Analytic Study of Features for the Detection of Covert Timing Channels in Network Traffic

Authors

  • Félix Iglesias Vázquez CN Group, Institute of Telecommunications, TU Wien, Austria
  • Robert Annessi CN Group, Institute of Telecommunications, TU Wien, Austria
  • Tanja Zseby CN Group, Institute of Telecommunications, TU Wien, Austria

DOI:

https://doi.org/10.13052/2245-1439.632

Keywords:

Covert timing channels, Network traffic analysis, Classification, Anomaly detection, Feature selection

Abstract

Covert timing channels are security threats that have concerned the expert community since the beginnings of secure computer networks. In this paper we explore the nature of covert timing channels by studying the behavior of a selection of features used for their detection. Insights are obtained from experimental studies based on ten covert timing channel techniques published in the literature, which include both popular and novel approaches. The study examines the shapes of flows containing covert timing channels from a statistical perspective as well as with supervised and unsupervised machine learning algorithms. Our experiments reveal which features are recommended for building detection methods and draw meaningful representations to understand the problem space. Covert timing channels show high histogram-distance-based outlierness, but not enough to clearly discriminate them from normal traffic. On the other hand, traffic features do show dependencies that allow separating subspaces and facilitate the identification of covert timing channels. The conducted study shows the detection difficulties caused by the high shape variability of normal traffic and suggests the implementation of semi-supervised techniques to develop accurate and reliable detectors.

Author Biographies

Félix Iglesias Vázquez, CN Group, Institute of Telecommunications, TU Wien, Austria

Félix Iglesias Vázquez was born in Madrid, Spain, in 1980. He obtained the Dipl.-Ing. in electrical engineering and MAS in IT from the Ramon Llull University, Barcelona, Spain. In 2012 he received the Ph.D. degree in technical sciences from TU Wien, Austria, where he currently holds a University Assistant position doing fundamental research in data analysis and network security. He has worked on R&D for diverse Spanish and Austrian firms, and lectured in the fields of electronics, physics, automation, machine learning and data analysis.

Robert Annessi, CN Group, Institute of Telecommunications, TU Wien, Austria

Robert Annessi received his B.Sc. and M.Sc. degrees in computer engineering from TU Wien in 2011 and 2014, respectively. He is genuinely interested in communication networks, network security, and privacy, and is currently pursuing his Ph.D. in the area of secure group communication for critical infrastructures. His further research interests are anonymous communication, covert communication, and subliminal communication.

Tanja Zseby, CN Group, Institute of Telecommunications, TU Wien, Austria

Tanja Zseby is a professor of communication networks in the Faculty of Electrical Engineering and Information Technology at TU Wien. She received her Dipl.-Ing. degree in electrical engineering and her Ph.D. (Dr.-Ing.) from Technical University Berlin, Germany. Before joining TU Wien she led the Competence Center for Network Research at the Fraunhofer Institute for Open Communication Systems (FOKUS) in Berlin and worked as visiting scientist at the University of California, San Diego.

Published

2017-11-30

How to Cite

Vázquez FI, Annessi R, Zseby T. Analytic Study of Features for the Detection of Covert Timing Channels in Network Traffic. JCSANDM [Internet]. 2017 Nov. 30 [cited 2024 Apr. 26];6(3):245-70. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/5245

Section

Articles