Xingsi Zhong

Jonathan Oakley, Lu Yu, Xingsi Zhong et al.

In a hostile network environment, users must communicate without being detected. This involves blending in with the existing traffic. In some cases, a higher degree of secrecy is required. We present a proof-of-concept format transforming encryption (FTE)-based covert channel for tunneling TCP traffic through protected static protocols. Protected static protocols are UDP-based protocols with variable fields that cannot be blocked without collateral damage, such as power grid failures. We (1) convert TCP traffic to UDP traffic, (2) introduce observation-based FTE, and (3) model interpacket timing with a deterministic Hidden Markov Model (HMM). The resulting Protocol Proxy has a very low probability of detection and is an alternative to current covert channels. We tunnel a TCP session through a UDP protocol and guarantee delivery. Observation-based FTE ensures traffic cannot be detected by traditional rule-based analysis or DPI. A deterministic HMM ensures the Protocol Proxy accurately models interpacket timing to avoid detection by side-channel analysis. Finally, the choice of a protected static protocol foils stateful protocol analysis and causes collateral damage with false positives.

Richard R. Brooks, Lu Yu, Yu Fu et al.

Many systems are partially stochastic in nature. We have derived data driven approaches for extracting stochastic state machines (Markov models) directly from observed data. This chapter provides an overview of our approach with numerous practical applications. We have used this approach for inferring shipping patterns, exploiting computer system side-channel information, and detecting botnet activities. For contrast, we include a related data-driven statistical inferencing approach that detects and localizes radiation sources.

Yu Fu, Zhe Jia, Lu Yu et al.

Both enterprise and national firewalls filter network connections. For data forensics and botnet removal applications, it is important to establish the information source. In this paper, we describe a data transport layer which allows a client to transfer encrypted data that provides no discernible information regarding the data source. We use a domain generation algorithm (DGA) to encode AES encrypted data into domain names that current tools are unable to reliably differentiate from valid domain names. The domain names are registered using (free) dynamic DNS services. The data transmission format is not vulnerable to Deep Packet Inspection (DPI).

Xingsi Zhong, Yu Fu, Lu Yu et al.

Malware is constantly evolving. Although existing countermeasures have success in malware detection, corresponding counter-countermeasures are always emerging. In this study, a counter-countermeasure that avoids network-based detection approaches by camouflaging malicious traffic as an innocuous protocol is presented. The approach includes two steps: Traffic format transformation and side-channel massage (SCM). Format transforming encryption (FTE) translates protocol syntax to mimic another innocuous protocol while SCM obscures traffic side-channels. The proposed approach is illustrated by transforming Zeus botnet (Zbot) Command and Control (C&C) traffic into smart grid Phasor Measurement Unit (PMU) data. The experimental results show that the transformed traffic is identified by Wireshark as synchrophasor protocol, and the transformed protocol fools current side-channel attacks. Moreover, it is shown that a real smart grid Phasor Data Concentrator (PDC) accepts the false PMU data.