CSP-Based General Detection Model of Network Covert Storage Channels

  • Hui Zhu
  • Tingting Liu
  • Guanghui Wei
  • Beishui Liu
  • Hui Li
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7804)


A network covert channel is a malicious communication mechanism that poses a serious security threat to security-sensitive systems and is usually difficult to detect. In network covert storage channels, data are hidden in the header fields of protocols. This paper proposes a general detection model, based on formal protocol analysis, for identifying possible header fields in network protocols that may be used as covert storage channels. The protocol is modeled using Communicating Sequential Processes (CSP); a modified property of header fields is defined, and the header fields are classified into three types according to the extent to which their content can be altered without impairing the communication. Finally, verification of the model on the Transmission Control Protocol (TCP) shows that the proposed method is effective and feasible.


Security modeling; Protocol analysis; Network covert storage channels; Detection; CSP



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Hui Zhu (1, 2)
  • Tingting Liu (1)
  • Guanghui Wei (1)
  • Beishui Liu (1)
  • Hui Li (1)

  1. State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, China
  2. Network and Data Security Key Laboratory of Sichuan Province, Xidian University, Xi’an, China
