Model-Based Covert Timing Channels: Automated Modeling and Evasion

  • Steven Gianvecchio
  • Haining Wang
  • Duminda Wijesekera
  • Sushil Jajodia
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5230)


The exploration of advanced covert timing channel design is important to understand and defend against covert timing channels. In this paper, we introduce a new class of covert timing channels, called model-based covert timing channels, which exploit the statistical properties of legitimate network traffic to evade detection in an effective manner. We design and implement an automated framework for building model-based covert timing channels. Our framework consists of four main components: filter, analyzer, encoder, and transmitter. The filter characterizes the features of legitimate network traffic, and the analyzer fits the observed traffic behavior to a model. Then, the encoder and transmitter use the model to generate covert traffic and blend it with legitimate network traffic. The framework is lightweight, and the overhead induced by model fitting is negligible. To validate the effectiveness of the proposed framework, we conduct a series of experiments in LAN and WAN environments. The experimental results show that model-based covert timing channels provide a significant increase in detection resistance with only a minor loss in capacity.


Keywords: covert timing channels, traffic modeling, evasion





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Steven Gianvecchio (1)
  • Haining Wang (1)
  • Duminda Wijesekera (2)
  • Sushil Jajodia (2)

  1. Department of Computer Science, College of William and Mary, Williamsburg, USA
  2. Center for Secure Information Systems, George Mason University, Fairfax, USA
