IP covert timing channels

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

IP covert timing channels: design and detection

Full text

Pdf (572 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 11th ACM conference on Computer and communications security table of contents

Washington DC, USA

SESSION: Information flow table of contents

Pages: 178 - 187

Year of Publication: 2004

ISBN:1-58113-961-6

Authors

Serdar Cabuk	Purdue University
Carla E. Brodley	Tufts University
Clay Shields	Georgetown University

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 25, Downloads (12 Months): 170, Citation Count: 8

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1030083.1030108 What is a DOI?

ABSTRACT

A network covert channel is a mechanism that can be used to leak information across a network in violation of a security policy and in a manner that can be difficult to detect. In this paper, we describe our implementation of a covert network timing channel, discuss the subtle issues that arose in its design, and present performance data for the channel. We then use our implementation as the basis for our experiments in its detection. We show that the regularity of a timing channel can be used to differentiate it from other traffic and present two methods of doing so and measures of their efficiency. We also investigate mechanisms that attackers might use to disrupt the regularity of the timing channel, and demonstrate methods of detection that are effective against them.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Christopher Abad. IP checksum covert channels and selected hash collision. Technical report, 2001.
	2	Kamran Ahsan. Covert channel analysis and data hiding in TCP/IP. Master's thesis, University of Toronto, 2000.
	3	Kamran Ahsan and Deepa Kundur. Practical data hiding in TCP/IP. In Proc. Workshop on Multimedia Security at ACM Multimedia, December 2002.
	4	Hari Balakrishnan , Mark Stemm , Srinivasan Seshan , Randy H. Katz, Analyzing stability in wide-area network performance, Proceedings of the 1997 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, p.2-12, June 15-18, 1997, Seattle, Washington, United States
	5	Ronald E. Best. Phase-locked loops: Design, simulation and applications. McGraw-Hill Professional, 5th edition, 2003.
	6	Kimberly C. Claffy , George C. Polyzos , Hans-Werner Braun, Application of sampling methodologies to network traffic characterization, Conference proceedings on Communications architectures, protocols and applications, p.194-203, September 13-17, 1993, San Francisco, California, United States
	7	D. R. Cox and P. A. W. Lewis. The statistical analysis of series of events. Chapman and Hall, 1966.
	8	Cyber Defense Technology Experimental Research (DETER) network. http://www.isi.edu/deter/.
	9	Daemon9. Project Loki. Phrack, 49(6), August 1996.
	10	Alex Dyatlov and Simon Castro. Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the HTTP protocol. June 2003.
	11	Gina Fisk , Mike Fisk , Christos Papadopoulos , Joshua Neil, Eliminating Steganography in Internet Traffic with Active Wardens, Revised Papers from the 5th International Workshop on Information Hiding, p.18-35, October 07-09, 2002
	12	John Giffin, Rachel Greenstadt, Peter Litwack, and Richard Tibbetts. Covert messaging through TCP timestamps. In Workshop on Privacy Enhancing Technologies, volume 2482, pages 194--208, April 2002.
	13	James Giles and Bruce Hajek. An information-theoretic and game-theoretic study of timing channels. In IEEE Transaction on Information Theory, volume 48, pages 2455--2477, September 2003.
	14	Virgil Gligor. A guide to understanding covert channel analysis of trusted systems. Technical Report NCSC-TG-030, National Computer Security Center, Ft. George G. Meade, Maryland, U.S.A., November 1993.
	15	WAND Research group. NZIX-II trace archive, data available at http://pma.nlanr.net/traces/long/nzix2.html.
	16	Riccardo Gusella. Characterizing the variability of arrival processes with indexes of dispersion. IEEE Journal on Selected Areas in Communications, 9(2):203--211, February 1991.
	17	Mark Handley and Vern Paxson. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proceedings of the 10th USENIX Security Symposium, August 2001.
	18	Paul A. Henry. Covert channels provided hackers the opportunity and the means for the current distributed denial of service attacks. Technical report, 2000.
	19	James W. Gray III. Countermeasures and tradeoffs for a class of covert timing channel. Technical report, 1994.
	20	M. H. Kang , I. S. Moskowitz , D. C. Lee, A network version of the Pump, Proceedings of the 1995 IEEE Symposium on Security and Privacy, p.144, May 08-10, 1995
	21	Richard Lippmann , Joshua W. Haines , David J. Fried , Jonathan Korba , Kumar Das, The 1999 DARPA off-line intrusion detection evaluation, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.34 n.4, p.579-595, Oct. 2000 [doi>10.1016/S1389-1286(00)00139-0]
	22	M Mahoney and P Chan. An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In Proceeding of Recent Advances in Intrusion Detection (RAID)-2003, volume 2820, pages 220--237, September 8-10 2003.
	23	John McHugh. Covert channel analysis. Technical report, December 1995.
	24	Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.262-294, Nov. 2000 [doi>10.1145/382912.382923]
	25	U.S. Department of Defense. Trusted computer system evaluation "The Orange Book". DoD 5200.28-STD Washington: GPO:1985, 1985.
	26	Vern Paxson, Empirically derived analytic models of wide-area TCP connections, IEEE/ACM Transactions on Networking (TON), v.2 n.4, p.316-336, Aug. 1994 [doi>10.1109/90.330413]
	27	Phil A. Porras and Richard A. Kemmerer. Covert flow trees: A technique for identifying and analyzing covert storage channels. In Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, May 1991.
	28	C. Rosenberg, F. Guillemin, and R. Mazumdar. New approach for traffic characterisation in ATM networks. In IEE Proceedings - Communications, volume 142, pages 87--90, April 1995.
	29	C. Rowland. Covert channels in the TCP/IP protocol suite. First Monday: Peer-reviewed Journal on the Internet, 2(5), 1997.
	30	Sergio D. Servetto and Martin Vetterli. Communication using phantoms: Covert channels in the Internet. In IEEE International Symposium on Information Theory, June 2001.
	31	J. Christian Smith. Covert shells. SANS Institute Information Security Reading Room, November 2000.
	32	C.R. Tsai, V.D. Gligor, and C.S. Chandersekaran. A formal method for the identification of covert storage channels in secure XENIX. In Proceedings of the 1987 IEEE Symposium on Security and Privacy, April 1987.
	33	Robert A. Wagner , Michael J. Fischer, The String-to-String Correction Problem, Journal of the ACM (JACM), v.21 n.1, p.168-173, Jan. 1974 [doi>10.1145/321796.321811]
	34	John C. Wray. An analysis of covert timing channels. In Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, May 1991.

CITED BY 8

	Gaurav Shah , Andres Molina , Matt Blaze, Keyboards and covert channels, Proceedings of the 15th conference on USENIX Security Symposium, p.5-5, July 31-August 04, 2006, Vancouver, B.C., Canada
	Arati Baliga , Joe Kilian, On covert collaboration, Proceedings of the 9th workshop on Multimedia & security, September 20-21, 2007, Dallas, Texas, USA
	Weng-Keen Wong , Andrew Moore , Gregory Cooper , Michael Wagner, What's Strange About Recent Events (WSARE): An Algorithm for the Early Detection of Disease Outbreaks, The Journal of Machine Learning Research, 6, p.1961-1998, 12/1/2005
	Kevin Borders , Atul Prakash, Towards quantification of network-based information leaks via HTTP, Proceedings of the 3rd conference on Hot topics in security, p.1-6, July 29, 2008, San Jose, CA
	Steven Gianvecchio , Haining Wang, Detecting covert timing channels: an entropy-based approach, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Wenyuan Xu , Wade Trappe , Yanyong Zhang, Anti-jamming timing channels for wireless networks, Proceedings of the first ACM conference on Wireless network security, March 31-April 02, 2008, Alexandria, VA, USA
	Alan B. Shaffer , Mikhail Auguston , Cynthia E. Irvine , Timothy E. Levin, A security domain model to assess software for exploitable covert channels, Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, June 07-13, 2008, Tucson, AZ, USA
	Serdar Cabuk , Carla E. Brodley , Clay Shields, IP Covert Channel Detection, ACM Transactions on Information and System Security (TISSEC), v.12 n.4, p.1-29, April 2009