Towards a reliable detection of covert timing channels over real-time network traffic

Abstract

Inter-packet delays (IPD) of legitimate network traffic can be exploited for information hiding purposes and distribution of secret and sensitive data. This process is known as Covert Timing Channel (CTC), which is usually used for malicious purposes. In this paper we propose a novel approach, CTC Real-Time Detection (CTCRTD) to detect such activities based on IPD distributions of network traffic. We present and leverage three different non-parametric statistical tests that can be used to generate distinct statistical test scores for overt and covert traffic IPDs. Our new detection approach is designed around two major benefits: First, the new detection approach can detect various CTC algorithms that have similar impact on network traffic IPD distributions. Second, our detection approach reliably detects covert communication over real-time network traffic with minimal lag between the start of covert activity and the point of detection. We have evaluated and verified the reliability and effectiveness of our detection approach utilizing a large number of overt and covert traffic streams and various scenarios of the proposed detection technique. The obtained results show that the new detection approach can precisely differentiate between overt and covert network traffic and detect covert communication activities over 90 percent of time on average.