Detecting Covert Timing Channels: An Entropy-Based Approach


Page 1: Detecting Covert Timing Channels: An Entropy-Based Approach

Detecting Covert Timing Channels: An Entropy-Based Approach

Steven Gianvecchio, Haining Wang
College of William and Mary

Page 2

ACM CCS 2007 Detecting Covert Timing Channels: An Entropy-Based Approach 2

Outline

- Background
- Covert Timing Channels
- Detection Methods
- Entropy-Based Approach
- Experimental Evaluation
- Potential Countermeasures
- Conclusion


Page 4

Background

Covert Channels:
- covert channel - manipulates a shared resource to transfer information
- The goal is to hide communication (or hide extra communication) with a host
  - steal sensitive data (e.g., keys or passwords)
  - hide other illicit communications

Page 5

Background

Types of Covert Channels: the shared resource determines the type
- covert storage channels, e.g., packet header fields
- covert timing channels, e.g., packet arrival times


Page 7

Covert Timing Channels

Types of Covert Timing Channels:
- active - generates additional traffic
- passive - manipulates existing traffic

(figure: two scenarios. Scenario 1, active or passive: compromised machine, covert timing channel, firewall/IDS. Scenario 2, passive: compromised input device, covert timing channel, firewall/IDS)

Page 8

Covert Timing Channels

Covert Timing Channels:
- IP Covert Timing Channel or IPCTC (Cabuk 2004)
- Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
- JitterBug (Shah 2006)

Page 9

Covert Timing Channels

IP Covert Timing Channel or IPCTC (Cabuk 2004)
- 1-bit: send a packet
- 0-bit: do nothing

(figure: a timeline divided into intervals of length t, labelled 1-bit, 0-bit, 1-bit, 0-bit; a packet is sent in each 1-bit interval and none in a 0-bit interval)

Page 10

Covert Timing Channels

Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
- replay a sample of legitimate traffic
- the sample is split at a cutoff delay: delays below the cutoff form bin 0, delays above it form bin 1 (bin 0 < cutoff < bin 1)
- 1-bit: replay from bin 1
- 0-bit: replay from bin 0
- by construction, the distribution of inter-packet delays is close to the legitimate distribution

Page 11

Covert Timing Channels

JitterBug (Shah 2006)
- 0-bit: increase the delay so that it is 0 modulo w
- 1-bit: increase the delay so that it is ceil(w/2) modulo w
- the timing window w is the maximum delay that can be added
- for small w, the distribution of inter-packet delays is close to the legitimate distribution


Page 13

Detection Methods

Types of Detection Tests:
- shape - relates to first-order statistics
  - statistics of singles
  - invariant on permutations of the data
- regularity - relates to second or higher-order statistics
  - statistics of doubles, triples, etc.

Page 14

Detection Methods

Tests of Shape: Kolmogorov-Smirnov test

$$\mathrm{KSTEST} = \max_x \lvert s_1(x) - s_2(x) \rvert$$

where s1 and s2 are distribution functions

Tests of Regularity: the regularity test (Cabuk 2004)

$$\mathrm{regularity} = \mathrm{STDEV}\left(\frac{\lvert \sigma_i - \sigma_j \rvert}{\sigma_i},\ i < j,\ \forall i, j\right)$$

where σ_i is the standard deviation of the i-th window of inter-packet delays
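The two baseline tests on this slide, as an added example that is not the authors' code: KSTEST over the empirical distribution functions of two samples, and the Cabuk 2004 regularity score over fixed-size windows. The 100-delay window, the two-phase legitimate-like series and the clock-driven series are constructed assumptions for the demonstration.

```python
import bisect
import random
from statistics import pstdev

def ks_test(s1, s2):
    """KSTEST = max over x of |S1(x) - S2(x)|, with S1, S2 the empirical distribution functions."""
    a, b = sorted(s1), sorted(s2)
    return max(abs(bisect.bisect_right(a, x) / len(a) - bisect.bisect_right(b, x) / len(b))
               for x in a + b)

def regularity(delays, window=100):
    """Regularity test (Cabuk 2004): sigma_i is the standard deviation of window i of the
    delay series; the score is STDEV(|sigma_i - sigma_j| / sigma_i) over all pairs i < j."""
    sig = [pstdev(delays[k:k + window]) for k in range(0, len(delays) - window + 1, window)]
    ratios = [abs(sig[i] - sig[j]) / sig[i]
              for i in range(len(sig)) for j in range(i + 1, len(sig)) if sig[i] > 0]
    return pstdev(ratios) if ratios else 0.0

# Constructed inputs (milliseconds), not data from the paper:
# LEGIT alternates 300-delay phases of fast (mean 10 ms) and slow (mean 200 ms) exponential
# delays, so its window variance swings widely, as the slides say legitimate traffic does;
# REGULAR is a clock-driven series in which every window has identical variance.
_rng = random.Random(7)
LEGIT = [_rng.expovariate(1 / 10 if (i // 300) % 2 == 0 else 1 / 200) for i in range(2000)]
LEGIT2 = [_rng.expovariate(1 / 10 if (i // 300) % 2 == 0 else 1 / 200) for i in range(2000)]
REGULAR = [80.0 if i % 2 == 0 else 40.0 for i in range(2000)]

if __name__ == "__main__":
    print("regularity  legit=%.3f  regular=%.3f" % (regularity(LEGIT), regularity(REGULAR)))
    print("KSTEST      legit vs legit2=%.3f  legit vs regular=%.3f"
          % (ks_test(LEGIT, LEGIT2), ks_test(LEGIT, REGULAR)))
```

A near-zero regularity score singles out the clock-driven series, while the legitimate-like series scores high because its window variance swings, which is the weakness the conclusion slide names.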

Page 15

Motivation
- There are a number of other tests
- However, no previous test is effective at detecting a wide range of different covert timing channels
- Our goal is to develop a better solution
  - entropy-based approach
  - entropy and conditional entropy


Page 17

Entropy

(figure: entropy rate on a scale from 0 to max; ◄ predictable (regular) ... complex ... random (unpredictable) ►)

In general, the creation of covert timing channels has some effect on entropy
- entropy is a measure of information
- covert timing channels transfer information

Page 18

Entropy

The entropy of a series:

$$H(x_1, \ldots, x_m) = -\sum_{x_1, \ldots, x_m} P(x_1, \ldots, x_m) \log P(x_1, \ldots, x_m)$$

The conditional entropy of a series:

$$H(x_m \mid x_1, \ldots, x_{m-1}) = H(x_1, \ldots, x_m) - H(x_1, \ldots, x_{m-1})$$

The entropy rate of a process:

$$H(X) = \lim_{m \to \infty} H(x_m \mid x_1, \ldots, x_{m-1})$$

Page 19

Entropy Estimation
- The data is binned in Q bins, e.g., 0.0 < bin1 ≤ 0.22, 0.22 < bin2 ≤ 0.51, etc.
- The "true" probabilities are replaced with empirical probabilities of bin sequences

$$P(\text{sequence } S) = \frac{\text{number of occurrences of } S}{\text{total number of sequences}}$$

- The entropy estimate is EN
- The conditional entropy estimate is CE

Page 20

$$CE(x_m \mid x_1, \ldots, x_{m-1}) = EN(x_1, \ldots, x_m) - EN(x_1, \ldots, x_{m-1})$$

CE tends to 0 as m increases because of unique sequences in the data: the number of possible sequences is Q^m, so for large m most observed length-m sequences occur only once, EN(x_1, ..., x_m) stops growing, and the difference CE collapses toward 0.

(figure: CE plotted against m from 1 to 15, entropy axis 0.0 to 2.2; graph adapted from Porta 1998)

Page 21

$$CCE(x_m \mid x_1, \ldots, x_{m-1}) = CE(x_m \mid x_1, \ldots, x_{m-1}) + perc(x_m) \cdot EN(x_1)$$

corrective term: perc(x_m) · EN(x_1), where perc is the percentage of unique sequences in the data

(figure: CE and CCE plotted against m from 1 to 15, entropy axis 0.0 to 2.2; graph adapted from Porta 1998)

Page 22

The minimum of CCE is the best choice for m

(figure: CCE plotted against m from 1 to 15, entropy axis 0.0 to 2.2, with the minimum marked at m=4; graph adapted from Porta 1998)

Page 23

Entropy-Based Approach
- The corrected conditional entropy test (Porta 1998) estimates the entropy rate: Q=5, m varies

$$\min_m CCE(x_m \mid x_1, \ldots, x_{m-1})$$

- The entropy test estimates the first-order entropy: Q=2^16, m=1

$$EN(x_1)$$
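The estimation pipeline of pages 19-23 end to end, as an added example rather than the paper's own code: equiprobable bins fixed from a training sample (an assumed binning strategy), EN over bin sequences, CE as a difference of EN values, the perc corrective term, and the minimum over m. The Markov burst/idle source, its shuffled copy (TRCTC-like: same distribution, no correlations) and its grid-aligned copy (JitterBug-like shape change) are constructed inputs.

```python
import bisect, math, random
from collections import Counter

def make_bins(train, q):
    """Equiprobable bin edges from a training sample (assumed: Q bins of equal training mass)."""
    s = sorted(train)
    return [s[len(s) * k // q] for k in range(1, q)]

def to_bins(delays, edges):
    """Bin index 0..Q-1 per delay; a value equal to an edge stays in the lower bin (0.0 < bin1 <= 0.22)."""
    return [bisect.bisect_left(edges, d) for d in delays]

def en(symbols, m):
    """EN(x1..xm) in bits over length-m bin sequences, and perc = fraction of sequences seen once."""
    seqs = Counter(tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1))
    total = sum(seqs.values())
    h = -sum(c / total * math.log2(c / total) for c in sorted(seqs.values()))
    return h, sum(1 for c in seqs.values() if c == 1) / total

def cce_test(symbols, max_m=15):
    """Corrected conditional entropy test: min over m of CE(m) + perc(m) * EN(1) (Porta 1998)."""
    en1, _ = en(symbols, 1)
    prev, best = 0.0, math.inf
    for m in range(1, max_m + 1):
        en_m, perc = en(symbols, m)
        ce = en_m - prev                    # CE(x_m | x_1..x_{m-1}) = EN(x_1..x_m) - EN(x_1..x_{m-1})
        best = min(best, ce + perc * en1)   # corrective term grows as unique sequences dominate
        prev = en_m
    return best

def burst_idle_delays(n, seed):
    """Constructed stand-in for legitimate traffic: a two-state (burst/idle) Markov source with
    exponential delays in ms, so consecutive inter-packet delays are correlated."""
    rng, state, out = random.Random(seed), 0, []
    for _ in range(n):
        state ^= rng.random() < 0.1          # switch state with probability 0.1
        out.append(rng.expovariate(1 / 10) if state == 0 else rng.expovariate(1 / 200))
    return out

TRAIN = burst_idle_delays(2000, 1)                       # training sample used to fix bin edges
LEGIT = burst_idle_delays(2000, 2)                       # held-out legitimate-like series
SHUFFLED = random.Random(3).sample(LEGIT, len(LEGIT))    # same distribution, correlations destroyed (TRCTC-like)
GRID = [math.ceil(d / 10) * 10 for d in LEGIT]            # delays pushed up to a 10 ms grid (JitterBug-like shape change)

def scores(delays):
    """(EN, CCE) as configured in the paper: EN with Q=2^16, m=1; CCE with Q=5, m searched."""
    en_score, _ = en(to_bins(delays, make_bins(TRAIN, 2 ** 16)), 1)
    return en_score, cce_test(to_bins(delays, make_bins(TRAIN, 5)))
if __name__ == "__main__":
    for name, d in (("legit", LEGIT), ("shuffled", SHUFFLED), ("grid", GRID)):
        print("%-8s EN=%5.2f  CCE=%4.2f" % ((name,) + scores(d)))
```

The shuffled copy keeps EN identical to the legitimate-like series but raises CCE, and the grid-aligned copy keeps CCE close while EN drops, which is the split between the two tests that the evaluation slides report.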


Page 25

Experimental Evaluation

Covert Timing Channels:
- IPCTC
- TRCTC
- JitterBug

Detection Tests:
- regularity test (regularity)
- Kolmogorov-Smirnov test (KSTEST)
- entropy test (EN)
- corrected conditional entropy test (CCE)

Page 26

Experimental Evaluation

IPCTC
- 100 x 2000 HTTP inter-packet delays
- enhancement: the time interval t is rotated among 40ms, 60ms, and 80ms
  - avoids creating a regular pattern at multiples of the time interval t

Page 27

Experimental Evaluation

IPCTC test scores

                LEGIT-HTTP            IPCTC
                mean      stdev       mean      stdev
KSTEST           0.180     0.077       0.708     0.000
regularity      35.726    36.635       0.330     0.056
EN              17.794     0.862       3.059     0.032
CCE              1.964     0.149       2.216     0.013


Page 29

Experimental Evaluation

IPCTC detection rates

                LEGIT-HTTP        IPCTC
                false positive    true positive
KSTEST          0.01              1.00
regularity      0.01              0.49
EN              0.01              1.00
CCE             0.01              1.00

Page 30

Experimental Evaluation

TRCTC
- 100 x 2000 HTTP inter-packet delays
- the distribution of inter-packet delays is close to the legitimate distribution, but with no correlations

Page 31

Experimental Evaluation

TRCTC test scores

                LEGIT-HTTP            TRCTC
                mean      stdev       mean      stdev
KSTEST           0.180     0.077       0.180     0.077
regularity      35.726    36.635       7.845     9.324
EN              17.794     0.862      17.794     0.861
CCE              1.964     0.149       2.217     0.012

Page 32

Experimental Evaluation

(figure: CCE scores for TRCTC and LEGIT)

Page 33

Experimental Evaluation

TRCTC detection rates

                LEGIT-HTTP        TRCTC
                false positive    true positive
KSTEST          0.01              0.02
regularity      0.01              0.04
EN              0.01              0.02
CCE             0.01              1.00

Page 34

Experimental Evaluation

JitterBug
- 100 x 2000 SSH inter-packet delays
- the distribution of inter-packet delays is close to the legitimate distribution, but with small delays added
- enhancement: a random sequence s_i is subtracted before the modulo operation
  - avoids creating a regular pattern at multiples of the timing window w

Page 35

Experimental Evaluation

JitterBug test scores

                LEGIT-SSH             JitterBug
                mean      stdev       mean      stdev
KSTEST           0.270     0.133       0.273     0.123
regularity       6.230     5.847       6.038     5.624
EN              19.422     1.856       9.432     1.253
CCE              1.779     0.261       1.837     0.220

Page 36

Experimental Evaluation

(figure: EN scores for JitterBug and LEGIT)

Page 37

Experimental Evaluation

JitterBug detection rates

                LEGIT-HTTP        JitterBug
                false positive    true positive
KSTEST          0.01              0.01
regularity      0.01              0.02
EN              0.01              1.00
CCE             0.01              0.04


Page 39

Potential Countermeasures
- TRCTC: replay longer correlated sequences; this would reduce the capacity
- JitterBug: use a smaller timing window w; again, this would reduce the capacity

Page 40

Conclusion
- The regularity test has problems with the high variation of legitimate traffic
  - fails for all covert timing channels tested
- The Kolmogorov-Smirnov test has problems when the distribution of covert traffic is close to the distribution of legitimate traffic
  - fails for JitterBug and TRCTC

Page 41

Conclusion
- CCE detects abnormal regularity
- EN detects abnormal shape
- In combination, our entropy-based approach is effective on all of the covert timing channels tested

Page 42

Questions?

Thank You!