Liquid: A detection-resistant covert timing channel based on IPD shaping

Authors

  • Robert J. Walls
  • Kush Kothari
  • Matthew K. Wright
Abstract

Covert timing channels provide a way to surreptitiously leak information from an entity in a higher-security level to an entity in a lower level. The difficulty of detecting or eliminating such channels makes them a desirable choice for adversaries that value stealth over throughput. When one considers the possibility of such channels transmitting information across network boundaries, the threat becomes even more acute. A promising technique for detecting covert timing channels focuses on using entropy-based tests. This method is able to reliably detect known covert timing channels by using a combination of entropy and conditional entropy to detect anomalies in shape and regularity, respectively. This dual approach is intended to make entropy-based detection robust against both current and future channels. In this work, we show that entropy-based detection can be defeated by a channel that intelligently and adaptively manipulates the metrics used for detection. Specifically, we propose a new passive covert channel that uses a portion of the inter-packet delays in a compromised stream to smooth out the shape distortions detected by the entropy test. As a passive channel, it is not as prone to regularity-based detection as previously proposed active channels. We introduce a model for analyzing the effect of our techniques on the entropy of the channel and empirically investigate the accuracy of the model. In network experiments and simulation, we validate this model and demonstrate that the proposed channel successfully evades entropy-based detection and other known tests while maintaining reasonable throughput.

Preprint submitted to Elsevier June 19, 2010

Similar resources

Model-Based Covert Timing Channels: Automated Modeling and Evasion

The exploration of advanced covert timing channel design is important to understand and defend against covert timing channels. In this paper, we introduce a new class of covert timing channels, called model-based covert timing channels, which exploit the statistical properties of legitimate network traffic to evade detection in an effective manner. We design and implement an automated framework...

Methods of IPD normalization to counteract IP timing covert channels

Covert channels are used for information transmission in a manner that is not intended for communication and is difficult to detect. We propose a technique to prevent information leakage via IP covert timing channels by normalizing inter-packet delays in the process of sending packets. Recommendations for using the counteraction methods and choosing parameters were given. The advantage of...

Design and evaluation of a hybrid encoding method for covert timing channels in the Internet

A covert channel communicates information under the cover of an overt, authorized channel in such a way that the existence of the channel is hidden. In network covert timing channels, which use the timing features of transmitted packets to modulate covert information, an appropriate encoding scheme is very important. In this paper, a hybrid encoding scheme is proposed through combining "the inter-pac...

Detection of Covert Channel Encoding in Network Packet Delays

Covert channels are mechanisms for communicating information in ways that are difficult to detect. Data exfiltration can be an indication that a computer has been compromised by an attacker even when other intrusion detection schemes have failed to detect a successful attack. Covert timing channels use packet interarrival times, not header or payload embedded information, to encode covert messa...

A Detection Method for Cloak Covert Channel Based on Distribution of TCP Burst Size

Cloak is a new class of network covert timing channel that relies on multilink, with high reliability and enhanced data rate. The existing detection schemes are less effective at detecting this kind of covert channel. In this paper, a detection method for the Cloak covert channel based on burst size distribution is proposed. The statistical distribution of burst size is calculated and Chi-Squared test is ...


Journal title:
  • Computer Networks

Volume 55  Issue

Pages  -

Publication date 2011