Covert channel detection using machine learning methods

Thesis Type: Postgraduate

Institution Of The Thesis: Middle East Technical University, Graduate School of Natural and Applied Sciences, Turkey

Approval Date: 2019

Thesis Language: English


Supervisor: Hande Alemdar


A covert channel is a communication method that misuses legitimate resources to bypass intrusion detection systems. They can be used to do illegal work like leaking classified (or sensitive) data or sending commands to malware bots. Network timing channels are a type of these channels that use inter-arrival times between network packets to encode the data to be sent. Although these types of channels are hard to detect, they are not used frequently due to their low capacity and sensitivity to the network conditions. However, upcoming technologies like 5G and WiFi 6 offer more reliable networks with low latency, which we believe can work in favor of network timing channels and attract hackers to them. Therefore, we also believe that the detection of network timing channels is an increasingly important issue. In this thesis, we worked with two types of network covert channels: Fixed Interval and Jitterbug. Fixed Interval defines an inter-arrival time for each symbol to be transmitted and send network packets accordingly. On the other hand, Jitterbug does not create new packet traffic; it just delays existing packets for some predefined time. Two channels are very different: Jitterbug creates traffic that is similar to the legitiv mate network though has lower capacity, and Fixed Interval has a very different traffic shape from the legitimate network but has higher capacity. Our work has shown it is indeed possible to detect these channels with a decision tree with four features called mean, variance, skewness and kurtosis. However, more research is needed to make this system work in the real world.