IP Covert Timing Channels: Design and Detection - page 9 / 10


Table 3: ε-Similarity scores with different classes and levels of noise.

Type of noise        Noise level    ε-Similarity score (%), by ε
                                    0.005    0.008    0.01     0.02     0.03     0.1     >0.1
(covert, no noise)   0%             39.92    52.83    58.58    72.79    79.74    91.85    8.15
WWW                  10%            36.54    47.50    52.67    66.46    73.39    87.46   12.54
FTPd                 10%            35.03    46.05    51.30    64.89    71.45    84.94   15.06
Telnet               10%            34.89    45.83    51.14    64.29    70.70    83.17   16.83
WWW                  25%            31.88    40.93    44.45    58.96    65.76    83.01   16.99
FTPd                 25%            30.69    39.93    44.43    56.88    63.14    78.80   21.20
Telnet               25%            29.06    38.34    42.61    54.12    60.04    73.27   26.73
WWW                  50%            31.70    37.31    40.33    53.15    59.52    79.32   20.68
FTPd                 50%            26.12    32.21    35.60    46.35    52.39    70.53   29.47
Telnet               50%            24.21    30.31    33.31    42.47    47.72    61.40   38.60
Non-covert WWW       -              10.81    13.49    14.96    23.76    28.70    52.69   47.31
Non-covert Telnet    -               7.54    10.25    12.04    18.69    23.65    46.99   53.01
Non-covert FTPd      -               8.20    13.19    15.19    25.36    33.20    62.05   37.95

Table 4: False positive (FP) and false negative (FN) rates for covert channel detection (percent).

WWW
Threshold    FP      Cov-I    Cov-II    Cov-III(10%)    Cov-III(25%)    Cov-III(50%)
µ + 2σ       10.0     0.0      0.0        86.6            100.0           100.0
µ + 1.5σ     10.0     0.0      0.0         0.0             53.0            86.6
µ + 1σ       10.0     0.0      0.0         0.0              0.0            86.6
> Max        10.0     0.0      0.0         0.0             20.0            86.6

FTPd
Threshold    FP      Cov-I    Cov-II    Cov-III(10%)    Cov-III(25%)    Cov-III(50%)
µ + 2σ       10.0     0.0     66.7        86.6            100.0           100.0
µ + 1.5σ     10.0     0.0      0.0         0.0             80.0            93.3
µ + 1σ       30.0     0.0      0.0         0.0              6.7            93.3
> Max        10.0     0.0      0.0         0.0             33.3            86.6

ing flows, we compute various statistics to determine our thresholds. Specifically, we calculate the mean and standard deviation, and record the minimum and maximum observed values, for each of our metrics. We then applied several different thresholds to a new set of independent testing data. For each protocol we collected ten new flows (we did not examine them until after parameter selection).

The results for ε-Similarity are shown in Table 4. For each protocol, we show the results for several different choices of threshold. Specifically, we show values for thresholds set 2, 1.5 or 1 standard deviation(s) away from the mean value observed for the non-covert traffic. We also show values for thresholds set to be greater than the largest observed value for ε < 0.1 (and less than the smallest observed value for ε > 0.1). To classify a flow as a covert channel, all seven ε-Similarity metrics are computed and we take a majority vote.

The FP column of the table shows the results for the non-covert traffic, which gives us the false positive rate (FP). Our results show that the false positive rate for both WWW and FTPd traffic is 10% for most choices of the threshold value.

We also report the false negative rates for several different types of covert channel. Specifically, we report the false negative rate for the basic channel (Cov-I), for a channel in which the interval is varied randomly between three choices (Cov-II), and for channels with noise injected (Cov-III). For the original covert timing channel (Cov-I) our false negative rate is 0%. For the interval-varying covert channel (Cov-II), all values of our thresholds work well except for the strictest test, µ + 2σ; in this case the covert channel begins to resemble the normal FTPd traffic. Finally, for the channels in which noise is injected (Cov-III), the higher the level of noise, the more difficulty our method has in recognizing that it is a covert channel. However, for both the WWW and FTPd traffic at 10% noise, most values of the threshold work well.
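As an added worked example (not code from the paper), the following Python sketch reproduces the detection procedure described above on constructed traffic: fit per-metric mean, standard deviation, minimum and maximum on non-covert training flows, set the µ + kσ and "> Max" thresholds, score each test flow on all seven ε-Similarity metrics, take a majority vote, and tabulate FP and FN percentages in the shape of Table 4. The ε-Similarity definition used here (sort the inter-arrival times, take the relative difference between neighbouring sorted values, report the percentage below ε) follows the paper's earlier section as I read it and is not restated on this page; the assumption that the ">0.1" metric is the complementary percentage, so that covert traffic scores low on it and its threshold is applied in the opposite direction, is inferred from Table 3. The flow generators are synthetic stand-ins, so the rates this prints are not the paper's.

```python
"""Majority-vote epsilon-similarity detector in the style of the Table 4 experiment.

Added example, not the paper's code.  Assumptions (not stated on this page):
  * eps-similarity at eps = percentage of neighbouring pairs, after sorting the
    inter-arrival times, whose relative difference |p[i+1]-p[i]| / p[i] is below eps.
  * The ">0.1" metric is the complementary percentage (relative difference above 0.1),
    so covert traffic scores LOW on it and its threshold is applied in the opposite
    direction (Table 3: 8.15 for the clean channel vs 37-53 for non-covert traffic).
  * All flows below are synthetic (constructed here), not the paper's traces.
"""
import random
import statistics
from typing import Dict, List, Sequence

EPSILONS = (0.005, 0.008, 0.01, 0.02, 0.03, 0.1)       # the six "score at eps" columns
METRICS = tuple(str(e) for e in EPSILONS) + (">0.1",)  # seven metrics, as in Table 3
RULES = ("mu+2s", "mu+1.5s", "mu+1s", ">max")          # the four threshold rows of Table 4
K_SIGMA = {"mu+2s": 2.0, "mu+1.5s": 1.5, "mu+1s": 1.0}


def eps_similarity(inter_arrivals: Sequence[float]) -> Dict[str, float]:
    """Compute all seven eps-similarity scores (percentages) for one flow."""
    p = sorted(t for t in inter_arrivals if t > 0)
    if len(p) < 2:
        raise ValueError("need at least two positive inter-arrival times")
    rel = [abs(p[i + 1] - p[i]) / p[i] for i in range(len(p) - 1)]
    n = len(rel)
    scores = {str(e): 100.0 * sum(r < e for r in rel) / n for e in EPSILONS}
    scores[">0.1"] = 100.0 * sum(r > 0.1 for r in rel) / n
    return scores


def fit_thresholds(training_scores: List[Dict[str, float]]) -> Dict[str, Dict[str, float]]:
    """Mean, standard deviation, min and max of each metric over non-covert training flows."""
    stats = {}
    for m in METRICS:
        vals = [s[m] for s in training_scores]
        stats[m] = {"mean": statistics.mean(vals), "stdev": statistics.stdev(vals),
                    "min": min(vals), "max": max(vals)}
    return stats


def is_covert(scores: Dict[str, float], stats: Dict[str, Dict[str, float]], rule: str) -> bool:
    """Majority vote over the seven metrics; each metric votes against its own threshold."""
    votes = 0
    for m in METRICS:
        st = stats[m]
        if m == ">0.1":  # covert traffic scores low here (assumption, see module docstring)
            cut = st["min"] if rule == ">max" else st["mean"] - K_SIGMA[rule] * st["stdev"]
            votes += scores[m] < cut
        else:
            cut = st["max"] if rule == ">max" else st["mean"] + K_SIGMA[rule] * st["stdev"]
            votes += scores[m] > cut
    return votes > len(METRICS) // 2  # at least 4 of 7 metrics agree


# --- constructed traffic (synthetic stand-ins, not the paper's traces) ---------------
def covert_flow(rng: random.Random, n: int = 400, intervals=(0.04, 0.08), jitter: float = 0.05):
    """Two-interval timing channel (one interval per bit) with +/- jitter on each gap."""
    return [rng.choice(intervals) * (1.0 + rng.uniform(-jitter, jitter)) for _ in range(n)]


def normal_flow(rng: random.Random, n: int = 400, mean: float = 0.1):
    """Stand-in for non-covert traffic: exponentially distributed inter-arrival times."""
    return [rng.expovariate(1.0 / mean) for _ in range(n)]


def noisy_covert_flow(rng: random.Random, noise: float, n: int = 400):
    """Cov-III style channel: a fraction `noise` of the packets are ordinary traffic."""
    k = int(n * noise)
    return covert_flow(rng, n - k) + normal_flow(rng, k)


def run_experiment(seed: int = 7, n_train: int = 10, n_test: int = 10) -> Dict[str, Dict[str, float]]:
    """Fit thresholds on non-covert flows, then report FP / FN percentages per rule."""
    rng = random.Random(seed)
    stats = fit_thresholds([eps_similarity(normal_flow(rng)) for _ in range(n_train)])
    test_sets = {
        "non-covert": [normal_flow(rng) for _ in range(n_test)],
        "Cov-I": [covert_flow(rng) for _ in range(n_test)],
        "Cov-III(25%)": [noisy_covert_flow(rng, 0.25) for _ in range(n_test)],
        "Cov-III(50%)": [noisy_covert_flow(rng, 0.50) for _ in range(n_test)],
    }
    table = {}
    for rule in RULES:
        row = {}
        for name, flows in test_sets.items():
            flagged = sum(is_covert(eps_similarity(f), stats, rule) for f in flows)
            if name == "non-covert":
                row["FP"] = 100.0 * flagged / len(flows)                  # flagged normal flows
            else:
                row[name] = 100.0 * (len(flows) - flagged) / len(flows)   # missed covert flows
        table[rule] = row
    return table


if __name__ == "__main__":
    for rule, row in run_experiment().items():
        print(f"{rule:8s}", "  ".join(f"{k}={v:5.1f}" for k, v in row.items()))
```

Because the synthetic channel has far less jitter than a real Internet path, the clean channel separates from the exponential stand-in much more sharply than in Table 3, and the noisy variants are caught more often than the paper's Cov-III rows; the point of the sketch is the procedure (per-metric statistics, directional thresholds, majority vote, FP/FN tabulation), not the numbers.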

We also ran experiments for our measure of regularity. For the simple timing channel without any noise, our method detects it with 100% accuracy and a 0.0% false positive rate. However, as discussed earlier, this method fails when attempts are made to obfuscate the channel (Cov-II and Cov-III).

5. CONCLUSIONS AND FUTURE WORK

In this paper we have presented the design and implementation of a network covert timing channel; developed methods of distinguishing the covert traffic generated by our channel from normal traffic; and examined the efficacy of our detection methods in the face of counter-measures attackers seem likely to pursue.

The implementation of the timing channel raised a number of non-obvious issues in its design, particularly in methods of determining timing intervals in the absence of an accurate, shared clock. Our implementation uses a variety of mechanisms to synchronize the data stream, including use of blocking and non-blocking sockets; periodic idle intervals; and dynamic adjustment of the intervals. We then evaluated the performance of the channel to determine the maximum dependable speed of transmission.

We then collected data while our timing channel communicated between two remote locations on the Internet, and using this data, developed two methods to differentiate covert traffic traces from normal traffic traces obtained from widely used research data. The first method measures

186
