DAT detectors: uncovering TCP/IP covert channels by descriptive analytics

Abstract: Covert channels provide means to conceal information transfer between hosts and bypass security barriers in communication networks. Hidden communication is of paramount concern for governments and companies, because it can conceal data leakage and malware communication, which are crucial building blocks used in cyber crime. We propose detectors based on descriptive analytics of traffic (DAT) to facilitate revealing network and transport layer covert channels originated from a wide spectrum of published data‐hi… Show more

“…As mentioned in Section 1, a recent classification of covert channels is presented in [12]. Moreover, DAT is introduced as a general methodology to identify covert channels in network traffic flows.…”

“…Further derived studies that focus on covert timing channels are developed in [13] and [15]. Here we explore the features used in these three cited works ( [12,13] and [15]) and add five new features related to regularity and randomness in time and symbol series.…”

“…The calculation of c is based on empirical tables and tries to estimate the number of potential covert bytes sent in a flow [12]. It uses S k (defined in Section 3.2) to guess the number of different symbols that the covert channel might be applying.…”

“…Figure 1 shows two examples with similar estimated curves and both with S k = 2. Kernel density estimation for assessing multimodality is widely described in [29], and their application for covert channels is discussed in [12].…”

“…We continue the investigations started with [12], where covert channels were classified by studying the implications and challenges faced from the detection side. Additionally, in [12] a general solution for covert channel identification called DAT (from Descriptive Analytics of Traffic) is proposed. The DAT methodology is based on representing traffic flows with a set of statistical measurements and estimations.…”

Analytic Study of Features for the Detection of Covert Timing Channels in NetworkTraffic

“…As mentioned in Section 1, a recent classification of covert channels is presented in [12]. Moreover, DAT is introduced as a general methodology to identify covert channels in network traffic flows.…”

“…Further derived studies that focus on covert timing channels are developed in [13] and [15]. Here we explore the features used in these three cited works ( [12,13] and [15]) and add five new features related to regularity and randomness in time and symbol series.…”

“…The calculation of c is based on empirical tables and tries to estimate the number of potential covert bytes sent in a flow [12]. It uses S k (defined in Section 3.2) to guess the number of different symbols that the covert channel might be applying.…”

“…Figure 1 shows two examples with similar estimated curves and both with S k = 2. Kernel density estimation for assessing multimodality is widely described in [29], and their application for covert channels is discussed in [12].…”

“…We continue the investigations started with [12], where covert channels were classified by studying the implications and challenges faced from the detection side. Additionally, in [12] a general solution for covert channel identification called DAT (from Descriptive Analytics of Traffic) is proposed. The DAT methodology is based on representing traffic flows with a set of statistical measurements and estimations.…”

Analytic Study of Features for the Detection of Covert Timing Channels in NetworkTraffic

Malware Forensic Analytics Framework Using Big Data Platform

Decision Tree Rule Induction for Detecting Covert Timing Channels in TCP/IP Traffic