Web Covert Timing Channel Detection based on Entropy

Document Type : Original Article

Authors

1 Computer Engineering Department, Imam Khomeini International University

2 Imam-Khomeini International University, Faculty of Engineering and Technology, Computer Engineering Department

Abstract

Regarding the general acceptance of the web, analyzing its weaknesses and vulnerabilities in order to find and face security attacks has become more urgent. In case there is a communication contrary to the system security       policies, a covert channel has been     created. The attacker can easily disclose information from the victim’s system with just one public access permission. Covert     timing channels, unlike covert storage channels, do not have memory storage and draw less attention. Different methods have been proposed for their identification, which generally benefit from the shape of traffic and the channel’s regularity. The applicative nature of HTTP protocol allows the creation of a covert timing channel based on different features (or different levels) of this protocol, which has not been             addressed in previous researches. In this article, the entropy-based detection method was designed and implemented. The attacker can adjust the amount of channel entropy by controlling measures such as changing the channel’s level or creating noise on the channel to hide from the analyst’s detection. As a result, the entropy threshold is not always constant for detection. By comparing the entropy from different levels of the channel and the analyst, we concluded that the analyst must investigate the traffic at all possible levels. We also illustrated that by making noise on the covert channel, although its capacity would decrease, but as the entropy has increased, the attacker would have more       difficulty in its detection.
 

Keywords


[1]     F. Sommer, D. Jürgen, and K. Reiner, “Survey and Classification of Automotive Security Attacks,” Information 10.4, 148, 2019. https://doi.org/10.3390/info10040148##
[2]     F. Mikhail, A. Flor, D. Steinmetzer, S. Paul Gardner, and M. Hollick, “Survey and Systematization of Secure Device Pairing,” Communications Surveys & Tutorials IEEE, vol. 20, no. 1, pp. 517-550, 2018. https://doi.org/10.1109/COMST.2017.2748278##
[3]     US Department of Defense, “Trusted Computer System Evaluation Criteria,” ISBN 978-0-333-53947-7, Palgrave Macmillan, London, 1985. https://doi.org/10.1007/978-1-349-12020-8_1##
[4]     V. D. Gligor, “A Guide to Understanding Covert Channel Analysis of Trusted Systems,” National Computer Security Center (U.S.). Meade, Maryland, NCSC-TG-030. 1994.##
[5]     B. Carrara and C. Adams, “A Survey and Taxonomy Aimed at the Detection and Measurement of Covert Channels,” In Proc. of the 4th ACM Workshop on Information Hiding and Multimedia Security, pp. 115-126, 2016. https://doi.org/10.1145/2909827.2930800##
[6]     H. Okhravi, S. Bak, and S. T. King, “Design, Implementation and Evaluation of Covert Channel Attacks,” in Technologies for Homeland Security (HST), 2010 IEEE Int. Conf. on, pp. 481-487, 2010. https://doi.org/10.1109/THS.2010.5654967##
[7]     Z. Wang and R. B. Lee, “New Constructive Approach to Covert Channel Modeling and Channel Capacity Estimation,” In Int. Conf. on Information Security, pp. 498--505, 2005. https://doi.org/10.1007/11556992_37##
[8]     ChangXiang Shen, HuangGuo Zhang, DengGuo Feng, ZhenFu Cao and JiWu Huang, “Survey of Information Security,” Science in China Series F: Information Sciences 50.3, 273-298, 2007. https://doi.org/10.1007/s11432-007-0037-2##
[9]     XIAOSONG ZHANG, YU-AN TAN, CHEN LIANG, YUANZHANG LI, AND JIN LI, “A Covert Channel Over Volte via Adjusting Silence Periods,” IEEE Access 6, 9292-9302, 2018. https://doi.org/10.1109/ACCESS.2018.2802783##
[10]  Wojciech Mazurczyk, Steffen Wendzel, Sebastian Zander, Amir Houmansadr, Krzysztof Szczypiorski, “Information Hiding in Communication Networks: Fundamentals, Mechanisms, Applications, and Countermeasures,” John Wiley & Sons, 2016. https://doi.org/10.1002/9781119081715, PMid:27000183##
[11]  S. Cabuk, C. E. Brodley, and C. Shields, “IP Covert Timing Channels: Design and Detection,” In Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 178--187, 2004. https://doi.org/10.1145/1030083.1030108##
[12]  S. Yao, W. Yang, and H. Liusheng, “Concealed in Web Surfing: Behavior-based Covert Channels in HTTP,” J. of Network and Computer Applications 101, 83-95, 2018. https://doi.org/10.1016/j.jnca.2017.10.019##
[13]  Ang Chen, W Brad Moore, Hanjun  Xiao, Andreas Haeberlen, Linhthi  Phan, Micah  Sherr and Wenchao  Zhou, “Detecting Covert Timing Channels with Time-Deterministic Replay,” 11th {USENIX} Symposium on Operating Systems Design and Implementation ({OSDI} 14), 2014.##
[14]  V. Berk, A. Giani, G. Cybenko, and N. Hanover, “Detection of Covert Channel Encoding in Network Packet Delays,” Rapport technique TR536, de lUniversité de Dartmouth, pp. 19, 2005.##
[15]  S. Cabuk, C. E. Brodley, and C. Shields, “IP Covert Channel Detection,” ACM Transactions on Information and System Security (TISSEC), vol. 12, no. 4, pp. 22, 2009. https://doi.org/10.1145/1513601.1513604##
[16]  E. Brown, B. Yuan, D. Johnson, and P. Lutz, “Covert Channels in the HTTP Network Protocol: Channel Characterization and Detecting Man-in-the-Middle Attacks,” in Int. Conf. on Cyber Warfare and Security, pp. 56, 2010.##
[17]  S. Gianvecchio, H. Wang, D. Wijesekera, and S. Jajodia, “Model-based Covert Timing Channels: Automated Modeling and Evasion,” In Int. Workshop on Recent Advances in Intrusion Detection, pp. 211-230, 2008. https://doi.org/10.1007/978-3-540-87403-4_12##
[18]  T. P. Coleman and N. Kiyavash, “Sparse Graph Codes and Practical Decoding Algorithms for Communicating over Packet Timings in Networks,” In Information Sciences and Systems, CISS 2008. 42nd Annual Conf. on, pp. 447-452, 2008. https://doi.org/10.1109/CISS.2008.4558568##
[19]  T. P. Coleman and N. Kiyavash, “Practical Codes for Queueing Channels: An Algebraic, State-Space, Message-Passing Approach,” In Information Theory Workshop, ITW'08. IEEE, pp. 318-322, 2008. https://doi.org/10.1109/ITW.2008.4578677##
[20]  R. M. Stillman, “Detecting IP Covert Timing Channels by Correlating Packet Timing with Memory Content,” In Southeastcon, IEEE, pp. 204-209, 2008. https://doi.org/10.1109/SECON.2008.4494286##
[21]  Y. Liu, D. Ghosal, F. Armknecht, A.-R. Sadeghi, S. Schulz, and S. Katzenbeisser, “Hide and Seek in time---Robust Covert Timing Channels,” In European Symposium on Research in Computer Security, pp. 120-135, 2009. https://doi.org/10.1007/978-3-642-04444-1_8##
[22]  Y. Liu, D. Ghosal, F. Armknecht, A.-R. Sadeghi, S. Schulz, and S. Katzenbeisser, “Robust and Undetectable Steganographic Timing Channels for Iid Traffic,” In Int. Workshop on Information Hiding, pp. 193-207, 2010. https://doi.org/10.1007/978-3-642-16435-4_15##
[23]  N. Kiyavash and T. Coleman, “Covert Timing Channels Codes for Communication Over Interactive Traffic,” In Acoustics, Speech and Signal processing, ICASSP 2009. IEEE Int. Conf. on, pp. 1485-1488. 2009. https://doi.org/10.1109/ICASSP.2009.4959876##
[24]  G. Liu, J. Zhai, Y. Dai, and Z. Wang, “Covert Timing Channel with Distribution Matching,” In Multimedia Information Networking and Security, MINES'09. Int. Conf. on, vol. 1, pp. 565-568, 2009. https://doi.org/10.1109/MINES.2009.28, PMCid:PMC2683182##
[25]  G. Liu, J. Zhai, and Y. Dai, “Network Covert Timing Channel with Distribution Matching,” Telecommunication Systems, vol. 49, no. 2, pp. 199-205, 2012. https://doi.org/10.1007/s11235-010-9368-1##
[26]  S. Zander, G. Armitage, and P. Branch, “Stealthier Inter-Packet Timing Covert Channels,” Networking, pp. 458-470, 2011. https://doi.org/10.1007/978-3-642-20757-0_36##
[27]  R. J. Walls, K. Kothari, and M. Wright, “Liquid: A Detection-Resistant Covert Timing Channel Based on IPD Shaping,” Computer Networks, vol. 55, no. 6, pp. 1217-1228, 2011. https://doi.org/10.1016/j.comnet.2010.11.007##
[28]  Jianhua Liu, Wei Yang, Liusheng Huang and Wuji Chen, “A Detection-Resistant Covert Timing Channel Based on Geometric Huffman Coding,”  Int. Conf. on Wireless Algorithms, Systems, and Applications. Springer, Cham, 2018. https://doi.org/10.1007/978-3-319-94268-1_26##
[29]  R. Archibald and D. Ghosal, “A Covert Timing Channel Based on Fountain Codes,” In Trust, Security and Privacy in Computing and Communications (TrustCom), IEEE 11th Int. Conf. on, pp. 970--977, 2012. https://doi.org/10.1109/TrustCom.2012.21##
[30]  Tae-Seok Ahn, Ji-Won Jung, Ha-Hyun Sung, Dong-Won Lee and Tae-Doo Park, “Turbo Equalization for Covert Communication in Underwater Channel,”  Eighth Int. Conf. on Ubiquitous and Future Networks (ICUFN). IEEE, 2016. https://doi.org/10.1109/ICUFN.2016.7537071##
[31]  Jing Wang, Le Guan, Limin Liu and Daren Zha, “Implementing a Covert Timing Channel Based on Mimic Function,” Int. Conf.on Information Security Practice and Experience. Springer, Cham, 2014. https://doi.org/10.1007/978-3-319-06320-1_19##
[32]  K. S. Lee, H. Wang and H. Weatherspoon, “{PHY} Covert Channels: Can You See the Idles?,” In 11th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 14), pp. 173-185. 2014.##
[33]  T. S. Han and K. Kobayashi, “Mathematics of Information and Coding,” American Mathematical Society, 2007. https://doi.org/10.1090/mmono/203, PMid:17014848##
[34]  M. Saadati, M. Dehghani, and M. Saleh Esfahani, “Simulation and Evaluation of Jitter and Packet Loss Noises Influence on Covert Timing Channel Performance,” J. of Electronic & Cyber Defence, vol. 2, no. 3, pp. 35-49, 2014 (In Persian)##
[35]  B. Beyrami, M. Dehghani, M. Saleh Esfahani, “Covert Timing Channel Detection Based on Statistical Methods,” J. of Electronic & Cyber Defence, vol. 2, no. 5, pp. 13-24, 2014 (In Persian).##
 
Volume 8, Issue 3 - Serial Number 31
November 2020
Pages 13-23
  • Receive Date: 06 May 2019
  • Revise Date: 07 January 2020
  • Accept Date: 19 January 2020
  • Publish Date: 31 January 2021