Re: Covert Channels

From: Frank Knobbe (fknobbeat_private)
Date: Wed Oct 23 2002 - 15:30:11 PDT


On Wed, 2002-10-23 at 17:04, Michal Zalewski wrote:
> [...] would it be possible to, with same
> level of coverage and accuracy, cover newer and newer covert channel
> techniques just like we cover new attack methods? The answer: yes, to a
> point where covert channels are sophisticated enough to mimic valid
> traffic to a level that is simply indistinguishable for a human or machine
> without reading a person's mind. There's no such issue with attack detection
> IDSes, because attacks can be distinguished as valid traffic, but only
> to a degree, whereas covert channels can be *made of* valid traffic,
> simple as that.


uuh... the perfect sentence. I think it's agreed that current IDSs look
for signatures of (invalid) data. As you said, a covert channel is
comprised of valid data. But, doesn't that valid data have some
properties that could characterize it as a possible covert channel?

I think it was Jose who used the example of a rogue broker accessing
websites in a certain order. While valid traffic, shouldn't it be
possible to detect that behavior? Not on first occurrence of course;
such a covert channel detector would have to watch traffic for a while.
And yes, the amount of data captured by the detector (data meaning
certain properties of valid data, such as time of day, length,
repetitive pattern, etc.) would probably be enormously huge. One would
have to gather so much data that it may become infeasible, but not
impossible?

Frank
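The behavioural detection Frank sketches above (watching valid traffic for a while and scoring properties such as visit order and timing regularity) as an added example; this is not code from the thread or from any of its participants. The access log, the site names and the thresholds are constructed for illustration, and the two statistics (n-gram distinctness of the visit order, coefficient of variation of inter-arrival gaps) are one possible choice of "properties of valid data", not the only one.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "<epoch> <client> <site>", time-ordered; 10.0.0.5 cycles three sites every 60 s, 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.5 news.example
1060 10.0.0.5 weather.example
1120 10.0.0.5 sports.example
1180 10.0.0.5 news.example
1240 10.0.0.5 weather.example
1300 10.0.0.5 sports.example
1360 10.0.0.5 news.example
1420 10.0.0.5 weather.example
1480 10.0.0.5 sports.example
1003 10.0.0.9 mail.example
1011 10.0.0.9 news.example
1200 10.0.0.9 shop.example
1207 10.0.0.9 mail.example
1540 10.0.0.9 sports.example
1990 10.0.0.9 weather.example
2106 10.0.0.9 docs.example
"""

def parse_log(text):
    """Group (timestamp, site) events per client; the log is assumed time-ordered."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, client, site = line.split()
        events[client].append((int(ts), site))
    return events

def order_distinct_ratio(sites, n=3):
    """Distinct n-grams / total n-grams of the visit order: near 0 means a repeated cycle."""
    grams = [tuple(sites[i:i + n]) for i in range(len(sites) - n + 1)]
    return len(set(grams)) / len(grams)

def timing_cv(timestamps):
    """Coefficient of variation of inter-arrival gaps: near 0 means clock-like timing."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return pstdev(gaps) / mean(gaps)

def score_clients(text, n=3, min_events=7, max_ratio=0.5, max_cv=0.2):
    """Return {client: (distinct_ratio, timing_cv, flagged)}; short histories are skipped."""
    result = {}
    for client, seq in parse_log(text).items():
        if len(seq) < min_events:
            continue  # as the thread says, the detector must watch for a while first
        ts, sites = zip(*seq)
        ratio, cv = order_distinct_ratio(list(sites), n), timing_cv(list(ts))
        result[client] = (ratio, cv, ratio <= max_ratio and cv <= max_cv)
    return result
```

With the constructed log, 10.0.0.5 is flagged (distinct ratio 3/7, timing CV 0.0) and 10.0.0.9 is not (ratio 1.0, CV well above 0.2); the thresholds are assumptions that would need tuning against real baselines, and, as the thread notes, sophisticated channels can deliberately randomise order and timing to stay below them.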
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 15:51:46 PDT