© 2019 IJRAR May 2019, Volume 6, Issue 2 www.ijrar.org (E-ISSN 2348-1269, P-ISSN 2349-5138) IJRAR19K1370 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 513

AN OFFLINE AND EFFICIENT STORAGE COVERT CHANNEL DETECTION MECHANISM

Vibhor Kumar Vishnoi, Assistant Professor
Department of Computer Science & Engineering, Roorkee College of Engineering, Roorkee, India

Abstract: A covert channel is a communication path used to transfer data illicitly, thereby violating the security policy of a system. A network covert channel is covert communication achieved by hiding covert messages inside overt network packets. Any shared resource can potentially be used as a covert channel. In recent years, with the development of various hiding methods, network covert channels have become a new kind of threat to network security. A covert channel is an unintended design within legitimate communication whose purpose is to leak information as part of rudimentary protocols. In fact, most detection systems can detect hidden data in the payload, but struggle to cope with data hidden in the IP and TCP packet headers. The vast number of protocols on the Internet seems ideal as a high-bandwidth vehicle for covert communication. Because covert channel applications are unwanted and malicious in nature and pose a serious security threat to the network, it is recommended that covert channels be detected efficiently. This paper presents a review of TCP/IP covert channel designs and their detection schemes, and proposes a method based on a Naïve-Bayesian classifier to detect covert channels in the TCP ISN and IP ID fields of TCP/IP packets.

Index Terms - TCP/IP covert channel, storage channel, timing channel, TCP, IP, network security.

I. INTRODUCTION

Since Lampson proposed the concept of the covert channel in 1973, covert channels have been treated as an important issue in the field of information security [1].
According to Lampson, “a communication channel is covert if it is neither designed nor intended to transfer information at all”. Later work defines a covert channel as “a communication channel that allows a process to transfer information in a manner that violates the system’s security policy” [2]. This definition is now more commonly accepted. Initially, covert channels were identified as a security threat on monolithic systems, i.e. mainframes, but recently the focus has shifted towards covert channels in computer network protocols.

A common analogy employed for discussing the dynamics of covert communication is the “prisoner’s problem” [3]. It involves two prisoners, called here for simplicity Alice and Bob, who need to communicate with each other in order to devise an escape plan. It also involves a warden, Wendy, who oversees all inter-prisoner communications and can monitor them in one of two ways:

(1) She can examine all messages and let them pass or deny them based on what she sees. This is a passive approach.

(2) She can modify each message slightly so that it is not precisely what was sent, without changing its meaning. By modifying the message it is assumed that she might frustrate any attempt to embed a secret message in the communication. This is an active approach.

Ideally, the prisoners find a way to communicate that does not raise the warden's suspicion. The warden, in turn, must accept that there is a risk that some covert communication may be attempted, and form a hypothesis of how it might function.

A covert channel differs from cryptography in that its main aim is to hide the existence of the transmission, whereas cryptography does not hide the existence of the message but transforms it into a form that is readable only by the intended receiver. In cryptography, there is no intention to hide the communication itself. Covert channels in computer network protocols and steganography are closely related but often confused.
Steganography involves hiding information in audio, visual, or textual content. While steganography requires some form of content as a cover, a covert channel requires some network protocol as a carrier. As network covert channels are communication channels that were neither designed nor intended to exist, the communication streams must be embedded inside authorized channels. They may be based on existing protocols from the lower OSI layers (e.g. IP, TCP, UDP) to the higher OSI layers (e.g. HTTP, SMTP). The general idea of covert channels relies on the observation that information can be transferred in redundant or unused fields of network protocols. The reliability, speed, and robustness of communication protocols allow such channels to be implemented over networks.

Since network security analysts first started thinking about covert channel communication, two terms have been introduced: storage and timing covert channels. In a storage covert channel, one process directly or indirectly writes to a particular storage location while another process reads from that location. A number of tools employ the TCP, IP, ICMP, and HTTP protocols to establish storage covert channels; in these protocols, unused fields are used to transmit the information. In a way, steganography can be seen as a form of storage covert channel. A timing covert channel involves modifying the timing characteristics of a transmission to hide information; specifically, this can be done by modulating inter-packet delays.

In this paper, we focus on detecting covert channels that use the TCP ISN and IP ID fields. The remainder of this paper is organized as follows. Sec. 2 surveys various ways of embedding covert information in the TCP/IP protocols. Sec. 3 presents some covert channel detection mechanisms. Sec. 4 and Sec. 5 present the problem statement and the proposed solution, respectively. Sec. 6 concludes the paper.

II. STORAGE COVERT CHANNEL IN TCP/IP PROTOCOLS

In the following subsections, a non-exhaustive summary is given of known techniques for establishing covert channels over the TCP/IP protocols. We give an estimate of the theoretical efficiency of each mechanism and provide empirical observations for some of them.
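The abstract proposes a Naïve-Bayesian classifier over the TCP ISN and IP ID header fields, and the introduction describes storage channels that write into such fields. The following is an added example of the defender's side of that idea, not the paper's own code: a small Gaussian Naive Bayes classifier, written from scratch, that scores a window of consecutive IP ID values by how far they depart from the counter-like behaviour of a conventional stack. The window size, the three feature definitions, the variance floor and the two constructed training populations (counter-like windows versus windows with no sequential structure) are all assumptions made for this illustration; no real capture is used.

```python
"""Gaussian Naive Bayes detector over windows of IP ID header values.

Added example, not the paper's implementation. The feature set, the window
size and the constructed sample windows below are assumptions made for this
illustration, not values taken from the paper.
"""
import math
import random
from collections import Counter

FIELD_BITS = 16            # the IP Identification field is 16 bits wide
MODULUS = 1 << FIELD_BITS
WINDOW = 32                # consecutive packets per observation (assumed)
SMALL_STEP = 8             # forward deltas of 1..8 count as "counter-like"
VAR_FLOOR = 1e-4           # variance smoothing so constant features stay finite


def entropy_bits(symbols):
    """Shannon entropy (in bits) of a list of discrete symbols."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(values, modulus=MODULUS):
    """Three features for one window of field values, in arrival order:
    1. fraction of forward deltas that look like a counter (1..SMALL_STEP),
    2. mean forward delta normalised to [0, 1),
    3. entropy of the field's most significant byte."""
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    seq_ratio = sum(1 for d in deltas if 1 <= d <= SMALL_STEP) / len(deltas)
    mean_delta = sum(deltas) / len(deltas) / modulus
    top_shift = modulus.bit_length() - 9          # 8 for a 16-bit field
    top_entropy = entropy_bits([(v >> top_shift) & 0xFF for v in values])
    return [seq_ratio, mean_delta, top_entropy]


class GaussianNB:
    """Minimal Gaussian Naive Bayes: per-class prior, mean and variance."""

    def __init__(self):
        self.params = {}   # label -> (prior, means, variances)

    def fit(self, samples):
        """samples: list of (feature_vector, label) pairs."""
        by_label = {}
        for x, y in samples:
            by_label.setdefault(y, []).append(x)
        total = len(samples)
        for label, rows in by_label.items():
            n, dim = len(rows), len(rows[0])
            means = [sum(r[i] for r in rows) / n for i in range(dim)]
            variances = [max(sum((r[i] - means[i]) ** 2 for r in rows) / n,
                             VAR_FLOOR) for i in range(dim)]
            self.params[label] = (n / total, means, variances)
        return self

    def log_posteriors(self, x):
        out = {}
        for label, (prior, means, variances) in self.params.items():
            ll = math.log(prior)
            for xi, mu, var in zip(x, means, variances):
                ll += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
            out[label] = ll
        return out

    def predict(self, x):
        scores = self.log_posteriors(x)
        return max(scores, key=scores.get)


def counter_window(rng, size=WINDOW):
    """Constructed: a stack assigning IP IDs from a global counter, with
    small gaps where other flows consumed identifiers in between."""
    ident = rng.randrange(MODULUS)
    out = []
    for _ in range(size):
        out.append(ident)
        ident = (ident + rng.randint(1, 4)) % MODULUS
    return out


def unstructured_window(rng, size=WINDOW):
    """Constructed: values with no sequential structure, which is what a
    storage channel overwriting the field would tend to leave behind."""
    return [rng.randrange(MODULUS) for _ in range(size)]


def build_detector(seed=7, per_class=40):
    """Train on constructed windows of both kinds (seeded for repeatability)."""
    rng = random.Random(seed)
    samples = [(extract_features(counter_window(rng)), "benign")
               for _ in range(per_class)]
    samples += [(extract_features(unstructured_window(rng)), "suspect")
                for _ in range(per_class)]
    return GaussianNB().fit(samples)


DETECTOR = build_detector()


def classify(values):
    """Label one window of IP ID values as 'benign' or 'suspect'."""
    return DETECTOR.predict(extract_features(values))


def evaluate(seed=99, trials=20):
    """Held-out check: (benign windows labelled benign, suspect windows labelled suspect)."""
    rng = random.Random(seed)
    ok_benign = sum(classify(counter_window(rng)) == "benign" for _ in range(trials))
    ok_suspect = sum(classify(unstructured_window(rng)) == "suspect" for _ in range(trials))
    return ok_benign, ok_suspect


if __name__ == "__main__":
    print("held-out accuracy (benign, suspect):", evaluate())
```

Two caveats a practitioner would want. First, these features encode an assumption that benign IP IDs behave like a counter; a stack that randomises the field, or zeroes it on packets with DF set, will fall into the "suspect" class, so the benign population must be trained per host or per operating system family rather than globally. Second, the same features say nothing about the TCP ISN, which is randomised by design (RFC 6528), so a classifier for ISN-based channels needs features other than sequentiality.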