A Zero-Day Cloud Timing Channel Attack

Abstract

The Intrusion Detection and Prevention System (IDPS) services of a North American cloud service provider were ineffective against a simulated network timing channel attack. During the tests, three conspiring white hat agents exchanged a total of 33,024 network packets. As the proxy based attack executed, the vendor’s intrusion detection service did not generate a warning, nor did its intrusion prevention service drop packets. Throughout the experiment, 4,096 bytes of randomized data (simulating covert traffic) were exchanged over a 2.06 hour period (4.4 bits-per-second); however, the vendor’s Artificial Intelligence (AI) enabled threat detection service did not issue an alert. A Wilcoxon Ranked Sum test on the before-and-after throughput confirmed none of the vendor’s countermeasures triggered/intervened to a statistically significant degree (threat intel: <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">p</i> = 0.703, IDPS: <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">p</i> = 0.998, threat intel + IDPS: <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">p</i> = 0.118). These results indicate those accountable for data-oriented Service Organization Control (SOC) 2/3 reports (e.g., auditors, cybersecurity executives, etc.) should carefully examine the assurances offered by cloud service providers with regard to their network steganography defenses.