IP covert timing channels: design and detection

Published: 25 October 2004

Abstract

A network covert channel is a mechanism that can be used to leak information across a network in violation of a security policy and in a manner that can be difficult to detect. In this paper, we describe our implementation of a covert network timing channel, discuss the subtle issues that arose in its design, and present performance data for the channel. We then use our implementation as the basis for our experiments in its detection. We show that the regularity of a timing channel can be used to differentiate it from other traffic and present two methods of doing so and measures of their efficiency. We also investigate mechanisms that attackers might use to disrupt the regularity of the timing channel, and demonstrate methods of detection that are effective against them.

Published In

CCS '04: Proceedings of the 11th ACM conference on Computer and communications security
October 2004
376 pages
ISBN:1581139616
DOI:10.1145/1030083
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. TCP/IP
  2. covert timing channels
  3. detection
  4. network covert channels

Qualifiers

  • Article

Conference

CCS04

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
