We just published a new paper on the detection of network covert channels that encode their secret data using packet size.
S. Wendzel, F. Link, D. Eller, W. Mazurczyk: Detection of Size Modulation Covert Channels Using Countermeasure Variation, in: Journal of Universal Computer Science (J.UCS), Vol. 25(11), pp. 1396-1416, 2019.
Network covert channels enable stealthy communications for malware
and data exfiltration. For this reason, developing effective
countermeasures for these threats is important for the protection of
individuals and organizations. However, due to the large number of
available covert channel techniques, it is considered impractical to
develop countermeasures for all existing covert channels.
recent years, researchers started to develop countermeasures that
(instead of only countering one particular hiding technique) can be
applied to a whole family of similar hiding techniques. These families
are referred to as hiding patterns.
Considering above, the main contribution of this paper is to introduce the concept of countermeasure variation.
Countermeasure variation is a slight modification of a given
countermeasure that was designed to detect covert channels of one
specific hiding pattern so that the countermeasure can also detect
covert channels that are representing other hiding patterns.
exemplify countermeasure variation using the compressibility score,
the ε-similarity and the regularity metric originally presented by
Cabuk et al. All three methods are used to detect covert channels that
utilize the Inter-packet Times pattern and we show that
countermeasure variation allows the application of these
countermeasures to detect covert channels of the Size Modulation
covert channels, information hiding, network security, network steganography, patterns