Abstract
Individuals and organizations are more aware than ever of the importance and value of preserving the confidentiality and privacy of sensitive information. However, detecting the leakage of sensitive information in networked systems is still a challenging problem, especially when adversaries use covert channels to exfiltrate sensitive information to unauthorized parties. Presently, approaches for detecting timing-based covert channels have been studied more extensively than those for detecting storage-based covert channels. In this paper, we evaluate the effectiveness of a selection of statistical tests for detecting storage-based covert channels. We present the results of several experiments which show that complexity-based tests are effective at detecting storage-based covert channels when information is embedded into network packet header fields that are not expected to follow a particular pattern, such as the IP Identification and Time-to-Live. These results can help to guide the construction of practical detection platforms capable of effectively detecting the leakage of sensitive information via storage-based covert channels.
This research was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) grant RGPIN-2019-06306.
Notes
1. This is the case with timing-based covert channels because normal inter-packet delays are essentially random and those of covert channels cluster at either of the values used as symbols in the communication.
2. A similar process can be adopted for other header fields of network packets.
3. Padding the message would complicate interpretation of the results.
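The following Python is an added illustration, not code from the paper: it applies one complexity-based test, Lempel-Ziv (1976) complexity, to a window of IP Identification values, comparing a constructed baseline of uniformly random 16-bit IDs (the "no particular pattern" case the abstract describes) with a constructed window that carries one message byte per ID. The 0.7 baseline ratio is an assumed tuning knob, and the same functions apply to any integer header field, as note 2 suggests.

```python
import random
from typing import Sequence

def lz76_complexity(seq: Sequence[int]) -> int:
    """Lempel-Ziv (1976) complexity via the Kaspar-Schuster parsing:
    the number of distinct phrases needed to build seq from its own past.
    Random symbols give many short phrases; structured data gives few."""
    n = len(seq)
    if n < 2:
        return n
    c, l, i, k, k_max = 1, 1, 0, 1, 1
    while True:
        if seq[i + k - 1] == seq[l + k - 1]:
            k += 1
            if l + k > n:            # phrase reaches the end: count it and stop
                return c + 1
        else:
            k_max = max(k, k_max)
            i += 1
            if i == l:               # no earlier copy exists: close the phrase
                c += 1
                l += k_max
                if l + 1 > n:
                    return c
                i, k, k_max = 0, 1, 1
            else:
                k = 1

def normalized_complexity(seq: Sequence[int]) -> float:
    """Phrases per symbol, in (0, 1]; near 1.0 for values that look random."""
    return lz76_complexity(seq) / len(seq)

def is_suspicious(values: Sequence[int], baseline: Sequence[int], ratio: float = 0.7) -> bool:
    """Flag a window whose complexity drops well below the learned baseline.
    The ratio is an assumed tuning parameter, not a value from the paper."""
    return normalized_complexity(values) < ratio * normalized_complexity(baseline)

# Constructed covert window: one message byte carried per IP Identification value.
COVERT_IDS = list((
    "user=alice;role=admin;dept=finance;user=bob;role=user;dept=finance;"
    "user=carol;role=admin;dept=legal;user=dave;role=user;dept=legal;"
    "user=erin;role=admin;dept=sales;user=frank;role=user;dept=sales;"
    "user=grace;role=admin;dept=ops;user=heidi;role=user;dept=ops;").encode())
# Constructed baseline: the same number of IDs drawn uniformly from the 16-bit field.
_rng = random.Random(7)
BASELINE_IDS = [_rng.randrange(1 << 16) for _ in range(len(COVERT_IDS))]

if __name__ == "__main__":
    for name, ids in (("baseline", BASELINE_IDS), ("covert", COVERT_IDS)):
        print(f"{name}: complexity {normalized_complexity(ids):.2f}, "
              f"suspicious={is_suspicious(ids, BASELINE_IDS)}")
```

In deployment the baseline would be learned from the monitored network's own traffic rather than generated, since operating systems differ in how they fill the Identification field.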
© 2020 IFIP International Federation for Information Processing
Sattolo, T.A.V., Jaskolka, J. (2020). Evaluation of Statistical Tests for Detecting Storage-Based Covert Channels. In: Hölbl, M., Rannenberg, K., Welzer, T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_2
DOI: https://doi.org/10.1007/978-3-030-58201-2_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58200-5
Online ISBN: 978-3-030-58201-2