Detection of Covert Channel Encoding in Network Packet Delays

Authors

Vincent Berk, Dartmouth College
Annarita Giani, Dartmouth College
George Cybenko, Dartmouth CollegeFollow

Document Type

Technical Report

Publication Date

11-1-2005

Technical Report Number

TR2005-536

Abstract

Covert channels are mechanisms for communicating information in ways that are difficult to detect. Data exfiltration can be an indication that a computer has been compromised by an attacker even when other intrusion detection schemes have failed to detect a successful attack. Covert timing channels use packet inter-arrival times, not header or payload embedded information, to encode covert messages. This paper investigates the channel capacity of Internet-based timing channels and proposes a methodology for detecting covert timing channels based on how close a source comes to achieving that channel capacity. A statistical approach is then used for the special case of binary codes.

Comments

This revision differs from the original only in the correction of one reference.

Dartmouth Digital Commons Citation

Berk, Vincent; Giani, Annarita; and Cybenko, George, "Detection of Covert Channel Encoding in Network Packet Delays" (2005). Computer Science Technical Report TR2005-536. https://digitalcommons.dartmouth.edu/cs_tr/269