An Entropy-Based Approach to Detecting Covert Timing Channels

Gianvecchio, Steven; Wang, Haining

doi:10.1109/tdsc.2010.46

Cited by 118 publications

(115 citation statements)

References 26 publications

(39 reference statements)

Supporting

Mentioning

111

Contrasting

Order By: Relevance

“…In our work, we consider a well-known CTC variety known as model-based covert timing channels (MBCTCs), which avoid detection by fitting the CTC's packet timings to a statistical model based on natural traffic [7]. By testing our tool against a traffic sample injected with MBCTCs, we confirm the CCE test's effectiveness as a classifier established in previous results [5]. We also evaluated the maximum performance of our tool, establishing that it can handle close to a full 10 Gbps line rate assuming average sized packets.…”

Section: Introductionsupporting

confidence: 67%

“…A very basic channel type would be Cabuk's IP covert timing channel (IPCTC) [10], a simple on/off channel, where a packet transmission during a set time interval will be interpreted by the receiver as a 1, while no transmission during that interval will be interpreted as a 0 [10]. This encoding scheme, although functional, creates traffic where the shape and regularity differs greatly from the original, overt traffic, making detection simple [5]. More advanced timing channels attempt to mimic real traffic statistics to bypass detection.…”

Section: Timing Channels and Detectionmentioning

confidence: 99%

“…• By performing our tree transformation and completing the calculation using arrays, we compute the CCE scores in less than 1 ms per flow, an order of magnitude faster than previous results [5].…”

Section: Introductionmentioning

confidence: 99%

“…A more effective detection method requires calculating the corrected conditional entropy (CCE), which is the conditional entropy calculation plus a corrective term accounting for the number of unique subsequences in the sample. The CCE test has proven effective for detecting a variety of CTCs with minimal false positives [5]. Outside of CTC detection, the CCE test has a variety of applications, particularly in medical imaging applications, such as analyzing heart rate variability data and other biological processes [6].…”

Section: Introductionmentioning

confidence: 99%

“…Outside of CTC detection, the CCE test has a variety of applications, particularly in medical imaging applications, such as analyzing heart rate variability data and other biological processes [6]. However, calculating the CCE score for a large sequence is an expensive calculation computationally, requiring the construction of a tree for each individual flow [5]. For higher traffic rates with a large number of flows arriving each second, we need to calculate the CCE score for each flow more efficiently.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Real-time GPU-based timing channel detection using entropy

Gegan

Ahuja

Owens

et al. 2016

2016 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

Abstract-As line rates continue to grow, network security applications such as covert timing channel (CTC) detection must utilize new techniques for processing network flows in order to protect critical enterprise networks. GPU-based packet processing provides one means of scaling the detection of CTCs and other anomalies in network flows. In this paper, we implement a GPUbased detection tool, capable of detecting model-based covert timing channels (MBCTCs). The GPU's ability to process a large number of packets in parallel enables more complex detection tests, such as the corrected conditional entropy (CCE) test-a modified version of the conditional entropy measurement, which has a variety of applications outside of covert channel detection. In our experiments, we evaluate the CCE test's true and false positive detection rates, as well as the time required to perform the test on the GPU. Our results demonstrate that GPU packet processing can be applied successfully to perform real-time CTC detection at near 10 Gbps with high accuracy.

show abstract

Section: Introductionsupporting

confidence: 67%

Section: Timing Channels and Detectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Real-time GPU-based timing channel detection using entropy

Gegan

Ahuja

Owens

et al. 2016

2016 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

show abstract

A network covert timing channel detection method based on threshold secret sharing

Xie

Chen

Wang

et al. 2019

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Network covert timing channel (NCTC) is a kind of covert channel that acquires strong concealment by modifying the interpacket delays of legitimate network traffic and can evade detection by conventional network security mechanisms such as firewalls. Existing detection schemes are not able to detect multiple types of covert channels. Moreover, the robustness of the detection method is low when the network environment changes. Therefore, detecting NCTC is a challenging task. In this paper, an NCTC detection method based on threshold secret sharing is proposed. The new approach utilizes the principle of threshold secret sharing to tolerate the loss or the destruction of partial subsecrets, improves the robustness of the detection method, and solves the problem that the current detection method cannot resist environment changes. Experimental results show that the proposed scheme in this paper has strong robustness to a changing network environment such as when network jitter, packet loss, and packet injection occur in the network transmission process. The approach can detect varieties of NCTCs with a guaranteed true positive rate and greatly improve the versatility and robustness.

show abstract

A generalized detection framework for covert timing channels based on perceptual hashing

Zhuang,

Chen,

Tian

2024

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Network covert channels use network resources to transmit data covertly, and their existence will seriously threaten network security. Therefore, an effective method is needed to prevent and detect them. Current network covert timing channel detection methods often incorporate machine learning methods in order to achieve generalized detection, but they consume a large amount of computational resources. In this paper, we propose a generalized detection framework for covert channels based on perceptual hashing without relying on machine learning methods. And we propose a one‐dimensional data feature descriptor for feature extraction of perceptual hash for the data characteristics of covert timing channels. We first generate the hash sequence of the corresponding channel to get the average hash, which is used for comparison in the test phase. The experimental results show that the feature descriptor can capture the feature differences of one‐dimensional data well. When compared to machine learning methods, this perceptual hashing algorithms enable faster traffic detection. Meanwhile, our method is able to detect the effectiveness with the smallest coverage window compared with the latest solutions. Moreover, it exhibits robustness in jitter network environment.

show abstract

An Entropy-Based Approach to Detecting Covert Timing Channels

Cited by 118 publications

References 26 publications

Real-time GPU-based timing channel detection using entropy

Real-time GPU-based timing channel detection using entropy

A network covert timing channel detection method based on threshold secret sharing

A generalized detection framework for covert timing channels based on perceptual hashing

Contact Info

Product

Resources

About