Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Detection of covert channels in TCP retransmissions

: Zillien, Sebastian; Wendzel, Steffen


Gruschka, N.:
Secure IT systems. 23rd Nordic conference, NordSec 2018. Proceedings : Oslo, Norway, November 28-30, 2018
Cham: Springer International Publishing, 2018 (Lecture Notes in Computer Science 11252)
ISBN: 978-3-030-03637-9 (Print)
ISBN: 978-3-030-03638-6 (Online)
ISBN: 3-030-03637-5
Nordic Conference on Secure IT Systems (NordSec) <23, 2018, Oslo>
Conference Paper
Fraunhofer FKIE ()

In this paper we describe the implementation and detection of a network covert channel based on TCP retransmissions. For the detection, we implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based covert channels, namely the ϵ-similarity and the compressibility. The ε-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can be applied to the detection of retransmission-based covert channels, i.e. we performed a so-called countermeasure variation.
Our initial results indicate that the ε-similarity can be considered a promising detection method for retransmission-based covert channels while the compressibility itself provides insufficient results but could potentially be used as a classification feature.