Protocol Proxy: An FTE-based Covert Channel
This addresses the need for undetectable communication in hostile network environments, offering an alternative to existing covert channels with incremental improvements in stealth.
The paper tackles the problem of covert communication in hostile networks by developing a format transforming encryption (FTE)-based covert channel that tunnels TCP traffic through protected static UDP protocols, resulting in a very low probability of detection and guaranteed delivery.
In a hostile network environment, users must communicate without being detected. This involves blending in with the existing traffic. In some cases, a higher degree of secrecy is required. We present a proof-of-concept format transforming encryption (FTE)-based covert channel for tunneling TCP traffic through protected static protocols. Protected static protocols are UDP-based protocols with variable fields that cannot be blocked without collateral damage, such as power grid failures. We (1) convert TCP traffic to UDP traffic, (2) introduce observation-based FTE, and (3) model interpacket timing with a deterministic Hidden Markov Model (HMM). The resulting Protocol Proxy has a very low probability of detection and is an alternative to current covert channels. We tunnel a TCP session through a UDP protocol and guarantee delivery. Observation-based FTE ensures traffic cannot be detected by traditional rule-based analysis or DPI. A deterministic HMM ensures the Protocol Proxy accurately models interpacket timing to avoid detection by side-channel analysis. Finally, the choice of a protected static protocol foils stateful protocol analysis and causes collateral damage with false positives.