Detecting Covert Timing Channels Using Normalizing Weights

Edna Milgo
TSYS Department of Computer Science, Columbus State University, Georgia, USA
milgo edna@colstate.edu

Submitted on 06/04/2009

Abstract

Covert timing channels use unused space in packets to breach the security of network traffic. Information is sent according to whether or not synchronization occurred within a given time window. The resulting on/off pattern can later be interpreted by the attacker as a series of 1s and 0s, and may even be used to send a large amount of information in a short time. Attackers evade detection by mimicking legitimate traffic and by varying the delays. We propose a method that captures both the regularities and the irregularities in network traffic to determine whether it is legitimate or a covert timing channel. We use weighted values to normalize the irregular patterns, and based on the normalized distribution graph the system can determine whether a covert timing channel is present.

1 Introduction

Covert channels are illegitimate network channels that an attacker can use to breach security policies by sending information without the knowledge of the sender [1, 4]. Covert timing channels use synchronized timing to communicate information, either by delaying synchronization for a given interval or by skipping the interval. They cause security breaches by channeling sensitive private information when exploited by malicious software [5, 4]. Covert timing channels are classified by their relation to the legitimate channel. An active covert timing channel creates a new connection alongside a legitimate one and uses it to communicate, whereas a passive covert timing channel finds unused packet space in the legitimate traffic without creating a new connection. Passive covert channels are hard to detect because they depend on the legitimate traffic and are therefore hard to distinguish from it.
Another classification is based on the resource used, namely storage and timing [1]. Storage covert channels are used to write to or read from a memory location, directly or indirectly. Timing covert channels use CPU synchronization to convey a message each time a clock is triggered. The attacking system first has to negotiate the mode of communication with the attacked system [1]. First the two sides identify the start signal and the time interval of each communication. They
also agree on the definition of the silent period. The receiver then analyzes the information based on when the trigger was made, where a connection represents 1 and silence represents 0, and reconstructs meaningful information from the binary bits.

The regularity of the traffic pattern of covert channels could be used to distinguish them from legitimate traffic, but attackers have devised ways to evade this by varying the delay time at a given interval. Much research has been done on ways of disrupting or stopping covert timing channels [3], most of it using statistical methods of detection. These statistical tools alone are suitable only if the attacker follows a strict statistical pattern, i.e. the channel communication is regular. Attackers have hardened their channels against detection by varying the pattern, introducing delays into the connection that make the pattern irregular. Another challenge to the statistical approach is that a sufficient amount of data must be collected from a covert channel before it can be analyzed and proven that the communication has been compromised. This raises two major concerns for the system: 1) the attacker is identified only after he has already gathered information from the system, because the attacker has undisrupted communication during the analysis session, and 2) resources, including bandwidth, memory locations and system time, are consumed during the analysis, and in some cases a very detailed analysis may conclude that the traffic is legitimate. There is therefore a need for a fast, approximate detector of covert channels whose process does not consume many resources. In [2], the authors proposed an entropy approach for detecting covert timing channels that follow an irregular pattern, using distribution bins. This method is suitable when the data range is small but may give varying results when the data is large.
We present an approach based on the entropy approach, introducing a weight w, a measure of the rate of delay variation, which is used to normalize the distribution graph. The main contributions of this scheme are: 1) the design of a covert timing channel detection method that handles high jitter and irregular patterns, where we normalize our distribution graphs based on the weighted value of the delay intervals; and 2) the design of a real-time detection that optimizes bandwidth and is fast, so as to avoid causing unnecessary traffic. The data is sampled randomly, and the weight calculation and analysis are done offline. Our approach is based on both statistical evaluation and fuzzy logic.

The rest of the paper is organized as follows: related work is described in section 2 and the proposed scheme in section 3. In section 4, we present the conclusion and directions for future work.
2 Related work

Various covert channels have been developed and used to test a system's vulnerability to covert timing channels. Most of the research has focused on detecting active covert timing channels. Cabuk in [1] describes a scheme that can be used to detect and block covert timing channels in the TCP/IP section of the network layer. He first describes how the attacker can use the data section of the packet because of its inconsistent pattern and size, and then demonstrates how the irregularity of the traffic can be used to distinguish it from legitimate traffic. In [2], the authors proposed an entropy approach to detect covert timing channels. Their approach tests the irregularity of the traffic pattern, rather than the distribution of the traffic, to identify a covert channel. They use a binning strategy to compute the conditional entropy of a given traffic. This method is however limited when the dataset is large, since the bins then tend to be so large that the usefulness of the function is reduced. The approach estimates the entropy rate from the corrected conditional entropy. Gianvecchio et al. [3] designed a model of the covert channel and used filters to characterize the features of legitimate traffic, while an analyzer fits the observed traffic to the model. In their scheme the model is assumed to imitate the features of ordinary traffic. This approach may be limited where the training data does not represent the varying characteristics of the current network, and where the attacker tries to evade detection by borrowing features of normal traffic.

3 Proposed Solution

Distribution function

A distribution graph is generated based on the idea proposed in [2]. The number of bins and their area are then computed such that each bin has the same area under the curve but a different width.
This approach is used because of its resistance to randomness in small data and because it gives a uniform representation of the data, since the data is selected randomly.

Time interval and weight

The weight w is a measure between 0 and 1 that represents how irregular the pattern in the network traffic is. The time interval between successive delays is measured and assigned a weight based on the difference between the current delay period and the preceding delay. If all the delays have the same interval, i.e. the delay is uniform, the weight is 0 and there is no normalization of the distribution function; the zero-weight scenario is a regular covert timing channel. Where the delay varies on every clock trigger, the weight is close to 1 and the distribution graph is skewed upwards.
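The two building blocks described above, the equal-area binning of inter-packet delays and the jitter weight w in [0, 1], as an added example that is not code from the paper. The paper only fixes the endpoints of w (0 for uniform delays, close to 1 when every delay differs), so the formula used here (mean absolute change between successive delays relative to the mean delay, clipped to 1) is an assumption, as are all the traffic samples, which are constructed rather than captured. Bins are built from a reference sample and then applied to the traffic under test, which is how a regular covert channel collapses into a single bin.

```python
"""Added example, not code from the paper: equal-area binning of
inter-packet delays (the idea the paper borrows from [2]) and a jitter
weight w in [0, 1] derived from successive-delay differences. The exact
weight formula and every traffic sample below are constructed assumptions."""
import bisect
import math


def inter_arrival_delays(timestamps):
    """Delay between each packet arrival and the previous one (seconds)."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def equal_area_bins(delays, n_bins):
    """Bin edges chosen as quantiles of the sorted delays, so every bin holds
    the same share of samples (equal area under the empirical curve) while
    the bin widths differ."""
    ordered = sorted(delays)
    n = len(ordered)
    edges = [ordered[0]]
    for k in range(1, n_bins):
        edges.append(ordered[(k * n) // n_bins])
    edges.append(ordered[-1])
    return edges


def bin_counts(delays, edges):
    """Occupancy of each bin; values outside the edge range fall into the
    first or last bin, so a spike of identical delays lands in one bin."""
    counts = [0] * (len(edges) - 1)
    for d in delays:
        i = bisect.bisect_right(edges, d) - 1
        counts[max(0, min(i, len(counts) - 1))] += 1
    return counts


def shannon_entropy_bits(counts):
    """Entropy of the bin occupancy in bits; 0 when everything sits in one bin."""
    total = sum(counts)
    return -sum((c / total) * math.log2(c / total) for c in counts if c > 0)


def jitter_weight(delays):
    """Assumed definition of w: mean absolute change between successive
    delays, relative to the mean delay, clipped to 1. Uniform delays give
    0 (the regular covert channel case); delays that swing on every clock
    trigger give 1."""
    if len(delays) < 2:
        return 0.0
    mean_delay = sum(delays) / len(delays)
    if mean_delay <= 0:
        return 0.0
    changes = [abs(b - a) for a, b in zip(delays, delays[1:])]
    return min(1.0, (sum(changes) / len(changes)) / mean_delay)


def analyze(delays, reference_delays, n_bins=4):
    """Build equal-area bins from a reference (legitimate) sample, then bin
    the traffic under test: spread-out traffic keeps high entropy, a
    regular covert channel collapses into one bin with entropy 0."""
    edges = equal_area_bins(reference_delays, n_bins)
    counts = bin_counts(delays, edges)
    return {"w": jitter_weight(delays),
            "entropy_bits": shannon_entropy_bits(counts),
            "counts": counts}


# Constructed samples (not captured traffic).
LEGIT_DELAYS = [0.05, 0.12, 0.31, 0.08, 0.44, 0.19, 0.27, 0.61,
                0.09, 0.15, 0.38, 0.22, 0.51, 0.11, 0.33, 0.07]
REGULAR_COVERT = [0.25] * 16          # same delay on every trigger: w = 0
JITTERED_COVERT = [0.10, 0.50] * 8    # delay swings on every trigger: w = 1

if __name__ == "__main__":
    for name, sample in [("legitimate", LEGIT_DELAYS),
                         ("regular covert", REGULAR_COVERT),
                         ("jittered covert", JITTERED_COVERT)]:
        print(name, analyze(sample, LEGIT_DELAYS))
```

Running the block shows the contrast the paper relies on: the legitimate sample fills all four reference bins evenly, the regular covert channel has w = 0 and lands entirely in one bin, and the jittered covert channel has w = 1 while still occupying only two bins. The weight is what a normalization step would use to adjust the bins before comparing against the distributions of known legitimate traffic.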
Normalization

Once the weight has been determined, the original graph is normalized: every bin is adjusted based on the weighted value of the delay. For high weights, the bins are altered so that the variance and the mean are increased but the distribution remains unchanged.

Results

The normalized graph tends to follow a distribution function which, when compared to the known functions of normal network traffic, lets the system determine whether the traffic is legitimate or not. Legitimate traffic follows a normal or a Poisson distribution, while a covert channel follows a Kolmogorov chain distribution.

4 Conclusion

The proposed approach is suitable for both regular and irregular timing patterns. It uses a weighted value to normalize the distribution of an irregular pattern. The approach uses the algorithm proposed in [2] in the second part of the processing, where the weight is applied to the graph to adjust the binning scheme. The scheme uses fuzzy error detection and weighted error correction to achieve a constant and well-distributed graph. Its limitation is the extra time spent computing the weights and normalizing the graph; this duration is however negligible for small data sets. Our future work will include more input detection, such as error detection, in order to achieve a higher normalizing value. The weights will also be extended to capture the weighted mean in the analysis stage.

References

[1] S. Cabuk, C. E. Brodley, and C. Shields. IP covert timing channels: design and detection. CCS '04: Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 178-187, 2004.
[2] S. Gianvecchio and H. Wang. Detecting covert timing channels: an entropy-based approach. 2nd International Conference on i-Warfare and Security, pages 307-316, 2007.
[3] S. Gianvecchio, H. Wang, D. Wijesekera, and S. Jajodia. Model-based covert timing channels: automated modeling and evasion.
Lecture Notes in Computer Science, pages 211-230, 2008.
[4] R. C. Newman. Covert computer and network communications. Proceedings of the 4th Annual Conference on Information Security Curriculum Development, pages 1-8, 2007.
[5] A. B. Shaffer, M. Auguston, C. E. Irvine, and T. E. Levin. A security domain model to assess software for exploitable covert channels. Proceedings of the Third ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pages 45-56, 2008.