X hits on this document

PDF document

IP Covert Timing Channels: Design and Detection - page 5 / 10





5 / 10

Timing interval vs. Accuracy



Accuracy (%)




0 0.02







Timing interval (sec)

k=0 k=25 k=10

Figure 3: Timing interval versus accuracy with dif- ferent values of k for the silent interval synchroniza- tion scheme.

[5]. The current error in synchronization between the out- put and input signal at a given instant in time is used to refine the synchronization between the signals at a future instant. Our future work includes investigation of a PLL as a synchronization mechanism.


An Empirical Evaluation of the IP Timing Channel Performance

In this section we show the performance of our IP tim- ing channel. The communication channel becomes lossy as the timing interval is decreased due to the impact of one or more performance factors described in Section 3.1. We in- vestigate the maximum data rate provided by our IP timing channel by decreasing the timing interval and observing the corresponding accuracy.

The channel accuracy can be measured as the percentage of correctly received bits, characters, or words. Because of potential erasures or shifting of bits, the number of bits, characters, or words may not be identical in the sent and received messages. We therefore measure accuracy based on edit distance, which is the minimum distance between two strings (in our case bits or characters) that is needed to transform the first string into the second. We use an efficient (Θ(mn) where m and n are the lengths of the strings) dy- namic programming approach to calculate the edit distance known as the Wagner-Fischer technique [33].

Our covert channel ran between Purdue and Georgetown Universities, and was subject to changing network condi- tions. During “normal” network conditions, the route be- tween communicating parties was twelve hops with an av- erage RTT of 31.5 msec. In order to assess the accuracy of our covert channel under varying traffic loads, we ran our experiments at different times. Our results show that an IP timing channel is highly dependent on network factors.

3.5.1 Effect of timing interval size:

We first investigate the potential data rate of our channel by decreasing the timing interval until the accuracy drops. We mark this point as a threshold that can be thought as a boundary between the lossless and lossy communication


and calculate the corresponding channel bit and character rate. In this experiment we used the periodic silent intervals synchronization scheme described in Section 3.4, with k de- noting the frequency the synchronization scheme goes into a silent period (e.g., every twenty timing intervals). The character coding is eight bit ASCII with no error correction. Figure 3 shows the trade-off between the timing interval and the channel accuracy. Our channel provides nearly lossless communication for larger intervals at the cost of lower trans- mission bandwidth.

The experiment results show that the threshold value for the covert interval is around 0.06 seconds, which guaran- tees nearly 98% character accuracy for all three values of k. The equivalent channel bit rate is 16.666 bits per sec- ond (bps). With ASCII encoding and the SOF bit taken into account, we calculate the channel character rate around 1.852 characters per second (cps). As expected, the channel accuracy remains high for larger timing intervals. It also remains slightly higher when the transmissions are periodi- cally paused for resynchronization.

3.5.2 Effect of network conditions:

In this experiment, we demonstrate an example of a net- work congestion and its effects on the performance of the covert channel. We plan to expand on these results in fu- ture work with reproducible network conditions using the DETER test bed [8].

We ran our covert channel on a congested network with a highly varying RTT between the sender and receiver with mean RTT at 42.07 msec. The normal RTT values for this channel have a mean RTT at 31.5 msec. Our evaluations show that congestion lowers the accuracy rate. For example, with timing interval set to 0.08, we observe 100% average character accuracy under normal conditions, but the accu- racy drops to 82.11% for the congested network. Clearly, the interval must be increased to retain accuracy during periods of high congestion.



In this initial exploration, our focus is on whether we can create mechanisms that can detect covert channels in IP traffic. To this end we have developed and experimented with two different methods. As we explain in Section 4.1, each method tries to detect the fundamental regularity that must exist for a covert timing channel to exist. In Figure 4(a), we show the inter-arrival times of a simple covert tim- ing channel. The y-axis is the inter-arrival time and the x-axis is the packet number. In Figure 4(b), we have sorted the inter-arrival times from smallest to largest. The result is a step function (note that because of varying network load, it is not a perfect step function). From these two figures, we observe that there appear to be approximately 4 or 5 different inter-arrival times. This highly regular behavior is a direct result of the static encoding of the frames in the timing channel. The arrival of packets is separated by 0, 1, 2, 3, 4,... intervals (the number of intervals separating packets is the number of “zeros” between two consecutive “ones” in a codeword). In contrast overt traffic packets can arrive anytime, resulting in an irregular pattern.

We present empirical results that show that for the simple case of a covert channel with a single interval and no noise

Document info
Document views13
Page views13
Page last viewedSat Oct 22 16:36:13 UTC 2016