Detecting JitterBug covert timing channel with sparse embedding

Because covert channel detection offers a better way to reveal the presence of advanced persistent threats, it has become a hot research topic in network security. Although existing methods achieve feasible performance in detecting the JitterBug covert timing channel, they are ineffective when the channel is implemented with sparse embedding, especially at low embedding probability. This paper proposes a new method to detect the JitterBug covert timing channel with sparse embedding: the timing intervals are first modeled with histogram statistics, and the Kolmogorov–Smirnov statistic is then used for detection. In addition, the diversification of the references and the model updating scheme in practical usage are analyzed. The experimental results show that the proposed method is effective when the embedding probability is 0.3, while the existing methods are effective only when the embedding probability is larger than 0.6. Copyright © 2016 John Wiley & Sons, Ltd.
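
One way to realise the histogram-then-Kolmogorov–Smirnov detection outlined in the abstract, added here as an example; it is not the paper's algorithm or code. Assumptions: a 20 ms timing window `w`, 20 histogram bins, a threshold of 0.08, the basic JitterBug encoding (padded intervals land on 0 or w/2 modulo w), constructed traffic, and hypothetical function names throughout.

```python
import random
from itertools import accumulate

W_US = 20_000   # assumed timing window w (20 ms), in microseconds
BINS = 20       # assumed histogram resolution over [0, w)

def residue_histogram(iats_us, w=W_US, bins=BINS):
    """Normalised histogram of inter-arrival times taken modulo w."""
    counts = [0] * bins
    for iat in iats_us:
        counts[(iat % w) * bins // w] += 1
    return [c / len(iats_us) for c in counts]

def ks_statistic(hist_a, hist_b):
    """Kolmogorov-Smirnov statistic: largest gap between the two CDFs."""
    return max(abs(a - b) for a, b in
               zip(accumulate(hist_a), accumulate(hist_b)))

def constructed_trace(n, embed_prob, rng, w=W_US):
    """Constructed sample data, not a capture: exponential inter-arrival
    times (mean 150 ms); a fraction embed_prob is padded so that
    iat % w is 0 or w/2, the rest is left untouched (sparse embedding)."""
    trace = []
    for _ in range(n):
        iat = int(rng.expovariate(1 / 150_000)) + 1
        if rng.random() < embed_prob:
            target = rng.choice((0, w // 2))
            iat += (target - iat) % w
        trace.append(iat)
    return trace

def is_covert(observed_us, reference_us, threshold=0.08):
    """Flag a flow whose residue histogram departs from the reference.
    The threshold is an assumed value for this sample size."""
    d = ks_statistic(residue_histogram(observed_us),
                     residue_histogram(reference_us))
    return d > threshold, d

def demo(seed=1):
    rng = random.Random(seed)
    reference = constructed_trace(5000, 0.0, rng)   # known-clean baseline
    clean = constructed_trace(5000, 0.0, rng)
    sparse = constructed_trace(5000, 0.3, rng)      # embedding probability 0.3
    return is_covert(clean, reference), is_covert(sparse, reference)

if __name__ == "__main__":
    print(demo())
```

At embedding probability p the padded intervals add roughly p/2 of the mass to each of two bins, so the CDF gap is close to 0.45p here, which is why the statistic still separates from sampling noise at p = 0.3.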
