The capacity of undetectable on/off covert channel

Abstract

Almost all modern computer networks are based on TCP/IP protocol suite. However, structure features of IP allow constructing covert channels with high capacity using modification of inter-packets delays, packets’ header fields and packets lengths. A technique to eliminate such channels is traffic normalization which means sending packets with equal lengths and fixed header fields with equal inter-packets delays that leads to significant decreasing of efficient communication channels capacity and missing of functional capabilities of network protocols. Another way to counteract covert channel is to detect an active channel. Nevertheless, an attacker can reduce the covert channel capacity purposely to make it undetectable. We investigate on/off covert channel and give recommendations to choose the parameters of ε-similarity detection method with specified threshold values of covert channels capacity.