Design and Detection of Network Covert Channels - An Overview

R. Rajamenakshi
Department of Computer Science
Avinashilingam Deemed University, Coimbatore, India
menakshi@cdac.in

Dr. G. Padmavathi
Department of Computer Science
Avinashilingam Deemed University, Coimbatore, India
ganapathi.padmavathi@gmail.com

Abstract

Sensitive information leakage is increasing due to the widespread use of the internet and technology. Attackers find new ways to exfiltrate data that pose a threat to data security and privacy. Our focus here is on covert information leakage over the network that exploits various network protocols and their behavior. Information leaks over covert channels exploit a variety of network protocols, including wireless, mobile and virtualized cloud platforms. Current network security solutions such as IDS, IPS and firewalls are not designed to handle these types of attacks. These attacks are dynamic in nature and mimic legitimate traffic behavior, thereby posing a challenge for detection and prevention. This article presents a comprehensive review of network covert channels: their design, detection and mitigation. We have reviewed the classification of covert channels based on the attacks

I. INTRODUCTION

Sensitive data leakage over the networked environment is on the rise with increasing network traffic. With attackers finding new ways to exfiltrate data, there is a threat to the security and privacy of sensitive data irrespective of the storage. Steganography and cryptography have become techniques of the past that used image, audio or video files etc. to embed information. Information leaks arise from inadvertent data leaks due to human errors and application flaws, malicious data leaks due to insider actions, stealthy software and covert channels, and legitimate information flow.
Network covert channels are a class of attacks in which attackers exploit network protocol entities that are not intended for carrying information between two ends in order to leak sensitive information over the media. Here the attackers optimally select or control the entities of the exploited channel so that the communication between the two ends appears normal and thereby evades security. Lubacz [3] details the security breaches and data compromises over the network in the year 2011. Most of these attacks are command and control attacks over the network. Here the host machines were compromised either by phishing attacks or by implanting malware on the victim computer. [1], [2] discuss sensitive data leakage from the Defense and Justice departments in the US and 'Operation Twins' in the last decade, leading to data and financial loss. Zander et al. [15] present a comprehensive survey of the possible protocol exploits in both LAN and wireless networks. This type of attack demonstrates the extent to which the protocol structure, features and behavior can be exploited for staging information leak attacks.

Lampson, the first to use the term covert channel, defines it as a channel that is neither designed nor intended to transfer information. Cabuk [5] defines it as a communication channel that violates a security policy by using a shared resource in ways for which it was not initially designed. Covert communication happens when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. Cabuk [5] described it as a subclass of information hiding techniques in which the sensitive information is hidden in a medium that is neither designed nor intended to transfer information. [1] emphasizes the threat these channels pose in trusted distributed systems, where they allow the leak of confidential information. Network covert shells are used by attackers to communicate with compromised hosts.
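The definitions above describe channels that place data in protocol entities not intended to carry it. As an added example (not from the paper), the Python code below audits constructed IPv4/TCP headers for such fields from the defender's side. The choice of fields (the IPv4 reserved flag bit, the TCP reserved bits, and the urgent pointer when URG is clear) and the names `audit_headers` and `sample_packet` are assumptions made here, since the paper names no specific fields at this point.

```python
import struct

def audit_headers(pkt: bytes) -> list:
    """Flag must-be-zero or unused IPv4/TCP header fields that carry data."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not a complete IPv4 header"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ["invalid IPv4 header length"]
    findings = []
    flags_frag, = struct.unpack("!H", pkt[6:8])
    if flags_frag & 0x8000:                # first bit of the flags field is reserved
        findings.append("ipv4-reserved-flag")
    # Only the first fragment of a TCP packet carries a TCP header.
    if pkt[9] != 6 or flags_frag & 0x1FFF:
        return findings
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return findings + ["truncated TCP header"]
    if tcp[12] & 0x0F:                     # 4 reserved bits after the data offset (RFC 9293)
        findings.append("tcp-reserved-bits")
    urg_ptr, = struct.unpack("!H", tcp[18:20])
    if urg_ptr and not tcp[13] & 0x20:     # urgent pointer is meaningless unless URG is set
        findings.append("tcp-urgent-pointer-without-urg")
    return findings

def sample_packet(flags_frag=0x4000, tcp_off_rsvd=0x50, tcp_flags=0x18, urg_ptr=0):
    """Constructed IPv4+TCP headers (checksums left zero; not captured traffic)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 2000,
                      tcp_off_rsvd, tcp_flags, 65535, 0, urg_ptr)
    return ip + tcp

if __name__ == "__main__":
    cases = [("clean", sample_packet()),
             ("reserved flag set", sample_packet(flags_frag=0xC000)),
             ("urgent pointer, no URG", sample_packet(urg_ptr=0x4142))]
    for name, pkt in cases:
        print(name, audit_headers(pkt))
```

A finding here is an anomaly worth investigating rather than proof of a covert channel; channels that stay within legitimate field values need statistical or timing-based detection instead.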
Researchers are exploring various possibilities to detect, identify, prevent and mitigate both storage and timing channels. The primary focus of this work is to study and understand network covert channels, their design and detection, and further the challenges.

Lubacz [3] coined the term network steganography, which focuses on embedding information using network protocols and their behavior. The choice of the carrier for embedding and hiding information depends on the popularity, capacity and robustness of the carrier. Network steganography utilizes the control elements of communication protocols and their basic functionalities to transmit secret data over a network in a way that appears as legitimate transmission. In this kind of transmission, both the sender and the receiver need to agree on a mechanism by which the data is sent over the network. Lampson referred to this communication channel, established to transmit or leak information, as a covert channel, as these channels are not intended for communication. Here, covert channel and protocol steganography are used interchangeably to mean the same thing.

Information leaks over covert channels are on the rise for the following reasons: There is no limitation on the amount of data that can be hidden,

International Journal of Computer Science and Information Security (IJCSIS), Vol. 14, No. 6, June 2016 821 https://sites.google.com/site/ijcsis/ ISSN 1947-5500