Correlating Packet Timing with Memory Content Detects IP Covert Timing Channels

Author

  • Richard M. Stillman
Abstract

We report a novel approach for detecting a hostile process extruding data through a covert timing channel. Our method looks for correlations between the timing of network traffic and bit strings in the address space of the suspicious process.

Background

Covert leakage of sensitive information from governmental or corporate systems remains a significant threat. Intelligent network gateways can close covert storage channels, but covert timing channels are notoriously difficult to prevent: measures that impede covert communication also slow all other outbound traffic. Current detection technology relies on discerning the underlying regularity that must be present in the packet interarrival times (PIATs) for the channel to carry information. Unfortunately, a determined adversary can defeat such detection simply by obfuscating the distribution of PIATs. In the work reported here, we present a new technique that combines analysis of the PIATs with string matching against data in the address space of the target process. This approach overcomes the limitations of purely statistical PIAT analysis.

Experiments and Results

We created a trojan process that uses an IP covert timing channel and then tested our ability to detect it on a local area network. First we applied three published detection methods, then an entropy-based detector of our own, and finally the PIAT-memory correlation approach.

Efficacy of published detection algorithms

By configuring the trojan to inject increasing amounts of noise into the channel, we defeated detection by the histogram approach of Borders and Prakash [2], the covert channel ratio Cμ/Cmax of Berk et al. [1], and the ε-similarity metric of Cabuk et al. [4].

Entropy-based detection

Browne [3] theorized that if we could accurately measure the entropy of a system's output and find that it falls short of the predicted entropy, then there must be a covert process imposing order upon the output. We implemented this

* Author's mailing address: 6574 N. State Road 7, #286, Coconut Creek, FL 33073

[Figure: entropy ratio (y-axis, 0.0 to 1.0) versus noise (x-axis, 0.0 to 1.0)]
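The abstract contrasts two detectors: a purely statistical one (Browne's entropy argument, which noise can defeat) and the paper's PIAT-memory correlation. The following simulation is an added illustration written for this page, not the paper's code or its experimental setup. It assumes a trojan that encodes a 0 bit as a 50 ms inter-packet delay and a 1 bit as 100 ms and adds Gaussian jitter as "noise"; the secret string, the random memory image with the secret spliced in at byte offset 600, the 16-bin entropy ratio, and the 0.6 / 0.75 alarm thresholds are all constructed for the example.

```python
import math
import random
from typing import Dict, List, Optional, Tuple

# Constructed simulation of the two detectors; not the paper's code.
# A trojan encodes each secret bit as a short (0) or long (1) inter-packet
# delay and adds Gaussian jitter ("noise") to blur the two timing modes.
SHORT_MS = 50.0   # assumed PIAT for a 0 bit
LONG_MS = 100.0   # assumed PIAT for a 1 bit
SECRET = b"db-password=Tr0ub4dor&3 #sample\n"   # constructed 32-byte secret


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list of a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def encode_piats(secret: bytes, noise_ms: float, rng: random.Random) -> List[float]:
    """Trojan side: one PIAT per secret bit, plus jitter with std. dev. noise_ms."""
    return [(LONG_MS if bit else SHORT_MS) + rng.gauss(0.0, noise_ms)
            for bit in bytes_to_bits(secret)]


def make_memory_image(size: int, rng: random.Random,
                      secret: Optional[bytes] = None, at: int = 0) -> bytes:
    """Constructed stand-in for a process address-space dump: random filler,
    optionally with the secret spliced in at byte offset `at`."""
    filler = bytearray(rng.getrandbits(8) for _ in range(size))
    if secret is not None:
        filler[at:at + len(secret)] = secret
    return bytes(filler)


def entropy_ratio(piats: List[float], bins: int = 16) -> float:
    """Browne-style statistic: Shannon entropy of the binned PIATs divided by
    log2(bins), the entropy of a uniform spread over the same bins. A value
    well below 1 means something is imposing order on the timing."""
    lo, hi = min(piats), max(piats)
    width = (hi - lo) / bins or 1.0
    counts = [0] * bins
    for p in piats:
        counts[min(int((p - lo) / width), bins - 1)] += 1
    n = len(piats)
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return h / math.log2(bins)


def demod_threshold(piats: List[float], iters: int = 20) -> float:
    """Two-centroid clustering (Lloyd's algorithm) to find the short/long split."""
    lo, hi = min(piats), max(piats)
    for _ in range(iters):
        low = [p for p in piats if abs(p - lo) <= abs(p - hi)]
        high = [p for p in piats if abs(p - lo) > abs(p - hi)]
        if not low or not high:
            break
        lo, hi = sum(low) / len(low), sum(high) / len(high)
    return (lo + hi) / 2.0


def piats_to_bits(piats: List[float]) -> List[int]:
    """Observer side: demodulate PIATs into a candidate bit string."""
    t = demod_threshold(piats)
    return [1 if p > t else 0 for p in piats]


def best_memory_match(bits: List[int], memory: bytes) -> Tuple[float, int]:
    """Slide the candidate bit string over every bit offset of the memory image
    and return (largest fraction of agreeing bits, bit offset where it occurs).
    Chance agreement is about 0.5 per bit, so a high fraction ties the traffic
    to specific memory content even when many demodulated bits are wrong."""
    n = len(bits)
    pattern = int("".join(map(str, bits)), 2)
    mem_int = int.from_bytes(memory, "big")
    total = len(memory) * 8
    mask = (1 << n) - 1
    best, best_off = 0.0, -1
    for off in range(total - n + 1):
        window = (mem_int >> (total - n - off)) & mask
        frac = 1.0 - bin(window ^ pattern).count("1") / n
        if frac > best:
            best, best_off = frac, off
    return best, best_off


def detect(piats: List[float], memory: bytes,
           entropy_threshold: float = 0.6, match_threshold: float = 0.75) -> Dict[str, object]:
    """Run both detectors. Thresholds are illustrative, not from the paper."""
    ratio = entropy_ratio(piats)
    frac, off = best_memory_match(piats_to_bits(piats), memory)
    return {"entropy_ratio": ratio, "entropy_alarm": ratio < entropy_threshold,
            "match_fraction": frac, "match_bit_offset": off,
            "memory_alarm": frac >= match_threshold}


def simulate(noise_ms: float, with_secret: bool = True) -> Dict[str, object]:
    """Fixed-seed scenario: a suspect image (secret at byte 600, i.e. bit 4800)
    or an innocent one, and the trojan's PIATs at the given jitter level."""
    memory = make_memory_image(1024, random.Random(7),
                               SECRET if with_secret else None, at=600)
    piats = encode_piats(SECRET, noise_ms, random.Random(1))
    return detect(piats, memory)


if __name__ == "__main__":
    for noise in (0.0, 10.0, 20.0):
        print(noise, simulate(noise))
    print("innocent", simulate(0.0, with_secret=False))
```

With no jitter both detectors fire; at 20 ms of jitter the entropy ratio climbs toward 1 and the statistical alarm goes quiet, while the demodulated bit string still agrees with the spliced-in secret at far above chance, so the memory correlation keeps pointing at bit offset 4800. An innocent image never exceeds the chance-level ceiling.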


Related sources

Methods of IPD normalization to counteract IP timing covert channels

Covert channels transmit information by means not intended for communication and are difficult to detect. We propose a technique to prevent information leakage via IP covert timing channels by normalizing inter-packet delays as packets are sent. Recommendations for applying the countermeasures and choosing their parameters are given. The advantage of...

Design and Evaluation of a Hybrid Encoding Method for Covert Timing Channels on the Internet

A covert channel communicates information by hiding it within an overt, authorized channel so that the existence of the channel remains concealed. In network covert timing channels, which modulate covert information onto the timing features of transmitted packets, the choice of encoding scheme is critical. In this paper, a hybrid encoding scheme is proposed by combining "the inter-pac...

Stealthier Inter-packet Timing Covert Channels

Covert channels aim to hide the existence of communication. Recently proposed packet-timing channels encode covert data in inter-packet times, based on models of inter-packet times of normal traffic. These channels are detectable if normal inter-packet times are not independent identically-distributed, which we demonstrate is the case for several network applications. We show that ~80% of chann...


Detection of Covert Channel Encoding in Network Packet Delays

Covert channels are mechanisms for communicating information in ways that are difficult to detect. Data exfiltration can be an indication that a computer has been compromised by an attacker even when other intrusion detection schemes have failed to detect a successful attack. Covert timing channels use packet interarrival times, not header or payload embedded information, to encode covert messa...


Robust and Undetectable Covert Timing Channels for i.i.d. Traffic

Covert timing channels exploit inter-packet delays in network traffic to transmit secret messages. The two most important design goals are undetectability (the covert channel has to remain hidden to a potential adversary that is monitoring the inter-packet delay pattern) and robustness (messages can be decoded correctly even in presence of (maliciously) injected noise). In previous proposals un...


Journal title:

Volume   Issue

Pages  -

Publication date: 2007