Detection of Covert Channels in TCP Retransmissions
In this paper we describe the implementation and detection of a network covert channel based on TCP retransmissions. For the detection, we implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based covert channels, namely the \(\varepsilon\)-similarity and the compressibility. The \(\varepsilon\)-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can be applied to the detection of retransmission-based covert channels, i.e. we performed a so-called countermeasure variation.
Our initial results indicate that the \(\varepsilon \)-similarity can be considered a promising detection method for retransmission-based covert channels while the compressibility itself provides insufficient results but could potentially be used as a classification feature.
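The two measures in their original inter-arrival-time form, as an added sketch that is not the paper's code; the retransmission-based variants are not specified on this page. The text encoding, the value of \(\varepsilon\), and the sample flows are assumptions constructed for illustration.

```python
import random
import zlib

def epsilon_similarity(iats, eps):
    """Share of neighbouring sorted inter-arrival times (IATs) whose
    relative difference (t[i+1] - t[i]) / t[i] is below eps."""
    s = sorted(t for t in iats if t > 0)
    rel = [(b - a) / a for a, b in zip(s, s[1:])]
    return sum(d < eps for d in rel) / len(rel)

def compressibility(iats):
    """kappa = |S| / |C|: length of the concatenated text form of the
    IATs divided by its compressed length (higher = more regular)."""
    # Assumed encoding: three significant digits per IAT, e.g. "4.01e-02".
    text = "".join(f"{t:.2e}" for t in iats).encode("ascii")
    return len(text) / len(zlib.compress(text, 9))

def constructed_flows(n=2000, seed=7):
    """Constructed sample data, not measurements from the paper."""
    rng = random.Random(seed)
    # Normal-looking flow: exponentially distributed IATs, mean 50 ms.
    normal = [rng.expovariate(1 / 0.05) for _ in range(n)]
    # Timing channel: one of two delays per packet, with +/-0.5 % jitter.
    covert = [rng.choice((0.04, 0.08)) * (1 + rng.uniform(-0.005, 0.005))
              for _ in range(n)]
    return normal, covert

def score(iats, eps=1e-4):
    """Both measures for one flow; eps is an assumed threshold."""
    return {"eps_similarity": epsilon_similarity(iats, eps),
            "compressibility": compressibility(iats)}

if __name__ == "__main__":
    normal, covert = constructed_flows()
    for name, flow in (("normal", normal), ("covert", covert)):
        s = score(flow)
        print(f"{name}: eps-sim={s['eps_similarity']:.3f} "
              f"kappa={s['compressibility']:.2f}")
```

On the constructed flows the timing channel scores far higher on both measures, because its delays cluster around two values; real traffic is less cleanly separated, so thresholds have to be calibrated on baseline captures.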
Keywords: Covert channel, Steganography, Information hiding, Retransmission, TCP, Countermeasure variation