Model-Based Covert Timing Channels: Automated Modeling and Evasion

Authors:
Steven Gianvecchio;Haining Wang;Duminda Wijesekera;Sushil Jajodia
Affiliations:
Department of Computer Science, College of William and Mary, Williamsburg, USA VA 23187;Department of Computer Science, College of William and Mary, Williamsburg, USA VA 23187;Center for Secure Information Systems, George Mason University, Fairfax, USA VA 22030;Center for Secure Information Systems, George Mason University, Fairfax, USA VA 22030
Venue:
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Year:
2008

Citing 18
Cited 7

A pump for rapid, reliable, secure communication

CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
A note on the confinement problem

Communications of the ACM
On the nonstationarity of Internet traffic

Proceedings of the 2001 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Eliminating Steganography in Internet Traffic with Active Wardens

IH '02 Revised Papers from the 5th International Workshop on Information Hiding
A network version of the Pump

SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays

Proceedings of the 10th ACM conference on Computer and communications security
Pattern Classification (2nd Edition)

Pattern Classification (2nd Edition)
Web tap: detecting covert web traffic

Proceedings of the 11th ACM conference on Computer and communications security
IP covert timing channels: design and detection

Proceedings of the 11th ACM conference on Computer and communications security
The Pump: A Decade of Covert Fun

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Covert and Side Channels Due to Processor Architecture

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Discrete-Event Simulation: A First Course

Discrete-Event Simulation: A First Course
DSSS-Based Flow Marking Technique for Invisible Traceback

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Keyboards and covert channels

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Detecting covert timing channels: an entropy-based approach

Proceedings of the 14th ACM conference on Computer and communications security
An information-theoretic and game-theoretic study of timing channels

IEEE Transactions on Information Theory
Cloak: a ten-fold way for reliable covert communications

ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security

Robust and undetectable steganographic timing channels for i.i.d. traffic

IH'10 Proceedings of the 12th international conference on Information hiding
Stealthier inter-packet timing covert channels

NETWORKING'11 Proceedings of the 10th international IFIP TC 6 conference on Networking - Volume Part I
CoCo: coding-based covert timing channels for network flows

IH'11 Proceedings of the 13th international conference on Information hiding
Cirripede: circumvention infrastructure using router redirection with plausible deniability

Proceedings of the 18th ACM conference on Computer and communications security
Network covert channels on the Android platform

Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research
Mimic: An active covert channel that evades regularity-based detection

Computer Networks: The International Journal of Computer and Telecommunications Networking
Practical comprehensive bounds on surreptitious communication over DNS

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

The exploration of advanced covert timing channel design is important to understand and defend against covert timing channels. In this paper, we introduce a new class of covert timing channels, called model-based covert timing channels, which exploit the statistical properties of legitimate network traffic to evade detection in an effective manner. We design and implement an automated framework for building model-based covert timing channels. Our framework consists of four main components: filter, analyzer, encoder, and transmitter. The filter characterizes the features of legitimate network traffic, and the analyzer fits the observed traffic behavior to a model. Then, the encoder and transmitter use the model to generate covert traffic and blend with legitimate network traffic. The framework is lightweight, and the overhead induced by model fitting is negligible. To validate the effectiveness of the proposed framework, we conduct a series of experiments in LAN and WAN environments. The experimental results show that model-based covert timing channels provide a significant increase in detection resistance with only a minor loss in capacity.