A Pattern-based Survey and Categorization of Network Covert Channel Techniques

TL;DR

This paper provides a comprehensive survey of network covert channel techniques, reducing them to 11 core patterns, and introduces a pattern-based framework for analysis, optimization, and countermeasure development.

Contribution

It introduces a hierarchical pattern catalog for covert channels, enabling systematic analysis, adaptation, and the development of generalized countermeasures.

Findings

69.7% of techniques fall into four main patterns

Most techniques are variations of a few core patterns

Pattern-based approaches facilitate countermeasure development

Abstract

Network covert channels are used to hide communication inside network protocols. Within the last decades, various techniques for covert channels arose. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized in only four different patterns, i.e. most of the techniques we surveyed are very similar. We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: While many current countermeasures were developed for specific channels, a pattern-oriented approach allows to apply one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.