Fingerprint Embedding: A Proactive Strategy of Detecting Timing Channels

  • Jing Wang
  • Peng Liu
  • Limin Liu
  • Le Guan
  • Jiwu Jing
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8233)


The detection of covert timing channels is notoriously a difficult work due to the high variation of network traffic. The existing detection methods, mainly based on statistical tests, cannot effectively detect a variety of covert timing channels. In this paper, we propose a proactive strategy of detecting covert timing channels. The basic idea is that a timing fingerprint is embedded into outgoing traffic of the to-be-protected host in advance. The presence of a covert timing channel is exposed, provided that the fingerprint is absent from the traffic during transmission. As a proof of concept, we design and implement a detection system, which consists of two modules for fingerprint embedding and checking, respectively. We also perform a series of experiments to validate if this system works effectively. The results show that it detects various timing channels accurately and quickly, while has less than 2.4% degradation on network performance.


timing channel covert channel fingerprint embedding intrusion detection system 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Winpcap: The windows packet capture library,
  2. 2.
    Berk, V., Giani, A., Cybenko, G., Hanover, N.: Detection of covert channel encoding in network packet delays. Tech. Rep. TR2005-536, Dartmouth College, Computer Science, Hanover (2005)Google Scholar
  3. 3.
    Brumley, B.B., Tuveri, N.: Remote timing attacks are still practical. In: Proceedings of the 16th European Symposium on Research in Computer Security, pp. 355–371 (2011)Google Scholar
  4. 4.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. In: Proceedings of the 12th Conference on USENIX Security Symposium (2003)Google Scholar
  5. 5.
    Cabuk, S.: Network covert channels: design, analysis, detection, and elimination. PhD thesis (2006)Google Scholar
  6. 6.
    Cabuk, S., Brodley, C., Shields, C.: Ip covert timing channels: design and detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 178–187 (2004)Google Scholar
  7. 7.
    Crosby, S.A., Wallach, D.S., Riedi, R.H.: Opportunities and limits of remote timing attacks. ACM Transactions on Information and System Security 12(3), 17 (2009)CrossRefGoogle Scholar
  8. 8.
    Felten, E.W., Schneider, M.A.: Timing attacks on web privacy. In: Proceedings of the 7th ACM Conference on Computer and Communications Security, pp. 25–32 (2000)Google Scholar
  9. 9.
    Gianvecchio, S., Wang, H.: Detecting covert timing channels: an entropy-based approach. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 307–316 (2007)Google Scholar
  10. 10.
    Gianvecchio, S., Wang, H., Wijesekera, D., Jajodia, S.: Model-based covert timing channels: Automated modeling and evasion. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 211–230. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  11. 11.
    Giles, J., Hajek, B.: An information-theoretic and game-theoretic study of timing channels. IEEE Transactions on Information Theory 48(9), 2455–2477 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Handel, T., Sandford, M.: Hiding data in the OSI network model. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174, pp. 23–38. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  13. 13.
    Henry, P.: Covert channels provided hackers the opportunity and the means for the current distributed denial of service attacks. CyberGuard Corporation (2000)Google Scholar
  14. 14.
    Houmansadr, A., Borisov, N.: CoCo: Coding-based covert timing channels for network flows. In: Filler, T., Pevný, T., Craver, S., Ker, A. (eds.) IH 2011. LNCS, vol. 6958, pp. 314–328. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. 15.
    Hu, W.M.: Reducing timing channels with fuzzy time. In: IEEE Symposium on Security and Privacy, pp. 8–20 (1991)Google Scholar
  16. 16.
    Kang, M., Moskowitz, I.: A pump for rapid, reliable, secure communication. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 119–129 (1993)Google Scholar
  17. 17.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  18. 18.
    Kothari, K., Wright, M.: Mimic: An active covert channel that evades regularity-based detection. Computer Networks (2012)Google Scholar
  19. 19.
    Lampson, B.: A note on the confinement problem. Communications of the ACM 16(10), 613–615 (1973)CrossRefGoogle Scholar
  20. 20.
    Liu, Y., Ghosal, D., Armknecht, F., Sadeghi, A.-R., Schulz, S., Katzenbeisser, S.: Hide and seek in time — robust covert timing channels. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 120–135. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Lucena, N.B., Pease, J., Yadollahpour, P., Chapin, S.J.: Syntax and semantics-preserving application-layer protocol steganography. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 164–179. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  22. 22.
    Peng, P., Ning, P., Reeves, D.: On the secrecy of timing-based active watermarking trace-back techniques. In: IEEE Symposium on Security and Privacy (2006)Google Scholar
  23. 23.
    Russell, R., Welte, H.: Linux netfilter hacking HOWTO (2002),
  24. 24.
    Sellke, S., Wang, C., Bagchi, S., Shroff, N.: TCP/IP timing channels: Theory to implementation. In: INFOCOM 2009, pp. 2204–2212 (2009)Google Scholar
  25. 25.
    Shah, G., Molina, A., Blaze, M.: Keyboards and covert channels. In: Proceedings of the 15th Conference on USENIX Security Symposium, vol. 15 (2006)Google Scholar
  26. 26.
    Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in-VM monitoring using hardware virtualization. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 477–487 (2009)Google Scholar
  27. 27.
    Song, D.X., Wagner, D., Tian, X.: Timing analysis of keystrokes and timing attacks on SSH. In: Proceedings of the 10th USENIX Security Symposium, vol. 2, p. 3 (2001)Google Scholar
  28. 28.
    Walls, R., Kothari, K., Wright, M.: Liquid: A detection-resistant covert timing channel based on IPD shaping. Computer Networks 55(6), 1217–1228 (2011)CrossRefGoogle Scholar
  29. 29.
    WAND Research Group: Waikato internet traffic storage,
  30. 30.
    Wang, X., Chen, S., Jajodia, S.: Tracking anonymous peer-to-peer voip calls on the internet. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 81–91 (2005)Google Scholar
  31. 31.
    Wang, X., Reeves, D.S.: Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 20–29 (2003)Google Scholar
  32. 32.
    Wu, J., Wang, Y., Ding, L., Liao, X.: Improving performance of network covert timing channel through huffman coding. Mathematical and Computer Modelling 55(1), 69–79 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    Zander, S., Armitage, G., Branch, P.: A survey of covert channels and countermeasures in computer network protocols. IEEE Communications Surveys & Tutorials 9(3), 44–57 (2007)CrossRefGoogle Scholar
  34. 34.
    Zi, X., Yao, L., Pan, L., Li, J.: Implementing a passive network covert timing channel. Computers & Security 29(6), 686–696 (2010)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Jing Wang
    • 1
    • 2
  • Peng Liu
    • 3
  • Limin Liu
    • 1
  • Le Guan
    • 1
    • 2
  • Jiwu Jing
    • 1
  1. 1.State Key Laboratory of Information Security, Institute of Information EngineeringCASBeijingChina
  2. 2.University of Chinese Academy of SciencesBeijingChina
  3. 3.Pennsylvania State UniversityUniversity ParkUSA

Personalised recommendations