Current covert timing channel detection relies upon discerning the underlying regularity that must be present in the packet interarrival times (PIATs) in order for the channel to carry information. But it is not hard for a determined adversary to defeat detection. Existing algorithms look only at the PIATs. We hypothesized that detection could be improved by also exploiting knowledge about the system from which the exfiltration is occurring. In particular, the bits that are being extruded likely reside in memory at some point during the transmission. Any correlation between memory content and interpacket time delays, even a remote one, is no coincidence. It suggests an active timing channel. Furthermore, even if the data has been encrypted prior to transmission, at least a portion of the corresponding ciphertext should reside somewhere in the address space used by the rogue process. We tested this approach against an adversary applying increasingly sophisticated schemes to conceal an IP timing channel. Even when the attack escalated well beyond the level at which other detection methods failed, our method identified (and decoded) the covert communication.
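As an added illustration of the detection idea in the abstract (this is not code from the paper), the script below slides a window over a memory dump, correlates the bits of each window with a captured PIAT sequence, reports the window that correlates most strongly, and decodes the bits from the delays. It assumes a simple two-level channel (short gap for 0, long gap for 1); the secret, the memory dump, the delay parameters and the jitter are all constructed inline and are not values from the paper.

```python
"""Correlating packet interarrival times (PIATs) with memory content.

Added example, not the paper's code. Assumes a two-level timing channel
where each bit is sent as a short or a long gap before the next packet.
All inputs below are constructed for the demonstration.
"""
import random

# Assumed channel parameters (seconds): gap for a 0, gap for a 1, jitter amplitude.
SHORT, LONG, JITTER = 0.020, 0.080, 0.005


def bits_from_bytes(data: bytes) -> list:
    """MSB-first bit expansion of a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bytes_from_bits(bits: list) -> bytes:
    """Pack bits MSB-first; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def pearson(xs, ys) -> float:
    """Pearson correlation; returns 0.0 when either series has no variance
    (e.g. an all-zero memory window), which avoids a division by zero."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def scan_memory(piats, memory: bytes):
    """Slide a window over the dump and return (offset, r) for the window whose
    bits correlate most strongly (by absolute value) with the PIAT sequence.
    The sign of r tells which delay level carried a 1."""
    nbytes = (len(piats) + 7) // 8
    best = (None, 0.0)
    for off in range(0, len(memory) - nbytes + 1):
        bits = bits_from_bytes(memory[off:off + nbytes])[:len(piats)]
        r = pearson(bits, piats)
        if abs(r) > abs(best[1]):
            best = (off, r)
    return best


def decode_piats(piats, invert=False) -> bytes:
    """Threshold each delay at the midpoint of the observed range; invert the
    bits when the memory correlation was negative (long gap meant 0)."""
    mid = (min(piats) + max(piats)) / 2
    bits = [int(d > mid) ^ int(invert) for d in piats]
    return bytes_from_bits(bits)


# --- constructed inputs ---------------------------------------------------
rng = random.Random(1234)
SECRET = b"ATTACK AT DAWN"          # constructed; stands in for the extruded data
SECRET_OFFSET = 77                  # constructed; where the secret sits in the dump
# Constructed memory dump: random bytes with the secret embedded at SECRET_OFFSET.
MEMORY = (bytes(rng.randrange(256) for _ in range(SECRET_OFFSET))
          + SECRET
          + bytes(rng.randrange(256) for _ in range(109)))
# Constructed PIAT trace: one gap per secret bit, plus uniform jitter.
PIATS = [(LONG if b else SHORT) + rng.uniform(-JITTER, JITTER)
         for b in bits_from_bytes(SECRET)]


def detect(piats=PIATS, memory=MEMORY) -> dict:
    """Run the scan and decode; returns the best offset, its correlation and
    the recovered bytes."""
    off, r = scan_memory(piats, memory)
    return {"offset": off, "r": r, "decoded": decode_piats(piats, invert=r < 0)}


if __name__ == "__main__":
    print(detect())
```

With the constructed trace, the window at the secret's offset correlates at roughly 0.99 while every other window stays near zero, so the scan both flags the channel and locates the bytes that fed it; a dump with the secret removed produces no window above the noise. Real traffic would need the threshold in `decode_piats` derived from the observed delay clusters rather than the raw range, and the correlation compared against a baseline computed from benign dumps.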