Abstract
Despite extensive research on malware and Trojan horses, covert channels are still among the top computer security threats. These attacks, which are launched using specially-crafted content or by manipulating timing characteristics, transmit sensitive information to adversaries while remaining undetected. Current detection approaches typically analyze deviations from legitimate network traffic statistics. These approaches, however, are not applicable to highly dynamic, noisy environments, such as cloud computing environments, because they rely heavily on historical traffic and tedious model training. To address these challenges, we present a real-time, wavelet-based approach for detecting covert timing channels. The novelty of the approach comes from leveraging a secure virtual machine to mimic a vulnerable virtual machine. A key advantage is that the detection approach does not require historical traffic data. Experimental results demonstrate that the approach exhibits good overall performance, including a high detection rate and a low false positive rate.
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Liu, A., Chen, J., Wechsler, H. (2013). Real-Time Covert Timing Channel Detection in Networked Virtual Environments. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics IX. DigitalForensics 2013. IFIP Advances in Information and Communication Technology, vol 410. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41148-9_19
DOI: https://doi.org/10.1007/978-3-642-41148-9_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41147-2
Online ISBN: 978-3-642-41148-9
eBook Packages: Computer Science, Computer Science (R0)