Mimic: An active covert channel that evades regularity-based detection

To counter the threat of leaks of sensitive and mission-critical information, high-security facilities employ multi-level security mechanisms in which information flows are prevented from high-security systems to lower-security systems. For networks, this includes the monitoring of all incoming and outgoing traffic, high-grade encryption for all data communication, intrusion detection systems, and rigid enforcement of workstation policies. These measures often make it impossible to leak information by traditional means such as email and file transfer. A covert channel is a communication channel that can be exploited by a process to transfer information in a manner that violates a system’s security policy [1]. An adversary with vested interests can utilize covert channels to leak out information from a secure facility. Ample research is required in understanding and exploring the working of covert channels to develop suitable defenses against them. Covert timing channels (CTC) are a class of advanced covert channels that use the timing difference between two consecutive packets — Inter-Packet Delays (IPDs) — to encode messages. IPDs are a natural characteristic of network traffic and as a result, messages encoded with IPDs make CTCs par-