Issue No.06 - November/December (2011 vol.8)
pp: 785-797
Steven Gianvecchio, College of William and Mary, Williamsburg
Haining Wang, College of William and Mary, Williamsburg
ABSTRACT
The detection of covert timing channels is of increasing interest in light of recent exploits of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. Existing detection schemes are ineffective at detecting most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is based on the observation that the creation of a covert timing channel has certain effects on the entropy of the original process, and hence, a change in the entropy of a process provides a critical clue for covert timing channel detection. Exploiting this observation, we investigate the use of entropy and conditional entropy in detecting covert timing channels. Our experimental results show that our entropy-based approach is sensitive to the current covert timing channels and is capable of detecting them in an accurate manner.
INDEX TERMS
Network security, covert timing channels, entropy-based detection.
CITATION
Steven Gianvecchio, Haining Wang, "An Entropy-Based Approach to Detecting Covert Timing Channels", IEEE Transactions on Dependable and Secure Computing, vol.8, no. 6, pp. 785-797, November/December 2011, doi:10.1109/TDSC.2010.46