
2017 | Original Paper | Book chapter

Decision Tree Rule Induction for Detecting Covert Timing Channels in TCP/IP Traffic

Authors: Félix Iglesias, Valentin Bernhardt, Robert Annessi, Tanja Zseby

Published in: Machine Learning and Knowledge Extraction

Publisher: Springer International Publishing


Abstract

The detection of covert channels in communication networks is a current security challenge. By clandestinely transferring information, covert channels are able to circumvent security barriers, compromise systems, and facilitate data leakage. A set of statistical methods called DAT (Descriptive Analytics of Traffic) has previously been proposed as a general approach for detecting covert channels. In this paper, we implement and evaluate DAT detectors for the specific case of covert timing channels. Additionally, we propose machine learning models to induce classification rules and enable the fine parameterization of DAT detectors. A testbed has been created to reproduce the main timing techniques published in the literature; consequently, the testbed allows the evaluation of covert channel detection techniques. We specifically applied Decision Trees to infer DAT rules, achieving high accuracy and detection rates. This paper is a step forward toward the actual implementation of effective covert channel detection plugins in modern network security devices.


Footnotes
1
Note that the classic 5-tuple used to identify communication flows (i.e., src.IP, dst.IP, Protocol, src.Port, dst.Port) is not used here. Unlike overt IP communications, covert channels can be constructed using different protocols, source ports and destination ports in the transmission of the same hidden message.
2
iat is treated like a header field for DAT detectors.
3
Features in Eq. 2 should be annotated with the first-level field to which they correspond (i.e., \(U_{TTL}\), \(U_{src.Port}\), \(U_{iat}\), ...). Since in this work we only use iats, we omit such subscripts for the sake of clarity.
5
Details of the parametrization used are: Decision Trees used Information Gain (i.e., entropy-based) as the splitting criterion; the minimal size for splitting was four samples; the minimal leaf size was two samples, with a maximal tree depth of 20 levels; the minimal gain for splitting a node was 0.1; the confidence level used for the pessimistic error calculation in pruning was 0.25, and the number of prepruning alternatives was three.
Metadata
Title
Decision Tree Rule Induction for Detecting Covert Timing Channels in TCP/IP Traffic
Authors
Félix Iglesias
Valentin Bernhardt
Robert Annessi
Tanja Zseby
Copyright year
2017
DOI
https://doi.org/10.1007/978-3-319-66808-6_8