DNS provides a highly attractive channel for attackers who wish to communicate surreptitiously across a network perimeter, and indeed a variety of tunneling toolkits exist [7, 10, 13-15]. We develop a novel measurement procedure that fundamentally limits the amount of information that a domain can receive surreptitiously through DNS queries to an upper bound specified by a site's security policy, with the exact setting representing a tradeoff between the scope of potential leakage versus the quantity of possible detections that a site's analysts must investigate. Rooted in lossless compression, our measurement procedure is free from false negatives. For example, we address conventional tunnels that embed the payload in the query names, tunnels that repeatedly query a fixed alphabet of domain names or varying query types, tunnels that embed information in query timing, and communication that employs combinations of these. In an analysis of 230 billion lookups from real production networks, our procedure detected 59 confirmed tunnels. For the enterprise datasets with lookups by individual clients, detecting surreptitious communication that exceeds 4 kB/day imposes an average analyst burden of 1-2 investigations/week.
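An added illustration of the compression-based bound described above (example code written for this page, not the paper's own implementation): per (client, registered domain), the query names below the registered domain, the query types and the quantized inter-query timing are losslessly encoded and compressed; the compressed size is an upper bound on what those fields could have conveyed, and a site policy threshold decides what an analyst sees. The log records, the two-label registered-domain heuristic, the 10 ms timing tick and the threshold are constructed assumptions.

```python
import hashlib
import zlib
from collections import defaultdict

def build_sample():
    # Constructed log, not real data: (timestamp_s, client, qname, qtype).
    recs, t = [], 1000.0
    for i in range(20):                       # ordinary repeated lookups
        t += 30.0 + (i % 3)
        recs.append((t, "10.0.0.7", "www.example.org", "A"))
    t = 1000.0
    for i in range(20):                       # tunnel-like: random-looking labels
        t += 0.5 + (i % 7) * 0.01             # timing could carry bits as well
        label = hashlib.sha256(b"demo%d" % i).hexdigest()[:32]
        recs.append((t, "10.0.0.5", label + ".evil.example", "TXT"))
    return recs

def registered_domain(qname):
    # Assumption: last two labels; a deployment would consult the public-suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def leak_bound(records, tick=0.01):
    """Bytes each (client, domain) pair could have received via query names,
    query types and timing: compressed size of a lossless encoding of all three.
    Lossless compression never discards information, so a tunnel cannot go
    undetected by falling below its own information content."""
    groups = defaultdict(list)
    for ts, client, qname, qtype in sorted(records):
        groups[(client, registered_domain(qname))].append((ts, qname, qtype))
    bounds = {}
    for (client, dom), qs in groups.items():
        prev, enc = qs[0][0], []
        for ts, qname, qtype in qs:
            sub = qname.lower().rstrip(".")[:-len(dom)].rstrip(".")  # labels below dom
            delta = int(round((ts - prev) / tick))                    # quantized timing
            enc.append(f"{sub}|{qtype}|{delta}\n")
            prev = ts
        bounds[(client, dom)] = len(zlib.compress("".join(enc).encode(), 9))
    return bounds

def flag(bounds, policy_bytes):
    # policy_bytes is the site's chosen threshold (the paper evaluates 4 kB/day).
    return sorted(k for k, b in bounds.items() if b > policy_bytes)

if __name__ == "__main__":
    b = leak_bound(build_sample())
    for key, val in sorted(b.items()):
        print(key, val, "bytes")
    print("exceeds policy:", flag(b, 256))
```

Raising the threshold shrinks the investigation queue at the cost of a larger permitted leak, which is the tradeoff the abstract describes.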