A study of on/off timing channel based on packet delay distribution

An on/off timing channel is a typical network covert timing channel, which attackers can use to steal information from compromised systems without triggering network firewalls and intrusion detection systems. In this paper, we discuss the principle of information transmission in an on/off timing channel and categorize such channels into two types: deterministic channels and non-deterministic channels. We then analyze the components of packet delay and their characteristics, and provide a method for calculating the maximum transmission rate of a non-deterministic channel based on the packet delay distribution. After that, we conduct experiments to obtain the packet delay distribution in a real network, and calculate the maximum transmission rate via our method. We then construct an actual channel and obtain the actual transmission rate based on the observed symbol transmission probabilities. Our experiments show that the transmission rate calculated through our method is close to the real one, and can reveal the risk of information leakage via on/off timing channels in a network. In addition, the results indicate that non-deterministic channels may pose a greater threat than deterministic ones in the same network, and that information leakage via on/off timing channels deserves more attention.
