Title :
Leveraging Statistical Feature Points for Generalized Detection of Covert Timing Channels
Author :
Shrestha, Pradhumna L. ; Hempel, Michael ; Rezaei, Fatemeh ; Sharif, Hamid
Author_Institution :
Comput. & Electron. Eng. Dept., Univ. of Nebraska - Lincoln, Omaha, NE, USA
Abstract :
Covert channels exploit network resources never intended for communication in order to transfer messages that conventional security measures such as intrusion detection systems and firewalls cannot detect. Because covert communication provides a means to transfer messages secretly, it poses a grave cyber security threat. Most research on detecting covert timing channels focuses on a specific type of covert channel implementation and cannot be generalized to detect all covert channels. The most notable work in universal detection was published by Gianvecchio et al. in 2011: they evaluated the corrected conditional entropy (CCE) of the inter-packet arrival times and built a classifier on those measurements. However, we show in this paper that the CCE fails to detect covert communications when the covert message is short. We also show that it is not possible to train the classifier on such short covert messages, because the CCE is a parameter based on the statistical distribution of the traffic, and small traffic samples may not adequately reflect the properties of the whole population. We show that the variance of the CCE remains a viable parameter for detecting covert traffic, and we introduce the autocorrelation function of the traffic channel as an additional statistical parameter for detecting covert channels. Finally, we propose building an SVM (Support Vector Machine) classifier that uses these parameters as feature points for reliable and generalized detection of covert channels, and we show that it has superior performance.
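The three feature points named in the abstract (the CCE of the inter-packet delays, the variance of the CCE across windows of the trace, and the autocorrelation function) can be computed from a delay sequence as follows. This is an added illustration written for this record, not code from the paper or from Gianvecchio et al.; it follows the published CCE definition (equiprobable bins fixed from a legitimate reference trace, CCE(m) = CE(m) + perc(m) * EN(1), estimate = min over m), with the bin count Q = 5, the pattern length limit, the window size, and all traffic traces chosen here as assumptions. The legitimate and covert traces are constructed (iid exponential delays, and delays encoding message bits), not captured data, and the SVM that the paper trains on these features is left out so the block runs with the standard library alone.

```python
"""Statistical feature points for covert timing channel detection:
corrected conditional entropy (CCE), its variance over windows, and the
autocorrelation function (ACF) of inter-packet delays."""
import math
import random
import statistics
from bisect import bisect_right
from collections import Counter


def quantile_edges(reference, q):
    """Bin edges at the sample quantiles of a reference (legitimate) trace,
    so that legitimate delays fall into q equiprobable bins."""
    ordered = sorted(reference)
    n = len(ordered)
    return [ordered[(i * n) // q] for i in range(1, q)]


def bin_symbols(delays, edges):
    """Map each delay to its bin index (0 .. len(edges))."""
    return [bisect_right(edges, d) for d in delays]


def pattern_entropy(symbols, m):
    """Empirical entropy (bits) of length-m symbol patterns, plus the fraction
    of patterns that occur exactly once (the 'perc' correction term)."""
    patterns = [tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1)]
    total = len(patterns)
    counts = Counter(patterns)
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    unique_frac = sum(1 for c in counts.values() if c == 1) / total
    return entropy, unique_frac


def cce(delays, edges, max_m=6):
    """Corrected conditional entropy estimate of a delay sequence:
    min over m of CE(m) + perc(m) * EN(1), where CE(m) = EN(m) - EN(m-1)
    and EN(m) is the entropy of length-m bin patterns. Regular (low entropy
    rate) timing gives a value near 0; unpredictable timing stays high."""
    if not delays:
        return 0.0
    symbols = bin_symbols(delays, edges)
    en1, _ = pattern_entropy(symbols, 1)
    previous, best = 0.0, math.inf
    for m in range(1, min(max_m, len(symbols)) + 1):
        en_m, perc = pattern_entropy(symbols, m)
        # Finite-sample noise can push EN(m) - EN(m-1) slightly below zero.
        ce = max(0.0, en_m - previous)
        best = min(best, ce + perc * en1)
        previous = en_m
    return best


def cce_variance(delays, edges, window, step=None):
    """Variance of the CCE across sliding windows of the trace."""
    step = step or window
    values = [cce(delays[i:i + window], edges)
              for i in range(0, len(delays) - window + 1, step)]
    return statistics.pvariance(values) if len(values) > 1 else 0.0


def acf(delays, max_lag):
    """Sample autocorrelation function r(0..max_lag) of the delay sequence."""
    n = len(delays)
    mean = sum(delays) / n
    dev = [d - mean for d in delays]
    denom = sum(x * x for x in dev)
    if denom == 0.0:  # constant trace: no variance to correlate
        return [1.0] + [0.0] * max_lag
    return [sum(dev[i] * dev[i + k] for i in range(n - k)) / denom
            for k in range(max_lag + 1)]


def feature_vector(delays, edges, window=20, max_lag=3):
    """Feature points for a classifier: CCE, variance of CCE over windows,
    and the ACF at lags 1..max_lag (an SVM would be trained on these; the
    classifier itself is outside this example)."""
    return [cce(delays, edges), cce_variance(delays, edges, window)] + acf(delays, max_lag)[1:]


def covert_delays(message, zero=0.1, one=0.3):
    """Toy binary covert timing channel: one delay value per message bit."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    return [one if bit else zero for bit in bits]


# Constructed traffic (not measured data): iid exponential delays stand in
# for legitimate traffic; the covert traces encode bits as fixed delays.
_rng = random.Random(7)
LEGIT = [_rng.expovariate(10.0) for _ in range(400)]
ALTERNATING = [0.1, 0.3] * 50           # covert channel sending 0101...
SHORT_COVERT = covert_delays(b"HELLO")  # a 40-bit covert message

if __name__ == "__main__":
    edges = quantile_edges(LEGIT, 5)
    for name, trace in [("legit", LEGIT), ("alternating", ALTERNATING),
                        ("short covert", SHORT_COVERT)]:
        print(f"{name:13s} features = {[round(f, 3) for f in feature_vector(trace, edges)]}")
```

On these constructed traces the alternating covert channel has a CCE of about 0 and a lag-1 autocorrelation near -1, while the iid legitimate trace keeps a CCE above 1.5 bits and a lag-1 autocorrelation near 0; the variance of the CCE over 20-packet windows is exactly 0 for the periodic channel and positive for the legitimate one. This toy does not reproduce the paper's finding that the CCE alone is unreliable on short covert messages, which depends on the real traffic used there; it only shows how the feature points are obtained.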
Keywords :
firewalls; security of data; statistical distributions; support vector machines; telecommunication channels; telecommunication security; telecommunication traffic; autocorrelation function; covert communications; covert message; covert timing channels generalized detection; cyber security; firewalls; intrusion detection systems; statistical distribution; statistical feature points; support vector machine classifier system; Correlation; Entropy; Histograms; Reliability; Security; Support vector machines; Timing; Autocorrelation Function; Conditional Corrected Entropy; Covert Channel; Entropy; Statistics; Universal Detection;
Conference_Titel :
Military Communications Conference (MILCOM), 2014 IEEE
Conference_Location :
Baltimore, MD
DOI :
10.1109/MILCOM.2014.10