Patent Grant
11861025
Exemplary embodiments relate generally to a system and method for receiving and processing packets of data over a TCP/IP network.
Two of the most important communication protocols used on the Internet and other similar networks are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). Together, the TCP and IP protocols form core protocols of the larger Internet protocol suite used on packet-switched networks. That protocol suite is commonly referred to as the TCP/IP protocol because of the widespread adoption and implementation of the TCP and IP protocols.
The TCP/IP protocol was developed for the United States Advanced Research Projects Agency (ARPA). The TCP/IP protocol is a set of rules that enable different types of network-enabled or networked devices to communicate with each other. Those network devices communicate by using the TCP/IP standard, or format, to transfer or share data. TCP/IP rules are established and maintained by the Internet Engineering Task Force (IETF). The IETF is an international community of network designers, operators, vendors, and researchers concerned with the Internet's architecture and operation. The IETF's mission is to produce technical and engineering documents that influence the way people design, use and manage the Internet with the goal of improving its operations and efficiencies. These documents include protocol standards, best current practices and information updates of various kinds, and are commonly referred to as Request for Comments (RFC).
TCP can be used to establish a bi-directional connection between two clients wherein activity begins with a request for information made by one client to another client. A “client” is any program or application that initiates requests for, or sends information from, one remote location to another. As used herein, the term “client” may refer to such applications including, but not limited to, web browsers, web servers, file transfer protocol (FTP) programs, electronic mail programs, line printer (LPR) programs also known as print emulators, mobile phone apps, telnet programs also known as terminal emulators, and the like, all of which may operate conceptually in an application layer.
TCP software accepts requests and data streams directly from clients and other daemons, sequentially numbering the bytes, or octets, in the stream during the time the connection is active. When required, the TCP software breaks the data stream into smaller pieces called segments (sometimes referred to as datagrams or packets generally) for transmission to a requesting client. The protocol calls for the use of checksums, sequence numbers, timestamps, time-out counters and retransmission algorithms to ensure reliable data transmission. [RFC 793, 1981]
The IP layer actually performs the communication function between two networked hosts. The IP software receives data segments from the TCP layer, ensures that the segment is sized properly to meet the requirements of the transmission path and physical adapters (such as Ethernets and CTCs). IP changes the segment size if necessary by breaking it down into smaller IP datagrams, and transmits the data to the physical network interface or layer of the host. [RFC 791, 1981]
The software that manages handling the TCP/IP RFCs may be referred to as a TCP/IP protocol stack. It may be referred to as a stack because the different protocols are often layered into this type of organization. A TCP/IP stack may have the following layers: 1) Link drivers, 2) ARP, 3) IP, 4) TCP, 5) SSL/TLS, and 6) Applications. Inbound data may transfer from layer 1 to layer 6 in turn and outbound data may take the reverse direction going from layer 6 to 1.
Depending on the implementation, these different layers can operate under the same process, or can function independently. Within the IP layer, there are several separate operational functions: 1) address resolution, 2) routing, 3) fragmentation, and 4) protocol isolation. Again, inbound data may use these functions from 1 to 4 in secession and outbound data may go in reverse order from 4 to 1.
A frame of inbound data may work its way through the stack. The inbound data may be broken down until the final payload that is destined for an application is exposed. Once the application completes operating upon the information, the response may once again be passed to the stack. On the outbound operation, additional tags and headers may be constructed that will be required to deliver the information back to its origin.
The highly defined, structured, and open nature of TCP/IP protocol stacks does not lend itself to preventing actions intended to be performed covertly (hereinafter also “covert actions”) from being readily observed. Once it has been established that a payload of data which the user desire to remain covert (hereinafter also a “covert payload”) can arrive at a host destination, it would be advantageous to establish how such a covert payload may be processed without being readily observed.
The present invention is directed to a system and method for accepting and processing a covert payload that avoids ready detection and observation by the receiving host. The information containing the covert payload may be intercepted within a lower level of the processing stack. A process of execution may be performed which bypasses the section of stack processing that normally opens the communication to ready observation. In this way, a covert action may be inserted into the host system without ready detection.
Further features and advantages of the systems and methods disclosed herein, as well as the structure and operation of various aspects of the present disclosure, are described in detail below with reference to the accompanying figures.
Novel features and advantages of the present invention, in addition to those mentioned above, will become apparent to those skilled in the art from a reading of the following detailed description in conjunction with the accompanying drawings wherein identical reference characters refer to identical parts and in which:
Various embodiments of the present invention will now be described in detail with reference to the accompanying drawings. In the following description, specific details such as detailed configuration and components are merely provided to assist the overall understanding of these embodiments of the present invention. Therefore, it should be apparent to those skilled in the art that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present invention. In addition, descriptions of well-known functions and constructions are omitted for clarity and conciseness.
Embodiments of the invention are described herein with reference to illustrations of idealized embodiments (and intermediate structures) of the invention. As such, variations from the shapes of the illustrations as a result, for example, of manufacturing techniques and/or tolerances, are to be expected. Thus, embodiments of the invention should not be construed as limited to the particular shapes of regions illustrated herein but are to include deviations in shapes that result, for example, from manufacturing.
Data Flow
An incoming payload or portion of an IP datagram that contains covert data 310 may arrive through an electrical interface and pass to the IP layer 210 for processing. This covert data 310 may enter the IP layer 210 and appear the same as other network traffic 312.
Covert insertion of information into a remote system may require the active operation of a robust implementation of a TCP/IP protocol stack 110. This implementation may be one where the source is tightly controlled, either through proprietary means, or by careful and undisclosed modifications to open source availability.
All data flow in and out of the TCP/IP stack 110 must conform correctly to all known standards of operation in order to allow such data flow to pass therethrough successfully. By providing consistent operation, the containment of covert data 310 may be masked by normal operations. Inbound and outbound data is first and foremost properly structured IP datagrams, or low-level address resolution in nature. These datagrams may contain higher level requirements and may match and conform to layers such as TCP or UPD, for example without limitation.
Any arriving covert payload 310 must be contained within the normal dataflow 312 of the TCP/IP stack 110. Covert data 310 that does not conform to recognized protocols will normally be isolated and exposed. While there are numerous methods that may be used for transmission, the covert payload 310 that appears part of normal data flow 312 will be unnoticed and unobtrusive. It is possible to contain covert information 310 directly within a standard transmission 312 destined for an application, however that application and data transmission will be recorded and observable to monitoring systems and facilities. Therefore, the transmissions of covert data 310 must be contained within standard data traffic 312, and yet be extracted and processed via unexpected portions of the IP layer 210 protocols that exist below the TCP layers protocols.
Covert Interception
As illustrated in
Regardless, by intercepting the covert data 310 at this level of processing, the covert interception 314 mechanism can isolate, extract, and perform a covert processing 316 routine on the extracted covert data 310. The cover data 310 may be further treated as nonsense for the rest of normal operation and processing through the TCP/IP protocol stack 110. TCP/IP protocol stacks 110 are typically designed to deal with the potential of erroneous data produced by normal IP network traffic 312, and these failed pieces of information are normally be discarded without further notation or observation. Therefore, the covert interception process 314, which may be inserted between normal operations and the discard mechanism, may be used to read what otherwise appears to be nonsense, but which actually contains the covert payload 310.
Covert Processing
Once a covert payload 310 has been intercepted 314 within the IP layer 210 of a TCP/IP protocol stack 110, the covert payload 310 may be passed to a covert processing routine 316 for processing. Such covert processing 316 may comprise, for example without limitation, decoding of the covert data 310, which may be encrypted. While it is possible to spawn a process to handle this operation, the existence of an observable process may expose the existence of the covert interception 314 routine. Therefore, any processing 316 of covert data 310 may occur as an extension of the interception 314 routine, which may be an extension of, or inserted between, normal routines in the IP layer 210. In this way, existence of the covert processing 316 routine is further obfuscated. As this process may extend the IP layer 210, it is possible that a wide range of operations within the operating system may occur.
Any embodiment of the present invention may include any of the optional or preferred features of the other embodiments of the present invention. The exemplary embodiments herein disclosed are not intended to be exhaustive or to unnecessarily limit the scope of the invention. The exemplary embodiments were chosen and described in order to explain some of the principles of the present invention so that others skilled in the art may practice the invention. Having shown and described exemplary embodiments of the present invention, those skilled in the art will realize that many variations and modifications may be made to the described invention. Many of those variations and modifications will provide the same result and fall within the spirit of the claimed invention. It is the intention, therefore, to limit the invention only as indicated by the scope of the claims.
This application claims the benefit of U.S. Provisional Application Ser. No. 62/614,549 filed Jan. 8, 2018, the disclosures of which are hereby incorporated by reference as if fully restated herein.
| Number | Name | Date | Kind |
|---|---|---|---|
| 3688090 | Rankin | Aug 1972 | A |
| 6023724 | Bhatia et al. | Feb 2000 | A |
| 6567416 | Chuah | May 2003 | B1 |
| 6714985 | Malagrino et al. | Mar 2004 | B1 |
| 6757248 | Li et al. | Jun 2004 | B1 |
| 7103025 | Choksi | Sep 2006 | B1 |
| 7215684 | Rosen et al. | May 2007 | B1 |
| 8090866 | Bashyam et al. | Jan 2012 | B1 |
| 8131281 | Hildner et al. | Mar 2012 | B1 |
| 8374091 | Chiang | Feb 2013 | B2 |
| 8397151 | Salgado et al. | Mar 2013 | B2 |
| 8730966 | Awano | May 2014 | B2 |
| 9203755 | Wong et al. | Dec 2015 | B1 |
| 9350663 | Rankin | May 2016 | B2 |
| 9386028 | Altman | Jul 2016 | B2 |
| 9626522 | Flowers, Jr. | Apr 2017 | B1 |
| 11032257 | Rankin | Jun 2021 | B1 |
| 20010017844 | Mangin | Aug 2001 | A1 |
| 20010019614 | Madoukh | Sep 2001 | A1 |
| 20020041592 | Van Der Zee et al. | Apr 2002 | A1 |
| 20020054570 | Takeda | May 2002 | A1 |
| 20020071436 | Border et al. | Jun 2002 | A1 |
| 20020114341 | Sutherland et al. | Aug 2002 | A1 |
| 20020164024 | Arakawa et al. | Nov 2002 | A1 |
| 20030031198 | Currivan et al. | Feb 2003 | A1 |
| 20030048793 | Pochon | Mar 2003 | A1 |
| 20030056009 | Mizrachi et al. | Mar 2003 | A1 |
| 20030108063 | Joseph | Jun 2003 | A1 |
| 20030115364 | Shu et al. | Jun 2003 | A1 |
| 20040210763 | Jonas | Oct 2004 | A1 |
| 20050058129 | Jones et al. | Mar 2005 | A1 |
| 20050060538 | Beverly | Mar 2005 | A1 |
| 20050105506 | Birdwell et al. | May 2005 | A1 |
| 20050286517 | Babbar et al. | Dec 2005 | A1 |
| 20060002681 | Spilo et al. | Jan 2006 | A1 |
| 20060034317 | Hong et al. | Feb 2006 | A1 |
| 20060133364 | Venkatsubra | Jun 2006 | A1 |
| 20060259587 | Ackerman et al. | Nov 2006 | A1 |
| 20070025388 | Abhishek et al. | Feb 2007 | A1 |
| 20070028121 | Hsieh | Feb 2007 | A1 |
| 20070223395 | Lee et al. | Sep 2007 | A1 |
| 20080082661 | Huber | Apr 2008 | A1 |
| 20080104313 | Chu | May 2008 | A1 |
| 20090046717 | Li | Feb 2009 | A1 |
| 20090110003 | Julien et al. | Apr 2009 | A1 |
| 20100103830 | Salgado et al. | Apr 2010 | A1 |
| 20100281257 | Yamazaki et al. | Nov 2010 | A1 |
| 20110072234 | Chinya et al. | Mar 2011 | A1 |
| 20110149891 | Ramakrishna | Jun 2011 | A1 |
| 20110231564 | Korsunky et al. | Sep 2011 | A1 |
| 20120117376 | Fink et al. | May 2012 | A1 |
| 20120243539 | Keesara | Sep 2012 | A1 |
| 20120289250 | Fix et al. | Nov 2012 | A1 |
| 20120300648 | Yang | Nov 2012 | A1 |
| 20120307678 | Gerber et al. | Dec 2012 | A1 |
| 20130028121 | Rajapakse | Jan 2013 | A1 |
| 20130058231 | Paddon et al. | Mar 2013 | A1 |
| 20130091102 | Nayak | Apr 2013 | A1 |
| 20130185445 | Larkin | Jul 2013 | A1 |
| 20130343377 | Stroud et al. | Dec 2013 | A1 |
| 20140025806 | Robitaille et al. | Jan 2014 | A1 |
| 20140100014 | Bennett, III et al. | Apr 2014 | A1 |
| 20140169692 | Lin | Jun 2014 | A1 |
| 20140173085 | Gupta | Jun 2014 | A1 |
| 20140254598 | Jha et al. | Sep 2014 | A1 |
| 20140280669 | Harper, III et al. | Sep 2014 | A1 |
| 20140294019 | Quan et al. | Oct 2014 | A1 |
| 20150100613 | Osiecki et al. | Apr 2015 | A1 |
| 20150229714 | Venkatsubra | Aug 2015 | A1 |
| 20150264083 | Prenger et al. | Sep 2015 | A1 |
| 20160219024 | Verzun | Jul 2016 | A1 |
| 20160269294 | Rankin | Sep 2016 | A1 |
| 20160366160 | Kapoor et al. | Dec 2016 | A1 |
| 20170012951 | Mennes | Jan 2017 | A1 |
| 20170041296 | Ford et al. | Feb 2017 | A1 |
| 20170090872 | Mathew et al. | Mar 2017 | A1 |
| 20170351575 | Baker et al. | Dec 2017 | A1 |
| 20180018147 | Sugawara | Jan 2018 | A1 |
| 20180102975 | Rankin | Apr 2018 | A1 |
| 20210344687 | Rankin | Nov 2021 | A1 |
| Number | Date | Country |
|---|---|---|
| 103841118 | Jun 2014 | CN |
| Entry |
|---|
| Thyer, J., Covert Data Storae Channel Using IP Packet Headers, SANS Institute, Information Security Reading Room, Jan. 30, 2008. |
| Mistree, B., PingFS, https://bmistree.com/pingfs/, pp. 1-27, Dec. 5, 2019. |
| Brown, J. et al., ARP Coaching Poisoning and Routing Loops in ad Hoc Networks, Mobile Networks and Applications, pp. 1306-1317, 2018. |
| Hansen, R. et al., Covert6: A Tool to Corroborate the Existence of IPv6 Covert Channels, Annual ADFSL Conference on Digital Forensics, Security Law, 2016. |
| Mileva, A. et al., Covert Channels in TCP/IP Protocol Stack—extended version—, Central European Journal of Computer Science, 2000. |
| York, D., Flooding Attack, Science Direct, 2021. |
| Rabah, K., Steganography—The Art of Hiding Data, Information Technology Journal, 2004, pp. 245-269. |
| Arkin, O., ICMP Usage in Scanning, The Complete Know-How, Jun. 2001. |
| Information Sciences Institute, University of Southern California, RFC 791, Internet Protocol, DARPA Internet Program Protocol Specification, Sep. 1981. |
| Postel, J., RFC 792, Internet Control Message Protocol, DARPA Internet Program Protocol Specification, Sep. 1981. |
| Information Sciences Institute, University of Southern California, RFC 793, Transmission Control Protocol, DARPA Internet Program Protocol Specification, Sep. 1981. |
| McCann, J. et al., RFC 1981, Path MTU Discovery for IP version 6, Aug. 1996. |
| Mathis, M. et al., TCP Selective Acknowledgment Options, Oct. 1996. |
| Montenegro, G. et al., RFC 4944, Transmission of IPV6 Packets over IEEE 802.15.4 Networks, Sep. 2007. |
| Paxson et al., RFC 2330, Framework for IP Performance Metrics, May 1998. |
| Thubert, P. et al., LLN Fragment Forwarding and Recovery draft-thubert-6lo-forwarding-fragments-02, Nov. 25, 2014. |
| Li, T. et al., A New MAC Scheme for Very High-Speed WLANs, Proceedings of the 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks, 2006. |
| Mileva, Aleksandra, Covert Channels in TCP/IP Protocol Stack—extended version—, Central European Journal of Computer Science, Accepted May 9, 2014, 22 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 62614549 | Jan 2018 | US |
