Slide 1: Detecting Covert Timing Channels: An Entropy-Based Approach
Steven Gianvecchio, Haining Wang
College of William and Mary
ACM CCS 2007

Slide 2: Outline
- Background
- Covert Timing Channels
- Detection Methods
- Entropy-Based Approach
- Experimental Evaluation
- Potential Countermeasures
- Conclusion

Slide 3: Background
Covert Channels:
- covert channel: manipulates a shared resource to transfer information
- The goal is to hide communication (or hide extra communication) with a host
  - steal sensitive data (e.g., keys or passwords)
  - hide other illicit communications

Slide 4: Background
Types of Covert Channels:
- The shared resource determines the type
- covert storage channels, e.g., packet header fields
- covert timing channels, e.g., packet arrival times

Slide 5: Outline (section: Covert Timing Channels)

Slide 6: Covert Timing Channels
Types of Covert Timing Channels:
- active: generates additional traffic
- passive: manipulates existing traffic
[Figure: two scenarios. Scenario 1: a compromised machine runs a covert timing channel (active or passive) through a firewall / IDS. Scenario 2: a compromised input device drives a covert timing channel (passive) through a firewall / IDS.]

Slide 7: Covert Timing Channels
Covert Timing Channels:
- IP Covert Timing Channel or IPCTC (Cabuk 2004)
- Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
- JitterBug (Shah 2006)

Slide 8: Covert Timing Channels
IP Covert Timing Channel or IPCTC (Cabuk 2004)
- 1-bit: send a packet
- 0-bit: do nothing
[Figure: a timeline divided into intervals of length t; an interval that contains a packet encodes a 1-bit, an empty interval a 0-bit.]

Slide 9: Covert Timing Channels
Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
- replay a sample of legitimate traffic
- bin 0 < cutoff < bin 1
- 1-bit: replay from bin 1
- 0-bit: replay from bin 0
- by construction, the distribution of inter-packet delays is close to the legitimate distribution

Slide 10: Covert Timing Channels
JitterBug (Shah 2006)
- 0-bit: increase to modulo w
- 1-bit: increase to modulo ceil(w/2)
- timing window w is the maximum delay that can be added
- for small w, the distribution of inter-packet delays is close to the legitimate distribution

Slide 11: Outline (section: Detection Methods)

Slide 12: Detection Methods
Types of Detection Tests:
- shape: relates to first-order statistics
  - statistics of singles
  - invariant on permutations of the data
- regularity: relates to second- or higher-order statistics
  - statistics of doubles, triples, etc.

Slide 13: Detection Methods
Tests of Shape:
- Kolmogorov-Smirnov test (KSTEST): $\max_x |s_1(x) - s_2(x)|$, where $s_1$ and $s_2$ are distribution functions
Tests of Regularity:
- The regularity test (Cabuk 2004): $\text{regularity} = \mathrm{STDEV}\left(\frac{|\sigma_i - \sigma_j|}{\sigma_i},\ i < j,\ \forall i, j\right)$, where $\sigma_i$ is the standard deviation of the i-th window of inter-packet delays

Slide 14: Motivation
- There are a number of other tests
- However, no previous test is effective at detecting a wide range of different covert timing channels
- Our goal is to develop a better solution
  - entropy-based approach
  - entropy and conditional entropy

Slide 15: Outline (section: Entropy-Based Approach)

Slide 16: Entropy
- In general, the creation of covert timing channels has some effect on entropy
  - entropy is a measure of information
  - covert timing channels transfer information
[Figure: entropy rate scale from 0 (regular, predictable) through complex to max (random, unpredictable).]

Slide 17: Entropy
- The entropy of a series: $H(x_1, \ldots, x_m) = -\sum_{x_1, \ldots, x_m} P(x_1, \ldots, x_m) \log P(x_1, \ldots, x_m)$
- The conditional entropy of a series: $H(x_m \mid x_1, \ldots, x_{m-1}) = H(x_1, \ldots, x_m) - H(x_1, \ldots, x_{m-1})$
- The entropy rate of a process: $H(X) = \lim_{m \to \infty} H(x_m \mid x_1, \ldots, x_{m-1})$

Slide 18: Entropy Estimation
- The data is binned in Q bins, e.g., 0.0 < bin1 ≤ 0.22, 0.22 < bin2 ≤ 0.51, etc.
- The "true" probabilities are replaced with empirical probabilities of bin sequences:
  $P(\text{sequence } S) = \frac{\text{number of occurrences of } S}{\text{total number of sequences}}$
- The entropy estimate is EN
- The conditional entropy estimate is CE

Slide 19: Entropy Estimation
- $CE(x_m \mid x_1, \ldots, x_{m-1}) = EN(x_1, \ldots, x_m) - EN(x_1, \ldots, x_{m-1})$
- CE tends to 0 because of unique sequences in the data
- CE tends to 0 as m increases
[Figure (adapted from Porta 1998): entropy (0.0 to 2.2) versus m (1 to 15); the CE curve falls towards 0 as m grows, while the number of possible sequences grows as $Q^m$.]

Slide 20: Entropy Estimation
- $CCE(x_m \mid x_1, \ldots, x_{m-1}) = CE(x_m \mid x_1, \ldots, x_{m-1}) + \text{perc} \cdot EN(x_1)$
- perc: percentage of unique sequences in the data
[Figure (adapted from Porta 1998): entropy (0.0 to 2.2) versus m (1 to 15); CE, the corrective term, and CCE as their sum.]

Slide 21: Entropy Estimation
- $CCE(x_m \mid x_1, \ldots, x_{m-1}) = CE(x_m \mid x_1, \ldots, x_{m-1}) + \text{perc} \cdot EN(x_1)$
- perc: percentage of unique sequences in the data
- The minimum of CCE is the best choice for m
[Figure (adapted from Porta 1998): CCE versus m (1 to 15), with its minimum at m = 4.]

Slide 22: Entropy-Based Approach
- The corrected conditional entropy test (Porta 1998): $\min_m CCE(x_m \mid x_1, \ldots, x_{m-1})$
  - estimates the entropy rate; Q = 5, m varies
- The entropy test: $EN(x_1)$
  - estimates the first-order entropy; Q = 2^16, m = 1

Slide 23: Outline (section: Experimental Evaluation)

Slide 24: Experimental Evaluation
Covert Timing Channels:
- IPCTC
- TRCTC
- JitterBug
Detection Tests:
- regularity test (regularity)
- Kolmogorov-Smirnov test (KSTEST)
- entropy test (EN)
- corrected conditional entropy test (CCE)

Slide 25: Experimental Evaluation: IPCTC
- 100x 2000 HTTP inter-packet delays
- enhancement: the time interval t is rotated among 40ms, 60ms, and 80ms
  - avoids creating a regular pattern at multiples of the time interval t

Slide 26: Experimental Evaluation: IPCTC test scores (slide 27 repeats this table)

              LEGIT-HTTP            IPCTC
              mean      stdev       mean      stdev
  KSTEST      0.180     0.077       0.708     0.000
  regularity  35.726    36.635      0.330     0.056
  EN          17.794    0.862       3.059     0.032
  CCE         1.964     0.149       2.216     0.013

Slide 28: Experimental Evaluation: IPCTC detection rates

              LEGIT-HTTP          IPCTC
              false positive      true positive
  KSTEST      0.01                1.00
  regularity  0.01                0.49
  EN          0.01                1.00
  CCE         0.01                1.00

Slide 29: Experimental Evaluation: TRCTC
- 100x 2000 HTTP inter-packet delays
- the distribution of inter-packet delays is close to the legitimate distribution, but with no correlations

Slide 30: Experimental Evaluation: TRCTC test scores

              LEGIT-HTTP            TRCTC
              mean      stdev       mean      stdev
  KSTEST      0.180     0.077       0.180     0.077
  regularity  35.726    36.635      7.845     9.324
  EN          17.794    0.862       17.794    0.861
  CCE         1.964     0.149       2.217     0.012

Slide 31: Experimental Evaluation
[Figure: CCE scores for TRCTC versus LEGIT.]

Slide 32: Experimental Evaluation: TRCTC detection rates

              LEGIT-HTTP          TRCTC
              false positive      true positive
  KSTEST      0.01                0.02
  regularity  0.01                0.04
  EN          0.01                0.02
  CCE         0.01                1.00

Slide 33: Experimental Evaluation: JitterBug
- 100x 2000 SSH inter-packet delays
- the distribution of inter-packet delays is close to the legitimate distribution, but with small delays added
- enhancement: a random sequence $s_i$ is subtracted before the modulo operation
  - avoids creating a regular pattern at multiples of the timing window w

Slide 34: Experimental Evaluation: JitterBug test scores

              LEGIT-SSH             JitterBug
              mean      stdev       mean      stdev
  KSTEST      0.270     0.133       0.273     0.123
  regularity  6.230     5.847       6.038     5.624
  EN          19.422    1.856       9.432     1.253
  CCE         1.779     0.261       1.837     0.220

Slide 35: Experimental Evaluation
[Figure: EN scores for JitterBug versus LEGIT.]

Slide 36: Experimental Evaluation: JitterBug detection rates

              LEGIT-HTTP          JitterBug
              false positive      true positive
  KSTEST      0.01                0.01
  regularity  0.01                0.02
  EN          0.01                1.00
  CCE         0.01                0.04

Slide 37: Outline (section: Potential Countermeasures)

Slide 38: Potential Countermeasures
- TRCTC: replay longer correlated sequences
  - this would reduce the capacity
- JitterBug: use a smaller timing window w
  - again, this would reduce the capacity

Slide 39: Conclusion
- The regularity test has problems with the high variation of legitimate traffic
  - fails for all covert timing channels tested
- The Kolmogorov-Smirnov test has problems when the distribution of covert traffic is close to the distribution of legitimate traffic
  - fails for JitterBug and TRCTC

Slide 40: Conclusion
- CCE detects abnormal regularity
- EN detects abnormal shape
- In combination, our entropy-based approach is effective on all of the covert timing channels tested
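The four tests compared on slides 13, 17 to 22 and in the conclusion, implemented as an added Python example; this is not code from the paper or its authors. Assumptions not on the slides: bin edges are quantiles of a separate legitimate training sample (so that EN with Q = 2^16 bins measures how the test sample spreads over the legitimate shape), the regularity test uses windows of 100 delays, and the inputs are constructed synthetic exponential delays rather than the HTTP/SSH traces of the paper. The REORDERED sample is the legitimate sample sorted, a constructed stand-in for a fully predictable ordering that leaves the shape untouched, and COARSE is the same delays quantized to a 50 ms grid, a constructed change of shape; neither models a specific channel.

```python
import math
import random
from bisect import bisect_left
from collections import Counter
from statistics import stdev

# --- binning (assumption: cut points are quantiles of a legitimate training sample) ---

def fit_bins(training, q):
    """Return Q-1 cut points so that each bin holds an equal share of the training data."""
    s = sorted(training)
    n = len(s)
    return [s[(i * n) // q] for i in range(1, q)]

def to_symbols(delays, edges):
    """Map each delay to its bin index: x is in bin k when edges[k-1] < x <= edges[k]."""
    return [bisect_left(edges, x) for x in delays]

# --- shape tests ---

def ks_distance(a, b):
    """KSTEST: max |s1(x) - s2(x)| over the two empirical distribution functions."""
    a, b = sorted(a), sorted(b)
    ia = ib = 0
    d = 0.0
    for x in sorted(set(a) | set(b)):
        while ia < len(a) and a[ia] <= x:
            ia += 1
        while ib < len(b) and b[ib] <= x:
            ib += 1
        d = max(d, abs(ia / len(a) - ib / len(b)))
    return d

def en_test(delays, edges):
    """Entropy test EN(x1): first-order entropy (bits) of the binned delays."""
    return sequence_entropy(to_symbols(delays, edges), 1)[0]

# --- regularity tests ---

def regularity(delays, window=100):
    """Cabuk's regularity test: STDEV(|s_i - s_j| / s_i, i < j) over per-window standard deviations."""
    sigmas = [stdev(delays[i:i + window]) for i in range(0, len(delays) - window + 1, window)]
    ratios = [abs(si - sj) / si for i, si in enumerate(sigmas)
              for sj in sigmas[i + 1:] if si > 0]
    return stdev(ratios)

def sequence_entropy(symbols, m):
    """EN(x1..xm) from empirical probabilities of length-m bin sequences, plus perc,
    the share of sequences that occur exactly once."""
    n = len(symbols) - m + 1
    counts = Counter(tuple(symbols[i:i + m]) for i in range(n))
    en = -sum((c / n) * math.log2(c / n) for c in counts.values())
    perc = sum(1 for c in counts.values() if c == 1) / n
    return en, perc

def cce(symbols, m):
    """CCE(xm|x1..xm-1) = CE + perc * EN(x1), with CE = EN(x1..xm) - EN(x1..xm-1)."""
    en_m, perc = sequence_entropy(symbols, m)
    en_prev = sequence_entropy(symbols, m - 1)[0] if m > 1 else 0.0
    en_1 = sequence_entropy(symbols, 1)[0]
    return (en_m - en_prev) + perc * en_1

def cce_test(delays, edges, max_m=15):
    """Corrected conditional entropy test: min over m of CCE, an estimate of the entropy rate."""
    symbols = to_symbols(delays, edges)
    return min(cce(symbols, m) for m in range(1, max_m + 1))

# --- constructed sample inputs (synthetic, not the traces used in the paper) ---
random.seed(7)
TRAIN = [random.expovariate(10.0) for _ in range(2000)]   # "legitimate" training delays, mean 0.1 s
LEGIT = [random.expovariate(10.0) for _ in range(2000)]   # a second legitimate sample
REORDERED = sorted(LEGIT)                                # same delays, same shape, predictable order
COARSE = [round(x / 0.05) * 0.05 for x in LEGIT]         # same order, delays snapped to a 50 ms grid

def run_tests():
    """Score each sample with all four tests; Q = 5 for CCE and Q = 2^16 for EN, as on slide 22."""
    edges5 = fit_bins(TRAIN, 5)
    edges16 = fit_bins(TRAIN, 2 ** 16)
    results = {}
    for name, sample in (("LEGIT", LEGIT), ("REORDERED", REORDERED), ("COARSE", COARSE)):
        results[name] = {
            "KSTEST": ks_distance(TRAIN, sample),
            "regularity": regularity(sample),
            "EN": en_test(sample, edges16),
            "CCE": cce_test(sample, edges5),
        }
    return results

if __name__ == "__main__":
    for name, scores in run_tests().items():
        print(name, {k: round(v, 3) for k, v in scores.items()})
```

Running it shows the division of labour the conclusion describes: REORDERED has exactly the KSTEST score of LEGIT (the shape test is permutation-invariant) but a CCE near zero, while COARSE keeps its ordering and so its CCE, but its EN collapses and its KSTEST distance jumps. Thresholds for a deployment would be set from the legitimate training scores, as the false-positive rates on the slides are.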
Slide 41: Questions? Thank You!