
2020 | OriginalPaper | Chapter

Evaluation of Statistical Tests for Detecting Storage-Based Covert Channels

Authors: Thomas A. V. Sattolo, Jason Jaskolka

Published in: ICT Systems Security and Privacy Protection

Publisher: Springer International Publishing


Abstract

Individuals and organizations are more aware than ever of the importance and value of preserving the confidentiality and privacy of sensitive information. However, detecting the leakage of sensitive information in networked systems is still a challenging problem, especially when adversaries use covert channels to exfiltrate sensitive information to unauthorized parties. Presently, approaches for detecting timing-based covert channels have been studied more extensively than those for detecting storage-based covert channels. In this paper, we evaluate the effectiveness of a selection of statistical tests for detecting storage-based covert channels. We present the results of several experiments which show that complexity-based tests are effective at detecting storage-based covert channels when information is embedded into network packet header fields that are not expected to follow a particular pattern, such as the IP Identification and Time-to-Live. These results can help to guide the construction of practical detection platforms capable of effectively detecting the leakage of sensitive information via storage-based covert channels.
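A sketch of a complexity-based test over IP Identification values, added here as an illustration and not taken from the chapter or the authors' code. It assumes the zlib compression ratio as the complexity measure, a baseline in which the field is effectively random, and a window size and threshold chosen for the demonstration; all sample data is constructed.

```python
import random
import zlib

def compression_ratio(values, width=2):
    """Compressed size / raw size for header-field values packed big-endian.
    width=2 fits the 16-bit IP Identification field; use width=1 for TTL."""
    raw = b"".join(v.to_bytes(width, "big") for v in values)
    return len(zlib.compress(raw, 9)) / len(raw)

def flag_windows(values, window=256, threshold=0.9, width=2):
    """Return indices of non-overlapping windows whose ratio is below threshold.
    window and threshold are assumed values; calibrate them on clean traffic."""
    flagged = []
    for start in range(0, len(values) - window + 1, window):
        chunk = values[start:start + window]
        if compression_ratio(chunk, width) < threshold:
            flagged.append(start // window)
    return flagged

def pack_text(text):
    """Constructed sample only: two ASCII bytes per 16-bit field value."""
    data = text.encode("ascii")
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]

# Constructed baseline: field values with no pattern (fixed seed for repeatability).
rng = random.Random(2020)
CLEAN = [rng.getrandbits(16) for _ in range(1024)]

# Constructed covert segment: 512 bytes of text, exactly one window, no padding.
TEXT = ("employee record 0042; salary band C; review due in March. " * 10)[:512]
COVERT = pack_text(TEXT)

# Observed stream: two clean windows, one covert window, two clean windows.
STREAM = CLEAN[:512] + COVERT + CLEAN[512:]

if __name__ == "__main__":
    for i in range(0, len(STREAM), 256):
        print(i // 256, round(compression_ratio(STREAM[i:i + 256]), 3))
    print("flagged windows:", flag_windows(STREAM))
```

The test only separates the two cases because the clean field carries no structure of its own; a field that normally follows a pattern would need a different baseline.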


Footnotes
1. This is the case with timing-based covert channels because normal inter-packet delays are essentially random and those of covert channels cluster at either of the values used as symbols in the communication.

2. A similar process can be adopted for other header fields of network packets.

3. Padding the message would complicate interpretation of the results.

Metadata
Title
Evaluation of Statistical Tests for Detecting Storage-Based Covert Channels
Authors
Thomas A. V. Sattolo
Jason Jaskolka
Copyright Year
2020
DOI
https://doi.org/10.1007/978-3-030-58201-2_2
