Concealed in web surfing: Behavior-based covert channels in HTTP

Application-layer covert channels have been extensively studied in recent years. Ubiquitous application packets serving as covert carriers contain a considerable potential channel capacity. However, undetectability is still a challenging task to be resolved for practicability, as almost all existing covert channels are frustrated by specific detection methods. In this paper, we focus on the problem of undetectable application-layer covert channels. We found a natural HTTP behavior that distribution relationships between HTTP requests and flows are dynamic when opening a webpage. Motivated by this finding, we present a behavior-based covert channel, Lost in HTTP Behaviors (LiHB). LiHB embeds secret messages into request-flow distributions using combinatorics without changing any packet contents. Furthermore, LiHB achieves automatic coding with no need for a codebook. In particular, LiHB is able to penetrate web proxy to transmit information stealthily. To overcome limitations of LiHB, we propose an enhanced secure HTTP behavior-based covert channel (HBCC), which is statistically undetectable by shape and regularity tests. HBCC employs an independent and identically distributed (i.i.d.) inter-request delay (IRD) generator to maintain the request distribution of legitimate traffic, and mimics normal browsing patterns based on the frequent traversal sequences. Experimental results show LiHB and HBCC have a good performance and reliability, and HBCC outperforms LiHB in terms of channel capacity and undetectability.