Table 2. ε-Similarity scores for Covert Channel II. For each window of t packets, the interval is selected from the set (0.04, 0.06, 0.08). Results are shown for both selection methods and for the original covert channel that employs a single interval (0.04).
FTP-data, UDP and the covert channel. The reported values are averaged over ten runs. The results show a striking difference between the covert channel and non-covert flows for the NZIX-II data. For example, 40% of the covert traffic [...] non-covert channel less than 15% [...]. What is interesting is that although the [...] for the [...]. [...] that because the normal traffic in the DARPA dataset was synthetically generated, it is not entirely representative of real traffic [24, 22]. Although previous studies have not examined the specific inter-arrival times, they have illustrated that 1) many attributes of DARPA network traffic are more predictable than the real traffic, and 2) the syn- [...] consequence of the nature of the synthetic data.

Figure 6. ε-Similarity for the DARPA dataset
4.2.3 Covert Channel II: Varying the timing interval:
To understand how our metrics work when the sender tries to hide the covert channel, we first experimented with covert channels where the sender alternates between different intervals. The motivation from the sender's viewpoint is to obfuscate the regularity. In our experiment, we chose three different interval values 0.04, 0.06, and 0.08. After t packets, we switch to a new interval. We experimented with two different methods of specifying the new interval: cycling through them sequentially or random selection.
Varying the interval impacts Measure I (regularity) because the variances of the windows are no longer comparable unless t is much smaller than w. In this case, all three intervals would be observed several times in each window of w packets, and therefore the variance for each window would be similar. However, for cases where t approaches or exceeds w this metric cannot detect covert timing channels, and hence due to space we do not show the actual numbers.
On the other hand, our second metric (ε-Similarity) still shows differences in values for the covert versus the non-covert traffic. In Table 2 we show the results for the original single-interval covert channel, and for several choices of t for both methods of selecting a new interval period after t frames. Note that the results are averaged over ten runs for each parameter setting. Looking at each of the seven values of ε, we see little difference for either the sequential or random method. These results show that the ε-Similarity metric is robust to this method of hiding covert traffic.
4.2.4 Covert Channel III: Injecting noise:
Our third experiment examines how our measures fare when we explicitly introduce irregularity into the covert channel. We inject noise into the channel as follows. For a covert channel operating on a port typically associated with a particular application X, we insert portions of inter-arrival times from a non-covert traffic stream for application X. For example, if the covert channel runs on Port 80, we use WWW traffic. We then break the covert channel into blocks of 100 packets, and randomly replace blocks of the covert traffic with the non-covert traffic of application X until we achieve the desired noise level (e.g., for 10% noise, the IA times for two randomly selected blocks of 100 packets would be replaced in our 2000 packet stream).
This scheme again impacts our first measure because of the random nature of noise injection. Because a window may include components from the noisy traffic, the windows are no longer comparable and our regularity measure fails to discriminate covert from non-covert traffic.
Our second measure, however, fares better. In Table 3 we show the ε-Similarity values for the original covert channel (Covert Channel I, shown in the 0% noise row), and for noise levels of 10, 25 and 50%. In addition, we include the values for the non-covert traffic in the bottom three rows of the table. Note that as the noise level increases the covert traffic begins to have ε-Similarity values close to the non-covert traffic. However, a drawback from the sender/receiver's viewpoints is that the [...] decreases linearly with the noise level.
4.3 Automatic Detection of IP Covert Timing Channels
In this section, we present the results of an experiment designed to evaluate our metrics' ability to be used to automatically detect covert timing channels. Both of our methods require that we set a threshold. For ε-Similarity, we need to choose a threshold for each value of ε.¹ For the regularity metric, values below the threshold are considered to have been generated by covert traffic. To set the parameters, we first ran experiments with ten flows from each protocol type. Note that we experimented only with WWW and FTPd traffic, as in the NZIX-II dataset there is insuf-

¹Note that for values of ε < 0.1, observations [...] threshold are considered covert traffic and for [...] values below our threshold are considered covert, because the majority of covert traffic has a similarity ≤ 0.1
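As an added, runnable illustration (this is not code from the paper), the following Python implements the two measures compared in Sections 4.2.3, 4.2.4 and 4.3 and runs them over constructed inter-arrival-time streams: a single-interval channel (Covert Channel I), a channel that switches among 0.04/0.06/0.08 every t packets by either selection method (Covert Channel II), and a channel with blocks of 100 inter-arrival times replaced by non-covert ones (Covert Channel III), followed by the threshold rule of Section 4.3. The metric definitions (regularity as the standard deviation of pairwise relative differences of per-window standard deviations; ε-Similarity as the fraction of neighbouring relative differences in the sorted inter-arrival times below ε) follow my reading of the paper's earlier definitions, which are not reproduced on this page. The lognormal stand-in for WWW traffic, the jitter model, the ε value 0.001 and the calibration rule (largest ε-Similarity seen on known-benign flows) are assumptions made so the example runs offline; the table values on this page are not reproduced.

```python
"""Added example (not the paper's code): regularity and epsilon-Similarity
over constructed inter-arrival-time (IAT) streams that imitate Covert
Channels I, II and III, plus a simple per-epsilon detection threshold."""
import random
import statistics


def regularity(iats, w=100):
    """Measure I (assumed definition): split the stream into windows of w
    packets, take the standard deviation sigma_i of each window, and return
    the standard deviation of |sigma_i - sigma_j| / sigma_i over all i < j.
    A fixed timing interval gives near-identical windows, hence a small value."""
    sigmas = [statistics.pstdev(iats[k:k + w])
              for k in range(0, len(iats) - w + 1, w)]
    diffs = [abs(si - sj) / si
             for i, si in enumerate(sigmas)
             for sj in sigmas[i + 1:] if si > 0]
    return statistics.pstdev(diffs) if len(diffs) > 1 else 0.0


def epsilon_similarity(iats, eps):
    """epsilon-Similarity (assumed definition): sort the IATs, take the
    relative difference between each pair of neighbours, and return the
    fraction below eps. Timing-channel IATs pile up at multiples of the
    interval, so most neighbouring differences are near zero."""
    p = sorted(iats)
    rel = [abs(p[i] - p[i + 1]) / p[i] for i in range(len(p) - 1) if p[i] > 0]
    return sum(r < eps for r in rel) / len(rel)


def covert_stream(n, intervals=(0.04,), t=None, sequential=True,
                  jitter=0.0005, seed=0):
    """Constructed Covert Channel I/II IATs: each timing slot carries one
    random bit (packet for 1, silence for 0), so an IAT is a whole number of
    slots plus small Gaussian network jitter. With t set, the slot length
    changes every t packets, cycling through `intervals` or picking one at
    random (the two selection methods of Section 4.2.3)."""
    rng = random.Random(seed)
    iats, idx = [], 0
    for i in range(n):
        if t and i and i % t == 0:
            idx = (idx + 1) % len(intervals) if sequential \
                else rng.randrange(len(intervals))
        slots = 1
        while rng.random() < 0.5:   # silent 0-bit slots before the next packet
            slots += 1
        iats.append(slots * intervals[idx] + rng.gauss(0.0, jitter))
    return iats


def web_like_stream(n, seed=1):
    """Constructed stand-in for non-covert WWW IATs (lognormal gaps). A
    modelling assumption so the example runs offline, not real traffic."""
    rng = random.Random(seed)
    return [rng.lognormvariate(-3.5, 1.2) for _ in range(n)]


def inject_noise(covert, cover, noise, block=100, seed=2):
    """Covert Channel III (Section 4.2.4): replace randomly chosen blocks of
    `block` IATs with the same positions of a non-covert stream until the
    requested fraction of blocks is replaced (10% of 2000 packets = 2 blocks)."""
    rng = random.Random(seed)
    out = list(covert)
    nblocks = len(covert) // block
    for b in rng.sample(range(nblocks), round(noise * nblocks)):
        out[b * block:(b + 1) * block] = cover[b * block:(b + 1) * block]
    return out


def calibrate_threshold(benign_flows, eps):
    """Section 4.3 needs a threshold per epsilon. Assumed rule (the page does
    not give the paper's): the largest epsilon-Similarity observed on
    known-benign flows; a flow above it is flagged as covert."""
    return max(epsilon_similarity(f, eps) for f in benign_flows)


def is_covert(iats, eps, threshold):
    return epsilon_similarity(iats, eps) > threshold


if __name__ == "__main__":
    eps = 0.001
    cc1 = covert_stream(2000)
    www = web_like_stream(2000)
    flows = [("CC I", cc1), ("WWW", www),
             ("CC II t=10", covert_stream(2000, (0.04, 0.06, 0.08), t=10)),
             ("CC II t=100", covert_stream(2000, (0.04, 0.06, 0.08), t=100)),
             ("CC III 50%", inject_noise(cc1, www, 0.5))]
    for name, flow in flows:
        print(f"{name:12s} regularity={regularity(flow):.3f} "
              f"eps-sim={epsilon_similarity(flow, eps):.3f}")
    thr = calibrate_threshold([web_like_stream(2000, seed=s) for s in range(10, 20)], eps)
    print(f"threshold={thr:.3f}  CC I flagged={is_covert(cc1, eps, thr)}")
```

Running the script reproduces the qualitative pattern the text describes: regularity is low for the single-interval channel but rises once t reaches the window size w (here 100), while ε-Similarity stays well above the non-covert value for the switched-interval channel and degrades only gradually as more blocks are replaced by non-covert traffic.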