Stealthier Inter-packet Timing Covert Channels

  • Sebastian Zander
  • Grenville Armitage
  • Philip Branch
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6640)


Covert channels aim to hide the existence of communication. Recently proposed packet-timing channels encode covert data in inter-packet times, based on models of inter-packet times of normal traffic. These channels are detectable if normal inter-packet times are not independent identically-distributed, which we demonstrate is the case for several network applications. We show that ~80% of channels are detected with a false positive rate of 0.5%. We then propose an improved channel that is much harder to detect. Only ~9% of our new channels are detected at a false positive rate of 0.5%. Our new channel uses packet content for synchronisation and works with UDP and TCP traffic. The channel capacity reaches over hundred bits per second depending on overt traffic and network jitter.


Covert Channels Steganography Inter-packet Times 


  1. 1.
    Zander, S., Armitage, G., Branch, P.: A Survey of Covert Channels and Countermeasures in Computer Network Protocols. IEEE Communications Surveys and Tutorials 9(3), 44–57 (2007)CrossRefGoogle Scholar
  2. 2.
    Gianvecchio, S., Wang, H., Wijesekera, D., Jajodia, S.: Model-based covert timing channels: Automated modeling and evasion. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 211–230. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Sellke, S.H., Wang, C.-C., Bagchi, S., Shroff, N.B.: Covert TCP/IP Timing Channels: Theory to Implementation. In: Conference on Computer Communications (INFOCOM) (April 2009)Google Scholar
  4. 4.
    Paxson, V.: End-to-end Internet Packet Dynamics. IEEE/ACM Transactions on Networking 7(3), 277–292 (1999)CrossRefGoogle Scholar
  5. 5.
    Padlipsky, M.A., Snow, D.W., Karger, P.A.: Limitations of End-to-End Encryption in Secure Computer Networks. Technical Report ESD-TR-78-158, Mitre Corporation (August 1978)Google Scholar
  6. 6.
    Berk, V., Giani, A., Cybenko, G.: Detection of Covert Channel Encoding in Network Packet Delays. Technical Report TR2005-536, Dartmouth College (November 2005)Google Scholar
  7. 7.
    Shah, G., Molina, A., Blaze, M.: Keyboards and Covert Channels. In: USENIX Security (August 2006)Google Scholar
  8. 8.
    Gianvecchio, S., Wang, H.: Detecting Covert Timing Channels: An Entropy-Based Approach. In: ACM Conference on Computer and Communication Security (CCS) (November 2007)Google Scholar
  9. 9.
    Luo, X., Chan, E.W.W., Chang, R.K.C.: TCP Covert Timing Channels: Design and Detection. In: IEEE/IFIP Conference on Dependable Systems and Networks (DSN) (June 2008)Google Scholar
  10. 10.
    Liu, Y., Ghosal, D., Armknecht, F., Sadeghi, A.-R., Schulz, S., Katzenbeisser, S.: Hide and Seek in Time — Robust Covert Timing Channels. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 120–135. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
  12. 12.
    Branch, P., Heyde, A., Armitage, G.: Rapid Identification of Skype Traffic. In: ACM Network and Operating System Support for Digital Audio and Video (NOSSDAV) (June 2009)Google Scholar
  13. 13.
    M2C Measurement Data Repository (December 2003),
  14. 14.
    Henke, C., Schmoll, C., Zseby, T.: Empirical Evaluation of Hash Functions for PacketID Generation in Sampled Multipoint Measurements. In: Moon, S.B., Teixeira, R., Uhlig, S. (eds.) PAM 2009. LNCS, vol. 5448, pp. 197–206. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Williams, N., Zander, S., Armitage, G.: A Preliminary Performance Comparison of Five Machine Learning Algorithms for Practical IP Traffic Flow Classification. SIGCOMM Computer Communication Review 36(5) (October 2006)Google Scholar
  16. 16.
    Kohavi, R., Quinlan, J.R.: Decision-tree Discovery, ch. 16.1.3, pp. 267–276. Oxford University Press, Oxford (2002)Google Scholar
  17. 17.
    Witten, I.H., Frank, E.: Data Mining: Practical Machine Learning Tools and Techniques, 2nd edn. Morgan Kaufmann, San Francisco (2005)zbMATHGoogle Scholar
  18. 18.
    Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley Series in Telecommunications. John Wiley & Sons, Chichester (1991)zbMATHCrossRefGoogle Scholar
  19. 19.
    Zander, S.: CCHEF - Covert Channels Evaluation Framework (2007),
  20. 20.
    Linux Foundation. Netem (2008),
  21. 21.
    Rizo, L., Torres, D., Dehesa, J., Muñoz, D.: Cauchy Distribution for Jitter in IP Networks. In: International Conference on Electronics, Communications and Computers, pp. 35–40 (2008)Google Scholar
  22. 22.
    Demichelis, C., Chimento, P.: IP Packet Delay Variation Metric for IP Performance Metrics (IPPM). RFC 3393, IETF (November 2002),

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Sebastian Zander
    • 1
  • Grenville Armitage
    • 1
  • Philip Branch
    • 1
  1. 1.Centre for Advanced Internet Architectures (CAIA)Swinburne University of TechnologyMelbourneAustralia

Personalised recommendations