http://dx.doi.org/10.3837/tiis.2016.04.026

Detection and Parameter Estimation for Jitterbug Covert Channel Based on Coefficient of Variation  

Wang, Hao (School of Automation, Nanjing University of Science and Technology)
Liu, Guangjie (School of Automation, Nanjing University of Science and Technology)
Zhai, Jiangtao (School of Electronics and Information, Jiangsu University of Science and Technology)
Dai, Yuewei (School of Automation, Nanjing University of Science and Technology)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.10, no.4, 2016, pp. 1927-1943
Abstract
Jitterbug is a passive network covert timing channel that provides reliable, stealthy transmission. It also serves as the basis for several improved covert timing channels designed for higher undetectability. The existing entropy-based detection scheme relies on binning derived from training samples and may suffer from model mismatch, which degrades detection performance. In this paper, a new detection method based on the features of Jitterbug covert channel traffic is proposed. A fixed binning strategy that requires no training samples is used to obtain the bin distribution feature. The coefficient of variation (CV) is calculated for several sets of selected bins, and the weighted mean of these values gives the final CV used to distinguish Jitterbug from normal traffic. Furthermore, the timing window parameter of Jitterbug is estimated from the detected traffic. Experimental results show that the proposed detection method achieves high detection performance even under interference from network jitter, and that the parameter estimation method provides accurate values after a large number of detected samples have accumulated.
Keywords
covert channel detection; Jitterbug; coefficient of variation; parameter estimation;
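
The following is an added illustration of the detection idea summarized in the abstract, not the authors' algorithm or code. It assumes the usual Jitterbug encoding, in which delays are added so that each inter-packet delay (IPD) modulo the timing window w is 0 or w/2; the bin width, set size, threshold, weighting by sample count and the synthetic traffic are all assumptions made for the example.

```python
import random
import statistics

BIN_MS = 1.0     # fixed bin width, no training data needed (assumed value)
RANGE_MS = 600   # histogram covers IPDs in [0, RANGE_MS) ms (assumed value)
SET_SIZE = 10    # adjacent bins grouped into one set (assumed value)
THRESHOLD = 1.0  # decision threshold on the weighted CV (assumed value)

def jitterbug_ipds(base_ipds, bits, w_ms, jitter_ms, rng):
    """Delay each IPD so that IPD mod w is 0 (bit 0) or w/2 (bit 1),
    then add Gaussian network jitter as seen by a remote observer."""
    out = []
    for d, bit in zip(base_ipds, bits):
        target = w_ms / 2 if bit else 0.0
        delay = (target - d) % w_ms          # always in [0, w)
        out.append(d + delay + rng.gauss(0.0, jitter_ms))
    return out

def weighted_cv(ipds):
    """CV (std/mean) of bin counts per set of adjacent bins, averaged
    with each set weighted by the number of samples it holds."""
    nbins = int(RANGE_MS / BIN_MS)
    counts = [0] * nbins
    for d in ipds:
        i = round(d / BIN_MS)
        if 0 <= i < nbins:
            counts[i] += 1
    acc, weight = 0.0, 0
    for s in range(0, nbins, SET_SIZE):
        group = counts[s:s + SET_SIZE]
        n = sum(group)
        if n == 0:
            continue                         # empty set carries no evidence
        acc += n * statistics.pstdev(group) / statistics.mean(group)
        weight += n
    return acc / weight if weight else 0.0

def is_jitterbug(ipds):
    return weighted_cv(ipds) > THRESHOLD

def demo(seed=1):
    """Constructed sample traffic: gamma-distributed IPDs stand in for
    normal keystroke timing; the covert stream uses w = 20 ms."""
    rng = random.Random(seed)
    normal = [rng.gammavariate(4, 50) for _ in range(6000)]
    bits = [rng.getrandbits(1) for _ in normal]
    covert = jitterbug_ipds(normal, bits, 20.0, 0.3, rng)
    return normal, covert
```

Normal traffic spreads smoothly across neighbouring bins and yields a low weighted CV, while Jitterbug traffic piles up in every (w/2)-th bin and pushes the CV well above the threshold even with jitter added.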