A novel analytical model and its test bed verification for network covert timing channels

Covert channels threaten conventional network security paradigms by exploiting existing system resources never intended to facilitate communication. By doing so, they can evade detection by conventional network security mechanisms such as firewalls. In order to improve network security, it is necessary to detect and disrupt covert communications. Due to the sheer number and variety of covert channel algorithms, it becomes impossible to deal with them on a case-by-case basis. A complete applicable covert channel detector necessitates the use of a common modeling framework. However a generic model is still lacking and the published models apply to only a few covert channel algorithms. To remedy this problem we present an event-based framework that models the covert communication process as a set of discrete events separated by a finite duration of time. This framework will allow behavioral analysis of the covert communications process in a generic way, which can be used to develop generalized detection mechanisms. Using this model, we derive the error performance of covert channels in different conditions of network delay jitter and packet losses. We then calculate the error performance of these algorithms by implementing them over a test-bed real network traffic and MATLAB simulations and compare the results to verify our model.