Covert timing channels: analyzing WEB traffic

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

A covert channel exists when communication takes place contrary to the system's security policies. An attacker can easily disclose information from the victim's system with just one public access permission. Covert timing channels, unlike covert storage channels, do not use memory storage and draw less attention. Different methods have been proposed for identifying them, which generally rely on the shape of the traffic and the channel's regularity. The application-level nature of the HTTP protocol allows a covert timing channel to be built on different features (or levels) of the protocol, which has not been addressed in previous research. This research studies the effect of using different features (or levels) of the HTTP protocol on identifying the covert channel. The channel's entropy can be manipulated by changing the channel's level or by adding intentional noise to the channel to protect it from the analyzer's detection. A difference in the placement of the covert channel and the detector causes the channel entropy to be far from the detection threshold. Therefore, we conclude that the analyzer must investigate traffic at all possible levels. Adding noise to the covert channel decreases its capacity, but as entropy increases, the channel becomes harder to detect.
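An added example, not code from the paper: an entropy check over inter-arrival gaps, run at two observation levels, illustrating the abstract's point that a detector watching one level can miss regularity visible at another and that noise raises the measured entropy. The bin width, threshold, level names and all trace values are assumptions constructed for illustration.

```python
import math
from collections import Counter

BIN_MS = 10           # assumed bin width for quantizing inter-arrival gaps
THRESHOLD_BITS = 1.5  # assumed alert threshold: flag a level at or below this

def gap_entropy(times_ms):
    """Shannon entropy (bits) of inter-arrival gaps quantized into BIN_MS bins."""
    gaps = [b - a for a, b in zip(times_ms, times_ms[1:])]
    counts = Counter(g // BIN_MS for g in gaps)
    return -sum(c / len(gaps) * math.log2(c / len(gaps)) for c in counts.values())

def analyze(events):
    """events: (time_ms, kind) pairs. Returns {level: (entropy_bits, flagged)}."""
    levels = {
        "packet": sorted(t for t, _ in events),                  # every packet
        "http_request": sorted(t for t, k in events if k == "request"),
    }
    result = {}
    for name, times in levels.items():
        h = gap_entropy(times)
        result[name] = (h, h <= THRESHOLD_BITS)  # low entropy = suspiciously regular
    return result

def build_trace(request_gaps_ms):
    """Constructed sample flow: each request is followed by 2-5 other packets."""
    filler = [7, 31, 64, 118, 173]  # constructed offsets (ms) after a request
    events, t = [], 0
    for i, gap in enumerate(request_gaps_ms):
        events.append((t, "request"))
        events += [(t + off, "other") for off in filler[:2 + i % 4]]
        t += gap
    events.append((t, "request"))
    return events

# Constructed request spacings: two alternating values, then the same with jitter.
REGULAR_GAPS = [250, 450] * 8
NOISY_GAPS = [g + j for g, j in zip(REGULAR_GAPS, [-40, -20, 0, 20, 40] * 4)]

if __name__ == "__main__":
    for label, gaps in (("regular", REGULAR_GAPS), ("noisy", NOISY_GAPS)):
        for level, (h, flagged) in analyze(build_trace(gaps)).items():
            print(f"{label:8} {level:13} H={h:.2f} bits flagged={flagged}")
```

On the regular trace only the request level falls under the threshold (1.00 bit, against about 2.75 bits at packet level); with jitter the request-level entropy rises to 3.25 bits and neither level is flagged.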

Notes

  1. Simple mail transfer protocol.

  2. File transfer protocol.

Funding

This research received no external funding.

Author information

Corresponding author

Correspondence to Hamid Reza Hamidi.

Ethics declarations

Conflict of interest

The authors declare no conflict of interest.

About this article

Cite this article

Nasseralfoghara, M., Hamidi, H.R. Covert timing channels: analyzing WEB traffic. J Comput Virol Hack Tech 18, 117–126 (2022). https://doi.org/10.1007/s11416-021-00396-w

  • DOI: https://doi.org/10.1007/s11416-021-00396-w
