Meusburger, K. (2023). On the statistical detectability of covert timing channels [Diploma Thesis, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2023.113904
Covert channels are methods to secretly convey information across communication networks by exploiting the characteristics of communication protocols in unexpected ways. Covert channels are computer attacks primarily used by malware or other illicit activities. However, most network intrusion detection systems (NIDS, e.g., Snort, Suricata, Zeek) do not incorporate mechanisms for their detection. That is particularly true for covert timing channels (CTCs), i.e., the subset of covert channels that use temporal attributes to hide clandestine information. In this thesis, we investigate statistical profiles generated by popular CTC techniques and compare them with legitimate baseline traffic. To this end, we developed CCgen.v2, a tool for injecting and retrieving a wide assortment of covert channels in network traffic, in both online and offline setups. CCgen.v2 is a substantially refined version of CCgen.v1 built with a user-friendly browser-based GUI. We used CCgen.v2 to inject a large number of CTCs into real-traffic captures by hiding data from different sources and formats with six state-of-the-art CTC techniques under variable configurations. We then compared the properties of these corrupted traces with a large amount of clean traffic. Alongside the statistical analysis of temporal features, we developed two detection techniques based on (a) a combination of unsupervised machine learning methods and (b) an Inter-Arrival-Time (IAT) histogram peak detector. The variability of regular traffic is so high and rich that base-rate issues hinder statistical detection: detectors are severely disturbed by false positives. Results also show weak performance for the combination of unsupervised learning methods but acceptable accuracy for the peak-detection approach.
However, the detection of CTCs remains challenging due to the high variability of their techniques and configurations, which demands more fine-grained solutions that are, from a computational perspective, hardly feasible in network detectors that must process large volumes of traffic at speed. In addition to the insights provided into the characteristics of CTCs and the keys to their detection, this thesis, with CCgen.v2, offers an excellent testbed for future research and for the training of data analysts and cybersecurity experts.
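The abstract names a two-delay style of covert timing channel, an IAT histogram peak detector, and the base-rate problem that turns a low false-positive rate into mostly-wrong alerts. The following Python is an added illustration of those three ideas and is not code from the thesis or from CCgen.v2. The delay values, jitter, bin width, peak threshold, the sample traces (a binary CTC carrying a constructed payload, Poisson-like baseline traffic, and a periodic keepalive flow) and the TPR/FPR/prevalence figures are all assumptions chosen to make the example deterministic, not measurements from the work.

```python
"""Illustrative two-delay covert timing channel, IAT histogram peak detector,
and base-rate arithmetic. Constructed example; every parameter is an assumption."""
import random
from collections import Counter

BIN_WIDTH = 0.01   # seconds; assumed histogram resolution
PEAK_SHARE = 0.25  # assumed rule: a bin holding >= 25% of a flow's IATs is a peak


def bits_of(data: bytes):
    """MSB-first bit list of a byte string (the covert payload)."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def two_delay_ctc_iats(bits, low=0.025, high=0.075, jitter_sd=0.002, seed=1):
    """Sender side of a binary CTC: bit 0 -> 'low' delay, bit 1 -> 'high' delay,
    plus Gaussian network jitter whose sd is far smaller than the delay gap.
    Delays sit in the middle of a histogram bin so the example is deterministic."""
    rng = random.Random(seed)
    return [(high if b else low) + rng.gauss(0.0, jitter_sd) for b in bits]


def baseline_iats(n=2000, mean=0.05, seed=2):
    """Constructed legitimate traffic: exponentially distributed IATs (Poisson arrivals)."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean) for _ in range(n)]


def keepalive_iats(n=200, period=1.005, jitter_sd=0.001, seed=3):
    """Constructed legitimate but periodic traffic (a heartbeat). It also yields a
    sharp IAT peak: the kind of benign flow that inflates a peak detector's false positives."""
    rng = random.Random(seed)
    return [period + rng.gauss(0.0, jitter_sd) for _ in range(n)]


def iat_histogram(iats, bin_width=BIN_WIDTH):
    """Map each IAT to a fixed-width bin index and count occupancy."""
    return Counter(int(t // bin_width) for t in iats if t >= 0)


def detect_ctc(iats, bin_width=BIN_WIDTH, peak_share=PEAK_SHARE):
    """Flag a flow if any histogram bin holds at least `peak_share` of its IATs.
    Returns (flagged, sorted list of peak bin indices)."""
    hist = iat_histogram(iats, bin_width)
    n = sum(hist.values())
    if n == 0:
        return False, []
    peaks = sorted(b for b, c in hist.items() if c / n >= peak_share)
    return bool(peaks), peaks


def precision_at_base_rate(tpr, fpr, prevalence):
    """Precision (PPV) of a detector with the given true/false positive rates when only
    `prevalence` of flows actually carry a CTC: the base-rate effect described above."""
    tp = tpr * prevalence
    fp = fpr * (1.0 - prevalence)
    return tp / (tp + fp)


def build_ctc_trace():
    return two_delay_ctc_iats(bits_of(b"secret" * 4))  # constructed 192-bit payload


def build_baseline_trace():
    return baseline_iats()


def build_keepalive_trace():
    return keepalive_iats()


if __name__ == "__main__":
    for name, trace in [("ctc", build_ctc_trace()),
                        ("baseline", build_baseline_trace()),
                        ("keepalive", build_keepalive_trace())]:
        flagged, peaks = detect_ctc(trace)
        print(f"{name:10s} flagged={flagged} peak_bins={peaks}")
    # Even a good detector (90% TPR, 1% FPR) is mostly wrong when 1 flow in 1000 is covert.
    print(f"precision at 0.1% prevalence: {precision_at_base_rate(0.9, 0.01, 0.001):.3f}")
```

The CTC trace produces two peaks (bins 2 and 7, i.e. the 0.02-0.03 s and 0.07-0.08 s delays) and the exponential baseline produces none, but the periodic keepalive flow is flagged just as confidently as the covert one. That false positive, multiplied across the many benign periodic flows in real captures and combined with the low prevalence of CTCs, is why the precision figure collapses to a few percent even with a 1% false-positive rate.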
Language: en
Additional information:
Deviating title after translation by the author