Abstract
Network covert timing channel is a communication fashion that modifies the timing properties of network traffic to transfer secret information. It is designed to carry out the reliable and undetectable transmission. In this paper, a simple and secure covert timing channel method with distribution matching is proposed. The approach treats the network traffic as the flow with the fixed-length fragment, and calculates the histogram of the packet delays in each fragment. The message bits are modulated into the delays by the binary coding method, and the histogram is kept almost unchanged by assigning the matched distribution. The bit error rates are analyzed and two detection experiments are performed. The results show the proposed method is reliable and undetectable.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Zander, S., Armitage, G., & Branch, P. (2007). Covert channels and countermeasures in computer network protocols. IEEE Communications Magazine, 45(12), 136–142.
Padlipsky, M. A., Snow, D. W., & Karger, P. A. (1978). Limitations of end-to-end encryption in secure computer networks. Tech. Rep. ESD-TR-78-158, Mitre Corporation. http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=A059221&Location=U2&doc=GetTRDoc.pdf. Accessed 1 November 2009.
Yao, L. H., Zi, X. C., Pan, L., & Li, J. H. (2009). A study of on/off timing channel based on packet delay distribution. Computer Security. doi:10.1016/j.cose.2009.05.006.
Giffin, J., Greenstadt, R., Litwack, P., & Tibbetts, R. (2003). Covert messaging through TCP timestamps. In Lecture notes in computer science : Vol. 2482. Proceedings of privacy enhancing technologies workshop (pp. 194–208). Berlin: Springer.
Cabuk, S., Brodley, C. E., & Shields, C. (2004). IP covert timing channels: design and detection. In Proceedings of 11th ACM conf. computer and communications security (pp. 178–87).
Berk, V., Giani, A., & Cybenko, G. (2005). Detection of covert channel encoding in network packet delays. Tech. Rep. TR2005-536, Department of Computer Science, Dartmouth College. http://www.ists.dartmouth.edu/library/149.pdf. Accessed 1 November 2009.
Hintz, A. (2003). Covert channels in TCP and IP headers. http://www.defcon.org/images/defcon-10/dc-10-presentations/dc10-hintz-covert.ppt. Accessed 1 November 2009.
Shah, G., Molina, A., & Blaze, M. (2006). Keyboards and covert channels. In Proceedings of the 15th USENIX security symposium (p. 5).
Gianvecchio, S., & Wang, H. (2007). Detecting covert timing channels: an entropy-based approach. In Proceedings of the 14th ACM conference on computer and communications security (pp. 307–316).
Gianvecchio, S., Wang, H., Wijesekera, D., & Jajodia, S. (2008). Model-based covert timing channels: automated modeling and evasion. In Proceedings of recent advances in intrusion detection (RAID) symposium (pp. 211–230).
Sellke, S. H., Wang, C. C., Bagchi, S., & Shroff, N. (2009). Covert TCP/IP timing channels: theory to implementation. In Proceedings of the 28th conference on computer communications (INFOCOM). http://www.stat.purdue.edu/~ssellke/publications/covertTC.pdf. Accessed 1 November 2009.
Cabuk, S., Erodley, C. E., & Shields, C. (2009). IP covert channel detection. ACM Transactions on Information and System Security, 12(4), 1–29.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Liu, G., Zhai, J. & Dai, Y. Network covert timing channel with distribution matching. Telecommun Syst 49, 199–205 (2012). https://doi.org/10.1007/s11235-010-9368-1
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11235-010-9368-1