Affiliation:
1. Hewlett-Packard Laboratories
2. Tufts University
3. Georgetown University
Abstract
A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and present a discussion on its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that provide detection rates over 95%. We next take the simple step an attacker would of adding noise to the channel to attempt to conceal the covert communication. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel for noise levels higher than 10%. We then provide effective offline search mechanisms that identify the noisy channels.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality,General Computer Science
Reference58 articles.
1. Abad C. 2001. IP checksum covert channels and selected hash collision. Tech. rep. University of California. Abad C. 2001. IP checksum covert channels and selected hash collision. Tech. rep. University of California.
2. Ahsan K. 2000. Covert channel analysis and data hiding in TCP/IP. M.S. thesis University of Toronto. Ahsan K. 2000. Covert channel analysis and data hiding in TCP/IP. M.S. thesis University of Toronto.
3. Analyzing stability in wide-area network performance
4. New covert channels in HTTP
Cited by
86 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献