Detection of TCP covert channel based on Markov model

Telecommunication Systems

Abstract

A network covert channel is a covert communication method that hides covert messages inside overt network packets. In recent years, with the development of various hiding methods, network covert channels have become a new kind of threat to network security. A covert channel that exploits the redundancies in the TCP protocol to hide data is called a TCP covert channel. In this paper, the behaviour of TCP flows is modelled as a Markov chain whose states are the states of the TCP packets, and the abnormality caused by a TCP covert channel is described by the difference between the overt and covert TCP transition probability matrices. A detection method based on the maximum a posteriori (MAP) criterion is proposed to detect covert communication hidden in TCP flows under various applications such as HTTP, FTP, TELNET, SSH and SMTP. Experiments show that the proposed algorithm achieves better detection performance than the existing methods.
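The modelling and decision steps described in the abstract, as an added example that is not the paper's code: each packet of a flow is reduced to a state, overt and covert transition matrices are estimated from labelled training flows, and a flow is classified by the MAP rule. The state alphabet (TCP flag combinations), the training flows and the prior are constructed here for illustration; the paper's own state definition is not given on this page.

```python
"""Markov-chain / MAP detector for TCP flows (added example, not the paper's code)."""
import math

# Constructed state alphabet (assumption): SYN, SYN-ACK, ACK, PSH-ACK, FIN-ACK.
STATES = ["S", "SA", "A", "PA", "FA"]
IDX = {s: i for i, s in enumerate(STATES)}

def estimate_matrix(flows, alpha=1.0):
    """Transition probability matrix estimated from state sequences, with
    additive (Laplace) smoothing so that unseen transitions never get p = 0."""
    n = len(STATES)
    counts = [[alpha] * n for _ in range(n)]
    for flow in flows:
        for a, b in zip(flow, flow[1:]):
            counts[IDX[a]][IDX[b]] += 1
    return [[c / sum(row) for c in row] for row in counts]

def log_likelihood(flow, matrix):
    """log P(flow | model) under a first-order Markov chain (initial state ignored)."""
    return sum(math.log(matrix[IDX[a]][IDX[b]]) for a, b in zip(flow, flow[1:]))

def matrix_distance(m1, m2):
    """L1 distance between two transition matrices: the overt/covert gap the
    detector relies on."""
    return sum(abs(a - b) for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))

def map_detect(flow, overt_m, covert_m, p_covert=0.1):
    """MAP decision: flag covert iff
    log P(flow|covert) + log P(covert) > log P(flow|overt) + log P(overt).
    Returns (is_covert, score); score > 0 means covert."""
    score = (log_likelihood(flow, covert_m) + math.log(p_covert)
             - log_likelihood(flow, overt_m) - math.log(1.0 - p_covert))
    return score > 0, score

# Constructed training flows (assumption): normal request/response pattern versus
# a flow whose transition pattern has been disturbed by hidden data.
OVERT_TRAIN = [["S", "SA", "A", "PA", "A", "PA", "A", "FA", "A"],
               ["S", "SA", "A", "PA", "A", "PA", "A", "PA", "A", "FA", "A"]]
COVERT_TRAIN = [["S", "SA", "A", "PA", "PA", "PA", "A", "PA", "PA", "FA", "A"],
                ["S", "SA", "A", "PA", "PA", "A", "PA", "PA", "PA", "FA", "A"]]
OVERT_M = estimate_matrix(OVERT_TRAIN)
COVERT_M = estimate_matrix(COVERT_TRAIN)

if __name__ == "__main__":
    print("matrix distance:", round(matrix_distance(OVERT_M, COVERT_M), 3))
    for f in (["S", "SA", "A", "PA", "PA", "PA", "FA", "A"], ["S", "SA", "A", "PA", "A", "FA", "A"]):
        print(f, "->", map_detect(f, OVERT_M, COVERT_M))
```

The smoothing constant and the prior P(covert) are tuning knobs: a small prior makes the detector conservative, so the covert likelihood must clearly dominate before a flow is flagged.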




Acknowledgements

This study was supported by the Post Doctor Foundation of China (Grant No. 20070421017), NSF of Jiangsu province (Grant No. BK2008403, BK2010484), NSF (Grant No. 61103201, 61170250, 61272421) and NUST Research Funding (Grant No. 2010ZYTS048).


Correspondence to Guangjie Liu.


Cite this article

Zhai, J., Liu, G. & Dai, Y. Detection of TCP covert channel based on Markov model. Telecommun Syst 54, 333–343 (2013). https://doi.org/10.1007/s11235-013-9737-7
