Abstract: The detection of covert timing channels is of increasing interest in light of recent exploits of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. Existing detection schemes are ineffective at detecting most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is …
“…In our work, we consider a well-known CTC variety known as model-based covert timing channels (MBCTCs), which avoid detection by fitting the CTC's packet timings to a statistical model based on natural traffic [7]. By testing our tool against a traffic sample injected with MBCTCs, we confirm the CCE test's effectiveness as a classifier established in previous results [5]. We also evaluated the maximum performance of our tool, establishing that it can handle close to a full 10 Gbps line rate assuming average sized packets.…”
Section: Introduction (supporting)
confidence: 67%
“…A very basic channel type would be Cabuk's IP covert timing channel (IPCTC) [10], a simple on/off channel, where a packet transmission during a set time interval will be interpreted by the receiver as a 1, while no transmission during that interval will be interpreted as a 0 [10]. This encoding scheme, although functional, creates traffic where the shape and regularity differs greatly from the original, overt traffic, making detection simple [5]. More advanced timing channels attempt to mimic real traffic statistics to bypass detection.…”
Section: Timing Channels and Detection (mentioning)
confidence: 99%
“…By performing our tree transformation and completing the calculation using arrays, we compute the CCE scores in less than 1 ms per flow, an order of magnitude faster than previous results [5].…”
Section: Introduction (mentioning)
confidence: 99%
“…A more effective detection method requires calculating the corrected conditional entropy (CCE), which is the conditional entropy calculation plus a corrective term accounting for the number of unique subsequences in the sample. The CCE test has proven effective for detecting a variety of CTCs with minimal false positives [5]. Outside of CTC detection, the CCE test has a variety of applications, particularly in medical imaging applications, such as analyzing heart rate variability data and other biological processes [6].…”
Section: Introduction (mentioning)
confidence: 99%
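As an added illustration (not code from any of the cited papers), the following computes the CCE score described above on a binned inter-packet-delay sequence: the conditional entropy of length-m patterns plus a corrective term that grows with the share of patterns occurring only once. The five-bin quantisation, the Porta-style form of the correction, and the two traces are constructed assumptions for this example.

```python
"""Corrected conditional entropy (CCE) of a symbolised inter-packet-delay (IPD) sequence.

Added example, not code from the cited papers. Assumed Porta-style form:
CE(m) = EN(m) - EN(m-1);  CCE(m) = CE(m) + perc(m) * EN(1);  score = min over m of CCE(m),
where EN(m) is the entropy of length-m patterns and perc(m) is the fraction of positions
whose length-m pattern occurs only once (our reading of "unique subsequences").
"""
import math
import random
from collections import Counter

def quantise(ipds, q=5):
    """Map each IPD to one of q equiprobable bins (q=5 is an assumed parameter)."""
    s = sorted(ipds)
    edges = [s[len(s) * k // q] for k in range(1, q)]
    return [sum(1 for e in edges if x >= e) for x in ipds]

def entropy_bits(counts):
    """Plug-in Shannon entropy in bits of a Counter of pattern frequencies."""
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def corrected_conditional_entropy(symbols, max_m=10):
    """Return min_m CCE(m): near 0 for a strictly regular sequence, high for unpredictable IPDs."""
    en_prev, en1, scores = 0.0, None, []
    for m in range(1, min(max_m, len(symbols)) + 1):
        total = len(symbols) - m + 1
        patterns = Counter(tuple(symbols[i:i + m]) for i in range(total))
        en_m = entropy_bits(patterns)
        if en1 is None:
            en1 = en_m                        # first-order entropy EN(1)
        perc = sum(1 for c in patterns.values() if c == 1) / total
        # the correction keeps the score from collapsing to 0 merely because long patterns are sparse
        scores.append((en_m - en_prev) + perc * en1)
        en_prev = en_m
    return min(scores)

def cce_score_from_ipds(ipds, q=5, max_m=10):
    return corrected_conditional_entropy(quantise(ipds, q), max_m)

# Constructed traces: a strictly periodic on/off-style timing pattern vs. jittered IPDs (mean 0.1 s).
PERIODIC_IPDS = [0.05, 0.20] * 200
_rng = random.Random(7)
JITTERED_IPDS = [_rng.expovariate(10.0) for _ in range(400)]

if __name__ == "__main__":
    print("periodic CCE:", round(cce_score_from_ipds(PERIODIC_IPDS), 3))
    print("jittered CCE:", round(cce_score_from_ipds(JITTERED_IPDS), 3))
```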
“…Outside of CTC detection, the CCE test has a variety of applications, particularly in medical imaging applications, such as analyzing heart rate variability data and other biological processes [6]. However, calculating the CCE score for a large sequence is an expensive calculation computationally, requiring the construction of a tree for each individual flow [5]. For higher traffic rates with a large number of flows arriving each second, we need to calculate the CCE score for each flow more efficiently.…”
Abstract: As line rates continue to grow, network security applications such as covert timing channel (CTC) detection must utilize new techniques for processing network flows in order to protect critical enterprise networks. GPU-based packet processing provides one means of scaling the detection of CTCs and other anomalies in network flows. In this paper, we implement a GPU-based detection tool, capable of detecting model-based covert timing channels (MBCTCs). The GPU's ability to process a large number of packets in parallel enables more complex detection tests, such as the corrected conditional entropy (CCE) test, a modified version of the conditional entropy measurement, which has a variety of applications outside of covert channel detection. In our experiments, we evaluate the CCE test's true and false positive detection rates, as well as the time required to perform the test on the GPU. Our results demonstrate that GPU packet processing can be applied successfully to perform real-time CTC detection at near 10 Gbps with high accuracy.
A network covert timing channel (NCTC) is a kind of covert channel that acquires strong concealment by modifying the inter-packet delays of legitimate network traffic and can evade detection by conventional network security mechanisms such as firewalls. Existing detection schemes are not able to detect multiple types of covert channels. Moreover, the robustness of the detection method is low when the network environment changes. Therefore, detecting NCTCs is a challenging task. In this paper, an NCTC detection method based on threshold secret sharing is proposed. The new approach utilizes the principle of threshold secret sharing to tolerate the loss or destruction of partial subsecrets, improves the robustness of the detection method, and solves the problem that current detection methods cannot resist environment changes. Experimental results show that the proposed scheme has strong robustness to a changing network environment, such as when network jitter, packet loss, and packet injection occur during transmission. The approach can detect varieties of NCTCs with a guaranteed true positive rate and greatly improves versatility and robustness.
Network covert channels use network resources to transmit data covertly, and their existence seriously threatens network security. Therefore, an effective method is needed to prevent and detect them. Current network covert timing channel detection methods often incorporate machine learning methods in order to achieve generalized detection, but they consume a large amount of computational resources. In this paper, we propose a generalized detection framework for covert channels based on perceptual hashing that does not rely on machine learning methods, and we propose a one-dimensional data feature descriptor for extracting perceptual-hash features from the data characteristics of covert timing channels. We first generate the hash sequence of the corresponding channel to obtain the average hash, which is used for comparison in the test phase. The experimental results show that the feature descriptor captures the feature differences of one-dimensional data well. Compared to machine learning methods, this perceptual hashing algorithm enables faster traffic detection. Meanwhile, our method detects effectively with the smallest coverage window compared with the latest solutions. Moreover, it exhibits robustness in a jittery network environment.