
Detecting Covert Timing Channels: An Entropy-Based Approach

Steven Gianvecchio and Haining Wang, College of William and Mary



  1. Detecting Covert Timing Channels: An Entropy-Based Approach. Steven Gianvecchio, Haining Wang, College of William and Mary

  2. Outline: Background; Covert Timing Channels; Detection Methods; Entropy-Based Approach; Experimental Evaluation; Potential Countermeasures; Conclusion


  4. Background: Covert Channels • a covert channel manipulates a shared resource to transfer information • the goal is to hide communication (or hide extra communication) with a host, e.g., to steal sensitive data (keys or passwords) or to hide other illicit communications

  5. Background: Types of Covert Channels • the kind of shared resource determines the type of channel • covert storage channels, e.g., packet header fields • covert timing channels, e.g., packet arrival times

  6. Outline: Background; Covert Timing Channels; Detection Methods; Entropy-Based Approach; Experimental Evaluation; Potential Countermeasures; Conclusion

  7. Covert Timing Channels: Types of Covert Timing Channels • active – generates additional traffic • passive – manipulates existing traffic [figure: Scenario 1 can be active or passive; Scenario 2 is passive]

  8. Covert Timing Channels: • IP Covert Timing Channel or IPCTC (Cabuk 2004) • Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006) • JitterBug (Shah 2006)

  9. Covert Timing Channels • IP Covert Timing Channel or IPCTC (Cabuk 2004) • 1-bit: send a packet during the time interval t • 0-bit: do nothing [figure: successive intervals of length t carrying 1-bit, 0-bit, 1-bit, 0-bit]

  10. Covert Timing Channels • Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006) • replay a sample of legitimate traffic • the sample is split at a cutoff: bin 0 < cutoff < bin 1 • 1-bit: replay a delay from bin 1 • 0-bit: replay a delay from bin 0 • by construction, the distribution of inter-packet delays is close to the legitimate distribution

  11. Covert Timing Channels • JitterBug (Shah 2006) • 0-bit: increase the delay until it is 0 modulo w • 1-bit: increase the delay until it is ceil(w/2) modulo w • the timing window w is the maximum delay that can be added • for small w, the distribution of inter-packet delays is close to the legitimate distribution

  12. Outline: Background; Covert Timing Channels; Detection Methods; Entropy-Based Approach; Experimental Evaluation; Potential Countermeasures; Conclusion

  13. Detection Methods: Types of Detection Tests • shape – relates to first-order statistics (statistics of single values), invariant under permutations of the data • regularity – relates to second- or higher-order statistics (statistics of pairs, triples, etc.)

  14. Detection Methods: Tests of Shape • Kolmogorov-Smirnov test – where s1 and s2 are the distribution functions being compared. Tests of Regularity • the regularity test (Cabuk 2004)

  15. Motivation • there are a number of other tests • however, no previous test is effective at detecting a wide range of different covert timing channels • our goal is to develop a better solution: an entropy-based approach using entropy and conditional entropy

  16. Outline: Background; Covert Timing Channels; Detection Methods; Entropy-Based Approach; Experimental Evaluation; Potential Countermeasures; Conclusion

  17. Entropy • in general, the creation of covert timing channels has some effect on entropy • entropy is a measure of information • covert timing channels transfer information [figure: entropy-rate scale from 0 (regular, predictable) through complex to the maximum (random, unpredictable)]

  18. Entropy • the entropy of a series • the conditional entropy of a series • the entropy rate of a process

  19. Entropy Estimation • the data is binned into Q bins, e.g., 0.0 < bin1 ≤ 0.22, 0.22 < bin2 ≤ 0.51, etc. • the “true” probabilities are replaced with empirical probabilities of bin sequences • the entropy estimate is EN • the conditional entropy estimate is CE

  20. Entropy • CE tends to 0 as m increases [graph of CE (entropy, 0.0 to 2.2) against m (1 to 15), adapted from Porta 1998]

  21. Entropy • CCE adds a corrective term to CE [graph of CE and CCE against m, adapted from Porta 1998]

  22. Entropy • the minimum of CCE is the best choice for m; in the graph the minimum is at m=4 [graph of CCE against m, adapted from Porta 1998]

  23. Entropy-Based Approach • the corrected conditional entropy test (Porta 1998) estimates the entropy rate: Q=5, m varies • the entropy test estimates the first-order entropy: Q=2^16, m=1
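The shape test of slide 14 and the entropy estimates of slides 18–23, worked through as an added example; this is not code from the slides or from the authors' implementation. It assumes Porta's (1998) form of the corrective term, perc(m)·EN(1) (perc(m) being the fraction of length-m patterns that occur only once), which the slides cite but do not spell out, and it derives equiprobable bin boundaries from a constructed reference sample in place of real legitimate traffic. All inputs are constructed with a seeded generator, not captured traffic.

```python
import math
import random
from bisect import bisect_left
from collections import Counter


def ks_statistic(sample1, sample2):
    """Two-sample Kolmogorov-Smirnov statistic: max |S1(x) - S2(x)| over x,
    where S1 and S2 are the empirical distribution functions of the samples."""
    a, b = sorted(sample1), sorted(sample2)
    n1, n2 = len(a), len(b)
    i = j = 0
    d = 0.0
    while i < n1 and j < n2:
        x = min(a[i], b[j])
        # advance both EDFs past every observation <= x, then compare them at x
        while i < n1 and a[i] <= x:
            i += 1
        while j < n2 and b[j] <= x:
            j += 1
        d = max(d, abs(i / n1 - j / n2))
    return d


def quantile_bins(reference, q):
    """Cut points splitting a reference sample into q roughly equiprobable bins.
    Assumption: the constructed reference sample stands in for legitimate traffic."""
    xs = sorted(reference)
    n = len(xs)
    return [xs[(i * n) // q] for i in range(1, q)]


def bin_series(series, cuts):
    """Map each delay to a bin index 0..Q-1 (upper edge inclusive, as on slide 19)."""
    return [bisect_left(cuts, x) for x in series]


def entropy(symbols, m):
    """EN(m): Shannon entropy (bits) of the empirical distribution of length-m patterns."""
    if m == 0:
        return 0.0
    patterns = [tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1)]
    total = len(patterns)
    return -sum((c / total) * math.log2(c / total) for c in Counter(patterns).values())


def conditional_entropy(symbols, m):
    """CE(m) = EN(m) - EN(m-1): uncertainty of the next symbol given the previous m-1."""
    return entropy(symbols, m) - entropy(symbols, m - 1)


def corrected_conditional_entropy(symbols, m):
    """CCE(m) = CE(m) + perc(m) * EN(1), Porta's (1998) corrective term (assumed form):
    perc(m) is the fraction of positions whose length-m pattern occurs exactly once,
    which counters CE collapsing to 0 merely because long patterns become unique."""
    patterns = [tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1)]
    counts = Counter(patterns)
    perc = sum(1 for c in counts.values() if c == 1) / len(patterns)
    return conditional_entropy(symbols, m) + perc * entropy(symbols, 1)


def cce_test(delays, cuts, max_m=15):
    """CCE test: Q fixed by `cuts`, m varied; the score is the minimum CCE over m.
    Returns (min CCE, the m at which it occurs)."""
    symbols = bin_series(delays, cuts)
    scores = {m: corrected_conditional_entropy(symbols, m) for m in range(1, max_m + 1)}
    best_m = min(scores, key=scores.get)
    return scores[best_m], best_m


def en_test(delays, cuts):
    """Entropy test: first-order entropy EN(1) over a fine binning (Q = 2^16 on slide 23)."""
    return entropy(bin_series(delays, cuts), 1)


def run_demo():
    """Constructed inputs (not real traffic):
      legit     - 2000 i.i.d. exponential inter-packet delays (stand-in for legitimate traffic)
      reordered - the same 2000 delays sorted: identical shape, highly regular order
      coarse    - legit rounded to a 10 ms grid: distorted shape
    """
    rng = random.Random(1)
    legit = [rng.expovariate(10.0) for _ in range(2000)]
    reordered = sorted(legit)
    coarse = [round(x, 2) for x in legit]
    cce_cuts = quantile_bins(legit, 5)        # Q = 5 for CCE (slide 23)
    en_cuts = quantile_bins(legit, 2 ** 16)   # Q = 2^16 for EN (slide 23)
    return {
        "ks_reordered": ks_statistic(legit, reordered),  # 0.0: a shape test cannot see order
        "ks_coarse": ks_statistic(legit, coarse),
        "en_legit": en_test(legit, en_cuts),
        "en_reordered": en_test(reordered, en_cuts),     # equal to en_legit: same multiset
        "en_coarse": en_test(coarse, en_cuts),           # far lower: few distinct values
        "cce_legit": cce_test(legit, cce_cuts),
        "cce_reordered": cce_test(reordered, cce_cuts),  # near 0: order is predictable
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:14s} {value}")
```

The sorted copy reproduces the property slide 30 attributes to TRCTC: the KS statistic is exactly 0 and EN is unchanged because the multiset of delays is identical, yet the CCE score falls from roughly the log of the bin count to near 0 because every bin symbol is followed by itself. The rounded copy shows the complementary case: order is untouched, but the shape has changed, and both KS and EN move. Bin boundaries are fixed from the reference sample before any test sample is scored, as a detector deployed on a network would fix them from a legitimate training set.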

  24. Outline: Background; Covert Timing Channels; Detection Methods; Entropy; Experimental Evaluation; Potential Countermeasures; Conclusion

  25. Experimental Evaluation • Covert Timing Channels: • IPCTC • TRCTC • JitterBug • Detection Tests: • regularity test (regularity) • Kolmogorov-Smirnov test (KSTEST) • entropy test (EN) • corrected conditional entropy test (CCE)

  26. Experimental Evaluation: IPCTC • 100 × 2000 HTTP inter-packet delays • enhancement: the time interval t is rotated among 40ms, 60ms, and 80ms, which avoids creating a regular pattern at multiples of the time interval t

  27. Experimental Evaluation • IPCTC test scores


  29. Experimental Evaluation • IPCTC detection rates

  30. Experimental Evaluation: TRCTC • 100 × 2000 HTTP inter-packet delays • the distribution of inter-packet delays is close to the legitimate distribution, but with no correlations

  31. Experimental Evaluation • TRCTC test scores

  32. Experimental Evaluation • CCE scores, TRCTC vs. LEGIT [plot]

  33. Experimental Evaluation • TRCTC detection rates

  34. Experimental Evaluation: JitterBug • 100 × 2000 SSH inter-packet delays • the distribution of inter-packet delays is close to the legitimate distribution, but with small delays added • enhancement: a random sequence s_i is subtracted before the modulo operation, which avoids creating a regular pattern at multiples of the timing window w

  35. Experimental Evaluation • JitterBug test scores

  36. Experimental Evaluation • EN scores, JitterBug vs. LEGIT [plot]

  37. Experimental Evaluation • JitterBug detection rates

  38. Outline: Background; Covert Timing Channels; Detection Methods; Entropy; Experimental Evaluation; Potential Countermeasures; Conclusion

  39. Potential Countermeasures • TRCTC: replay longer correlated sequences; this would reduce the capacity • JitterBug: use a smaller timing window w; again, this would reduce the capacity

  40. Conclusion • the regularity test has problems with the high variation of legitimate traffic: it fails for all covert timing channels tested • the Kolmogorov-Smirnov test has problems when the distribution of covert traffic is close to the distribution of legitimate traffic: it fails for JitterBug and TRCTC

  41. Conclusion • CCE detects abnormal regularity • EN detects abnormal shape • In combination, our entropy-based approach is effective on all of the covert timing channels tested

  42. Questions? Thank You!
