ABSTRACT
A network covert channel is a mechanism that can be used to leak information across a network in violation of a security policy and in a manner that can be difficult to detect. In this paper, we describe our implementation of a covert network timing channel, discuss the subtle issues that arose in its design, and present performance data for the channel. We then use our implementation as the basis for our experiments in its detection. We show that the regularity of a timing channel can be used to differentiate it from other traffic and present two methods of doing so and measures of their efficiency. We also investigate mechanisms that attackers might use to disrupt the regularity of the timing channel, and demonstrate methods of detection that are effective against them.
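An added illustration of the abstract's point that a timing channel's regularity sets it apart from other traffic (my own example, not code from the paper): the score below sorts a flow's inter-arrival times and measures what fraction of neighbouring values are near-identical, which is high when packets are clocked against a fixed interval and low for ordinary traffic. The tolerance `eps`, the decision threshold and both sample flows are constructed assumptions, not values taken from the page.

```python
from typing import Sequence


def epsilon_similarity(gaps: Sequence[float], eps: float = 0.05) -> float:
    """Regularity score for a flow's inter-arrival times (constructed statistic).

    Sort the gaps and look at each neighbouring pair in sorted order; count the
    pairs whose relative difference is below `eps` and return that fraction.
    A flow timed against a fixed interval yields gaps clustered at a few values,
    so nearly every neighbouring pair is near-identical and the score is high.
    Legitimate traffic spreads its gaps over a wide range and scores low.
    """
    if len(gaps) < 2:
        raise ValueError("need at least two inter-arrival times")
    s = sorted(gaps)
    # b - a <= eps * a is the relative test written without a division, so a
    # zero-length gap (two packets with the same timestamp) cannot crash it.
    close = sum(1 for a, b in zip(s, s[1:]) if b - a <= eps * a)
    return close / (len(s) - 1)


def looks_like_timing_channel(gaps: Sequence[float], threshold: float = 0.5) -> bool:
    """Flag a flow whose regularity score exceeds an assumed threshold."""
    return epsilon_similarity(gaps) > threshold


# Constructed sample: 16 gaps (seconds) from a flow that either sends or
# withholds a packet every 100 ms, so each gap is a multiple of 0.1 s plus
# a little network jitter. Sorted, the values form three tight clusters.
COVERT_GAPS = [0.101, 0.2, 0.099, 0.1, 0.301, 0.1, 0.2, 0.1,
               0.199, 0.1, 0.1, 0.299, 0.201, 0.1, 0.1, 0.2]

# Constructed sample: 13 gaps (seconds) from an interactive session, with
# sub-100 ms bursts and multi-second idle periods; only one neighbouring
# pair (0.061 and 0.0615) is within 5 % of each other.
LEGIT_GAPS = [0.42, 0.013, 1.91, 0.0375, 5.5, 0.061, 0.333,
              0.0191, 2.64, 0.0615, 0.087, 0.7, 0.0525]

if __name__ == "__main__":
    for name, flow in (("covert", COVERT_GAPS), ("legit", LEGIT_GAPS)):
        print(f"{name}: score={epsilon_similarity(flow):.3f} "
              f"flagged={looks_like_timing_channel(flow)}")
```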
Index Terms
- IP covert timing channels: design and detection