Detection of Covert Channels in TCP Retransmissions

  • Sebastian Zillien
  • Steffen WendzelEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11252)


In this paper we describe the implementation and detection of a network covert channel based on TCP retransmissions. For the detection, we implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based covert channels, namely the \(\epsilon \)-similarity and the compressibility. The \(\varepsilon \)-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can be applied to the detection of retransmission-based covert channels, i.e. we performed a so-called countermeasure variation.

Our initial results indicate that the \(\varepsilon \)-similarity can be considered a promising detection method for retransmission-based covert channels while the compressibility itself provides insufficient results but could potentially be used as a classification feature.


Covert channel Steganography Information hiding Retransmission TCP Countermeasure variation 


  1. 1.
    Cabaj, K., Caviglione, L., Mazurczyk, W., Wendzel, S., Woodward, A., Zander, S.: The new threats of information hiding: the road ahead. IT Prof. 20(3), 31–39 (2018)CrossRefGoogle Scholar
  2. 2.
    Cabuk, S., Brodley, C.E., Shields, C.: IP covert timing channels: design and detection. In: Proceedings of 11th ACM Conference on Computer and Communications Security, CCS 2004, pp. 178–187 (2004)Google Scholar
  3. 3.
    Cabuk, S., Brodley, C.E., Shields, C.: IP covert channel detection. ACM Trans. Inf. Syst. Secur. 12(4), 1–29 (2009)CrossRefGoogle Scholar
  4. 4.
    Girling, C.G.: Covert channels in lan’s. IEEE Trans. Softw. Eng. 13(2), 292 (1987)CrossRefGoogle Scholar
  5. 5.
    Handel, T.G., Sandford, M.T.: Hiding data in the OSI network model. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174, pp. 23–38. Springer, Heidelberg (1996). Scholar
  6. 6.
    Krätzer, C., Dittmann, J., Lang, A., Kühne, T.: WLAN steganography – a practical review. In: Proceedings of 8th Workshop on Multimedia and security, MM&Sec 2006 (2006)Google Scholar
  7. 7.
    Lampson, B.W.: A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973)CrossRefGoogle Scholar
  8. 8.
    Mazurczyk, W., Smolarczyk, M., Szczypiorski, K.: Hiding information in retransmissions. CoRR abs/0905.0363 (2009)Google Scholar
  9. 9.
    Mileva, A., Panajotov, B.: Covert channels in TCP/IP protocol stack – extended version. Cent. Eur. J. Comput. Sci. 4, 45–66 (2014)Google Scholar
  10. 10.
    Millen, J.: 20 years of covert channel modeling and analysis. In: Proceedings of 1999 IEEE Symposium on Security and Privacy, pp. 113–114. IEEE (1999)Google Scholar
  11. 11.
    Wendzel, S., Eller, D., Mazurczyk, W.: One countermeasure, multiple patterns: countermeasure variation for covert channels. In: Proceedings of Central European Cybersecurity Conference (CECC 2018). ACM (2018, in press).
  12. 12.
    Wendzel, S., Zander, S., Fechner, B., Herdin, C.: Pattern-based survey and categorization of network covert channel techniques. ACM Comput. Surv. 47(3), 1–26 (2015)CrossRefGoogle Scholar
  13. 13.
    Wolf, M.: Covert channels in LAN protocols. In: Berson, T.A., Beth, T. (eds.) LANSEC 1989. LNCS, vol. 396, pp. 89–101. Springer, Heidelberg (1989). Scholar
  14. 14.
    Zander, S., Armitage, G., Branch, P.: Covert channels and countermeasures in computer network protocols (reprinted from IEEE communications surveys and tutorials). IEEE Commun. Mag. 45(12), 136–142 (2007)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Centre of Technology and TransferWorms University of Applied SciencesWormsGermany
  2. 2.Department of Cyber SecurityFraunhofer FKIEBonnGermany

Personalised recommendations