Advertisement

Decision Tree Rule Induction for Detecting Covert Timing Channels in TCP/IP Traffic

  • Félix Iglesias
  • Valentin Bernhardt
  • Robert Annessi
  • Tanja Zseby
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10410)

Abstract

The detection of covert channels in communication networks is a current security challenge. By clandestinely transferring information, covert channels are able to circumvent security barriers, compromise systems, and facilitate data leakage. A set of statistical methods called DAT (Descriptive Analytics of Traffic) has been previously proposed as a general approach for detecting covert channels. In this paper, we implement and evaluate DAT detectors for the specific case of covert timing channels. Additionally, we propose machine learning models to induce classification rules and enable the fine parameterization of DAT detectors. A testbed has been created to reproduce main timing techniques published in the literature; consequently, the testbed allows the evaluation of covert channel detection techniques. We specifically applied Decision Trees to infer DAT-rules, achieving high accuracy and detection rates. This paper is a step forward for the actual implementation of effective covert channel detection plugins in modern network security devices.

Keywords

Covert channels Decision trees Forensic analysis Machine learning Network communications Statistics 

Notes

Acknowledgments

The research leading to these results has been partially funded by the Vienna Science and Technology Fund (WWTF) through project ICT15-129, “BigDAMA”.

References

  1. 1.
    Archibald, R., Ghosal, D.: A covert timing channel based on fountain codes. In: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977 (2012)Google Scholar
  2. 2.
    Berk, V., Giani, A., Cybenko, G., Hanover, N.: Detection of covert channel encoding in network packet delays. Rapport technique TR536, de lUniversité de Dartmouth, p. 19 (2005)Google Scholar
  3. 3.
    Cabuk, S., Brodley, C.E., Shields, C.: IP covert timing channels: design and detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), pp. 178–187. ACM, New York (2004)Google Scholar
  4. 4.
    Chen, A., Moore, W.B., Xiao, H., Haeberlen, A., Phan, L.T.X., Sherr, M., Zhou, W.: Detecting covert timing channels with time-deterministic replay. In: Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation (OSDI 2014), pp. 541–554 (2014)Google Scholar
  5. 5.
    Gasior, W., Yang, L.: Network covert channels on the android platform. In: Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW 2011), p. 61:1. ACM, New York (2011)Google Scholar
  6. 6.
    Gianvecchio, S., Wang, H.: An entropy-based approach to detecting covert timing channels. IEEE Trans. Dependable Secure Comput. 8(6), 785–797 (2011)CrossRefGoogle Scholar
  7. 7.
    Gianvecchio, S., Wang, H., Wijesekera, D., Jajodia, S.: Model-based covert timing channels: automated modeling and evasion. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 211–230. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-87403-4_12 CrossRefGoogle Scholar
  8. 8.
    Giffin, J., Greenstadt, R., Litwack, P., Tibbetts, R.: Covert messaging through TCP timestamps. In: Dingledine, R., Syverson, P. (eds.) PET 2002. LNCS, vol. 2482, pp. 194–208. Springer, Heidelberg (2003). doi: 10.1007/3-540-36467-6_15 CrossRefGoogle Scholar
  9. 9.
    Girling, C.G.: Covert channels in LAN’s. IEEE Trans. Softw. Eng. 13(2), 292–296 (1987)CrossRefGoogle Scholar
  10. 10.
    Holloway, R., Beyah, R.: Covert DCF: a DCF-based covert timing channel in 802.11 networks. In: 2011 IEEE Eighth International Conference on Mobile Ad-Hoc and Sensor Systems, pp. 570–579 (2011)Google Scholar
  11. 11.
    Iglesias, F., Annessi, R., Zseby, T.: DAT detectors: uncovering TCP/IP covert channels by descriptive analytics. Secur. Commun. Netw. 9(15), 3011–3029 (2016). sec.1531CrossRefGoogle Scholar
  12. 12.
    Kamber, M., Winstone, L., Gong, W., Cheng, S., Han, J.: Generalization and decision tree induction: efficient classification in data mining. In: Proceedings Seventh International Workshop on Research Issues in Data Engineering. High Performance Database Management for Large-Scale Applications, pp. 111–120 (1997)Google Scholar
  13. 13.
    Kiyavash, N., Coleman, T.: Covert timing channels codes for communication over interactive traffic. In: IEEE International Conference on Acoustics, Speech, and Signal Processing, pp. 1485–1488 (2009)Google Scholar
  14. 14.
    Luo, X., Chan, E.W.W., Chang, R.K.C.: TCP covert timing channels: design and detection. In: IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN), pp. 420–429, June 2008Google Scholar
  15. 15.
    Mazurczyk, W., Szczypiorski, K.: Steganography of VoIP streams. In: Meersman, R., Tari, Z. (eds.) OTM 2008. LNCS, vol. 5332, pp. 1001–1018. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-88873-4_6 CrossRefGoogle Scholar
  16. 16.
    Padlipsky, M.A., Snow, D.W., Karger, P.A.: Limitations of end-to-end encryption in secure computer networks, eSD-TR-78-158 (1978)Google Scholar
  17. 17.
    Saeys, Y., Inza, I., Larrañaga, P.: A review of feature selection techniques in bioinformatics. Bioinformatics 23(19), 2507–2517 (2007)CrossRefGoogle Scholar
  18. 18.
    Shah, G., Molina, A., Blaze, M.: Keyboards and covert channels. In: Proceedings of the 15th Conference on USENIX Security Symposium (USENIX-SS 2006), vol. 15. USENIX Association, Berkeley (2006)Google Scholar
  19. 19.
    Shen, J., Qing, S., Shen, Q., Li, L.: Optimization of covert channel identification. In: Third IEEE International Security in Storage Workshop (SISW 2005), pp. 13–95, December 2005Google Scholar
  20. 20.
    Shrestha, P.L., Hempel, M., Rezaei, F., Sharif, H.: A support vector machine-based framework for detection of covert timing channels. IEEE Trans. Dependable Secur. Comput. 13(2), 274–283 (2016)CrossRefGoogle Scholar
  21. 21.
    Sohn, T., Seo, J.T., Moon, J.: A study on the covert channel detection of TCP/IP header using support vector machine. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 313–324. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-39927-8_29 CrossRefGoogle Scholar
  22. 22.
    TU Wien CN Group: Data Analysis and Algorithms (2017). https://www.cn.tuwien.ac.at/public/data.html
  23. 23.
    Walls, R.J., Kothari, K., Wright, M.: Liquid: a detection-resistant covert timing channel based on IPD shaping. Comput. Netw. 55(6), 1217–1228 (2011)CrossRefGoogle Scholar
  24. 24.
    Wendzel, S., Zander, S., Fechner, B., Herdin, C.: Pattern-based survey and categorization of network covert channel techniques. ACM Comput. Surv. 47(3), 50:1–50:26 (2015)CrossRefGoogle Scholar
  25. 25.
    Wray, J.C.: An analysis of covert timing channels. J. Comput. Secur. 1(3–4), 219–232 (1992)CrossRefGoogle Scholar
  26. 26.
    Wu, J., Wang, Y., Ding, L., Liao, X.: Improving performance of network covert timing channel through Huffman coding. Math. Comput. Model. 55(1–2), 69–79 (2012). Advanced Theory and Practice for Cryptography and Future SecurityMathSciNetCrossRefMATHGoogle Scholar
  27. 27.
    Zander, S., Armitage, G., Branch, P.: An empirical evaluation of IP time to live covert channels. In: 2007 15th IEEE International Conference on Networks, pp. 42–47, November 2007Google Scholar
  28. 28.
    Zander, S., Armitage, G., Branch, P.: A survey of covert channels and countermeasures in computer network protocols. Commun. Surv. Tutor. 9(3), 44–57 (2007)CrossRefGoogle Scholar
  29. 29.
    Zander, S., Armitage, G., Branch, P.: Stealthier inter-packet timing covert channels. In: Domingo-Pascual, J., Manzoni, P., Palazzo, S., Pont, A., Scoglio, C. (eds.) NETWORKING 2011. LNCS, vol. 6640, pp. 458–470. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20757-0_36 CrossRefGoogle Scholar
  30. 30.
    Zhiyong, C., Yong, Z.: Entropy based taxonomy of network convert channels. In: 2009 2nd International Conference on Power Electronics and Intelligent Transportation System (PEITS), vol. 1, pp. 451–455, December 2009Google Scholar
  31. 31.
    Zi, X., Yao, L., Pan, L., Li, J.: Implementing a passive network covert timing channel. Comput. Secur. 29(6), 686–696 (2010)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  • Félix Iglesias
    • 1
  • Valentin Bernhardt
    • 1
  • Robert Annessi
    • 1
  • Tanja Zseby
    • 1
  1. 1.CN Group, Institute of TelecommunicationsTU WienViennaAustria

Personalised recommendations