Detecting Covert Timing Channels: An Entropy-Based Approach
DESCRIPTION
Detecting Covert Timing Channels: An Entropy-Based Approach. Steven Gianvecchio and Haining Wang, College of William and Mary. Outline: Background, Covert Timing Channels, Detection Methods, Entropy-Based Approach, Experimental Evaluation, Potential Countermeasures, Conclusion.
TRANSCRIPT
Detecting Covert Timing Channels: An Entropy-Based Approach
Steven Gianvecchio, Haining Wang
College of William and Mary
ACM CCS 2007
Outline
Background
Covert Timing Channels
Detection Methods
Entropy-Based Approach
Experimental Evaluation
Potential Countermeasures
Conclusion
Background
Covert Channels: a covert channel manipulates a shared resource to transfer information.
The goal is to hide communication (or hide extra communication) with a host:
steal sensitive data (e.g., keys or passwords)
hide other illicit communications
Background
Types of Covert Channels: the shared resource determines the type.
covert storage channels, e.g., packet header fields
covert timing channels, e.g., packet arrival times
Covert Timing Channels
Types of Covert Timing Channels:
active - generates additional traffic
passive - manipulates existing traffic
[Figure: two scenarios. Scenario 1 (active or passive): COMPROMISED MACHINE, COVERT TIMING CHANNEL, FIREWALL/IDS. Scenario 2 (passive): COMPROMISED INPUT DEVICE, COVERT TIMING CHANNEL, FIREWALL/IDS.]
Covert Timing Channels
Covert Timing Channels:
IP Covert Timing Channel or IPCTC (Cabuk 2004)
Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
JitterBug (Shah 2006)
Covert Timing Channels
IP Covert Timing Channel or IPCTC (Cabuk 2004)
1-bit: send a packet
0-bit: do nothing
[Figure: a timeline divided into intervals of length t; a packet is sent in each 1-bit interval and nothing in each 0-bit interval (1-bit, 0-bit, 1-bit, 0-bit).]
Covert Timing Channels
Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
replay a sample of legitimate traffic, split into two bins by a cutoff: bin 0 < cutoff < bin 1
1-bit: replay from bin 1
0-bit: replay from bin 0
by construction, the distribution of inter-packet delays is close to the legitimate distribution
Covert Timing Channels
JitterBug (Shah 2006)
0-bit: increase the delay until it is 0 modulo w
1-bit: increase the delay until it is ceil(w/2) modulo w
the timing window w is the maximum delay that can be added
for small w, the distribution of inter-packet delays is close to the legitimate distribution
Detection Methods
Types of Detection Tests:
shape - relates to first-order statistics: statistics of singles, invariant under permutations of the data
regularity - relates to second- or higher-order statistics: statistics of doubles, triples, etc.
Detection Methods
Tests of Shape: Kolmogorov-Smirnov test -
$$\mathrm{KSTEST} = \max_x \lvert s_1(x) - s_2(x) \rvert$$
where s1 and s2 are distribution functions
Tests of Regularity: the regularity test (Cabuk 2004) -
$$\mathrm{regularity} = \mathrm{STDEV}\left(\frac{\lvert \sigma_i - \sigma_j \rvert}{\sigma_i},\ i < j,\ \forall\, i, j\right)$$
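As an added worked example (not code from the talk or its authors), the following Python computes the two tests on this slide over constructed inter-packet delay samples: KSTEST as the largest gap between two empirical distribution functions s1 and s2, and the regularity test with σ_i taken as the standard deviation of the i-th fixed-size window of consecutive delays, as in Cabuk's test. The window size, the sample values and the handling of a zero-variance window are assumptions of this example.

```python
import math
import random
from itertools import combinations


def empirical_cdf(sample):
    """Return s(x), the fraction of `sample` values that are <= x."""
    s = sorted(sample)
    n = len(s)

    def cdf(x):
        lo, hi = 0, n  # binary search for the number of sorted values <= x
        while lo < hi:
            mid = (lo + hi) // 2
            if s[mid] <= x:
                lo = mid + 1
            else:
                hi = mid
        return lo / n

    return cdf


def ks_test(sample1, sample2):
    """KSTEST = max_x |s1(x) - s2(x)|. Both empirical distribution functions are
    step functions that only change at sample values, so evaluating the gap at
    the pooled sample values is enough to find the maximum."""
    s1, s2 = empirical_cdf(sample1), empirical_cdf(sample2)
    return max(abs(s1(x) - s2(x)) for x in set(sample1) | set(sample2))


def sample_stdev(values):
    """Sample standard deviation (n - 1 denominator)."""
    n = len(values)
    mean = sum(values) / n
    return math.sqrt(sum((v - mean) ** 2 for v in values) / (n - 1))


def regularity_test(delays, window):
    """regularity = STDEV(|sigma_i - sigma_j| / sigma_i, i < j, for all i, j),
    with sigma_i the standard deviation of the i-th window of `window`
    consecutive delays (Cabuk 2004). A window with sigma_i == 0 (perfectly
    regular traffic) makes the ratio undefined; such pairs are skipped here,
    an assumption of this example."""
    sigmas = [sample_stdev(delays[k:k + window])
              for k in range(0, len(delays) - window + 1, window)]
    ratios = [abs(sigmas[i] - sigmas[j]) / sigmas[i]
              for i, j in combinations(range(len(sigmas)), 2)
              if sigmas[i] > 0]
    if len(ratios) < 2:
        raise ValueError("need at least three windows with non-zero variance")
    return sample_stdev(ratios)


if __name__ == "__main__":
    rng = random.Random(1)
    # constructed samples: two draws from the same exponential distribution
    # and one with a different scale, giving a small and a large KSTEST
    a = [rng.expovariate(10.0) for _ in range(500)]
    b = [rng.expovariate(10.0) for _ in range(500)]
    c = [rng.expovariate(2.0) for _ in range(500)]
    print(f"KSTEST, same distribution: {ks_test(a, b):.3f}")
    print(f"KSTEST, different scale:   {ks_test(a, c):.3f}")
    print(f"regularity of sample a:    {regularity_test(a, 100):.3f}")
```

The regularity score depends only on how much the per-window standard deviations differ from one another, which is why legitimate traffic with highly variable windows produces large scores (the LEGIT-HTTP figures later in the talk) while any series whose windows look alike, covert or not, scores near 0.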
Motivation
There are a number of other tests. However, no previous test is effective at detecting a wide range of different covert timing channels.
Our goal is to develop a better solution: an entropy-based approach, using entropy and conditional entropy.
Entropy
In general, the creation of covert timing channels has some effect on entropy:
entropy is a measure of information
covert timing channels transfer information
[Figure: the entropy rate on a scale from 0 (predictable, regular) through complex to max (unpredictable, random).]
Entropy
The entropy of a series -
$$H(x_1,\dots,x_m) = -\sum_{x_1,\dots,x_m} P(x_1,\dots,x_m)\,\log P(x_1,\dots,x_m)$$
The conditional entropy of a series -
$$H(x_m \mid x_1,\dots,x_{m-1}) = H(x_1,\dots,x_m) - H(x_1,\dots,x_{m-1})$$
The entropy rate of a process -
$$\bar{H}(X) = \lim_{m \to \infty} H(x_m \mid x_1,\dots,x_{m-1})$$
Entropy Estimation
The data is binned in Q bins, e.g., 0.0 < bin1 ≤ 0.22, 0.22 < bin2 ≤ 0.51, etc.
The "true" probabilities are replaced with empirical probabilities of bin sequences:
$$P(\text{sequence } S) = \frac{\text{number of occurrences of } S}{\text{total number of sequences}}$$
The entropy estimate is EN; the conditional entropy estimate is CE
$$\mathrm{CE}(x_m \mid x_1,\dots,x_{m-1}) = \mathrm{EN}(x_1,\dots,x_m) - \mathrm{EN}(x_1,\dots,x_{m-1})$$
CE tends to 0 as m increases because of unique sequences in the data
number of possible sequences = Q^m
[Figure (graph adapted from Porta 1998): entropy (0.0 to 2.2) plotted against m (1 to 15); the CE curve falls toward 0 as m increases.]
$$\mathrm{CCE}(x_m \mid x_1,\dots,x_{m-1}) = \mathrm{CE}(x_m \mid x_1,\dots,x_{m-1}) + \mathrm{perc}(x_m)\cdot \mathrm{EN}(x_1)$$
corrective term: perc(x_m) · EN(x_1), where perc is the percentage of unique sequences in the data
[Figure (graph adapted from Porta 1998): entropy (0.0 to 2.2) plotted against m (1 to 15); the CE curve and the CCE curve.]
The minimum of CCE is the best choice for m
$$\mathrm{CCE}(x_m \mid x_1,\dots,x_{m-1}) = \mathrm{CE}(x_m \mid x_1,\dots,x_{m-1}) + \mathrm{perc}(x_m)\cdot \mathrm{EN}(x_1)$$
perc is the percentage of unique sequences in the data
[Figure (graph adapted from Porta 1998): entropy (0.0 to 2.2) plotted against m (1 to 15); the CCE curve reaches its minimum at m=4.]
Entropy-Based Approach
The corrected conditional entropy test (Porta 1998) estimates the entropy rate, Q=5, m varies:
$$\min_m \mathrm{CCE}(x_m \mid x_1,\dots,x_{m-1})$$
The entropy test estimates the first-order entropy, Q=2^16, m=1:
$$\mathrm{EN}(x_1)$$
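An added example (not the authors' code) implementing the estimators of the preceding slides end to end in Python: Q-bin the delays, estimate EN from empirical sequence probabilities, derive CE and CCE with Porta's corrective term, take the minimum over m as the CCE test, and take EN(x_1) with Q=2^16 as the entropy test. Assumptions of this example, not stated on the slides: bin edges placed at quantiles of the series (equiprobable binning; the slides only show sample edges such as 0.22 and 0.51), logarithms to base 2, and the two constructed delay series (i.i.d. exponential delays as a stand-in for legitimate traffic, a repeating five-value pattern as a highly regular series).

```python
import bisect
import math
import random
from collections import Counter


def quantile_bin_edges(values, q):
    """Q-1 interior bin boundaries, each placed midway between the sorted values
    on either side of a quantile cut (equiprobable binning: an assumption of
    this example)."""
    s = sorted(values)
    n = len(s)
    edges = []
    for k in range(1, q):
        idx = (k * n) // q
        edges.append(s[0] if idx == 0 else (s[idx - 1] + s[idx]) / 2)
    return edges


def bin_series(values, q, edges=None):
    """Map each delay to a bin index 0..Q-1. A value equal to an edge falls into
    the lower bin, matching the slide's '0.0 < bin1 <= 0.22' convention."""
    if edges is None:
        edges = quantile_bin_edges(values, q)
    return [bisect.bisect_left(edges, v) for v in values]


def sequence_counts(symbols, m):
    """Counts of every length-m run of consecutive bin symbols (sliding window)."""
    seqs = [tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1)]
    return Counter(seqs), len(seqs)


def EN(symbols, m):
    """EN(x_1..x_m) = -sum_S P(S) log2 P(S), P(S) = occurrences of S / total."""
    counts, total = sequence_counts(symbols, m)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def CE(symbols, m):
    """CE(x_m | x_1..x_{m-1}) = EN(x_1..x_m) - EN(x_1..x_{m-1}); EN of nothing is 0."""
    return EN(symbols, m) - (EN(symbols, m - 1) if m > 1 else 0.0)


def perc_unique(symbols, m):
    """perc: fraction of the length-m sequences that occur only once in the data."""
    counts, total = sequence_counts(symbols, m)
    if total == 0:
        return 0.0
    return sum(1 for c in counts.values() if c == 1) / total


def CCE(symbols, m):
    """Corrected conditional entropy (Porta 1998): CE(m) + perc(m) * EN(x_1).
    The corrective term keeps CE from collapsing to 0 once most sequences are unique."""
    return CE(symbols, m) + perc_unique(symbols, m) * EN(symbols, 1)


def cce_test(delays, q=5, max_m=15):
    """CCE test: entropy-rate estimate, the minimum over m of CCE on Q-binned delays."""
    symbols = bin_series(delays, q)
    return min(CCE(symbols, m) for m in range(1, max_m + 1))


def entropy_test(delays, q=2 ** 16):
    """Entropy test: first-order entropy EN(x_1) on finely binned delays."""
    return EN(bin_series(delays, q), 1)


def constructed_legit_delays(n=2000, seed=0):
    """Constructed stand-in for legitimate traffic: i.i.d. exponential delays."""
    rng = random.Random(seed)
    return [rng.expovariate(10.0) for _ in range(n)]


def constructed_regular_delays(n=2000):
    """Constructed highly regular series: a repeating pattern of five delay
    values, so each delay is fully determined by the one before it."""
    pattern = [0.02, 0.04, 0.06, 0.08, 0.10]
    return [pattern[i % len(pattern)] for i in range(n)]


if __name__ == "__main__":
    for name, series in (("legit", constructed_legit_delays()),
                         ("regular", constructed_regular_delays())):
        print(f"{name:8s} EN(x_1) = {entropy_test(series):6.3f}   "
              f"min_m CCE = {cce_test(series):6.3f}")
```

On the regular series the min-over-m CCE is close to 0 (after one symbol of context the next symbol is known, and no sequence is unique, so the corrective term stays 0), while on the exponential series it stays above 2 bits; the first-order EN(x_1) separates the two by how many distinct delay values each uses. Binning with edges learned from the series under test is the simplest choice; a deployment would fix the edges from a training sample of legitimate traffic so that scores are comparable across samples.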
Experimental Evaluation
Covert Timing Channels: IPCTC, TRCTC, JitterBug
Detection Tests: regularity test (regularity), Kolmogorov-Smirnov test (KSTEST), entropy test (EN), corrected conditional entropy test (CCE)
Experimental Evaluation
IPCTC: 100x 2000 HTTP inter-packet delays
enhancement: the time interval t is rotated among 40ms, 60ms, and 80ms
avoids creating a regular pattern at multiples of the time interval t
Experimental Evaluation
IPCTC test scores

| test | LEGIT-HTTP mean | LEGIT-HTTP stdev | IPCTC mean | IPCTC stdev |
| --- | --- | --- | --- | --- |
| KSTEST | 0.180 | 0.077 | 0.708 | 0.000 |
| regularity | 35.726 | 36.635 | 0.330 | 0.056 |
| EN | 17.794 | 0.862 | 3.059 | 0.032 |
| CCE | 1.964 | 0.149 | 2.216 | 0.013 |
Experimental Evaluation
IPCTC detection rates

| test | LEGIT-HTTP false positive | IPCTC true positive |
| --- | --- | --- |
| KSTEST | 0.01 | 1.00 |
| regularity | 0.01 | 0.49 |
| EN | 0.01 | 1.00 |
| CCE | 0.01 | 1.00 |
Experimental Evaluation
TRCTC: 100x 2000 HTTP inter-packet delays
the distribution of inter-packet delays is close to the legitimate distribution, but with no correlations
Experimental Evaluation
TRCTC test scores

| test | LEGIT-HTTP mean | LEGIT-HTTP stdev | TRCTC mean | TRCTC stdev |
| --- | --- | --- | --- | --- |
| KSTEST | 0.180 | 0.077 | 0.180 | 0.077 |
| regularity | 35.726 | 36.635 | 7.845 | 9.324 |
| EN | 17.794 | 0.862 | 17.794 | 0.861 |
| CCE | 1.964 | 0.149 | 2.217 | 0.012 |
Experimental Evaluation
[Figure: CCE scores for the TRCTC and LEGIT samples.]
Experimental Evaluation
TRCTC detection rates

| test | LEGIT-HTTP false positive | TRCTC true positive |
| --- | --- | --- |
| KSTEST | 0.01 | 0.02 |
| regularity | 0.01 | 0.04 |
| EN | 0.01 | 0.02 |
| CCE | 0.01 | 1.00 |
Experimental Evaluation
JitterBug: 100x 2000 SSH inter-packet delays
the distribution of inter-packet delays is close to the legitimate distribution, but with small delays added
enhancement: a random sequence s_i is subtracted before the modulo operation
avoids creating a regular pattern at multiples of the timing window w
Experimental Evaluation
JitterBug test scores

| test | LEGIT-SSH mean | LEGIT-SSH stdev | JitterBug mean | JitterBug stdev |
| --- | --- | --- | --- | --- |
| KSTEST | 0.270 | 0.133 | 0.273 | 0.123 |
| regularity | 6.230 | 5.847 | 6.038 | 5.624 |
| EN | 19.422 | 1.856 | 9.432 | 1.253 |
| CCE | 1.779 | 0.261 | 1.837 | 0.220 |
Experimental Evaluation
[Figure: EN scores for the JitterBug and LEGIT samples.]
Experimental Evaluation
JitterBug detection rates

| test | LEGIT-HTTP false positive | JitterBug true positive |
| --- | --- | --- |
| KSTEST | 0.01 | 0.01 |
| regularity | 0.01 | 0.02 |
| EN | 0.01 | 1.00 |
| CCE | 0.01 | 0.04 |
Potential Countermeasures
TRCTC: replay longer correlated sequences; this would reduce the capacity
JitterBug: use a smaller timing window w; again, this would reduce the capacity
Conclusion
The regularity test has problems with the high variation of legitimate traffic; it fails for all covert timing channels tested
The Kolmogorov-Smirnov test has problems when the distribution of covert traffic is close to the distribution of legitimate traffic; it fails for JitterBug and TRCTC
Conclusion
CCE detects abnormal regularity
EN detects abnormal shape
In combination, our entropy-based approach is effective on all of the covert timing channels tested
Questions?
Thank You!