Detection of Illegal Information Flow
Alexander Grusho¹, Alexander Kniazev², and Elena Timonina¹

¹ Russian State University for Humanity, 25 Kirovogradskaya, Moscow, Russian Federation
aaotee@mail.infotel.ru, eltimon@yandex.ru

² Russian Academy of Sciences Lebedev Institute of Precise Mechanics and Computer Technology, 51 Leninsky Prospekt, Moscow, Russian Federation
avk@ipmce.ru
Abstract. Several types of statistical covert channels that break the informational system security policy ensuring a reliable information transfer between hostile agents can be detected by a competent warden. We introduce¹ the basic detection technique and analyze the conditions under which the warden with limited resources can perform his task successfully.
1 Introduction
Since [4], many papers dealing with statistical profiles of normal behavior in intrusion detection techniques have been published. Some of the proposed methods can also be used for the analysis of steganography methods or covert channels. We investigate the means to detect covert channels built up by hostile agents within an informational system. We assume that such covert channels will, for secure transmission, exploit a manipulation of the probability distribution parameters of the sent message sequence. We think that the most difficult problem here is to establish the proper correspondence between the reliability of the analysis results and the adequacy of the chosen model of the message sequence probability distribution. In many cases a probabilistic description of an informational system extremely simplifies the system behavior: natural dependencies in message sequences are eliminated by the necessity to calculate probabilities.
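As an added illustration (not code from the paper), the following Python sketch shows the warden's side of the setting described above: a statistical profile of the normal distribution of message types is kept, and each window of observed messages is compared against it with Pearson's chi-square statistic; a window whose empirical distribution deviates beyond the 5% critical value is flagged. The alphabet of message types, the profile, the constructed sample sequence, the window sizes and the critical-value table are all assumptions made for this example. It also illustrates the resource constraint from the abstract: the same shift of the distribution parameters that is detected with windows of 100 messages stays below the threshold with windows of 20.

```python
from collections import Counter
from typing import Dict, List, Sequence

# Upper 5% critical values of the chi-square distribution by degrees of
# freedom (standard table values; assumed sufficient for this toy alphabet).
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488}

# Warden's profile of normal behaviour: assumed probabilities of three
# message types A, B, C (constructed for this example).
PROFILE: Dict[str, float] = {"A": 0.5, "B": 0.3, "C": 0.2}

# Constructed sample sequence: 100 messages matching the profile exactly,
# followed by 100 messages where the share of "A" has been pushed to 0.7
# (a manipulated distribution parameter). Not real traffic.
SAMPLE_SEQUENCE = "AAAAABBBCC" * 10 + "AAAAAAABBC" * 10


def chi_square_stat(counts: Dict[str, int], profile: Dict[str, float]) -> float:
    """Pearson chi-square distance between an observed window and the profile."""
    unknown = set(counts) - set(profile)
    if unknown:
        # A symbol the profile gives probability 0 is itself a deviation;
        # refuse rather than divide by a zero expectation.
        raise ValueError(f"symbols outside the profile: {sorted(unknown)}")
    n = sum(counts.values())
    stat = 0.0
    for symbol, p in profile.items():
        expected = n * p
        observed = counts.get(symbol, 0)
        stat += (observed - expected) ** 2 / expected
    return stat


def window_is_suspicious(counts: Dict[str, int], profile: Dict[str, float],
                         critical: float = None) -> bool:
    """Flag a window whose statistic exceeds the 5% critical value."""
    df = len(profile) - 1
    crit = CHI2_CRIT_05[df] if critical is None else critical
    return chi_square_stat(counts, profile) > crit


def scan(sequence: Sequence[str], profile: Dict[str, float], window: int) -> List[int]:
    """Indexes of the non-overlapping windows of `window` messages that get flagged."""
    flagged = []
    for start in range(0, len(sequence) - window + 1, window):
        counts = Counter(sequence[start:start + window])
        if window_is_suspicious(counts, profile):
            flagged.append(start // window)
    return flagged


if __name__ == "__main__":
    for w in (100, 20):
        print(f"window={w:3d}: flagged windows -> {scan(SAMPLE_SEQUENCE, PROFILE, w)}")
    # window=100 flags the second window; window=20 flags nothing, although
    # every window of the second half carries the same shifted parameter.
```

With a 100-message window the manipulated half gives a statistic of about 16.3 (well above 5.991), while the same proportions in a 20-message window give only about 3.3, so a warden whose memory or time budget limits him to short windows misses the channel entirely; a larger deviation, a larger window, or a test tailored to the specific parameter being manipulated are the levers available on the defender's side.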
The problem of mathematical exposure of data hiding was discussed in [1]. That work also pointed to the existence of the problem of adequate mathematical model choice. In [1] the arguments were presented in terms of Shannon entropies, which presuppose memoryless channels or channels with restricted memory. Using such models is a serious simplification of the real structure of the command flow from one computer to another, for example from the task manager of a GRID to the computer where the problems are solved. The main point of our paper is the study of the data sequence from the task control computer to the computer where the tasks are solved. The adversary's chances to manipulate this data sequence seem to be very limited. The adversary can use different dependencies. But he tries to use them without
¹ This work was supported by the Russian Foundation for Basic Research, grant 04-01-00089.