Talks and Poster Presentations (with Proceedings-Entry):
F. Iglesias Vazquez, T. Zseby:
"Are Network Covert Timing Channels Statistical Anomalies?";
Talk: ARES Conference 2017,
Reggio Calabria, Italy;
- 09-01-2017; in: "Proceedings of the 12th International Conference on Availability, Reliability and Security (ARES'17), Workshop on Criminal Use of Information Hiding (CUIng)",
Covert channels exploit communication protocols to clandestinely transfer information. They enable criminals to hide malicious activities and can be used for secret data exfiltration, malware spreading, or the stealthy establishment of command and control structures. In this paper we study covert timing channels from a statistical perspective and investigate whether they can be identified as anomalies with unsupervised learning methods. We use a testbed to generate covert timing channels based on seven popular techniques and inject them into real captured traffic. The final datasets are analyzed with diverse outlier detection and classification algorithms. Our results show that, based on their statistical properties, covert channels do not occupy low-density regions or take extreme values in the problem space, and therefore are not detectable as strong anomalies. However, they present traceable profiles that can be abstracted by supervised learning models. Such findings reveal that approaching the detection of novel (and classic) covert timing channels from an anomaly-detection perspective will probably fail or not suffice; instead, they must be identified based on their similarity to known schemes, using supervised and semi-supervised approaches.
traffic analysis; covert timing channels; anomaly detection; machine learning; outlier analysis
Created from the Publication Database of the Vienna University of Technology.