Skip to main content
SpringerLink
Log in

Evaluation of Statistical Tests for Detecting Storage-Based Covert Channels

  • Conference paper
  • First Online:
ICT Systems Security and Privacy Protection (SEC 2020)

Part of the book series: IFIP Advances in Information and Communication Technology ((IFIPAICT,volume 580))

Abstract

Individuals and organizations are more aware than ever of the importance and value of preserving the confidentiality and privacy of sensitive information. However, detecting the leakage of sensitive information in networked systems is still a challenging problem, especially when adversaries use covert channels to exfiltrate sensitive information to unauthorized parties. Presently, approaches for detecting timing-based covert channels have been studied more extensively than those for detecting storage-based covert channels. In this paper, we evaluate the effectiveness of a selection of statistical tests for detecting storage-based covert channels. We present the results of several experiments which show that complexity-based tests are effective at detecting storage-based covert channels when information is embedded into network packet header fields that are not expected to follow a particular pattern, such as the IP Identification and Time-to-Live. These results can help to guide the construction of practical detection platforms capable of effectively detecting the leakage of sensitive information via storage-based covert channels.

This research was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) grant RGPIN-2019-06306.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 129.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    This is the case with timing-based covert channels because normal inter-packet delays are essentially random and those of covert channels cluster at either of the values used as symbols in the communication.

  2. 2.

    A similar process can be adopted for other header fields of network packets.

  3. 3.

    Padding the message would complicate interpretation of the results.

References

  1. Berk, V., Giani, A., Cybenko, G.: Covert channel detection using process query systems. In: 2nd Annual Conference for Network Flow Analysis, September 2005

    Google Scholar 

  2. Berk, V., Giani, A., Cybenko, G.: Detection of covert channel encoding in network packet delays. Technical report TR2005-536, Dartmouth College, Hanover, NH, USA, August 2005

    Google Scholar 

  3. Cabuk, S., Brodley, C.E., Shields, C.: IP covert timing channels: design and detection. In: 11th ACM Conference on Computer and Communications Security, pp. 178–187. ACM (2004)

    Google Scholar 

  4. Cabuk, S., Brodley, C.E., Shields, C.: IP covert channel detection. ACM Trans. Inf. Syst. Secur. 12(4), 22 (2009)

    Article  Google Scholar 

  5. Collin, L.: A quick benchmark: Gzip vs. Bzip2 vs. LZMA (2005). https://tukaani.org/lzma/benchmarks.html. Accessed 22 Oct 2019

  6. Crespi, V., Cybenko, G., Giani, A.: Engineering statistical behaviors for attacking and defending covert channels. IEEE J. Sel. Top. Signal Process. 7(1), 124–136 (2013)

    Article  Google Scholar 

  7. Garcia, S.: Normal captures (2017). https://stratosphereips.org. Malware Capture Facility Project

  8. Gianvecchio, S., Wang, H.: An entropy-based approach to detecting covert timing channels. IEEE Trans. Dependable Secure Comput. 8(6), 785–797 (2010)

    Article  Google Scholar 

  9. Gunadi, H., Zander, S.: Bro covert channel detection (BroCCaDe) framework: design and implementation. Technical report 20171117B, Murdoch University (2017)

    Google Scholar 

  10. Gunadi, H., Zander, S.: Bro covert channel detection (BroCCaDe) framework: scope and background. Technical report 20171117A, Murdoch University (2017)

    Google Scholar 

  11. Gunadi, H., Zander, S.: Extending bro covert channel detection (BroCCaDe) with new plugins. Technical report 20171207A, Murdoch University (2017)

    Google Scholar 

  12. Gunadi, H., Zander, S.: Performance evaluation of the bro covert channel detection (BroCCaDe) framework. Technical report 20180427A, Murdoch University (2018)

    Google Scholar 

  13. Jadhav, M., Kattimani, S.: Effective detection mechanism for TCP based hybrid covert channels in secure communication. In: 2011 International Conference on Emerging Trends in Electrical and Computer Technology, pp. 1123–1128 (2011)

    Google Scholar 

  14. Jaskolka, J.: Modeling, analysis, and detection of information leakage via protocol-based covert channels. Master’s thesis, McMaster University, Hamilton, ON, Canada, September 2010

    Google Scholar 

  15. Jaskolka, J., Khedri, R.: Exploring covert channels. In: 44th Hawaii International Conference on System Sciences, pp. 1–10, January 2011

    Google Scholar 

  16. Jaskolka, J., Khedri, R., Sabri, K.: A formal test for detecting information leakage via covert channels. In: 7th Annual Cyber Security and Information Intelligence Research Workshop, pp. 1–4, October 2011

    Google Scholar 

  17. Kullback, S., Leibler, R.: On information and sufficiency. Ann. Math. Stat. 22(1), 79–86 (1951)

    Article  MathSciNet  Google Scholar 

  18. Lempel, A., Ziv, J.: On the complexity of finite sequences. IEEE Trans. Inf. Theory 22(1), 75–81 (1976)

    Article  MathSciNet  Google Scholar 

  19. Li, Q., Zhang, P., Chen, Z., Fu, G.: Covert timing channel detection method based on random forest algorithm. In: 17th IEEE International Conference on Communication Technology, pp. 165–171 (2017)

    Google Scholar 

  20. Naik, B., Boddukolu, S., Sujatha, P., Dhavachelvan, P.: Connecting entropy-based detection methods and entropy to detect covert timing channels. In: Meghanathan, N., Nagamalai, D., Chaki, N. (eds.) Advances in Computing and Information Technology. AISC, vol. 176, pp. 279–288. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31513-8_29

    Chapter  Google Scholar 

  21. Ponemon Institute: 2018 cost of a data breach study: global overview. Technical report, IBM Security (2018)

    Google Scholar 

  22. Porta, A., et al.: Measuring regularity by means of a corrected conditional entropy in sympathetic outflow. Biol. Cybern. 78(1), 71–78 (1998)

    Article  Google Scholar 

  23. Sohn, T., Seo, J.T., Moon, J.: A study on the covert channel detection of TCP/IP header using support vector machine. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 313–324. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39927-8_29

    Chapter  Google Scholar 

  24. Tumoian, E., Anikeev, M.: Network based detection of passive covert channels in TCP/IP. In: 30th IEEE Conference on Local Computer Networks, pp. 802–807 (2005)

    Google Scholar 

  25. Zhai, J., Liu, G., Dai, Y.: A covert channel detection algorithm based on TCP Markov model. In: 2nd International Conference on Multimedia Information Networking and Security, pp. 893–897 (2010)

    Google Scholar 

  26. Zhao, H., Shi, Y.: A phase-space reconstruction approach to detect covert channels in TCP/IP protocols. In: 2010 IEEE International Workshop on Information Forensics and Security, pp. 1–6 (2010)

    Google Scholar 

  27. Ziv, J., Lempel, A.: A universal algorithm for sequential data compression. IEEE Trans. Inf. Theory 23(3), 337–343 (1977)

    Article  MathSciNet  Google Scholar 

  28. Ziv, J., Lempel, A.: Compression of individual sequences via variable-rate coding. IEEE Trans. Inf. Theory 24(5), 530–536 (1978)

    Article  MathSciNet  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Systems and Computer Engineering, Carleton University, Ottawa, ON, K1S 5B6, Canada

    Thomas A. V. Sattolo & Jason Jaskolka

Authors
  1. Thomas A. V. Sattolo
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jason Jaskolka
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jason Jaskolka .

Editor information

Editors and Affiliations

  1. University of Maribor, Maribor, Slovenia

    Marko Hölbl

  2. Goethe University Frankfurt, Frankfurt, Germany

    Kai Rannenberg

  3. University of Maribor, Maribor, Slovenia

    Tatjana Welzer

Rights and permissions

Reprints and permissions

Copyright information

© 2020 IFIP International Federation for Information Processing

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Sattolo, T.A.V., Jaskolka, J. (2020). Evaluation of Statistical Tests for Detecting Storage-Based Covert Channels. In: Hölbl, M., Rannenberg, K., Welzer, T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-58201-2_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58200-5

  • Online ISBN: 978-3-030-58201-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation