Detecting Covert Timing Channels: An Entropy-Based Approach

Post on 23-Jan-2016


Detecting Covert Timing Channels: An Entropy-Based Approach

Steven Gianvecchio, Haining Wang

College of William and Mary

ACM CCS 2007 Detecting Covert Timing Channels: An Entropy-Based Approach 2

Outline

- Background
- Covert Timing Channels
- Detection Methods
- Entropy-Based Approach
- Experimental Evaluation
- Potential Countermeasures
- Conclusion

Background

Covert Channels:
- covert channel: manipulates a shared resource to transfer information
- the goal is to hide communication (or hide extra communication) with a host:
  - steal sensitive data (e.g., keys or passwords)
  - hide other illicit communications

Background

Types of Covert Channels (the shared resource determines the type):
- covert storage channels, e.g., packet header fields
- covert timing channels, e.g., packet arrival times

Covert Timing Channels

Types of Covert Timing Channels:
- active: generates additional traffic
- passive: manipulates existing traffic

(Figure: two scenarios of a covert timing channel passing a firewall/IDS. Scenario 1: a compromised machine, active or passive. Scenario 2: a compromised input device, passive.)

Covert Timing Channels

Covert Timing Channels:
- IP Covert Timing Channel or IPCTC (Cabuk 2004)
- Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
- JitterBug (Shah 2006)

Covert Timing Channels

IP Covert Timing Channel or IPCTC (Cabuk 2004):
- 1-bit: send a packet
- 0-bit: do nothing

(Figure: time divided into intervals of length t, labelled 1-bit, 0-bit, 1-bit, 0-bit; a packet is sent in each 1-bit interval and none in a 0-bit interval.)

Covert Timing Channels

Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006):
- replay a sample of legitimate traffic
- bin 0 < cutoff < bin 1
- 1-bit: replay from bin 1
- 0-bit: replay from bin 0
- by construction, the distribution of inter-packet delays is close to the legitimate distribution

Covert Timing Channels

JitterBug (Shah 2006):
- 0-bit: increase the delay until it is 0 modulo w
- 1-bit: increase the delay until it is ceil(w/2) modulo w
- the timing window w is the maximum delay that can be added
- for small w, the distribution of inter-packet delays is close to the legitimate distribution

Detection Methods

Types of Detection Tests:
- shape: relates to first-order statistics (statistics of singles), invariant under permutations of the data
- regularity: relates to second- or higher-order statistics (statistics of doubles, triples, etc.)

Detection Methods

Tests of Shape: Kolmogorov-Smirnov test

$$\mathrm{KSTEST} = \max_x |s_1(x) - s_2(x)|$$

where $s_1$ and $s_2$ are distribution functions

Tests of Regularity: the regularity test (Cabuk 2004)

$$\mathrm{regularity} = \mathrm{STDEV}\left(\frac{|\sigma_i - \sigma_j|}{\sigma_i},\ i < j,\ \forall i, j\right)$$
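An added implementation of the two baseline tests just defined, written for this page and not taken from the paper or the authors' code: KSTEST between two delay samples, and the regularity test over consecutive windows of delays. The window size, the use of the population standard deviation and the traces in the demo block are assumptions, constructed here.

```python
import random
import statistics
from bisect import bisect_right

def ks_test(s1, s2):
    """KSTEST = max_x |S1(x) - S2(x)|, where S1 and S2 are the empirical
    distribution functions of two delay samples (e.g. legitimate vs. observed)."""
    a, b = sorted(s1), sorted(s2)
    return max(abs(bisect_right(a, x) / len(a) - bisect_right(b, x) / len(b))
               for x in a + b)

def regularity_test(delays, window):
    """regularity = STDEV(|sigma_i - sigma_j| / sigma_i, i < j) over the standard
    deviations sigma_i of consecutive windows of `window` delays (Cabuk 2004).
    Assumptions: population stdev, and windows with sigma_i = 0 are skipped."""
    sigmas = [statistics.pstdev(delays[k:k + window])
              for k in range(0, len(delays) - window + 1, window)]
    ratios = [abs(si - sj) / si for i, si in enumerate(sigmas) if si > 0
              for sj in sigmas[i + 1:]]
    return statistics.pstdev(ratios) if len(ratios) > 1 else 0.0

if __name__ == "__main__":
    rng = random.Random(7)
    # constructed traces: legitimate-like delays whose spread changes from one
    # block of 50 to the next, and a covert-like trace cycling through two delays
    legit = [rng.random() * (0.02 + 0.1 * (k // 50 % 3)) for k in range(300)]
    covert = [0.04, 0.08] * 150
    print("KSTEST(legit, covert) =", round(ks_test(legit, covert), 3))
    for name, trace in (("legit", legit), ("covert", covert)):
        print(f"regularity({name}) =", round(regularity_test(trace, 10), 3))
```

The legitimate-like trace scores a large regularity value because its windows vary in spread, which is the "high variation of legitimate traffic" problem the conclusion slide names; the cycling trace scores exactly 0.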

Motivation

- There are a number of other tests
- However, no previous test is effective at detecting a wide range of different covert timing channels
- Our goal is to develop a better solution: an entropy-based approach, using entropy and conditional entropy

Entropy

(Figure: a scale of entropy rate from 0, predictable, to max, unpredictable, labelled regular, complex, random.)

In general, the creation of covert timing channels has some effect on entropy:
- entropy is a measure of information
- covert timing channels transfer information

Entropy

The entropy of a series:

$$H(x_1,\ldots,x_m) = -\sum P(x_1,\ldots,x_m)\,\log P(x_1,\ldots,x_m)$$

The conditional entropy of a series:

$$H(x_m \mid x_1,\ldots,x_{m-1}) = H(x_1,\ldots,x_m) - H(x_1,\ldots,x_{m-1})$$

The entropy rate of a process:

$$H(X) = \lim_{m\to\infty} H(x_m \mid x_1,\ldots,x_{m-1})$$

Entropy Estimation

- The data is binned in Q bins, e.g., 0.0 < bin1 ≤ 0.22, 0.22 < bin2 ≤ 0.51, etc.
- The "true" probabilities are replaced with empirical probabilities of bin sequences:

$$P(\text{sequence } S) = \frac{\text{number of occurrences of } S}{\text{total number of sequences}}$$

- The entropy estimate is EN
- The conditional entropy estimate is CE

Entropy Estimation

$$CE(x_m \mid x_1,\ldots,x_{m-1}) = EN(x_1,\ldots,x_m) - EN(x_1,\ldots,x_{m-1})$$

- number of possible sequences: $Q^m$
- CE tends to 0 as m increases, because of unique sequences in the data

(Figure: CE plotted against m from 1 to 15, entropy axis from 0.0 to 2.2; graph adapted from Porta 1998.)

Entropy Estimation

$$CCE(x_m \mid x_1,\ldots,x_{m-1}) = CE(x_m \mid x_1,\ldots,x_{m-1}) + perc(x_m)\cdot EN(x_1)$$

- the corrective term uses perc, the percentage of unique sequences in the data

(Figure: CE and CCE plotted against m from 1 to 15, entropy axis from 0.0 to 2.2; graph adapted from Porta 1998.)

Entropy Estimation

- The minimum of CCE is the best choice for m

(Figure: CCE plotted against m from 1 to 15, entropy axis from 0.0 to 2.2, with its minimum at m = 4; graph adapted from Porta 1998.)

Entropy-Based Approach

The corrected conditional entropy test (Porta 1998) estimates the entropy rate, Q = 5, m varies:

$$\min_m CCE(x_m \mid x_1,\ldots,x_{m-1})$$

The entropy test estimates the first-order entropy, Q = 2^16, m = 1:

$$EN(x_1)$$
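An added implementation of the entropy estimation and the two tests on these slides, written for this page and not taken from the paper or the authors' code: it bins a delay trace, computes EN(x_1), CE and the corrected CCE with Porta's perc term, and takes the minimum CCE over m. The bin edges, Q = 3 (the slides use Q = 5 for CCE and Q = 2^16 for EN) and the constructed traces are assumptions: a correlated "legit" trace, a "replay" trace with the same bin distribution but no correlations (the TRCTC situation), and a periodic one.

```python
import math
import random
from bisect import bisect_left
from collections import Counter
EDGES = [0.033, 0.066]  # Q = 3 bins (the slides use Q = 5 for CCE, Q = 2^16 for EN)

def bin_delays(delays, edges=EDGES):
    """Bin index 0..Q-1 per delay; edges are the upper edges of bins 0..Q-2."""
    return [bisect_left(edges, d) for d in delays]

def _entropy(counts, n):
    """EN = -sum P(S) log2 P(S), with P(S) = occurrences of sequence S / total."""
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def entropy_test(symbols):
    """EN(x_1): the first-order entropy, i.e. the shape test."""
    return _entropy(Counter(symbols), len(symbols))

def corrected_conditional_entropy(symbols, m):
    """CCE = CE + perc * EN(x_1), with CE = EN(length-m sequences) - EN(their
    (m-1)-prefixes, same windows) and perc the fraction of once-only sequences."""
    n = len(symbols) - m + 1
    counts = Counter(tuple(symbols[i:i + m]) for i in range(n))
    prefix = Counter()
    for pattern, c in counts.items():
        prefix[pattern[:-1]] += c
    ce = _entropy(counts, n) - _entropy(prefix, n)
    perc = sum(1 for c in counts.values() if c == 1) / n
    return ce + perc * entropy_test(symbols)

def cce_test(symbols, m_max=15):
    """Entropy-rate estimate: the minimum CCE over pattern lengths m = 1..m_max."""
    return min(corrected_conditional_entropy(symbols, m)
               for m in range(1, min(m_max, len(symbols)) + 1))

def constructed_traces(n=2000, seed=2007):
    """Constructed traces (seconds): 'legit' keeps the previous bin w.p. 0.7, 'replay'
    draws the same bins independently (like TRCTC), 'periodic' repeats 3 delays."""
    rng = random.Random(seed)
    legit, replay, state = [], [], 0
    for _ in range(n):
        if rng.random() >= 0.7:
            state = int(rng.random() * 3)
        legit.append((state + rng.random()) * 0.033)
        replay.append((int(rng.random() * 3) + rng.random()) * 0.033)
    return {"legit": legit, "replay": replay, "periodic": [0.01, 0.045, 0.08] * (n // 3)}

if __name__ == "__main__":
    for name, s in ((k, bin_delays(v)) for k, v in constructed_traces().items()):
        print(f"{name:9s} EN = {entropy_test(s):.3f}  CCE = {cce_test(s):.3f}")
```

EN comes out about the same for the legit and replay traces while CCE is clearly higher for the uncorrelated replay trace, which is the pattern in the TRCTC score table; the periodic trace gives CCE = 0.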


Experimental Evaluation

Covert Timing Channels:
- IPCTC
- TRCTC
- JitterBug

Detection Tests:
- regularity test (regularity)
- Kolmogorov-Smirnov test (KSTEST)
- entropy test (EN)
- corrected conditional entropy test (CCE)

Experimental Evaluation

IPCTC: 100 x 2000 HTTP inter-packet delays
- enhancement: the time interval t is rotated among 40ms, 60ms, and 80ms
- this avoids creating a regular pattern at multiples of the time interval t

Experimental Evaluation

IPCTC test scores

            LEGIT-HTTP          IPCTC
            mean     stdev      mean     stdev
KSTEST      0.180    0.077      0.708    0.000
regularity  35.726   36.635     0.330    0.056
EN          17.794   0.862      3.059    0.032
CCE         1.964    0.149      2.216    0.013

Experimental Evaluation

IPCTC detection rates

            LEGIT-HTTP        IPCTC
            false positive    true positive
KSTEST      0.01              1.00
regularity  0.01              0.49
EN          0.01              1.00
CCE         0.01              1.00

Experimental Evaluation

TRCTC: 100 x 2000 HTTP inter-packet delays
- the distribution of inter-packet delays is close to the legitimate distribution, but with no correlations

Experimental Evaluation

TRCTC test scores

            LEGIT-HTTP          TRCTC
            mean     stdev      mean     stdev
KSTEST      0.180    0.077      0.180    0.077
regularity  35.726   36.635     7.845    9.324
EN          17.794   0.862      17.794   0.861
CCE         1.964    0.149      2.217    0.012

Experimental Evaluation

(Figure: CCE scores of TRCTC versus LEGIT traffic.)

Experimental Evaluation

TRCTC detection rates

            LEGIT-HTTP        TRCTC
            false positive    true positive
KSTEST      0.01              0.02
regularity  0.01              0.04
EN          0.01              0.02
CCE         0.01              1.00

Experimental Evaluation

JitterBug: 100 x 2000 SSH inter-packet delays
- the distribution of inter-packet delays is close to the legitimate distribution, but with small delays added
- enhancement: a random sequence s_i is subtracted before the modulo operation
- this avoids creating a regular pattern at multiples of the timing window w

Experimental Evaluation

JitterBug test scores

            LEGIT-SSH           JitterBug
            mean     stdev      mean     stdev
KSTEST      0.270    0.133      0.273    0.123
regularity  6.230    5.847      6.038    5.624
EN          19.422   1.856      9.432    1.253
CCE         1.779    0.261      1.837    0.220

Experimental Evaluation

(Figure: EN scores of JitterBug versus LEGIT traffic.)

Experimental Evaluation

JitterBug detection rates

            LEGIT-HTTP        JitterBug
            false positive    true positive
KSTEST      0.01              0.01
regularity  0.01              0.02
EN          0.01              1.00
CCE         0.01              0.04

Potential Countermeasures

- TRCTC: replay longer correlated sequences; this would reduce the capacity
- JitterBug: use a smaller timing window w; again, this would reduce the capacity

Conclusion

- The regularity test has problems with the high variation of legitimate traffic; it fails for all covert timing channels tested
- The Kolmogorov-Smirnov test has problems when the distribution of covert traffic is close to the distribution of legitimate traffic; it fails for JitterBug and TRCTC

Conclusion

- CCE detects abnormal regularity
- EN detects abnormal shape
- In combination, our entropy-based approach is effective on all of the covert timing channels tested

Questions?

Thank You!
