Weaknesses of popular and recent covert channel detection methods and a remedy
IEEE Transactions on Dependable and Secure Computing. Vol. 20. No. 6. Institute of Electrical and Electronics Engineers (IEEE) 2023 pp. 5156 - 5157
Year of publication: 2023
Publication type: Journal article
Language: English
Doi/URN: 10.1109/tdsc.2023.3241451
Verified | Library |
Abstract
Network covert channels are applied for the secret exfiltration of confidential data, the stealthy operation of malware, and legitimate purposes, such as censorship circumvention. In recent decades, some major detection methods for network covert channels have been developed. In this paper, we investigate two highly cited detection methods for covert timing channels, namely ϵ-similarity and compressibility score from Cabuk et al. (jointly cited by 930 papers and applied by thousands of researchers). We additionally analyze two recent ML-based detection methods: GAS (2022) and SnapCatch (2021). While all these detection methods must be considered valuable for the analysis of typical covert timing channels, we show that these methods are not reliable when a covert channel's behavior is slightly modified. In particular, we demonstrate that when confronted with a simple covert channel that we call ϵ-κlibur, all detection methods can be circumvented or their performance can be significantly reduced although the covert channel still provides a high bitrate. In comparison to previous timing channels that circumvent these methods, ϵ-κlibur is much simpler and eliminates the need of altering previously recorded traffic. Moreover, we propose an enhanced ϵ-similarity that can detect the classical covert timing channel as well as ϵ-κlibur.
Classification
DFG subject area:
Computer Science
DDC subject group:
Computer Science