Detection of Covert Channels in TCP Retransmissions

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11252)


In this paper we describe the implementation and detection of a network covert channel based on TCP retransmissions. For the detection, we implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based covert channels, namely the \(\varepsilon\)-similarity and the compressibility. The \(\varepsilon\)-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can be applied to the detection of retransmission-based covert channels, i.e. we performed a so-called countermeasure variation.

Our initial results indicate that the \(\varepsilon \)-similarity can be considered a promising detection method for retransmission-based covert channels while the compressibility itself provides insufficient results but could potentially be used as a classification feature.
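The two measures in their original inter-arrival-time form, as an added example (not the paper's code): the \(\varepsilon\)-similarity is implemented here as the share of adjacent sorted inter-arrival times whose relative difference is below \(\varepsilon\), and the compressibility as text length divided by compressed length. The sample flows, the two-decimal text encoding, zlib as the compressor and \(\varepsilon = 0.005\) are assumptions; the paper's retransmission-based variation is not reproduced.

```python
import random
import zlib

def epsilon_similarity(iats, eps=0.005):
    """Share of adjacent values in the sorted inter-arrival times whose
    relative difference is below eps (regular traffic scores near 1)."""
    s = sorted(iats)
    diffs = [(b - a) / a for a, b in zip(s, s[1:]) if a > 0]
    return sum(d < eps for d in diffs) / len(diffs) if diffs else 0.0

def compressibility(iats, digits=2):
    """len(S) / len(C): S is the concatenated text form of the rounded
    inter-arrival times, C is S after zlib compression."""
    text = "".join(f"{t:.{digits}f};" for t in iats).encode("ascii")
    return len(text) / len(zlib.compress(text, 9))

def constructed_flows(n=400, seed=7):
    """Constructed sample data, not measurements from the paper."""
    rng = random.Random(seed)
    # Irregular gaps standing in for ordinary traffic.
    legit = [0.001 + rng.expovariate(1 / 0.08) for _ in range(n)]
    # Two delay values (one per hidden bit) with slight jitter.
    covert = [rng.choice((0.04, 0.12)) + rng.uniform(-0.0004, 0.0004)
              for _ in range(n)]
    return legit, covert

def score(iats):
    """Both measures for one flow, rounded for display."""
    return {"eps_similarity": round(epsilon_similarity(iats), 3),
            "compressibility": round(compressibility(iats), 2)}

if __name__ == "__main__":
    legit, covert = constructed_flows()
    print("legit :", score(legit))
    print("covert:", score(covert))
```

On the constructed data the two-delay flow scores higher on both measures than the irregular flow; a detector would compare such scores against thresholds learned from known-clean traffic.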


Keywords: Covert channel, Steganography, Information hiding, Retransmission, TCP, Countermeasure variation



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Centre of Technology and Transfer, Worms University of Applied Sciences, Worms, Germany
  2. Department of Cyber Security, Fraunhofer FKIE, Bonn, Germany
