Detecting IP covert timing channels by correlating packet timing with memory content

Current covert timing channel detection relies upon discerning the underlying regularity that must be present in the packet interarrival times (PIATs) in order for the channel to carry information. But it is not hard for a determined adversary to defeat detection. Existing algorithms look only at the PIATs. We hypothesized that detection could be improved by also exploiting knowledge about the system from which the exfiltration is occurring. In particular, the bits that are being extruded likely reside in memory at some point during the transmission. Any correlation between memory content and interpacket time delays, even a remote one, is no coincidence. It suggests an active timing channel. Furthermore, even if the data has been encrypted prior to transmission, at least a portion of the corresponding ciphertext should reside somewhere in the address space used by the rogue process. We tested this approach against an adversary applying increasingly sophisticated schemes to conceal an IP timing channel. Even when the attack escalated well beyond the level at which other detection methods failed, our method identified (and decoded) the covert communication.
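The detection idea above (correlate the observed PIAT sequence with candidate byte strings taken from the suspect process's memory, and decode the channel once a correlated region is found) can be illustrated with a small self-contained simulation. The code below is an added example, not the paper's implementation: the traffic generator `simulate_piats`, the memory snapshot in `build_memory`, the two-level timing scheme (short gap = 0, long gap = 1), the jitter parameters and the 0.5 correlation threshold are all constructed assumptions chosen for the illustration. The scan is byte-aligned and works on whatever bytes actually modulate the timing, so it applies equally to a ciphertext buffer, as the abstract notes.

```python
"""Added example (not from the paper): detect a simple covert timing channel
by correlating packet interarrival times (PIATs) with the bit pattern of
windows taken from a memory snapshot, then decode the channel.
All traffic and memory contents here are constructed for the illustration."""
import random


def bits_of(data: bytes) -> list:
    """MSB-first bit list of a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def simulate_piats(bits, rng, short=0.02, long=0.06, jitter=0.004):
    """Constructed stand-in for captured traffic: a two-level timing scheme
    where each bit selects a gap length, plus Gaussian network jitter (seconds)."""
    return [(long if b else short) + rng.gauss(0, jitter) for b in bits]


def correlation_score(piats, candidate: bytes) -> float:
    """Correlate the PIAT series with the bit pattern of a candidate buffer."""
    bits = bits_of(candidate)
    n = min(len(bits), len(piats))
    return pearson(piats[:n], [float(b) for b in bits[:n]])


def scan_memory(piats, memory: bytes, window: int, threshold=0.5):
    """Slide a byte-aligned window over a memory snapshot and report every
    offset whose bit pattern correlates with the PIATs above the threshold."""
    hits = []
    for off in range(0, len(memory) - window + 1):
        score = correlation_score(piats, memory[off:off + window])
        if score >= threshold:
            hits.append((off, score))
    return hits


def decode_piats(piats, midpoint: float) -> bytes:
    """Threshold decoder: a gap above the midpoint between the two gap
    lengths is read as 1; bits are packed MSB-first into bytes."""
    bits = [1 if g > midpoint else 0 for g in piats]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def build_memory(secret: bytes, rng, pad=200) -> bytes:
    """Constructed process memory snapshot: random filler with the buffer
    being leaked embedded at offset `pad`."""
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return filler(pad) + secret + filler(pad)


def run_demo(seed=7, secret=b"exfil-key"):
    """Full pipeline on constructed data; returns results for inspection."""
    rng = random.Random(seed)
    short, long = 0.02, 0.06
    piats = simulate_piats(bits_of(secret), rng, short, long)
    memory = build_memory(secret, rng)
    hits = scan_memory(piats, memory, window=len(secret))
    best_off, best_score = max(hits, key=lambda h: h[1])
    decoded = decode_piats(piats, (short + long) / 2)
    return {"best_offset": best_off, "best_score": best_score,
            "decoded": decoded, "hit_count": len(hits)}


if __name__ == "__main__":
    r = run_demo()
    print(f"strongest correlation at offset {r['best_offset']} "
          f"(r={r['best_score']:.3f}); decoded bytes: {r['decoded']!r}")
```

The scan reports the embedded buffer's offset (200 in this constructed snapshot) as the strongest hit, and the threshold decoder recovers the leaked bytes from the gaps alone. A real detector would replace the two-level decoder with whatever modulation the correlation reveals, and would scan every offset of a process dump rather than a short synthetic snapshot; the correlation step itself is unchanged.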