As part of a broader organisational restructure, data networking research at Swinburne University of Technology has moved from the Centre for Advanced Internet Architecture (CAIA) to the Internet For Things (I4T) Research Lab.

Although CAIA no longer exists, this website reflects CAIA's activities and outputs between March 2002 and February 2017, and is being maintained as a service to the broader data networking research community.

Performance of Selected Noisy Covert Channels and Their Countermeasures in IP Networks

Encryption alone secures communication by preventing adversaries from easily decoding one’s transmissions. Covert channels go one step further by attempting to hide the very existence of communication. They hide inside legitimate overt network traffic. Huge amounts of traffic make the Internet an ideal vehicle for covert communications.

Most existing covert channels are simple and in principle easy to detect or eliminate. The more complex channels are usually harder to detect and eliminate, but typically suffer from channel noise. Previous work has only partly analysed the performance of noisy channels and their countermeasures and has not compared different types of channels.

We characterise the trade-offs between channel simplicity, capacity and ease of detection and elimination by investigating the performance of selected noisy covert channels and their countermeasures. Not all chosen channels are entirely new, but we propose novel improved encoding schemes. We also develop techniques for reliable data transmission. We analyse the theoretical channel capacities as well as empirically measure achievable throughputs. We show that the Internet’s potential to support more sophisticated covert channels is considerably greater than suggested by most existing simple channels.

First, we analyse a channel in the IP Time-to-live (TTL) header field. We develop new stealthier encoding schemes that also provide a slightly increased capacity. The channel has a comparatively high capacity of up to a few hundred bits per second depending on the overt traffic, but is easy to detect and eliminate. Next, we analyse an inter-packet gap timing channel. We develop novel stealthy encoding schemes because previous schemes are easy to detect. The channel only has up to 70–80% of the TTL channel’s capacity, but is harder to detect. However, it can still be eliminated.

Then we propose and analyse a novel indirect channel in multiplayer game traffic. The channel is impractical to eliminate, but is still detectable. The capacity is up to 10–20 bits per second – lower than that of direct channels. Next, we analyse an indirect timing channel that transmits bits via temperature changes. We develop an improved version of the channel that has increased capacity. Still, the capacity is only 10–20 bits per hour, but the channel is potentially hard to detect and eliminate.

Finally, we develop techniques to detect and eliminate the covert channels and evaluate their effectiveness. While the proposed elimination methods are effective, they are channel-specific; we demonstrate that machine-learning techniques detect different covert channels with over 95% accuracy.

Intro

Chapter 1: Introduction 

Chapter 2: Covert Channels

Chapter 3: Time-to-Live Covert Channels 

Chapter 4: Packet-Timing Covert Channels 

Chapter 5: Covert Channels in Multiplayer Games

Chapter 6: Temperature-based Covert Channels 

Chapter 7: Countermeasures 

Chapter 8: Conclusions and Future Work 

References 

Appendix A: Covert Channels Software Framework 

Appendix B: Time-to-Live Covert Channels 

Appendix C: Packet Timing Covert Channels 

Appendix D: Covert Channels in Multiplayer Games 

Appendix E: Temperature-based Covert Channels 

Appendix F: Netem Accuracy


Last Updated: Tuesday 14-Feb-2017 20:19:28 AEDT | Maintained by: Sebastian Zander (szander@swin.edu.au) | Authorised by: Grenville Armitage (garmitage@swin.edu.au)