Detecting Covert Timing Channels:An Entropy-Based Approach
Steven Gianvecchio Haining Wang
College of William and Mary
ACM CCS 2007 Detecting Covert Timing Channels: An Entropy-Based Approach 2
Outline
Background
Covert Timing Channels
Detection Methods
Entropy-Based Approach
Experimental Evaluation
Potential Countermeasures
Conclusion
Background
Covert Channels:
covert channel - manipulates a shared resource to transfer information
The goal is to hide communication (or hide extra communication) with a host:
steal sensitive data (e.g., keys or passwords)
hide other illicit communications
Background
Types of Covert Channels: the shared resource determines the type
covert storage channels, e.g., packet header fields
covert timing channels, e.g., packet arrival times
Covert Timing Channels
Types of Covert Timing Channels:
active - generates additional traffic
passive - manipulates existing traffic
[Figure: Scenario 1 - a compromised machine behind a firewall/IDS runs the covert timing channel (active or passive); Scenario 2 - a compromised input device behind a firewall/IDS drives the covert timing channel (passive)]
Covert Timing Channels
Covert Timing Channels:
IP Covert Timing Channel or IPCTC (Cabuk 2004)
Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
JitterBug (Shah 2006)
Covert Timing Channels
IP Covert Timing Channel or IPCTC (Cabuk 2004):
1-bit: send a packet
0-bit: do nothing
[Figure: timeline divided into intervals of length t; an interval containing a packet encodes a 1-bit, an empty interval a 0-bit]
Covert Timing Channels
Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006):
replay a sample of legitimate traffic, split into two bins by a cutoff: bin 0 < cutoff < bin 1
1-bit: replay from bin 1
0-bit: replay from bin 0
by construction, the distribution of inter-packet delays is close to the legitimate distribution
Covert Timing Channels
JitterBug (Shah 2006):
0-bit: increase the inter-packet delay until it is a multiple of w (delay mod w = 0)
1-bit: increase the inter-packet delay until delay mod w = ceil(w/2)
the timing window w is the maximum delay that can be added
for small w, the distribution of inter-packet delays is close to the legitimate distribution
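The three encodings above, written out as an added example (this is not code from the paper or from the cited channel authors). Inter-packet delays are in milliseconds; the "legitimate" sample is constructed from an exponential distribution as a stand-in for real HTTP/SSH timing, and the slides' enhancements (rotating t, subtracting a random sequence s_i) are left out so the basic encoding stays visible.

```python
"""Reference encoders/decoders for IPCTC, TRCTC and JitterBug.
Added example, not the paper's code. All delays are in milliseconds."""
import math
import random


def bits_of(msg: bytes):
    """Yield the bits of msg, most significant bit first."""
    for byte in msg:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def make_legit_sample(n, mean_ms=50.0, seed=1):
    """Constructed stand-in for legitimate inter-packet delays (IPDs)."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean_ms) for _ in range(n)]


# IPCTC (Cabuk 2004): time is cut into intervals of length t; a packet in
# an interval is a 1-bit, an empty interval is a 0-bit.
def ipctc_encode(bits, t=40.0):
    """Return the IPDs of the packets actually sent (all multiples of t).
    The first IPD is measured from the start of the channel."""
    ipds, intervals = [], 0
    for b in bits:
        intervals += 1                  # this interval is consumed either way
        if b == 1:
            ipds.append(intervals * t)  # packet after `intervals` interval(s)
            intervals = 0
    return ipds                         # trailing 0-bits send nothing


def ipctc_decode(ipds, t=40.0):
    bits = []
    for d in ipds:
        spanned = round(d / t)          # intervals covered by this gap
        bits.extend([0] * (spanned - 1) + [1])
    return bits


# TRCTC (Cabuk 2006): replay recorded legitimate IPDs, drawn from bin 0
# (<= cutoff) for a 0-bit and from bin 1 (> cutoff) for a 1-bit.
def trctc_encode(bits, sample, cutoff, rng=random):
    bin0 = [d for d in sample if d <= cutoff]
    bin1 = [d for d in sample if d > cutoff]
    return [rng.choice(bin1 if b else bin0) for b in bits]


def trctc_decode(ipds, cutoff):
    return [1 if d > cutoff else 0 for d in ipds]


# JitterBug (Shah 2006): add the smallest delay that makes the IPD
# congruent to 0 (0-bit) or ceil(w/2) (1-bit) modulo the window w.
def jitterbug_encode(bits, ipds, w=20):
    half = math.ceil(w / 2)
    out = []
    for b, d in zip(bits, ipds):
        target = half if b else 0
        out.append(d + (target - d) % w)   # added delay lies in [0, w)
    return out


def jitterbug_decode(ipds, w=20):
    half = math.ceil(w / 2)
    bits = []
    for d in ipds:
        r = round(d) % w                   # residue after rounding to whole ms
        dist0 = min(r, w - r)              # distance to 0 (mod w)
        dist1 = abs(r - half)              # distance to ceil(w/2)
        bits.append(0 if dist0 <= dist1 else 1)
    return bits


def demo(msg=b"key"):
    """Round-trip the message through each channel; True means lossless."""
    bits = list(bits_of(msg))
    legit = make_legit_sample(2000)
    cutoff = sorted(legit)[len(legit) // 2]        # median balances the bins
    return {
        "ipctc": ipctc_decode(ipctc_encode(bits)) == bits,
        "trctc": trctc_decode(trctc_encode(bits, legit, cutoff), cutoff) == bits,
        "jitterbug": jitterbug_decode(jitterbug_encode(bits, legit[:len(bits)])) == bits,
    }


if __name__ == "__main__":
    print(demo())
```

Note what each decoder relies on: IPCTC needs the receiver to know t, TRCTC only the cutoff, and JitterBug only w, which is why JitterBug survives small network jitter (the decoder picks the nearer residue) while IPCTC loses trailing 0-bits entirely.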
Detection Methods
Types of Detection Tests:
shape - relates to first-order statistics: statistics of single values, invariant under permutations of the data
regularity - relates to second- or higher-order statistics: statistics of pairs, triples, etc.
Detection Methods
Tests of Shape: Kolmogorov-Smirnov test
$$KSTEST = \max_x \left| s_1(x) - s_2(x) \right|$$
where s1 and s2 are the empirical distribution functions of the two samples being compared
Tests of Regularity: the regularity test (Cabuk 2004)
$$regularity = STDEV\left( \frac{|\sigma_i - \sigma_j|}{\sigma_i},\ i < j,\ \forall i, j \right)$$
where σ_i is the standard deviation of the i-th window of inter-packet delays
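Both tests as an added example (not the paper's or Cabuk's code), run on constructed delay samples. The regularity test's window size is not given on the slide; 100 delays per window is an assumption here, as is the bursty mixture used as "legitimate" traffic.

```python
"""KSTEST (shape) and the regularity test (Cabuk 2004) on constructed
inter-packet delay samples. Added example, not the paper's code."""
import random
import statistics


def ks_statistic(s1, s2):
    """KSTEST = max_x |S1(x) - S2(x)| between the empirical CDFs of s1, s2."""
    a, b = sorted(s1), sorted(s2)
    n, m = len(a), len(b)
    i = j = 0
    d = 0.0
    while i < n and j < m:
        x = min(a[i], b[j])
        while i < n and a[i] <= x:      # advance both ECDFs past x
            i += 1
        while j < m and b[j] <= x:
            j += 1
        d = max(d, abs(i / n - j / m))  # ECDF difference at x
    return d


def regularity(ipds, window=100):
    """regularity = STDEV(|sigma_i - sigma_j| / sigma_i, i < j), where sigma_i
    is the standard deviation of the i-th window of `window` delays. A low
    score means the variance barely changes between windows (a regular
    pattern); windows with zero variance are skipped to avoid dividing by 0.
    Needs at least three windows (two ratios) to be defined."""
    sigmas = [statistics.stdev(ipds[k:k + window])
              for k in range(0, len(ipds) - window + 1, window)]
    ratios = [abs(sigmas[i] - sigmas[j]) / sigmas[i]
              for i in range(len(sigmas)) for j in range(i + 1, len(sigmas))
              if sigmas[i] > 0]
    return statistics.stdev(ratios)


def demo(n=2000, seed=3):
    """Score two legitimate samples against each other and against IPCTC."""
    rng = random.Random(seed)

    def legit():
        # constructed bursty traffic: mostly short gaps, a few very long ones,
        # so the variance differs a lot from window to window
        return [rng.expovariate(1 / (5.0 if rng.random() < 0.9 else 2000.0))
                for _ in range(n)]

    ipctc = []                          # IPCTC-like: every gap is k * 40 ms
    for _ in range(n):
        k = 1
        while rng.random() < 0.5:       # 0-bits before the next 1-bit
            k += 1
        ipctc.append(40.0 * k)

    a, b = legit(), legit()
    return {
        "ks_legit_vs_legit": ks_statistic(a, b),
        "ks_legit_vs_ipctc": ks_statistic(a, ipctc),
        "regularity_legit": regularity(a),
        "regularity_ipctc": regularity(ipctc),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value:.3f}")
```

KSTEST compares only the sorted values, so it cannot see ordering; the regularity test compares windows, so it sees ordering but is thrown off when legitimate windows themselves differ wildly, which is what the slides report for HTTP traffic.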
Motivation
There are a number of other tests
However, no previous test is effective at detecting a wide range of different covert timing channels
Our goal is to develop a better solution: an entropy-based approach using entropy and conditional entropy
Entropy
[Figure: a scale of entropy rate from 0 (predictable, regular) through complex to the maximum (unpredictable, random)]
In general, the creation of covert timing channels has some effect on entropy:
entropy is a measure of information
covert timing channels transfer information
Entropy
The entropy of a series:
$$H(X_1, \ldots, X_m) = -\sum_{x_1, \ldots, x_m} P(x_1, \ldots, x_m) \log P(x_1, \ldots, x_m)$$
The conditional entropy of a series:
$$H(X_m \mid X_1, \ldots, X_{m-1}) = H(X_1, \ldots, X_m) - H(X_1, \ldots, X_{m-1})$$
The entropy rate of a process:
$$H(X) = \lim_{m \to \infty} H(X_m \mid X_1, \ldots, X_{m-1})$$
Entropy Estimation
The data is binned in Q bins, e.g., 0.0 < bin1 ≤ 0.22, 0.22 < bin2 ≤ 0.51, etc.
The "true" probabilities are replaced with empirical probabilities of bin sequences:
$$P(\text{sequence } S) = \frac{\text{number of occurrences of } S}{\text{total number of sequences}}$$
The entropy estimate is EN; the conditional entropy estimate is CE
Entropy Estimation
[Figure adapted from Porta 1998: CE plotted against m = 1..15 (entropy axis 0.0 to 2.2); CE tends to 0 as m increases]
$$CE(X_m \mid X_1, \ldots, X_{m-1}) = EN(X_1, \ldots, X_m) - EN(X_1, \ldots, X_{m-1})$$
CE tends to 0 as m increases because of unique sequences in the data: the number of possible sequences is Q^m, so for large m most observed sequences occur only once
Entropy Estimation
[Figure adapted from Porta 1998: CE and CCE plotted against m = 1..15 (entropy axis 0.0 to 2.2)]
The corrected conditional entropy adds a corrective term:
$$CCE(X_m \mid X_1, \ldots, X_{m-1}) = CE(X_m \mid X_1, \ldots, X_{m-1}) + perc(X_m) \cdot EN(X_1)$$
where perc(X_m) is the percentage of unique sequences (of length m) in the data
Entropy Estimation
[Figure adapted from Porta 1998: CCE plotted against m = 1..15 (entropy axis 0.0 to 2.2), with its minimum at m=4]
$$CCE(X_m \mid X_1, \ldots, X_{m-1}) = CE(X_m \mid X_1, \ldots, X_{m-1}) + perc(X_m) \cdot EN(X_1)$$
where perc(X_m) is the percentage of unique sequences (of length m) in the data
The minimum of CCE is the best choice for m (m=4 in the figure)
Entropy-Based Approach
The corrected conditional entropy test (Porta 1998) estimates the entropy rate, with Q=5 and m varying; the score is
$$\min_m CCE(X_m \mid X_1, \ldots, X_{m-1})$$
The entropy test estimates the first-order entropy, with Q=2^16 and m=1; the score is
$$EN(X_1)$$
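The two tests implemented end to end, as an added example that is not the paper's code: binning, EN, CE, the perc correction, and the minimum over m. The slides do not say how bin boundaries are chosen, so placing them at the quantiles of a separate training sample is an assumption, as are base-2 logarithms and the constructed "legitimate" traffic (a two-state Markov source of bursts and idle periods, so consecutive delays are correlated). The TRCTC-like sample keeps that distribution but removes the correlations; the JitterBug-like sample keeps the correlations but collapses delays onto a 10 ms lattice.

```python
"""Entropy test (EN) and corrected conditional entropy test (CCE) over binned
inter-packet delays. Added example, not the paper's code."""
import bisect
import math
import random
from collections import Counter


def bin_edges(train, q):
    """Upper boundaries of q roughly equiprobable bins (assumed quantile
    placement). For q far above the sample size (Q=2^16 on the slides) this
    degenerates to one boundary per distinct training value."""
    s = sorted(train)
    return sorted({s[(len(s) * k) // q] for k in range(1, q)})


def to_bins(ipds, edges):
    """Bin index of each delay: the first bin whose upper edge is >= d."""
    return [bisect.bisect_left(edges, d) for d in ipds]


def en(symbols, m):
    """EN(X_1..X_m): entropy (bits) of the empirical m-sequence distribution."""
    n = len(symbols) - m + 1
    counts = Counter(tuple(symbols[i:i + m]) for i in range(n))
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def perc_unique(symbols, m):
    """perc(X_m): fraction of m-sequences that occur exactly once."""
    n = len(symbols) - m + 1
    counts = Counter(tuple(symbols[i:i + m]) for i in range(n))
    return sum(1 for c in counts.values() if c == 1) / n


def cce(symbols, m):
    """CCE(X_m|X_1..X_{m-1}) = CE + perc(X_m) * EN(X_1),
    with CE = EN(X_1..X_m) - EN(X_1..X_{m-1}) and EN of the empty prefix = 0."""
    ce = en(symbols, m) - (en(symbols, m - 1) if m > 1 else 0.0)
    return ce + perc_unique(symbols, m) * en(symbols, 1)


def cce_score(ipds, edges, max_m=15):
    """Entropy-rate estimate: the minimum CCE over m, and the m attaining it."""
    syms = to_bins(ipds, edges)
    scores = {m: cce(syms, m) for m in range(1, max_m + 1)}
    best_m = min(scores, key=scores.get)
    return scores[best_m], best_m


def en_score(ipds, edges):
    """First-order entropy test: EN(X_1) over the binned delays."""
    return en(to_bins(ipds, edges), 1)


def markov_ipds(rng, n, stay=0.95, means=(5.0, 500.0)):
    """Constructed legitimate traffic: a burst state (mean 5 ms) and an idle
    state (mean 500 ms), each kept with probability `stay`, so consecutive
    delays are correlated and the entropy rate is below EN(X_1)."""
    out, state = [], 0
    for _ in range(n):
        if rng.random() > stay:
            state ^= 1
        out.append(rng.expovariate(1.0 / means[state]))
    return out


def demo(n=2000, seed=7):
    rng = random.Random(seed)
    train = markov_ipds(rng, n)              # used only to place bin edges
    legit = markov_ipds(rng, n)
    # TRCTC-like: same distribution as legit, but replay removes correlations
    trctc = [rng.choice(legit) for _ in range(n)]
    # JitterBug-like: each delay pushed up to residue 0 or 10 modulo w = 20 ms
    jitterbug = [d + ((rng.choice((0, 10)) - d) % 20) for d in legit]
    edges_cce = bin_edges(train, 5)          # CCE test: Q = 5
    edges_en = bin_edges(train, 2 ** 16)     # EN test:  Q = 2^16
    return {
        "cce_legit": cce_score(legit, edges_cce),
        "cce_trctc": cce_score(trctc, edges_cce),
        "en_legit": en_score(legit, edges_en),
        "en_jitterbug": en_score(jitterbug, edges_en),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value}")
```

On this input the CCE score of the TRCTC-like sample is higher than that of the legitimate sample (replaying destroys the burst/idle correlations, so the entropy rate rises toward EN(X_1)), and the EN score of the JitterBug-like sample is lower (the lattice of delays occupies far fewer of the 2^16 bins). The perc term is what keeps the minimum over m meaningful: without it CE alone would drift to 0 for any sample once m is large enough that every m-sequence is unique.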
Experimental Evaluation
Covert Timing Channels: IPCTC, TRCTC, JitterBug
Detection Tests:
regularity test (regularity)
Kolmogorov-Smirnov test (KSTEST)
entropy test (EN)
corrected conditional entropy test (CCE)
Experimental Evaluation
IPCTC: 100 samples x 2000 HTTP inter-packet delays
enhancement: the time interval t is rotated among 40ms, 60ms, and 80ms, which avoids creating a regular pattern at multiples of the time interval t
Experimental Evaluation
IPCTC test scores (mean and stdev over the 100 samples)
                 LEGIT-HTTP            IPCTC
                 mean      stdev       mean     stdev
KSTEST           0.180     0.077       0.708    0.000
regularity      35.726    36.635       0.330    0.056
EN              17.794     0.862       3.059    0.032
CCE              1.964     0.149       2.216    0.013
Experimental Evaluation
IPCTC detection rates
              false positive (LEGIT-HTTP)   true positive (IPCTC)
KSTEST        0.01                          1.00
regularity    0.01                          0.49
EN            0.01                          1.00
CCE           0.01                          1.00
Experimental Evaluation
TRCTC: 100 samples x 2000 HTTP inter-packet delays
the distribution of inter-packet delays is close to the legitimate distribution, but with no correlations
Experimental Evaluation
TRCTC test scores (mean and stdev over the 100 samples)
                 LEGIT-HTTP            TRCTC
                 mean      stdev       mean     stdev
KSTEST           0.180     0.077       0.180    0.077
regularity      35.726    36.635       7.845    9.324
EN              17.794     0.862      17.794    0.861
CCE              1.964     0.149       2.217    0.012
Experimental Evaluation
[Figure: distribution of CCE scores for the TRCTC samples versus the LEGIT samples]
Experimental Evaluation
TRCTC detection rates
              false positive (LEGIT-HTTP)   true positive (TRCTC)
KSTEST        0.01                          0.02
regularity    0.01                          0.04
EN            0.01                          0.02
CCE           0.01                          1.00
Experimental Evaluation
JitterBug: 100 samples x 2000 SSH inter-packet delays
the distribution of inter-packet delays is close to the legitimate distribution, but with small delays added
enhancement: a random sequence s_i is subtracted before the modulo operation, which avoids creating a regular pattern at multiples of the timing window w
Experimental Evaluation
JitterBug test scores (mean and stdev over the 100 samples)
                 LEGIT-SSH             JitterBug
                 mean      stdev       mean     stdev
KSTEST           0.270     0.133       0.273    0.123
regularity       6.230     5.847       6.038    5.624
EN              19.422     1.856       9.432    1.253
CCE              1.779     0.261       1.837    0.220
Experimental Evaluation
[Figure: distribution of EN scores for the JitterBug samples versus the LEGIT samples]
Experimental Evaluation
JitterBug detection rates (false positives measured on the SSH traffic the JitterBug samples were built from)
              false positive (LEGIT-SSH)    true positive (JitterBug)
KSTEST        0.01                          0.01
regularity    0.01                          0.02
EN            0.01                          1.00
CCE           0.01                          0.04
Potential Countermeasures
TRCTC: replay longer correlated sequences; this would reduce the capacity
JitterBug: use a smaller timing window w; again, this would reduce the capacity
Conclusion
The regularity test has problems with the high variation of legitimate traffic; it fails for all covert timing channels tested
The Kolmogorov-Smirnov test has problems when the distribution of covert traffic is close to the distribution of legitimate traffic; it fails for JitterBug and TRCTC
Conclusion
CCE detects abnormal regularity
EN detects abnormal shape
In combination, our entropy-based approach is effective on all of the covert timing channels tested
Questions?
Thank You!