A novel method for securing critical infrastructures by detecting hidden flows of data

This work introduces a novel method for securing critical infrastructures. We propose a hypothesis test for intrusion detection in data communications that detects the presence or absence of a covert (i.e. hidden) timing channel. The new testing procedure, namely the Weibullness test, statistically measures how well the series under investigation (the inter-arrival times of the received packets) fits a Weibull versus a non-Weibull model. This is equivalent to differentiating between legitimate and covert data communications. The results show the robustness of this test compared with the conventional shape and regularity tests, even in the presence of short-lived covert communications.
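A minimal illustration of the idea in the abstract, added here and not taken from the paper: it scores how closely windows of packet inter-arrival times follow a Weibull model using the correlation of the Weibull probability plot, a standard goodness-of-fit stand-in rather than the authors' Weibullness statistic. The function names, the 200-sample window, the 0.90 threshold and the trace are assumptions constructed for the example.

```python
import math
import random

def weibull_plot_r(samples):
    """Correlation of the Weibull probability plot: ln(t) against ln(-ln(1 - F))."""
    t = sorted(x for x in samples if x > 0)
    n = len(t)
    if n < 3:
        raise ValueError("need at least 3 positive inter-arrival times")
    if t[0] == t[-1]:
        return 0.0  # perfectly constant delays cannot be Weibull-like
    xs = [math.log(v) for v in t]
    # Median-rank (Bernard) estimate of the empirical CDF at each ordered sample
    ys = [math.log(-math.log(1 - (i - 0.3) / (n + 0.4))) for i in range(1, n + 1)]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((a - mx) ** 2 for a in xs)
    syy = sum((b - my) ** 2 for b in ys)
    sxy = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)

def flag_windows(inter_arrivals, window=200, threshold=0.90):
    """Return (start, r) for each non-overlapping window that fits Weibull poorly."""
    flagged = []
    for start in range(0, len(inter_arrivals) - window + 1, window):
        r = weibull_plot_r(inter_arrivals[start:start + window])
        if r < threshold:
            flagged.append((start, round(r, 3)))
    return flagged

def constructed_trace(seed=7):
    """Constructed data: Weibull traffic with one short two-level burst inside."""
    rng = random.Random(seed)
    def legit(k):
        return [rng.weibullvariate(0.05, 0.8) for _ in range(k)]
    # Short-lived segment whose delays cluster around two levels (constructed)
    burst = [rng.choice((0.02, 0.10)) * rng.uniform(0.95, 1.05) for _ in range(200)]
    return legit(400) + burst + legit(400)

if __name__ == "__main__":
    for start, r in flag_windows(constructed_trace()):
        print(f"window at packet {start}: plot correlation {r}, not Weibull-like")
```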
