Covert Channels

The concept of covert channels has been visited frequently by academia in a quest to analyse their occurrence and prevention in trusted systems. This has lead to a wide variety of approaches being developed to prevent and identify such channels and implement applicable countermeasures. However, little of this research has actually trickled down into the field of operational security management and risk analysis. Quite recently a number of covert channels and enabling tools have appeared that did have a significant impact on the operational security of organizations. This paper identifies a number of those channels and shows the relative ease with which new ones can be devised. It identifies how risk management processes do not take this upcoming threat into account and suggests where improvements would be helpful.

“YOU, the U-Bomb, or ‘YOU-Bomb goes Kabloom’: An Essay on Anonymity, Risibility, & Quantum Subjectivity,” published without author page-proofs ∴ with many odd glitches and with sections that had been deleted in the final draft (oh well!) in The Canadian Review of Comparative Literature Vol XXIII, Issue II, 1996, pp. 426-455 (submitted just prior to beginning a Masters/M.A. in Comparative Literature).

Considering the wide range of functionalities provided by smartphones, smartphone-users’ privacy and security of their personal information is of vital importance. Android has been the most targeted platform for malware attacks, due to being the most popular platform, open source system and its vulnerable architecture. In this paper, we have studied about android permission mechanism, collusion attack, and covert and overt communication channels. Collusion attacks allow apps to indirectly execute operations, which they should not be able to execute, based on their declared permissions. For instance, disclosure of users’ private data (e.g., contacts or GPS location) to a destined attacker, by apps that do not have direct access to such data or cannot directly establish remote connections. According to the survey[1], there’s significant potential of collusion attacks and these attacks are really hard to detect, therefore it is considered to be a real threat to smartphone security.

This paper looks at the difficulty in mapping covert networks. Analyzing networks after an event is fairly easy for prosecution purposes. Mapping covert networks to prevent criminal activity is much more difficult. We examine the network surrounding the tragic events of September 11th, 2001. Through public data we are able to map a portion of the network centered around the 19 dead hijackers. This map gives us some insight into the terrorist organization, yet it is incomplete. Suggestions for further work and research are offered.

Security in building automation systems (BAS) re-
cently became a topic in the security community. BAS form a
part of enterprise networks and can be utilized to gain access to
a company network or to violate a security policy.
Up to now, the threat of covert channels in BAS protocols was
not discovered. While a first available solution can limit “high
level” covert channels in BAS, there is no solution available to
prevent covert channels on the lower level (i.e., in BAS protocols).
In this paper, we present network covert storage and network
covert timing channels in the network and application layer of the
BACnet protocol stack to show that protocol-level covert channels
in BAS are feasible. Additionally, we introduce the first means
enabling a BAS to become multi-level secure on the network and
application layer to prevent covert channels. We built a prototype
based on the BACnet firewall router (BFR) to implement multi-
level security in BACnet environments.

A methodology for designing content based digital signatures which can be used to authenticate images is presented. A continuous measure of authenticity is presented which forms the basis of this methodology. Using this methodology signature systems can be designed which allow certain types of image modification (e.g. lossy compression) but which prevent other types of manipulation. Some experience with content based signatures is also presented.
The idea of signature based authentication is extended to video, and a system to generate signatures for video sequences is presented. This signature also allows smaller segments of the secured video to be verified as unmanipulated.

Malicious actors in the world are using more ingenuity than ever for both data infiltration and exfiltration purposes, also known as command and control communications. In this paper I aim to describe a system that could be used to send or receive data from both a client and a server perspective utilizing research into x509 certificates specifically in areas where you can place arbitrary binary data into the certificate or utilizing them as a covert channel. While lots of attention is given to data infiltration and exfiltration techniques they are commonly done so after they’ve been used in an incident, making this area of cyber security very retroactive in a defensive posture. The aim in presenting this material is to demonstrate that we can take some lessons from the other areas of cyber security research, namely exploitation, and look at potential use cases in how malware authors could utilize technologies outside of their intended purposes to not only accomplish their goals but ...

Network covert channels enable a policy-breaking
network communication (e.g., within botnets). Within the last
years, new covert channel techniques occurred which are based
on the capability of protocol switching. There are currently no
means available to counter these new techniques. In this paper
we present the first approach to effectively limit the bandwidth
of such covert channels by introducing a new active warden.
We present a calculation method for the bandwidth of these
channels in case the active warden is used. Additionally, we
discuss implementation details and we evaluate the practical
usefulness of our technique.

Clock skew is defined as the rate of deviation of a device clock from the true time. The frequency of a device's clock actually depends on its environment, such as the temperature and humidity, as well as the type of crystal. The main contributions of this paper are twofold. First, we experimentally validate that MICAz and TelosB sensor motes have different and unique clock skews. Furthermore, the clock skew of a node can easily be monitored, even via a multi-hop Wireless Sensor Network (WSN). We argue that this feature can be used for identification of the nodes, detection of Wormhole and Sybil attacks. Second, we show that the clock skew of a sensor node varies with the temperature. We explain how this property can be used to detect malicious and malfunctioning nodes and to geo-localize them.

Network steganography is a relatively new discipline which studies different steganographic techniques that utilize network protocols for data hiding. Internet of Things (IoT) is a concept which integrates billions of embedded devices that communicate to each other. To the best of our knowledge, there are not many attempts that utilize existing network steganographic techniques in protocols specifically created for IoT. Therefore, in this paper, we present several new covert channels that utilize the Constrained Application Protocol (CoAP), which is a specialized Web transfer protocol used for constrained devices and networks. This protocol can be used regardless of its transport carrier (Datagram Transport Layer Security-DTLS or clear UDP-User Datagram Protocol). The suggested covert channels are categorized according to the pattern-based classification, and, for each covert channel, the total number of hidden data bits transmitted per CoAP message or its Packet Raw Bit Rate (PRBP) is given.

ains how roughness is a channel. This experimental research tries to explore (n) by making 8 m length, 40 cm width and 40 cm height laboratory flume with adjustable slope. The flume was used to carry out a total of 72 experiments with 4 different slopes, 3 different flow rates and 2 types of sorting with angular and rounded aggregates. The results showed that the roughness coefficient of the beds covered with angular grains is on average 6.68% higher than that of the beds covered with rounded grains. Also, for a constant value, if the flow rate increases, Manning roughness coefficient will also decrease. It was also shown that parameters such as relative submergence, grain size and slope affect the roughness coefficient. Based on the results of this research, it can be concluded that in all of the experim

Network covert channels are policy-breaking and stealthy commu-
nication channels in computer networks. These channels can be used to bypass
Internet censorship, to exfiltrate data without raising attention, to allow a safe
and stealthy communication for members of political oppositions and for spies,
to hide the communication of military units at the battlefield from the enemy,
and to provide stealthy communication for today’s malware, especially for bot-
nets. To enhance network covert channels, researchers started to add protocol
headers, so called micro protocols, to hidden payload in covert channels. Such
protocol headers enable fundamental features such as reliability, dynamic rout-
ing, proxy capabilities, simultaneous connections, or session management for
network covert channels — features which enrich future botnet communica-
tions to become more adaptive and more stealthy than nowadays.
In this survey, we provide the first overview and categorization of existing mi-
cro protocols. We compare micro protocol features and present currently un-
covered research directions for these protocols. Afterwards, we discuss the sig-
nificance and the existing means for micro protocol engineering. Based on our
findings, we propose further research directions for micro protocols. These fea-
tures include to introduce multi-layer protocol stacks, peer auto-configuration,
and peer group communication based on micro protocols, as well as to develop
protocol translation in order to achieve inter-connectivity for currently separated overlay networks.

Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computers systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block. In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to IP packet and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization. We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.

Malicious actors in the world are using more ingenuity than ever for both data infiltration and exfiltration purposes, also known as command and control communications. In this paper I aim to describe a system that could be used to send or receive data from both a client and a server perspective utilizing research into x509 certificates specifically in areas where you can place arbitrary binary data into the certificate or utilizing them as a covert channel. While lots of attention is given to data infiltration and exfiltration techniques they are commonly done so after they've been used in an incident, making this area of cyber security very retroactive in a defensive posture. The aim in presenting this material is to demonstrate that we can take some lessons from the other areas of cyber security research, namely exploitation, and look at potential use cases in how malware authors could utilize technologies outside of their intended purposes to not only accomplish their goals but also end up bypassing common security measures in the process. Doing this sort of research can lead to more advances in defensive security postures by spurring discussions in the community on how a technique either does or doesn't bypass security measures.

—Consider a channel where authorized transmitter Jack sends packets to authorized receiver Steve according to a Poisson process with rate λ packets per second for a time period T. Suppose that covert transmitter Alice wishes to communicate information to covert receiver Bob on the same channel without being detected by a watchful adversary Willie. We consider two scenarios. In the first scenario, we assume that warden Willie cannot look at packet contents but rather can only observe packet timings, and Alice must send information by inserting her own packets into the channel. We show that the number of packets that Alice can covertly transmit to Bob is on the order of the square root of the number of packets that Jack transmits to Steve; conversely, if Alice transmits more than that, she will be detected by Willie with high probability. In the second scenario, we assume that Willie can look at packet contents but that Alice can communicate across an M/M/1 queue to Bob by altering the timings of the packets going from Jack to Steve. First, Alice builds a codebook, with each codeword consisting of a sequence of packet timings to be employed for conveying the information associated with that codeword. However, to successfully employ this codebook, Alice must always have a packet to send at the appropriate time. Hence, leveraging our result from the first scenario, we propose a construction where Alice covertly slows down the packet stream so as to buffer packets to use during a succeeding codeword transmission phase. Using this approach, Alice can covertly and reliably transmit O(λT) covert bits to Bob in time period T over an M/M/1 queue with service rate µ > e · λ.

In this paper, we present new techniques to detect interposition attacks on stream-based connections in local and wide area networks. The approach developed here is general enough to apply uniformly to all circumstances where the manin-the-middle attacker achieves interposition by corrupting higherlayer to low-layer address mappings. Thus, both the problem of local area network interposition through ARP poisoning, and the problem wide area interposition through DNS poisoning are addressed as special cases of our work. Like other solutions that reside between Layers 3 and 4 (e.g. IPSEC), our techniques enjoy the property that they do not require redesigning legacy software, as is the case for approaches that reside above Layer 4 (e.g. SSL/TLS). Unlike IPSEC, however, the developed system is tailored only to the detection of interposition attacks, and thus circumvents the overhead and complexity introduced in guaranteeing stream confidentiality and integrity. We describe the design of the system, demonstrate its efficacy, and provide a publicly accessible prototype implementation.

Modern malware is becoming hard to spot since attackers are increasingly adopting new techniques to elude signature-and rule-based detection mechanisms. Among the others, steganography and information hiding can be used to bypass security frameworks searching for suspicious communications between processes or exfiltration attempts through covert channels. Since the array of potential carriers is very large (e.g., information can be hidden in hardware resources, various multimedia files or network flows), detecting this class of threats is a scarcely generalizable process and gathering multiple behavioral information is time-consuming, lacks scalability, and could lead to performance degradation. In this paper, we leverage the extended Berkeley Packet Filter (eBPF), which is a recent code augmentation feature provided by the Linux kernel, for programmatically tracing and monitoring the behavior of software processes in a very efficient way. To prove the flexibility of the approach, we investigate two realistic use cases implementing different attack mechanisms, i.e., two processes colluding via the alteration of the file system and hidden network communication attempts nested within IPv6 traffic flows. Our results show that even simple eBPF programs can provide useful data for the detection of anomalies, with a minimal overhead. Furthermore, the flexibility to develop and run such programs allows to extract relevant features that could be used for the creation of datasets for feeding security frameworks exploiting AI.

High assurance systems such as those found in aircraft controls and the financial industry are often required to handle a mix of tasks where some are niceties (such as the control of media for entertainment, or supporting a remote monitoring interface) while others are absolutely critical (such as the control of safety mechanisms, or maintaining the secrecy of a root key). While special purpose languages, careful code reviews, and automated theorem proving can be used to help mitigate the risk of combining these operations onto a single machine, it is difficult to say if any of these techniques are truly complete because they all assume a simplified model of computation far different from an actual processor implementation both in functionality and timing. In this paper we propose a new method for creating architectures that both a) makes the complete information-flow properties of the machine fully explicit and available to the programmer and b) allows those properties to be verified all the way down to the gate-level implementation the design.

In the last years, the utilization of information hiding techniques for empowering modern strains of malware has become a serious concern for security experts. Such an approach allows attackers to act in a stealthy manner, for instance, to covertly exfiltrate confidential data or retrieve additional command & control payloads for the operation of malware. Therefore, the deep understanding of data hiding mechanisms is a core requirement, as it allows designing effective countermeasures. Unfortunately, the most recent evolution of information-hiding-capable threats enjoys reversible properties, i.e., the abused network flow is restored to its original form. Hence, detection approaches based on the comparison of different traffic samples may not work anymore. In this paper, we further investigate various methods for performing reversible data hiding for network covert channels. Specifically, we extend our previous research by considering different scenarios focusing on IPv4 traffic and HTTP conversations. The results confirm that reversibility can be used in various network conditions and is not impaired by middleboxes. In addition, engineering countermeasures or mitigation techniques could be difficult, thus requiring to consider reversible mechanisms already in the early design stages of a protocol/deployment.

Network covert channels enable hidden commu-
nication and can be used to break security policies. Within
the last years, new techniques for such covert channels arose,
including protocol switching covert channels (PSCCs). PSCCs
transfer hidden information by sending network packets with
different selected network protocols. In this paper we present the
first detection methods for PSCCs. We show that the number
of packets between network protocol switches and the time
between switches can be monitored to detect PSCCs with 98–
99% accuracy for bit rates of 4 bits/second or higher.

Covert channels are not new in computing systems, and have been studied since their first definition four decades ago. New platforms invoke thorough investigations to assess their security. Now is the time for Android platform to analyze its security model, in particular the two key principles: process-isolation and the permissions system. Aside from all sorts of malware, one threat proved intractable by current protection solutions, that is, collusion attacks involving two applications communicating over covert channels. Still no universal solution can countermeasure this sort of attack unless the covert channels are known. This paper is an attempt to reveal a new covert channel, not only being specific to smartphones, but also exploiting an unusual resource as a vehicle to carry covert information: sensors data. Accelerometers generate signals that reflect user motions, and malware applications can apparently only read their data. However, if the vibration motor on the device is used properly, programmatically produced vibration patterns can encode stolen data and hence an application can cause discernible effects on acceleration data to be received and decoded by another application. Our evaluations confirmed a real threat where strings of tens of characters could be transmitted errorless if the throughput is reduced to around 2.5-5 bps. The proposed covert channel is very stealthy as no unusual permissions are required and there is no explicit communication between the colluding applications.

In disruption tolerant networks (DTNs), nodes exchange beacon messages to set up links via a process known as neighbor discovery.  However as it is, beacon messages are susceptible to forgery and tampering that could be exploited to attack and participate in the network.  This paper outlines a protocol to 1) protect beacon messages in tactical-level DTNs from forgery and tampering utilizing an identity-based signature scheme (IBS), and 2) provide capabilities for nodes that are compromised or captured to signal its state discreetly to other DTN nodes.  The protocol maintains the same amount of message overhead as without it.

Abstract In recent scientific literature, network based steganography is regarded as a new research direction in the paradigm of information hiding. Few approaches have been found which embed secret information by altering the length of network packets. In this paper, ...

Clock skew is defined as the rate of deviation of a device clock from the true time. The frequency of a device's clock actually depends on its environment, such as the temperature and humidity, as well as the type of crystal. The main contributions of this paper are twofold. First, we experimentally validate that MICAz and TelosB sensor motes have different and unique clock skews. Furthermore, the clock skew of a node can easily be monitored, even via a multi-hop Wireless Sensor Network (WSN). We argue that this feature can be used for identification of the nodes, detection of Wormhole and Sybil attacks. Second, we show that the clock skew of a sensor node varies with the temperature. We explain how this property can be used to detect malicious and malfunctioning nodes and to geo-localize them.

Network covert channels have become a sophisticated means for transferring hidden information over the network. Covert channel-internal control protocols, also called micro protocols, have been introduced in the recent years to enhance capabilities of the network covert channels. Micro protocols are usually placed within the hidden bits of a covert channel's payload and enable features such as reliable data transfer, session management, and dynamic routing for network covert channels. These features provide adaptive and stealthy covert communication channels. Some of the micro protocol based tools exhibit vulnerabilities and are susceptible to attacks. In this paper, we demonstrate some possible attacks on micro protocols, which are capable of breaking the sophisticated covert channel communication or jeopardizing the identity of peers in such a network. These attacks are based on the attacker's interaction with the micro protocol. We also present the defense techniques to safeguard micro protocols against such attacks. By using these techniques, micro protocol-based tools can become immune to certain attacks and lead to robust covert communication. We present our results for two micro protocol-based tools: Ping Tunnel and smart covert channel tool. Copyright © 2016 John Wiley & Sons, Ltd.

Abstract Covert channels are secret communication paths, which existance is not expected in the original system design. Covert channels can be used as legimate tools of censorship resistance, anonimity and privacy preservation to address issues with" national" firewalls, ...

It is possible to enhance our understanding of what has happened on a computer system by using forensic techniques that do not require prediction of the nature of the attack, the skill of the attacker, or the details of the system resources or objects affected. These techniques address five fundamental principles of computer forensics. These principles include recording data about the entire operating system, particularly user space events and environments, and interpreting events at different layers of abstraction, aided by the context in which they occurred. They also deal with modeling the recorded data as a multi-resolution, finite state machine so that results can be established to a high degree of certainty rather than merely inferred.

Modern malware increasingly exploits information hiding or steganography to elude security frameworks and remain unnoticed for long periods. To this aim, a prime technique relies upon the ability of creating covert channels to bypass the limits imposed by a sandbox or to exfiltrate data towards a remote server. Unfortunately, detecting a covert channel is not a trivial task and often requires to inspect a composite set of information, e.g., the behavior of a software or statistical indicators of network traffic. Therefore, in this paper we investigate the adoption of code augmentation features offered by the Linux kernel to gather data useful to reveal the presence of covert communications. To prove the effectiveness of the approach, we tested a lightweight program to detect covert channels targeting IPv6 conversations. Results indicate that technologies like the extended Berkeley Packet Filter can offer a foundation to frameworks for spotting and mitigating covert communications.

Computer network is unpredictable due to information warfare and is prone to various attacks. Such attacks on network compromise the most important attribute, the privacy. Most of such attacks are devised using special communication channel called ``Covert Channel''. The word ``Covert'' stands for hidden or non-transparent

While general-purpose processor based systems are built to enforce memory protection to prevent the unintended sharing of data between processes, current systems built around reconfigurable hardware typically offer no such protection. Several reconfigurable cores are often integrated onto a single chip where they share external resources such as memory. While this enables small form factor and low cost designs, it opens up the opportunity for modules to intercept or even interfere with the operation of one another. We investigate the design and synthesis of a FPGA memory protection mechanism capable of enforcing access control policies and a methodology for translating formal policy descriptions into FPGA enforcement mechanisms. The efficiency of our access language design flow is evaluated in terms of area and cycle time across a variety of security scenarios. We also describe a technique for ensuring that the internal state of the reference monitor cannot be used as a covert storage channel.

Covert channels are an immense cause of security concern because they can be used to pass malicious messages. The messages could be in form of computer virus, spy programs, terrorist messages, etc. Most available techniques proposed covert channels that use the upper layers of the OSI model. In this paper, we discuss a novel covert channel in the data link layer dedicated to wireless local area networks. Depending on the configuration of the network, the covert channel uses either sequence control or initial vector fields, or both of them. We present also some measurements to protect the proposed covert channel against steganalysis processes and sniffing attack. Finally, the performance of proposed covert channel is compared with the available common TCP/IP covert channels regarding the offered bandwidth and the imperceptibility.

Intrusion detection is the method of monitoring the actions taking place in a network and diffracts them for doubtful patterns that may identify a network or system attack from someone trying to violate the system. An intrusion detection system (IDS) is software that automates the intrusion detection process. An IDS falls into either Signature recognition or Anomaly detection methodologies. The majority of available IDs need reduction technique to reduce the number of features of data which is redundant. The reduction technique makes the classification more accurate and perfect. The classification algorithm classifies the data into intrusion or normal. This paper adopts an optimal anomaly detection method to detect multivariate attacks. This method is going to be achieved by measuring the performance of different functions of Kernel Principal Component Analysis (KPCA) as a reduction method applied to different classification algorithms [K-Nearest Neighbor (KNN) & Discriminant Analysis (DA)] to find out which function of KPCA is the best to decide which method is an optimal anomaly detection method. The experiments with NSL KDD Cup 1999 data demonstrate that Laplace kernel is the best function of all consequently Laplace kernel & KNN classification becomes the best method. The final results achieve 98.048% in detection rate and 98.261% in precision with 1.484% false positive rate, so outperforms the other methods.

The ability of creating covert channels within network traffic is now largely exploited by malware to elude detection, remain unnoticed while exfiltrating data or coordinating an attack. As a consequence, designing a network covert channel or anticipating its exploitation are prime goals to fully understand the security of modern network and computing environments. Due to its ubiquitous availability and large diffusion, Transport Layer Security (TLS) traffic may quickly become the target of malware or attackers wanting to establish a hidden communication path through the Internet. Therefore, this paper investigates mechanisms that can be used to create covert channels within TLS conversations. Experimental results also demonstrated the inability of de-facto standard network security tools to spot TLS-based covert channels out of the box.

The Flume system is an implementation of decentralized information flow control (DIFC) at the operating system level. Prior work has shown Flume can be implemented as a practical extension to the Linux Operating System, allowing real Web applications to achieve useful security guarantees. However, the question remains if the Flume system is actually secure. This paper compares Flume with other recent DIFC system like Asbestos, arguing that the latter is susceptible to wide-bandwidth covert channels, and proving Flume is not by means of a formal non-interference proof.

This paper looks at the difficulty in mapping covert networks. Analyzing networks after an event is fairly easy for prosecution purposes. Mapping covert networks to prevent criminal activity is much more difficult. We examine the network surrounding the tragic events of September 11th, 2001. Through public data we are able to map a portion of the network centered around the 19 dead hijackers. This map gives us some insight into the terrorist organization, yet it is incomplete. Suggestions for further work and research are offered.

We examine covert channels in privacy-enhanced mobile identification devices where the devices uniquely identify themselves to an authorized verifier. Such devices (e.g. RFID tags) are increasingly commonplace in hospitals and many other environments. For privacy, the device outputs used for identification should "appear random" to any entity other than the verifier, and should not allow physical tracking of device bearers. Worryingly, there already exist privacy breaches for some devices [28] that allow adversaries to physically track users. Ideally, such devices should allow anyone to publicly determine that the device outputs are covert-channel free (CCF); we say that such devices are CCF-checkable. Our main result shows that there is a fundamental tension between identifier privacy and CCFcheckability; we show that the two properties cannot co-exist in a single system. We also develop a weaker privacy model where a continuous observer can correlate appearances of a given tag, but a sporadic observer cannot. We also construct a privacy-preserving tag identification scheme that is CCF-checkable and prove it secure under the weaker privacy model using a new complexity assumption. The main challenge addressed in our construction is the enforcement of public verifiability, which allows a user to verify covert-channel-freeness in her device without managing secret keys external to the device.

Covert Channels constitute an important security threat because they are used to ex-filtrate sensitive information, to disseminate malicious code, and, more alarmingly, to transfer instructions to a criminal (or terrorist). This work presents zero day vulnerabilities and weaknesses , that we discovered, in the Short Message Service (SMS) protocol, that allow the embedding of high capacity covert channels. We show that an intruder, by exploiting these SMS vulnerabilities, can bypass the existing security infrastructure (including firewalls, intrusion detection systems, content filters) of a sensitive organization and the primitive content filtering software at an SMS Center (SMSC). We found that the SMS itself, along with its value added services (like picture SMS, ring tone SMS), appears to be much more susceptible to security vulnerabilities than other services in IP-based networks. To demonstrate the effectiveness of covert channels in SMS, we have used our tool GeheimSMS 1 that practically embeds data bytes (not only secret, but also hidden) by composing the SMS in Protocol Description Unit (PDU) mode and transmitting it from a mobile device using a serial or Bluetooth link. The contents of the overt (benign) message are not corrupted; hence the secret communication remains unsuspicious during the transmission and reception of SMS. Our experiments on active cellular networks show that 1 KB of a secret message can be transmitted in less than 3 minutes by sending 26 SMS without raising an alarm over suspicious activity.

Within the last years, new techniques for network covert
channels arose, such as covert channel overlay networking, protocol switch-
ing covert channels, and adaptive covert channels. These techniques have
in common that they rely on covert channel-internal control protocols (so
called micro protocols) placed within the hidden bits of a covert chan-
nel’s payload. An adaptable approach for the engineering of such micro
protocols is not available. This paper introduces a protocol engineering
technique for micro protocols. We present a two-layer system comprising
six steps to create a micro protocol design. The approach tries to combine
different goals: (1) simplicity, (2) ensuring a standard-conform behaviour
of the underlying protocol if the micro protocol is used within a binary
protocol header, as well as we provide an optimization technique to (3)
raise as little attention as possible. We apply a context-free and regular
grammar to analyze the micro protocol’s behavior within the context of
the underlying network protocol.

Now a day's there is great attention in the accounting and cyber crime fields because of government regulations in the whole world . Although these regulations force corporations to provide financial transparency, they still commit accounting frauds such as tax evasion. Moreover, companies have substituted paper-work with IT systems such as DBMS, EDMS, and ERP system. So there is a need to focus the attention on discovering financial information in a database server. However, frauds are difficult to observe and detect because the perpetrators did their best to conceal their fraudulent activities. In particular, there is need to consider the case of a covert database server. Secondly a network covert channel is a communication channel that allows two cooperating processes to transfer information on the network in a manner that violates the system's security policy. So for covert channel, in order to solve the problem one detection algorithm can only detect one kind of network covert channel, the detection approach hierarchical and density based cluster was purposed. Because the coding scheme of the covert channel would cause many similar data occurred repeatedly, the detection algorithm cluster based on density can be used to detect several kinds of the covert channels. Moreover, the detection approach cluster based on hierarchy and density is able to tackle of detection a noisy channel. The algorithm can work well to distinguish the covert channel from normal network traffic. This paper proposes a novel approach for detection of covert database server and covert channel,