the regularity the inter-arrival time of packets in the trace. The second, -Similarity, measures the similarity of pairs of sorted inter-arrival times.
We then empirically evaluated the performance of these methods in three different scenarios: a simple, unobfuscated timing channel; a channel in which the timing interval var- ied during transmission; and a timing channel that paused periodically for transmission of noise of a form that would mimic the protocol used for cover. Both detection meth- ods could reliably differentiate the covert traffic in the sim- ple case. In the second case, with varying timing intervals, the -Similarity measure succeeded in identifying the timing channel after the regularity measure failed. In the third sce- nario, as the amount of noise and available covert bandwidth increased, the success of our methods decreased.
This work was an initial exploration into the creation and detection of network covert timing channels and there are many avenues for future work. In the short term we will add error-correction and better synchronization techniques to in- crease the bandwidth of the covert channel. In the longer term we will investigate other detection methods designed to be robust in the face of attempts to hide its regularity.
Carla Brodley’s research was supported by AFRL grant num- ber F30602-02-2-0217 and by a grant from the National Sci- ence Foundation grant number 0335574. The authors would like to thank Miguel Rui Forte for his participation in dis- cussions about this research.
 Christopher Abad. IP checksum covert channels and selected hash collision. Technical report, 2001.
 Kamran Ahsan. Covert channel analysis and data hiding in TCP/IP. Master’s thesis, University of Toronto, 2000.
 Kamran Ahsan and Deepa Kundur. Practical data hiding in TCP/IP. In Proc. Workshop on Multimedia Security at ACM Multimedia, December 2002.
 Hari Balakrishnan, Mark Stemm, Srinivasan Seshan, and Randy H. Katz. Analyzing stability in wide-area network performance. In Proceedings of the 1997 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, pages 2–12. ACM Press, 1997.
 Ronald E. Best. Phase-locked loops: Design, simulation and applications. McGraw-Hill Professional, 5th edition, 2003.
 Kimberly C. Claffy, George C. Polyzos, and Hans-Werner Braun. Application of sampling methodologies to network traffic characterization. In Conference proceedings on Communications architectures, protocols and applications, pages 194–203. ACM Press, 1993.
 D. R. Cox and P. A. W. Lewis. The statistical analysis of series of events. Chapman and Hall, 1966.
 Cyber Defense Technology Experimental Research (DETER) network. http://www.isi.edu/deter/.
 Daemon9. Project Loki. Phrack, 49(6), August 1996.
 Alex Dyatlov and Simon Castro. Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the HTTP protocol. June 2003.
 Gina Fisk, Mike Fisk, Christos Papadopoulos, and Joshua Neil. Eliminating steganography in Internet traffic with active wardens. In 5th International Workshop on Information Hiding, volume 2578, pages 18–35, October 2002.
 John Giffin, Rachel Greenstadt, Peter Litwack, and Richard Tibbetts. Covert messaging through TCP timestamps. In Workshop on Privacy Enhancing Technologies, volume 2482, pages 194–208, April 2002.
 James Giles and Bruce Hajek. An information-theoretic and game-theoretic study of timing channels. In IEEE Transaction on Information Theory, volume 48, pages 2455–2477, September 2003.
 Virgil Gligor. A guide to understanding covert channel analysis of trusted systems. Technical Report NCSC-TG-030, National Computer Security Center, Ft. George G. Meade, Maryland, U.S.A., November 1993.
 WAND Research group. NZIX-II trace archive, data available at http://pma.nlanr.net/traces/long/nzix2.html.
 Riccardo Gusella. Characterizing the variability of arrival processes with indexes of dispersion. IEEE Journal on Selected Areas in Communications, 9(2):203–211, February 1991.
 Mark Handley and Vern Paxson. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proceedings of the 10th USENIX Security Symposium, August 2001.
 Paul A. Henry. Covert channels provided hackers the opportunity and the means for the current distributed denial of service attacks. Technical report, 2000.
 James W. Gray III. Countermeasures and tradeoffs for a class of covert timing channel. Technical report, 1994.
 M. Kang, I. Moskowitz, and D. Lee. A network version of the pump. In Proceedings of the IEEE Symposium in Security and Privacy, pages 144–154, May 1995.
 Richard Lippmann, Joshua W. Haines, David J. Fried, Jonathan Korba, and Kumar Das. The 1999 DARPA off-line intrusion detection evaluation. Computer Networks, 34(4):579–595, 2000.
 M Mahoney and P Chan. An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In Proceeding of Recent Advances in Intrusion Detection (RAID)-2003, volume 2820, pages 220–237, September 8-10 2003.
 John McHugh. Covert channel analysis. Technical report, December 1995.
 John McHugh. Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security, 3(4):262–294, November 2000.
 U.S. Department of Defense. Trusted computer system evaluation ”The Orange Book”. DoD 5200.28-STD Washington: GPO:1985, 1985.
 Vern Paxson. Empirically derived analytic models of wide-area TCP connections. IEEE/ACM Trans. Netw., 2(4):316–336, 1994.
 Phil A. Porras and Richard A. Kemmerer. Covert flow trees: A technique for identifying and analyzing covert storage channels. In Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, May 1991.
 C. Rosenberg, F. Guillemin, and R. Mazumdar. New approach for traffic characterisation in ATM networks. In IEE Proceedings - Communications, volume 142, pages 87–90, April 1995.
 C. Rowland. Covert channels in the TCP/IP protocol suite. First Monday: Peer-reviewed Journal on the Internet, 2(5), 1997.
 Sergio D. Servetto and Martin Vetterli. Communication using phantoms: Covert channels in the Internet. In IEEE International Symposium on Information Theory, June 2001.
 J. Christian Smith. Covert shells. SANS Institute Information Security Reading Room, November 2000.
 C.R. Tsai, V.D. Gligor, and C.S. Chandersekaran. A formal method for the identification of covert storage channels in secure XENIX. In Proceedings of the 1987 IEEE Symposium on Security and Privacy, April 1987.
 Robert A. Wagner and Micheal J. Fischer. The string-to-string correction problem. Journal of the ACM, 21(1):168–173, January 1974.
 John C. Wray. An analysis of covert timing channels. In Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, May 1991.