Abstract
In this paper we describe the implementation and detection of a network covert channel based on TCP retransmissions. For the detection, we implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based covert channels, namely the \(\varepsilon \)-similarity and the compressibility. The \(\varepsilon \)-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can be applied to the detection of retransmission-based covert channels, i.e. we performed a so-called countermeasure variation.
Our initial results indicate that the \(\varepsilon \)-similarity can be considered a promising detection method for retransmission-based covert channels while the compressibility itself provides insufficient results but could potentially be used as a classification feature.
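The compressibility measure described above, in its original inter-arrival-time form, as an added example that is not code from the paper. The three-decimal text encoding, the `;` separator, zlib, the window size and both constructed flows are assumptions; the paper's retransmission-specific variant is not reproduced here.

```python
import random
import zlib


def encode_iats(iats, decimals=3):
    """Textual representation: fixed-point inter-arrival times, concatenated.
    The precision and the ';' separator are assumptions of this example."""
    return ";".join(f"{t:.{decimals}f}" for t in iats).encode("ascii")


def compressibility(iats):
    """kappa = |S| / |C|: length of the string over its compressed length.
    Regular (covert) timing compresses well and yields a high kappa."""
    s = encode_iats(iats)
    return len(s) / len(zlib.compress(s, 9))


def window_scores(iats, size=100):
    """Score consecutive non-overlapping windows so that a short covert
    burst is not averaged away over a long flow."""
    return [compressibility(iats[i:i + size])
            for i in range(0, len(iats) - size + 1, size)]


def constructed_flows(n=200, seed=7):
    """Constructed sample data (not measurements from the paper)."""
    rng = random.Random(seed)
    # Legitimate traffic: jittery gaps, exponential with mean 80 ms.
    legit = [rng.expovariate(1 / 0.08) for _ in range(n)]
    # Timing covert channel: one of two fixed gaps per hidden bit.
    covert = [0.05 if rng.random() < 0.5 else 0.10 for _ in range(n)]
    return legit, covert


if __name__ == "__main__":
    legit, covert = constructed_flows()
    for name, flow in (("legit", legit), ("covert", covert)):
        scores = ", ".join(f"{k:.2f}" for k in window_scores(flow))
        print(f"{name:6s} kappa={compressibility(flow):.2f} windows=[{scores}]")
```
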
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Zillien, S., Wendzel, S. (2018). Detection of Covert Channels in TCP Retransmissions. In: Gruschka, N. (eds) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science, vol 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_13
DOI: https://doi.org/10.1007/978-3-030-03638-6_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03637-9
Online ISBN: 978-3-030-03638-6
eBook Packages: Computer Science, Computer Science (R0)