[Figure 4 plot residue: two panels, "Covert channel inter-arrival times" and "Covert channel inter-arrival times (sorted)"; y-axis "Inter-arrival times" (0 to 0.25), x-axis "Number of packets" (1 to 993)]

Figure 4: Inter-arrival times for the covert timing channel. (a) Actual values. (b) Sorted values.

that both of the proposed methods are highly effective at detecting covert channels. We then explore how well each method performs when measures are taken to try to hide the covert channel’s regularity.

## 4.1 Methods for Detecting Regularity in Inter-arrival Times

Assume that we have observed n packets (in our experiments we set n to be 2000). Our objective is to develop metrics that capture any pattern of regularity in the traffic that is suggestive of a covert timing channel.

### 4.1.1 Measure 1: Examining patterns in the variance

Our first method examines whether the variance in the inter-arrival (IA) times remains constant. To this end, we separate the traffic into non-overlapping windows of size w packets. For each window i, we compute the standard deviation σ_i of the IA times. To compute our heuristic measure of regularity, we then calculate the pairwise differences between σ_i and σ_j for each pair of windows i < j. Finally, to obtain a summary statistic, we compute the standard deviation of the pairwise differences. The following formula summarizes the process:


[Figure 5 plot residue: "Covert channel inter-arrival times (percent differences)"; y-axis "Percent differences" (0 to 25), x-axis "Number of packets" (1 to 993)]

Figure 5: Relative differences of the covert timing channel inter-arrival times.

$$\text{regularity} = \mathrm{STDEV}\left( \frac{|\sigma_i - \sigma_j|}{\sigma_i},\ i < j,\ \forall i, j \right)$$

### 4.1.2 Measure 2: -Similarity between adjacent inter-arrival times

The second measure is derived from the sorted IA times (see Figure 4(b)). From this sorted list, we compute the relative difference between each pair of consecutive points. For example, the relative difference between P_i and P_{i+1} is computed as |P_i − P_{i+1}| / P_i. We show these pairwise relative differences plotted in Figure 5. We can then compute a measure of similarity, which we call -Similarity, by computing the percentage of relative differences that are less than . For covert channels the majority of the pairwise differences in the sorted list of IA times will be very small. It is large only for jumps in the step function (see Figure 4(b)).
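Both measures (4.1.1 and 4.1.2) carried out on constructed traffic, as an added example that is not code from the paper: the covert sample encodes each bit as one of two IA times, the overt sample uses exponentially distributed IA times, and the window size `w`, the threshold `eps` and the two timing values are assumptions chosen for illustration.

```python
import random
import statistics

def regularity(ia_times, w):
    """Measure 1 (regularity). Split the IA times into non-overlapping
    windows of w packets, take the standard deviation sigma_i of each
    window, then return STDEV(|sigma_i - sigma_j| / sigma_i) over all
    window pairs i < j. Low values mean the IA variance barely changes
    from window to window, which is what a covert timing channel shows."""
    windows = [ia_times[k:k + w] for k in range(0, len(ia_times) - w + 1, w)]
    sigmas = [statistics.pstdev(win) for win in windows]
    diffs = [abs(si - sj) / si
             for i, si in enumerate(sigmas) if si > 0  # skip undefined ratios
             for sj in sigmas[i + 1:]]
    return statistics.pstdev(diffs)

def similarity(ia_times, eps):
    """Measure 2 (similarity). Sort the IA times, compute the relative
    difference |P_i - P_{i+1}| / P_i between consecutive sorted values and
    return the fraction of those differences that are smaller than eps.
    A covert channel's sorted IA times form a step function, so almost all
    consecutive differences are ~0 and the fraction is close to 1."""
    p = sorted(ia_times)
    rel = [abs(p[i] - p[i + 1]) / p[i] for i in range(len(p) - 1)]
    return sum(1 for r in rel if r < eps) / len(rel)

def covert_ia(n, rng, t0=0.06, t1=0.12):
    """Constructed covert channel: each bit is sent as one of two IA times."""
    return [t1 if rng.random() < 0.5 else t0 for _ in range(n)]

def overt_ia(n, rng, mean=0.09):
    """Constructed overt traffic: exponentially distributed IA times."""
    return [rng.expovariate(1.0 / mean) for _ in range(n)]

def compare(n=2000, w=100, eps=0.001, seed=1):
    """Run both measures on covert and overt samples of n packets (n=2000
    matches the paper's experiments; w, eps and seed are assumptions)."""
    rng = random.Random(seed)
    covert, overt = covert_ia(n, rng), overt_ia(n, rng)
    return {
        "regularity_covert": regularity(covert, w),
        "regularity_overt": regularity(overt, w),
        "similarity_covert": similarity(covert, eps),
        "similarity_overt": similarity(overt, eps),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>18}: {value:.4f}")
```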

### 4.1.3 A discussion of other approaches

We also investigated several approaches that were not fruitful, but were more obvious from a statistical point of view.

Indexes of dispersion of a point process have been used as a tool in network characterization [16, 28]. In particular, the index of dispersion for intervals (IDI) can be used to qualitatively compare the inter-arrival times of a point process with the Poisson process serving as the basis (for which the IDI is unity) [7]. IDI provides a finer measure for defining the variability of the process than does a second order moment analysis. In [16], the variability, or the burstiness, of the network traffic is defined as “the changes in the variance of the sum of consecutive inter-arrivals.” Although this measure appears promising, it makes a number of assumptions including stationarity, which needs to be verified for the correct interpretation of the results. In this initial study, we do not impose such assumptions on the distributions of covert or overt traffic. Our future work includes such analysis of both types of traffic.

Another avenue we examined was statistical non-parametric tests similar to those used in other work [26, 4, 6]. Applications of these tests have mainly concentrated on network traffic characterization and modeling. The goal is often to determine whether two streams come from the same