Abstract

With the rapid growth of data exfiltration carried out by cyber attacks, Covert Timing Channels (CTC) have become an imminent network security risk that continues to grow in both sophistication and utilization. These channels use packet inter-arrival times to steal sensitive data from the targeted networks. CTC detection relies increasingly on machine learning techniques, which use statistical metrics to separate malicious (covert) traffic flows from legitimate (overt) ones. However, given the efforts of cyber attackers to evade detection and the growing volume of CTCs, covert channel detection needs to improve in both performance and precision to detect and prevent CTCs and to limit the reduction in quality of service caused by the detection process. In this article, we present an innovative image-based solution for fully automated CTC detection and localization. Our approach is based on the observation that the traffic generated by covert channels can be converted to colored images. Leveraging this observation, our solution automatically detects and locates the malicious part (i.e., the set of packets) within a traffic flow. By locating the covert parts within traffic flows, our approach reduces the drop in quality of service caused by blocking entire traffic flows in which covert channels are detected. We first convert traffic flows into colored images, and then extract image-based features for detecting covert traffic. We train a classifier on these features using a large data set of covert and overt traffic. This approach demonstrates remarkable performance, achieving a detection accuracy of 95.83% for cautious CTCs and a covert traffic accuracy of 97.83% for 8-bit covert messages, which is well beyond what the popular statistical-based solutions can achieve.

Highlights

  • Covert channels provide effective methods to exfiltrate sensitive data from the targeted networks

  • We propose a technique for converting Covert Timing Channels (CTC) inter-arrival times into two-dimensional (2D) colored images to generate robust features that we utilize for training machine learning classifiers

  • Our evaluation seeks to measure the performance of our approach in the following terms: (a) the effectiveness of our approach in detecting covert timing channels under different defense-evasion configurations of cyber attacks; (b) the ability of our approach to pinpoint the covert part of the traffic sub-flow; and (c) a comparison of different machine learning classifiers based on their accuracy and interpretability in detecting CTCs
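As an added illustration of the pipeline described in the abstract and highlights above (convert a flow's inter-arrival times into a colored image, extract image-based features, classify, and localize the covert sub-flow), the following Python script is not the paper's code. The page does not give the paper's pixel mapping, feature set or classifier, so the RGB packing of three consecutive inter-arrival times into one pixel, the entropy and two-level-share features, the threshold rule that stands in for the trained classifier, and the sample flow are all assumptions or constructed data.

```python
"""Added example, not the paper's code.  The RGB packing, the features, the
threshold rule and the sample flow below are assumptions for illustration."""
import math
import random
from collections import Counter


def quantize(iats, levels=256):
    """Min-max scale one flow's inter-arrival times (seconds) to pixel values 0..levels-1."""
    lo, hi = min(iats), max(iats)
    span = (hi - lo) or 1.0
    return [int((t - lo) / span * (levels - 1)) for t in iats]


def to_rgb_image(pixels, width):
    """Assumed colored-image mapping: three consecutive pixel values become one
    RGB pixel, laid out row by row; the last row is padded with black."""
    rgb = []
    for i in range(0, len(pixels), 3):
        chunk = pixels[i:i + 3]
        rgb.append(tuple(chunk + [0] * (3 - len(chunk))))
    rows = [rgb[i:i + width] for i in range(0, len(rgb), width)]
    if rows and len(rows[-1]) < width:
        rows[-1] = rows[-1] + [(0, 0, 0)] * (width - len(rows[-1]))
    return rows


def channel_entropy(image, channel):
    """Shannon entropy (bits) of one color channel's value histogram."""
    values = [px[channel] for row in image for px in row]
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def top2_share(values):
    """Fraction of values in the two most common levels: a two-symbol timing
    code drives this towards 1.0, while jittered legitimate traffic keeps it low."""
    top = Counter(values).most_common(2)
    return sum(c for _, c in top) / len(values)


def flow_features(iats, width=8):
    """Image-based feature vector for a flow or sub-flow (assumed feature set)."""
    pixels = quantize(iats)
    image = to_rgb_image(pixels, width)
    return {
        "entropy_r": channel_entropy(image, 0),
        "entropy_g": channel_entropy(image, 1),
        "entropy_b": channel_entropy(image, 2),
        "top2_share": top2_share(pixels),
    }


def is_covert(features, share_threshold=0.8):
    """Threshold rule standing in for the trained classifier (assumption)."""
    return features["top2_share"] >= share_threshold


def merge_ranges(ranges):
    """Merge overlapping (start, end) packet index ranges."""
    merged = []
    for s, e in ranges:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def localize_covert(iats, window=16, threshold=0.8):
    """Slide a window over the flow and return the packet index ranges whose
    quantized IATs look like a two-level timing code, so that only those
    packets need to be blocked rather than the whole flow."""
    pixels = quantize(iats)
    flagged = [(s, s + window) for s in range(len(pixels) - window + 1)
               if top2_share(pixels[s:s + window]) >= threshold]
    return merge_ranges(flagged)


def build_sample_flow(seed=7):
    """Constructed sample flow: 60 jittered legitimate IATs, then 24 IATs that
    take only two values (a covert-looking segment), then 40 legitimate IATs.
    Returns the flow and the true (start, end) of the inserted segment."""
    rng = random.Random(seed)

    def overt(n):
        return [rng.uniform(0.005, 0.050) for _ in range(n)]

    covert = [0.010 if rng.random() < 0.5 else 0.040 for _ in range(24)]
    return overt(60) + covert + overt(40), (60, 84)


if __name__ == "__main__":
    flow, truth = build_sample_flow()
    print("whole-flow features:", flow_features(flow))
    print("flagged packet ranges:", localize_covert(flow), "truth:", truth)
```

Running the script prints the feature vector for the whole flow and the packet index range the sliding window flags; the flagged range should cover the inserted segment at packets 60 to 84, which is the localization step that lets a defender drop only the covert packets instead of the entire flow.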


Summary

Introduction

Covert channels provide effective methods to exfiltrate sensitive data from the targeted networks. This type of exfiltration is effective because it uses existing system resources that were not originally designed for communication to transmit sensitive data. Due to their ability to transmit data without being detected, covert channels have become a serious threat to the professional domain as well as to the general community of internet users. Many applications based on the TCP, IP, and HTTP protocols can be used to establish covert storage channels. This type of cyber attack takes advantage of unused packet fields, such as the TCP initial sequence number field, to maliciously
