Detection of Jitterbug Covert Channel Based on Partial Entropy Test

Jitterbug is a typical delay-based covert timing channel that provides reliable covert communication in a passive manner. The existing entropy-based detection scheme relies on training samples and may suffer from model mismatch, which degrades detection performance. In this paper, a new detection method for Jitterbug based on a partial entropy test is proposed. A fixed binning strategy that needs no training samples is used to obtain the bin distribution feature. The first-order entropy is calculated for several sets of partial successive bins, and the weighted mean of these values is used as the final entropy value to distinguish Jitterbug from legitimate traffic. Furthermore, the influence of network jitter on detection performance is also discussed. Experimental results show that the proposed detection method achieves high detection performance and is less affected by network jitter.
