Model-Based Covert Timing Channels: Automated Modeling and Evasion
Steven Gianvecchio¹, Haining Wang¹, Duminda Wijesekera², and Sushil Jajodia²
¹College of William and Mary, ²George Mason University
RAID 2008 – Model-Based Covert Timing Channels: Automated Modeling and Evasion
Outline
- Background
- Covert Timing Channels
- Model-Based Framework
- Experimental Evaluation
  - Capacity
  - Detection Resistance
- Conclusion
Background
Covert Channels
- manipulate shared resources to transfer information
- hide communication (or extra communication)
- exfiltrate sensitive data (e.g., keys, passwords)
Background
Types of Covert Channels
- shared resource is the type
- covert storage channels (e.g., packet header fields)
- covert timing channels (e.g., packet arrival times)
Covert Timing Channels
Main Goals
- high capacity
- strong detection resistance
Capacity – bits/time unit, not bits/symbol

$$C_t = \max_X \frac{I(X;Y)}{E(X)}$$
Covert Timing Channels
OPtimal Capacity (OPC)
- send information as fast as possible
- E(X) is small (1,000s of packets/second)
Fixed-average Packet Rate (FPR)
- send information as fast as possible with a fixed-average packet rate
- E(X) is fixed (a few packets/second)
Model-Based Framework
[Figure: framework block diagram. LEGIT TRAFFIC → FILTER → LEGIT IPDs → ANALYZER → MODEL → ENCODER → COVERT IPDs → TRANSMITTER → COVERT TRAFFIC. INPUT: MESSAGE, RANDOM NUMBER. MODELS: EXPONENTIAL, GAMMA, PARETO, LOGNORMAL, POISSON, WEIBULL, ... TERMS: IPD – INTER-PACKET DELAY]
The Framework
- filters and analyzes legitimate traffic
- encodes and transmits covert traffic
Components
Filter
- filters input for the specified type of traffic (e.g., outgoing HTTP)
- outputs legitimate IPDs
Analyzer
- fits the legitimate IPDs to several models using MLE (blocks of 100 IPDs)
- selects the model with the lowest RMSE
Encoder
- uses the IDF (inverse distribution function) of the model
- generates covert IPDs that mimic the legitimate traffic
Encoding / Decoding
1. Continuize: $F_{continuize}(s) = \left(\frac{s}{|S|} + r\right) \bmod 1 = r_s$
2. Encode: $F_{encode} = F^{-1}_{model}(r_s) = d_s$
3. Decode: $F_{decode} = F_{model}(d_s) = r_s$
4. Discretize: $F_{discretize}(r_s) = |S| \cdot ((r_s - r) \bmod 1) = s$
Transmitter
- sends out packets with covert IPDs
Receiver and Decoder
- receive packets and decode message
Model-Based Framework
Implementation Details
- components run in user space
- filter, encoder, transmitter written in C, plus inline assembly for RDTSC
- analyzer written in MATLAB
Experimental Evaluation
Test Scenarios: LAN, WAN East-to-East, WAN East-to-West

| | LAN | WAN-EE | WAN-EW |
|---|---|---|---|
| distance | 0.3 mi | 525 mi | 2660 mi |
| RTT | 1.7 ms | 59.6 ms | 87.2 ms |
| IPDV | 2.5e-05 | 2.41e-03 | 2.1e-04 |
| hops | 3 | 18 | 13 |

IPDV – inter-packet delay variation
Test Setup
MB-HTTP
- Weibull – avg. λ = 0.0371, avg. k = 0.3010
- E(X) is 0.3385 (~3 packets/second)
OPC
- E(X) is 7.31e-3 to 7.87e-5 (1,515 to 12,777 packets/second)
FPR
- Exponential – λ = 2.954
- E(X) is 0.3385 (~3 packets/second)
Theoretical Capacity

| channel | LAN CPP | LAN CPS | WAN-EE CPP | WAN-EE CPS | WAN-EW CPP | WAN-EW CPS |
|---|---|---|---|---|---|---|
| MB-HTTP | 9.39 | 27.76 | 4.12 | 12.19 | 6.84 | 20.21 |
| OPC | 0.50 | 6,395 | 0.50 | 68.80 | 0.50 | 758.54 |
| FPR | 12.63 | 37.32 | 6.15 | 18.17 | 9.59 | 28.35 |

CPP – capacity/packet, CPS – capacity/second
LAN, WAN East-East, WAN East-West: OPC has highest capacity
LAN, WAN East-East, WAN East-West: MB-HTTP and FPR are close
Empirical Capacity
[Figure: WAN E-E empirical capacity. x-axis: bit (1 to 16); y-axis: empirical capacity; series: FPR, MB-HTTP]
[Figure: WAN E-E bit error rates. x-axis: bit (1 to 16); y-axis: bit error rate; series: FPR, MB-HTTP]
WAN East-East
- MB-HTTP versus FPR
- capacity and bit error degrade quickly
Empirical Capacity
[Figure: WAN E-W empirical capacity. x-axis: bit (1 to 16); y-axis: empirical capacity; series: FPR, MB-HTTP]
[Figure: WAN E-W bit error rates. x-axis: bit (1 to 16); y-axis: bit error rate; series: FPR, MB-HTTP]
WAN East-West
- MB-HTTP versus FPR
- capacity and bit error degrade slowly
Empirical Capacity

| channel | LAN CPP | LAN CPS | WAN-EE CPP | WAN-EE CPS | WAN-EW CPP | WAN-EW CPS |
|---|---|---|---|---|---|---|
| MB-HTTP | 6.74 | 19.93 | 2.15 | 6.35 | 5.18 | 15.31 |
| OPC | 0.85 | 10,899 | 0.66 | 91.28 | 0.98 | 1,512 |
| FPR | 10.95 | 32.35 | 4.63 | 13.67 | 9.37 | 27.69 |

CPP – capacity/packet, CPS – capacity/second
LAN, WAN East-East, WAN East-West: OPC again has the highest capacity
LAN, WAN East-East, WAN East-West: MB-HTTP and FPR are still close
Detection Resistance
Tests of Shape: Kolmogorov-Smirnov test –

$$KSTEST = \max |s_1(x) - s_2(x)|$$

where s1 and s2 are distribution functions
Tests of Regularity: The regularity test (Cabuk 2004) –

$$regularity = STDEV\left(\frac{|\sigma_i - \sigma_j|}{\sigma_i},\ i < j,\ \forall i, j\right)$$
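The two tests above written out for use on captured inter-packet delays, as an added example (not code from the presentation or the authors' framework). It assumes sigma_i is the standard deviation of the i-th non-overlapping window of w IPDs; the function names are hypothetical, and the sample IPDs are constructed by drawing from the Weibull and exponential parameters on the Test Setup slide rather than taken from real traffic.

```python
import random
import statistics

def ipds(timestamps):
    """Inter-packet delays (IPDs) from packet arrival times in capture order."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def ks_statistic(a, b):
    """KSTEST = max |s1(x) - s2(x)|, with s1, s2 the empirical CDFs of a and b."""
    a, b = sorted(a), sorted(b)
    i = j = 0
    d = 0.0
    while i < len(a) and j < len(b):
        x = min(a[i], b[j])
        while i < len(a) and a[i] <= x:   # step both CDFs past x (handles ties)
            i += 1
        while j < len(b) and b[j] <= x:
            j += 1
        d = max(d, abs(i / len(a) - j / len(b)))
    return d

def regularity(delays, w):
    """STDEV(|sigma_i - sigma_j| / sigma_i, i < j) over windows of w IPDs."""
    sigmas = [statistics.pstdev(delays[k:k + w])
              for k in range(0, len(delays) - w + 1, w)]
    ratios = [abs(si - sj) / si
              for n, si in enumerate(sigmas) if si > 0
              for sj in sigmas[n + 1:]]
    # Constant IPDs give sigma_i = 0 in every window: report 0.0, the most
    # regular score possible, instead of dividing by zero.
    return statistics.stdev(ratios) if len(ratios) > 1 else 0.0

def constructed_samples(n=10_000, seed=1):
    """Constructed IPD samples (seconds); stand-ins for captured traffic."""
    rng = random.Random(seed)
    # Weibull scale 0.0371 / shape 0.3010: the heavy-tailed HTTP-like model.
    baseline = [rng.weibullvariate(0.0371, 0.3010) for _ in range(n)]
    model_shaped = [rng.weibullvariate(0.0371, 0.3010) for _ in range(n)]
    # Exponential with rate 2.954: same mean delay, different shape.
    fixed_rate = [rng.expovariate(2.954) for _ in range(n)]
    return baseline, model_shaped, fixed_rate

def score(baseline, flow, w=100):
    """(KS distance to the baseline, regularity of the flow itself)."""
    return ks_statistic(baseline, flow), regularity(flow, w)

if __name__ == "__main__":
    baseline, model_shaped, fixed_rate = constructed_samples()
    for name, flow in [("baseline", baseline),
                       ("model-shaped", model_shaped),
                       ("fixed-rate", fixed_rate)]:
        ks, reg = score(baseline, flow)
        print(f"{name:13s} KSTEST={ks:.3f} regularity={reg:.2f}")
```

A flow whose delays share only the mean of the baseline scores a large KS distance and a low regularity value, while one drawn from the same distribution as the baseline is separated by neither test.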
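KSTEST

| sample size | LEGIT-HTTP mean | LEGIT-HTTP stddev | MB-HTTP mean | MB-HTTP stddev | FPR mean | FPR stddev | OPC mean | OPC stddev |
|---|---|---|---|---|---|---|---|---|
| 100x2,000 | .193 | .110 | .196 | .093 | .92 | .0 | .99 | .0 |
| 100x10,000 | .141 | .103 | .157 | .087 | .92 | .0 | .99 | .0 |
| 100x50,000 | .096 | .096 | .122 | .073 | .92 | .0 | .99 | .0 |
| 100x250,000 | .069 | .066 | .096 | .036 | .92 | .0 | .99 | .0 |

KSTEST scores: high mean and low s.d. for FPR and OPC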
KSTEST scores: similar mean and s.d. for LEGIT and MB-HTTP
KSTEST
[Figure: scores for 100x 2,000 packets. x-axis: test score; y-axis: proportion; series: LEGIT-HTTP, MB-HTTP]
[Figure: scores for 100x 10,000 packets. x-axis: test score; y-axis: proportion; series: LEGIT-HTTP, MB-HTTP]
KSTEST distribution: similar distributions for LEGIT-HTTP and MB-HTTP scores
KSTEST
[Figure: scores for 100x 50,000 packets. x-axis: test score; y-axis: proportion; series: LEGIT-HTTP, MB-HTTP]
[Figure: scores for 100x 250,000 packets. x-axis: test score; y-axis: proportion; series: LEGIT-HTTP, MB-HTTP]
KSTEST distribution: LEGIT-HTTP and MB-HTTP overlap even with 250,000 packets
KSTEST

| sample size | LEGIT-HTTP FP | MB-HTTP TP | FPR TP | OPC TP |
|---|---|---|---|---|
| 100x2,000 | .01 | .01 | 1.00 | 1.00 |
| 100x10,000 | .01 | .01 | 1.00 | 1.00 |
| 100x50,000 | .01 | .01 | 1.00 | 1.00 |
| 100x250,000 | .01 | .02 | 1.00 | 1.00 |

KSTEST detection rates: FPR and OPC are detected easily
KSTEST detection rates: FP equals TP for LEGIT and MB-HTTP
regularity

| sample size | LEGIT-HTTP mean | MB-HTTP mean | FPR mean | OPC mean |
|---|---|---|---|---|
| 100x2,000, w=100 | 43.80 | 38.21 | 0.34 | 0.00 |
| 100x2,000, w=250 | 23.74 | 22.87 | 0.26 | 0.00 |

regularity scores: similar mean for LEGIT and MB-HTTP
regularity

| sample size | LEGIT-HTTP FP | MB-HTTP TP | FPR TP | OPC TP |
|---|---|---|---|---|
| 100x2,000, w=100 | .01 | .00 | 1.00 | 1.00 |
| 100x2,000, w=250 | .01 | .00 | 1.00 | 1.00 |

regularity detection rates: MB-HTTP is not detected at all
regularity detection rates: again FPR and OPC are detected easily
Conclusion
Model-Based Covert Timing Channels
- can be built automatically
- effective even in coast-to-coast scenario
- capacity is very close to FPR
- much stronger detection resistance than FPR and OPC
Conclusion (cont.)
Future Work
- investigate detection methods for model-based covert timing channels
- explore other more advanced covert timing channel designs (e.g., non-parametric models)
Questions?
Thank You!