Abstract

Messages sent through covert channels may carry valuable information, either in clear text or encrypted. This study focuses on a Covert Storage Channel (CSC) in TCP/IP network packets that uses the 6-bit TCP flag header to transmit messages between accomplices. It uses relative entropy to characterize irregularities in the TCP flags. First, a normal profile of TCP flags is represented by their frequency distribution in regular traffic packets. Then the TCP flag frequency distribution in network traffic is computed for each unique IP pair. The distance of the testing traffic data set from this normal profile is the relative entropy between these two distributions. To evaluate the performance of the proposed method, this study uses real regular traffic data sets as well as CSC messages generated for both clear-text and encrypted forms of a list of keywords common in Unix systems. Different approaches are used to choose the packets included when extracting the TCP flag frequencies. The experimental results, presented as Receiver Operating Characteristic (ROC) curves, show that the method is promising for choosing the best control threshold to differentiate normal and CSC traffic packet streams.
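The scoring step described in the abstract, sketched as an added example (not the authors' code). The Laplace smoothing of the normal profile, the direction D(test || normal), the ordered (src, dst) pairing, the threshold value and all sample packets are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

FLAG_SPACE = 64  # 2**6 possible values of the 6-bit TCP flag field

def flag_distribution(flags, alpha=0.0):
    """Frequency of each 6-bit flag value; alpha > 0 adds Laplace smoothing."""
    counts = Counter(f & 0x3F for f in flags)
    total = len(flags) + alpha * FLAG_SPACE
    return [(counts[v] + alpha) / total for v in range(FLAG_SPACE)]

def relative_entropy(p, q):
    """D(p || q) in bits; q must be non-zero wherever p is non-zero."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)

def score_ip_pairs(packets, normal_profile):
    """Map each (src, dst) pair to its distance from the normal profile."""
    by_pair = defaultdict(list)
    for src, dst, flags in packets:
        by_pair[(src, dst)].append(flags)
    return {pair: relative_entropy(flag_distribution(f), normal_profile)
            for pair, f in by_pair.items()}

# Constructed baseline: SYN, SYN-ACK, ACK, PSH-ACK, FIN-ACK in plausible ratios.
BASELINE = [0x02] * 50 + [0x12] * 50 + [0x10] * 600 + [0x18] * 250 + [0x11] * 50
# Smoothing (assumption) keeps every profile probability non-zero.
NORMAL_PROFILE = flag_distribution(BASELINE, alpha=1.0)

# Constructed test traffic: one pair resembling the baseline, one pair whose
# flag values are spread across the 6-bit space (irregular combinations).
REGULAR = [0x02] * 2 + [0x12] * 2 + [0x10] * 24 + [0x18] * 10 + [0x11] * 2
IRREGULAR = [(i * 7) % 64 for i in range(40)]
PACKETS = ([("192.0.2.10", "198.51.100.5", f) for f in REGULAR] +
           [("192.0.2.77", "198.51.100.9", f) for f in IRREGULAR])

THRESHOLD_BITS = 1.0  # hypothetical; the study selects its threshold via ROC

def flagged_pairs(packets, profile, threshold=THRESHOLD_BITS):
    """IP pairs whose relative entropy exceeds the control threshold."""
    scores = score_ip_pairs(packets, profile)
    return sorted(pair for pair, d in scores.items() if d > threshold)

if __name__ == "__main__":
    for pair, d in score_ip_pairs(PACKETS, NORMAL_PROFILE).items():
        print(pair, f"{d:.3f} bits")
```

In practice the threshold would be tuned against labelled traffic, as the ROC analysis in the study does, since a short flow can score high from sampling noise alone.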
