The detection of covert timing channels is of increasing interest in light of recent practice on the exploitation of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. The existing detection schemes are ineffective to detect most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is based on the observation that the creation of a covert timing channel has certain effects on the entropy of the original process, and hence, a change in the entropy of a process provides a critical clue for covert timing channel detection. Exploiting this observation, we investigate the use of entropy and conditional entropy in detecting covert timing channels. Our experimental results show that our entropy-based approach is sensitive to the current covert timing channels, and is capable of detecting them in an accurate manner.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Johan Agat, Transforming out timing leaks, Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.40-53, January 19-21, 2000, Boston, MA, USA  [doi>10.1145/325694.325702]
	2	Arimoto, S. An algorithm for computing the capacity of arbitrary discrete memoryless channels. IEEE Transactions on Information Theory Vol. 18, No. 1 (January 1972).
	3	Berk, V., Giani, A., and Cybenko, G. Covert channel detection using process query systems. In Proceedings of FLOCON 2005 (September 2005).
	4	Berk, V., Giani, A., and Cybenko, G. Detection of covert channel encoding in network packet delays. Tech. Rep. TR2005-536, Dartmouth College, Computer Science, Hanover, NH., USA, August 2005.
	5	Blahut, R. E. Computation of channel capacity and rate-distortion functions. IEEE Transactions on Information Theory Vol. 18, No. 4 (July 1972).
	6	Serdar Cabuk , Carla E. Brodley , Eugene H. Spafford, Network covert channels: design, analysis, detection, and elimination, Purdue University, West Lafayette, IN, 2006
	7	Serdar Cabuk , Carla E. Brodley , Clay Shields, IP covert timing channels: design and detection, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030108]
	8	Christian Cachin, An information-theoretic model for steganography, Information and Computation, v.192 n.1, p.41-56, 1 July 2004  [doi>10.1016/j.ic.2004.02.003]
	9	Thomas M. Cover , Joy A. Thomas, Elements of information theory, Wiley-Interscience, New York, NY, 1991
	10	Giffin, J., Greenstadt, R., Litwack, P., and Tibbetts, R. Covert messaging through TCP timestamps. In Proceedings of the 2002 International Workshop on Privacy Enhancing Technologies (April 2002).
	11	Giles, J., and Hajek, B. An information-theoretic and game-theoretic study of timing channels. IEEE Transactions on Information Theory Vol. 48, No. 9 (September 2002).
	12	Hu, W.-M. Reducing timing channels with fuzzy time. In Proceedings of the 1991 IEEE Symposium on Security and Privacy (May 1991).
	13	Myong H. Kang , Ira S. Moskowitz, A pump for rapid, reliable, secure communication, Proceedings of the 1st ACM conference on Computer and communications security, p.119-129, November 03-05, 1993, Fairfax, Virginia, United States  [doi>10.1145/168588.168604]
	14	Myong H. Kang , Ira S. Moskowitz , Stanley Chincheck, The Pump: A Decade of Covert Fun, Proceedings of the 21st Annual Computer Security Applications Conference, p.352-360, December 05-09, 2005  [doi>10.1109/CSAC.2005.56]
	15	Richard A. Kemmerer, A Practical Approach to Identifying Storage and Timing Channels: Twenty Years Later, Proceedings of the 18th Annual Computer Security Applications Conference, p.109, December 09-13, 2002
	16	Richard A. Kemmerer, A Practical Approach to Identifying Storage and Timing Channels: Twenty Years Later, Proceedings of the 18th Annual Computer Security Applications Conference, p.109, December 09-13, 2002
	17	Pai Peng , Peng Ning , Douglas S. Reeves, On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.334-349, May 21-24, 2006  [doi>10.1109/SP.2006.28]
	18	Porta, A., Baselli, G., Liberati, D., Montano, N., Cogliati, C., Gnecchi-Ruscone, T., Malliani, A., and Cerutti, S. Measuring regularity by meansof a corrected conditional entropy in sympathetic outflow. Biological Cybernetics Vol. 78, No. 1 (January 1998).
	19	Rosipal, R. Kernel-Based Regression and Objective Nonlinear Measures to Assess Brain Functioning. PhD thesis, University of Paisley, Paisley, Scotland, UK, September 2001.
	20	Gaurav Shah , Andres Molina , Matt Blaze, Keyboards and covert channels, Proceedings of the 15th conference on USENIX Security Symposium, p.5-5, July 31-August 04, 2006, Vancouver, B.C., Canada
	21	Shannon, C. A mathematical theory of communication. Bell System Technical Journal Vol. 27 (July and October 1948).
	22	Xinyuan Wang , Shiping Chen , Sushil Jajodia, Tracking anonymous peer-to-peer VoIP calls on the internet, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA  [doi>10.1145/1102120.1102133]
	23	Xinyuan Wang , Douglas S. Reeves, Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA  [doi>10.1145/948109.948115]