Auto-adapting Stealth Communication Channels

Presented at DEF CON 13 (2005), July 29, 2005, 2 p.m. (20 minutes)

Intrusion detection systems and firewalls generally follow one of two methods of attack detection: signature or anomaly. Signature detection catches known attacks, and anomaly detection covers unusual activity (in the hope that it will discover new attacks). Often what the IDS or firewall detects is not the original attack but the communication that occurs afterwards. Known methods are easily picked up by signature detection; new methods are either picked up by anomaly detection or have a limited lifespan (signatures are created to detect them). That leads to the dilemma of creating a covert communication scheme that has no (easily) detectable pattern and that also does not cause statistical anomalies.

The key to solving this dilemma is to use a scheme that is not consistent in its appearance and adapts itself to match its current surroundings. The traffic on one network will vary from that on another network, so what looks unusual or out of place on one network might not look so strange on another. By analyzing the conditions that exist on a network and then adapting the communication scheme to fit in with those conditions, a well camouflaged communication channel can be created.

This talk covers the concepts for such a communication system. It covers the development and research currently being performed, as well as providing a moderately technical discussion of the background concepts for such a system.

Presenters:

  • Daniel Burroughs
    Daniel Burroughs is currently an Assistant Professor in the College of Engineering at the University of Central Florida. His current research involves the development of the Florida Department of Law Enforcement Data Sharing Consortium and the development of an undergraduate security engineering program at UCF. His past work at the Institute for Security Technology Studies at Dartmouth College focused on using target tracking techniques to correlate data from multiple IDS and other sensors spread over large-scale networks.
