CovertMark
CovertMark is a deep packet inspection (DPI) framework for evaluating and benchmarking the covertness of protocol-obfuscation proxies. Working from the perspective of a state censor with extensive computational resources, CovertMark performs automated passive analysis on captured proxy traffic to determine the likelihood and practicality of accurate protocol classification, which would in turn allow the state censor to block such traffic. All TCP-based proxy protocols are applicable, including currently deployed Tor pluggable transports and tunnelling proxies such as shadowsocks.
CovertMark is extremely easy to use. You only need the downloaded code, a Python 3.5+ installation, and a PCAP file of your proxy traffic captured with WireShark (or with tcpdump on UNIX-like systems). You can download publicly available Tor pluggable transport and negative network traffic traces from here.
As an integrated offline traffic analysis solution, CovertMark is implemented entirely with Python, and no pre- or post-processing of captured traffic in other traffic analysis tools such as Bro are required. In addition to a summary report of covertness benchmarks (and a CovertMark Score), full CSV results and simple graph plotting are also available from CovertMark.
CovertMark comprises of generalised strategies (CovertMark/strategy)
observing different features of traffic, with varying effects on
different proxy protocols. You can easily implement new strategies into
CovertMark by extending
CovertMark.strategy.strategy.DetectionStrategy. For more detailed
descriptions on how strategies can be implemented, please see the
strategy implementation page
here.
Installation
CovertMark requires Python 3.5 or newer, which can be obtained from
python.org should your system
came with an older version. For easy setup of dependencies,
setuptools and pip are recommended, as well as virtualenv.
These are normally available from your system’s package management
system, such as apt on Debian and Ubuntu, and brew on Mac OS X. They can
otherwise be installed by downloading releases and installing manually
with Python.
CovertMark uses a local MongoDB (3.2+) database to store parsed traffic traces for fast access, which can be installed by following the tutorial here. MongoDB authentication is supported locally (see the relevant section below).
In addition to UNIX and UNIX-like systems, CovertMark should work on Windows with all necessary dependencies, but the author did not have an appropriate machine to test it at the time of release.
On Debian and Ubuntu, matplotlib requires some additional
dependencies:
sudo apt-get install libbz2-dev tk-dev
These should have been included in Command Line Tools distributed with Apple’s Xcode on Mac OS X.
To set up CovertMark itself:
git clone https://github.com/chongyangshi/CovertMark.git
cd CovertMark
virtualenv env -p python3.5 # or python3.6, etc.
source env/bin/activate
pip install -r DEPENDENCIES
If your local MongoDB requires authentication, copy
/CovertMark/data/mongo-auth-example.json into
/CovertMark/data/mongo-auth.json, and edit the username, password,
and authentication database required.
You can move your proxy PCAP files and regular (negative) traffic PCAP
files into /CovertMark/examples/local, or leave it elsewhere on the
system to specify an explicit path later. If you wish to use the
cantab negative traces or any other example traces supplied by the
project, please download them separately from the data page
here.
To run CovertMark’s command line user interface, simply run
/CovertMark in module mode:
python -m CovertMark
In the command line interface, all possible commands (with parameters
collected within) can be shown by entering help:
CovertMark >>> help
Operations and Usage
While the command line interface should be sufficiently intuitive, it is necessary to first explain how the covertness benchmarking works in CovertMark.
A Game of Filters
Filters nearly always become the most irritating part of any network traffic analysis system, as it is necessary to avoid processing wrong types of packets. CovertMark uses two types of filters, only one of which need to be manipulated by the user (the other by strategy designers only).
The user-facing input filters determine what IP addresses or subnets,
as well as what direction(s) of flow should be parsed from the PCAP file
into MongoDB for further analysis. Not all strategies require both
directions of flow, and this will be automatically handled by CovertMark
rather than the user, based on the strategy designer’s specifications.
CovertMark also supports IPv4 and IPv6 (mutually without much
engineering effort thanks to Python 3’s ipaddress library).
Therefore for the user, it is only necessary to know what IP addresses (e.g. 192.168.0.42, 2001:db8:a0b:12f0::1) or subnets (192.168.0.0/24, 2001:db8:a0b:12f0::/64) are to be associated with the clients and (if applicable) proxy servers in the PCAP files. These information will be prompted when setting up a CovertMark procedure from the user interface. Multiple clients and proxy servers are supported, which can be entered as a subnet if they are the only members of that subnet in the PCAP, or as distinct IP addresses separated by a comma.
Once the PCAP files are parsed into MongoDB, these information will be carried within a collection of parsed traces, and will not be required again from the user until manual deletion.
The other type of filters (relevant only to strategy designers) are strategic filters, which specify the inclusion of only certain types of packets for examination (e.g. TCP packets with payload but no TLS record), and are strategy-specific. Packets not matching the strategic filter will remain in MongoDB (to enable shared use between strategies to save disk space) but not loaded by the strategy who does not need it (to improve performance).
A Clash of Strategies
In order to streamline the benchmarking process to reduce manual configuration efforts, procedures are used to represent a series of strategy executions (runs) on the same or different inputs from PCAP files or MongoDB-stored traces. A strategy can have multiple runs to, for example, perform identical computations separately on both client-to-server and server-to-client packets.
A Storm of Procedures
To set up a procedure in the command line interface:
CovertMark >>> new
The interface will then prompt you to choose from possible runs of strategies; choose to import PCAP files or to select from existing MongoDB-stored traces; specify input filters as necessary; and supply additional runtime parameters required by the strategy run. This process will be repeated until you have set up all the runs of strategies you need, and allows duplications of runs should you wish to test the same run on different inputs. This will replace whatever procedure already set up or loaded.
You can view MongoDB-stored traces from past executions with traces,
and delete some as required with delete if freeing up some disk
space is needed.
Once you have set up your procedure, you can save it to a JSON file
now, or delay saving until after the procedure’s execution to use the
parsed traces in MongoDB instead next time.
CovertMark >> save
To load a saved procedure, enter load and specify when prompted a
relative or full path to where the procedure is stored as a JSON file.
At any time, you can check the current procedure in use by entering
current. Once you are ready to execute the CovertMark procedure,
enter execute to start the automated process.
The rest of the interface commands become available after results have been yielded from the execution of runs. Results include true positive rates (TPRs), false positive rates (FPRs), execution times on positive traces, and percentage of remote IPs falsely blocked in negative traces; corresponding to different configurations (one or more parameters) embedded within each strategy.
To view a list of results available, enter results. These will be
retained until CovertMark exits, unless deleted with delresults.
Falsely blocked remote IPs can be inspected in Wireshark with a
generated display filter, which can be obtained through the
wireshark command.
Assuming all runs of strategies in your procedure are on traces from the same proxy or pluggable transport protocol, you can view a summative report of the covertness of that protocol and its CovertMark Score by entering:
CovertMark >>> score
You can export full results of strategy runs by entering csv, which
will export CSV records of all current results into a directory
specified. Simple plotting between strategy configuration parameters and
performance metrics can be done in plot, which will prompt the
specific parameter(s) and metric(s) you wish to plot in pairs. More
complex plots can be done separately from the CSVs exported.
Publication(s)
This project is the resulting product of my MPhil thesis Security evaluation of network protocol obfuscation proxies at the Computer Laboratory of the University of Cambridge, which will likely become a technical report and/or (hopefully) a conference paper. Citations to the relevant publication(s) will be available here once progresses have been made in publication.
Problems and Feedback
Despite extensive efforts made to engineer CovertMark as a user-facing product, it is likely to malfunction if not used in the intended ways. (For example, exceptions when supplied with PCAP files not matching the input filter, which are very difficult to check without consuming long execution times to read the PCAP first). If you do get strange or unexpected results after execution, it is worth checking whether the input filters have been entered correctly and match those in the PCAP files.
Of course, issues, pull requests, and general feedbacks are very welcome.