Abstract:Network covert timing channels can be maliciously used to exfiltrate secrets, coordinate attacks and propagate malwares, posing serious threats to cybersecurity. Current covert timing channels normally conduct small-volume transmission under the covers of various disguising techniques, making them hard to detect especially when a detector has little priori knowledge of their traffic features. In this paper, we propose a generic and sensitive detection approach, which can simultaneously (i) identify various types of channels without their traffic knowledge and (ii) maintain reasonable performance on small traffic samples. The basis of our approach is the finding that the short-term timing behavior of covert and legitimate traffic is significantly different from the perspective of inter-packet delays' variation. This phenomenon can be a generic reference to detect various channels because it is resistant to major channel disguising techniques which only mimic long-term traffic features, while it is also a sensitive reference to spot small-volume covert transmission since it can capture traffic anomalies in a fine-grained manner. To obtain the inner patterns of inter-packet delays' variation, we design a context-sensitive feature-extraction technique. This technique transforms each raw inter-packet delay into a discrete counterpart based on its contextual properties, thus extracting its variation features and reducing traffic data complexity. Then we learn legitimate variation patterns using a neural network model, and identify samples showing anomalous variation as covert. The experimental results show that our approach effectively detects all currently representative channels in the absence of their knowledge, presenting once to twice higher sensitivity than the state-of-the-art solutions.

Generic and Sensitive Anomaly Detection of Network Covert Timing Channels

Generic and Sensitive Anomaly Detection of Network Covert Timing Channels

Packet Payload Based Anomalous Network Intrusion Detection

Covert timing channel detection method based on time interval and payload length analysis

An Entropy-Based Approach to Detecting Covert Timing Channels

A generalized detection framework for covert timing channels based on perceptual hashing

IP Covert Channel Detection

Design of Transport Layer Based Hybrid Covert Channel Detection Engine

Entropy Based Detection And Behavioral Analysis Of Hybrid Covert Channeling Secured Communication

A Detection-Resistant Covert Timing Channel Based On Geometric Huffman Coding

An Entropy-Based Method For Detection Of Covert Channels Over Lte

Weaknesses of popular and recent covert channel detection methods and a remedy

Liquid: A detection-resistant covert timing channel based on IPD shaping

HTTP Cookie Covert Channel Detection Based on Session Flow Interaction Features

Efficient Non-Linear Covert Channel Detection in TCP Data Streams

Covert Channel Detection and Analysis System Based on Data Mining

A Communication-Channel-based Method for Detecting Deeply Camouflaged Malicious Traffic

: Towards Fine-Grained Unknown Class Detection Against the Open-Set Attack Spectrum with Variable Legitimate Traffic

A Classifier Method for Detection of Covert Channels over LTE

Covert Channel Detection and Generation Techniques: A Survey