Indirect communication channels have been effectively employed in the communications world to bypass mechanisms that do not permit direct communication between unauthorized parties. Such covert channels emerge as a threat to information-sensitive systems in which leakage to unauthorized parties may be unacceptable (e.g., military systems). In this dissertation, we show that traffic analysis can counter traditional event-based covert channels, which do not employ any additional scheme to obfuscate the channel further. For these channels, we introduce effective noiseless and noisy covert channel detection mechanisms that capture the anomalous traffic patterns. However, because a motivated user can potentially hide the channel further, we introduce a new family of covert channels that do not produce such anomaly. These IP time-replay covert channels transmit covert messages by adjusting packet timings consistent with inter-arrival time sequences that are extracts from recently recorded normal sequences. Under certain assumptions and lowered data rates, these channels generate output sequences that are equal in distribution to normal sequences allowing them to by-pass traffic anomaly detection schemes that are based on distribution analysis. Additionally, we illustrate that these channels can potentially survive channel elimination schemes such as jammers and network data pumps with lowered data rates. Thus, we discuss two types of transformations on packet inter-arrival times to increase the efficacy of existing elimination schemes.
Cited By
- Xing J, Morrison A and Chen A NetWarden Proceedings of the 11th USENIX Conference on Hot Topics in Cloud Computing, (2-2)
- Wendzel S Get Me Cited, Scotty! Proceedings of the 13th International Conference on Availability, Reliability and Security, (1-8)
- Biswas A (2016). Source Authentication Techniques for Network-on-Chip Router Configuration Packets, ACM Journal on Emerging Technologies in Computing Systems, 13:2, (1-31), Online publication date: 10-Mar-2017.
- Carrara B and Adams C A Survey and Taxonomy Aimed at the Detection and Measurement of Covert Channels Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security, (115-126)
- Wendzel S, Zander S, Fechner B and Herdin C (2015). Pattern-Based Survey and Categorization of Network Covert Channel Techniques, ACM Computing Surveys, 47:3, (1-26), Online publication date: 16-Apr-2015.
- Chen A, Moore W, Xiao H, Haeberlen A, Phan L, Sherr M and Zhou W Detecting covert timing channels with time-deterministic replay Proceedings of the 11th USENIX conference on Operating Systems Design and Implementation, (541-554)
- Gasior W and Yang L Network covert channels on the Android platform Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, (1-1)
- Sun Y, Guan X and Liu T A new method for authentication based on covert channel Proceedings of the 8th IFIP international conference on Network and parallel computing, (160-165)
- Liu Y, Ghosal D, Armknecht F, Sadeghi A, Schulz S and Katzenbeisser S Robust and undetectable steganographic timing channels for i.i.d. traffic Proceedings of the 12th international conference on Information hiding, (193-207)
- Yao L, Zi X, Pan L and Li J (2009). A study of on/off timing channel based on packet delay distribution, Computers and Security, 28:8, (785-794), Online publication date: 1-Nov-2009.
- Liu Y, Ghosal D, Armknecht F, Sadeghi A, Schulz S and Katzenbeisser S Hide and seek in time Proceedings of the 14th European conference on Research in computer security, (120-135)
- Gianvecchio S and Wang H Detecting covert timing channels Proceedings of the 14th ACM conference on Computer and communications security, (307-316)
Index Terms
- Network covert channels: design, analysis, detection, and elimination
Recommendations
Detecting covert timing channels: an entropy-based approach
CCS '07: Proceedings of the 14th ACM conference on Computer and communications securityThe detection of covert timing channels is of increasing interest in light of recent practice on the exploitation of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing ...
Capacity estimation and auditability of network covert channels
SP '95: Proceedings of the 1995 IEEE Symposium on Security and PrivacyAbstract: Classical covert channel analysis has focused on channels available on a single computer: timing channels and storage channels. We characterize network covert channels. Potential network covert channels are exploited by modulating transmission ...
Out-of-Band Covert Channels—A Survey
A novel class of covert channel, out-of-band covert channels, is presented by extending Simmons’ prisoners’ problem. This new class of covert channel is established by surveying the existing covert channel, device-pairing, and side-channel research. ...