Thesis Abstracts 2003
Research and Graduate Studies Electrical and Computer Engineering
Detecting Covert Tunnels Within the Hypertext Transfer Protocol
By: Capt Ken Bendelier
Supervisor: Dr. G.S. Knight
Abstract
Over the last decade, governments, educational institutions, businesses and home users have become increasingly reliant on the services provided by the Internet. Originally conceived to provide reliable and redundant data communications for the United States military, the Internet has expanded well beyond its initially envisioned purpose. Once popular for e-mail and file transfers, the Internet has become a key tool in information sharing, collaboration, commerce, recreation and communications.
A key factor in the explosive growth of the Internet has been the realization of the World Wide Web (WWW). By providing an easy-to-use and consistent graphical user interface, the WWW has taken the Internet from a complex and difficult-to-use set of applications and protocols and made it possible for novice and non-technical users to experience the wealth of information available online. The key protocol underlying the WWW, the Hypertext Transfer Protocol (HTTP), ensures that WWW users can share any type of information, with anyone, anywhere, at any time in an efficient and reliable manner.
As a result of the wealth of information available via the WWW, businesses and other institutions have provided employees with access to the WWW from internal networks. In addition, external users may be granted access to an organization’s internal WWW servers to benefit from informational, e-commerce or communication services provided by the organization via the WWW.
One drawback to the provision of these services is the inherent vulnerability associated with connecting to the Internet. Private networks, previously enjoying the safety provided by isolation, have become increasingly vulnerable to the threats to data availability, integrity and confidentiality as these networks are increasingly connected to the Internet. Recent news headlines provide many examples of corporations and government institutions falling victim to malicious use.
To provide a measure of security for these Internet connected systems, a number of tools have been developed. Key among these are the firewall and the intrusion detection system (IDS). Designed to block or warn of unwanted network traffic, when properly configured, these systems can reduce the risk posed by external threats.
However, to allow users to enjoy the benefits of the Internet, some network traffic must be allowed to pass through these security systems. This exposes internal systems to external threats. A key threat is that posed by covert tunnels, whereby malicious traffic is passed through security systems by misusing protocols that are normally permitted to pass the firewall.
The focus of this thesis is the detection of covert tunnels which utilize HTTP. Given the volume of and variance in the data passed using HTTP, and given that many firewalls are configured to allow HTTP to pass, this protocol is an attractive channel in which to hide a covert channel.
Work in this thesis starts with the capture and analysis of real-time HTTP traffic, with the aim of finding trends and characteristics of this “normal” traffic. Subsequently, the same analysis is performed on traffic generated by a number of freely available HTTP tunnel implementations. Features, trends and characteristics that may differentiate tunnel and normal HTTP traffic are examined. Using statistical methods, the technique is able to discriminate between the legitimate and malicious use of HTTP.
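The approach described above, as an added illustration that is not the thesis's own code: per-flow features are extracted from HTTP requests, a baseline of their mean and spread is built from known-normal traffic, and a flow is scored by how many standard deviations its features sit from that baseline. The choice of features (POST ratio, body-size and timing regularity, path entropy, path diversity), the z-score scoring and the sample traffic are all assumptions made for this example, not results from the thesis.

```python
import math
from statistics import mean, pstdev

def shannon_entropy(s):
    """Bits per character of s; random-looking paths or payloads score high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def flow_features(requests):
    """requests: list of (timestamp_s, method, path, body_bytes) for one client/server pair."""
    bodies = [r[3] for r in requests]
    gaps = [b[0] - a[0] for a, b in zip(requests, requests[1:])] or [0.0]
    cv = lambda xs: pstdev(xs) / mean(xs) if mean(xs) else 0.0  # coefficient of variation
    return {
        "post_ratio": sum(r[1] == "POST" for r in requests) / len(requests),
        "body_mean": mean(bodies),
        "body_cv": cv(bodies),          # tunnels tend to send fixed-size chunks...
        "gap_cv": cv(gaps),             # ...at regular polling intervals
        "path_entropy": mean([shannon_entropy(r[2]) for r in requests]),
        "distinct_paths": len({r[2] for r in requests}) / len(requests),
    }

def build_baseline(normal_flows):
    """Per-feature mean and standard deviation over known-normal flows."""
    rows = [flow_features(f) for f in normal_flows]
    baseline = {}
    for k in rows[0]:
        col = [r[k] for r in rows]
        baseline[k] = (mean(col), pstdev(col) or 1.0)  # guard against zero spread
    return baseline

def anomaly_score(flow, baseline):
    """Mean absolute z-score of the flow's features against the baseline."""
    f = flow_features(flow)
    return mean([abs(f[k] - m) / s for k, (m, s) in baseline.items()])

def is_suspect(flow, baseline, threshold=3.0):
    """Assumed decision rule: flag a flow whose mean |z| exceeds the threshold."""
    return anomaly_score(flow, baseline) > threshold

# Constructed sample traffic (not captured data): three browsing sessions and one flow
# shaped like an HTTP tunnel (fixed-size POSTs to a single path every 2 seconds).
NORMAL_FLOWS = [
    [(0.0, "GET", "/index.html", 0), (1.7, "GET", "/css/site.css", 0), (2.1, "GET", "/img/logo.png", 0),
     (9.4, "GET", "/news/today", 0), (30.2, "POST", "/login", 41)],
    [(0.0, "GET", "/", 0), (0.4, "GET", "/js/app.js", 0), (5.9, "GET", "/search?q=firewall", 0),
     (12.3, "GET", "/docs/ids.html", 0)],
    [(0.0, "GET", "/shop", 0), (3.3, "GET", "/shop/item/17", 0), (25.0, "POST", "/cart/add", 58),
     (26.1, "GET", "/cart", 0), (40.7, "POST", "/checkout", 230)],
]
TUNNEL_FLOW = [(i * 2.0, "POST", "/cgi-bin/relay", 1024) for i in range(6)]
BASELINE = build_baseline(NORMAL_FLOWS)
```

With only three baseline flows no normal flow can exceed a mean |z| of about 1.4, while the tunnel-shaped flow scores well above 3 because of its constant body size, regular timing and POST-only profile; a production baseline would be built from a much larger capture.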
