Detection of Covert Channels in TCP Retransmissions

  • Conference paper
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11252)

Abstract

In this paper we describe the implementation and detection of a network covert channel based on TCP retransmissions. For the detection, we implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based covert channels, namely the \(\varepsilon\)-similarity and the compressibility. The \(\varepsilon\)-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can be applied to the detection of retransmission-based covert channels, i.e. we performed a so-called countermeasure variation.

Our initial results indicate that the \(\varepsilon \)-similarity can be considered a promising detection method for retransmission-based covert channels while the compressibility itself provides insufficient results but could potentially be used as a classification feature.
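
Added example (not code from the paper): a Python sketch of the two detection measures in their original inter-arrival-time form, since the abstract does not say how the retransmission variants are computed. The function names, the text encoding, the use of zlib, the threshold 0.01 and the sample data are assumptions of this example.

```python
import random
import zlib

def epsilon_similarity(iats, eps):
    """Share of neighbouring sorted inter-arrival times whose relative
    difference is below eps (inter-arrival-time form of the measure)."""
    ordered = sorted(iats)
    diffs = [abs(b - a) / a for a, b in zip(ordered, ordered[1:]) if a > 0]
    if not diffs:
        return 0.0
    return sum(d < eps for d in diffs) / len(diffs)

def compressibility(iats, digits=3):
    """Ratio of uncompressed to compressed size of the concatenated
    textual inter-arrival times. The fixed-precision, ';'-separated
    encoding and zlib are assumptions of this example."""
    text = "".join(f"{t:.{digits}f};" for t in iats).encode("ascii")
    return len(text) / len(zlib.compress(text, 9))

def constructed_samples(n=200, seed=1):
    """Constructed data: a two-delay timing channel vs. exponential gaps."""
    rng = random.Random(seed)
    covert = [0.100 if i % 2 == 0 else 0.200 for i in range(n)]
    normal = [rng.expovariate(10.0) for _ in range(n)]
    return covert, normal

def score(iats, eps=0.01):
    """Both measures for one flow; higher values mean more regular timing."""
    return {"eps_similarity": epsilon_similarity(iats, eps),
            "compressibility": compressibility(iats)}

if __name__ == "__main__":
    covert, normal = constructed_samples()
    print("covert-like:", score(covert))
    print("normal-like:", score(normal))
```

On the constructed data the two-delay flow scores close to 1 for the similarity and compresses far better than the exponential flow, which is the regularity both measures are meant to expose.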

Notes

  1. https://scapy.net.

  2. https://www.wireshark.org/docs/man-pages/tshark.html.

Author information

Correspondence to Steffen Wendzel.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Zillien, S., Wendzel, S. (2018). Detection of Covert Channels in TCP Retransmissions. In: Gruschka, N. (eds) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science, vol 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_13

  • DOI: https://doi.org/10.1007/978-3-030-03638-6_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-03637-9

  • Online ISBN: 978-3-030-03638-6

  • eBook Packages: Computer Science, Computer Science (R0)
