Covert Channel Detection Framework in Bro (BroCCaDe)

Hi All,

We are from Murdoch University in Perth, exploring the opportunity to integrate covert channel detection

into an open source IDS. After looking/comparing around some IDS, we decided to work with Bro.

Our framework is implemented as a collection of Plugins:

1. Plugin to do a feature extraction such as packets' inter-arrival time

2. Analysis plugin which implements some analysis methods, such as KS test, Entropy, CCE, Multi Modality,

Autocorrelation, and Regularity analysis\.

3. Classifier plugin to classify whether a flow contains covert communication or not. Currently the only

classifier we implemented is C4\.5 decision tree classifier\.

4. Training plugin to train model for the C4.5 decision tree classifier.

If you are interested, please have a look into our project's website and let us know what you think



There is a little prior work along these lines, see the second half of this talk:

It’s pretty resource intense. I don’t speak for the development team, but it kinda felt like the majority of the Bro community didn’t think it was that high of a priority. At least not for the University and un-classified lab communities that I talk to. :slight_smile: For Enterprise though, I could see them potentially wanting to fund some additional work.


This looks like a good candidate for a bro-pkg so users can test and
submit feedback :slight_smile:


@Michael Shirk: That sounds like a good idea, thanks for letting us know. We'll work on it :slight_smile:

@Dop: Thanks for the feedback. Yeah we saw this video and contacted Ross for some pointers

on how he did it. But we were not really aware of the research outcome

- Hendra