Volume 13 - Issue 1
Detection Of Computational Intensive Reversible Covert Channels Based On Packet Runtime
- Tobias Schmidbauer
Fernuniversitat in Hagen, 58084 Hagen, Nordrhein-Westfalen, Germany
- Steffen Wendzel
Fernuniversitat in Hagen, 58084 Hagen, Nordrhein-Westfalen, Germany, Worms University of Applied Sciences, 67549 Worms, Rheinland-Pfalz, Germany
Keywords: network steganography, anomaly detection, reversible steganography, computational intensive
In current research, reversible network-level covert channels are receiving more and more attention.
The restoration of the original data leaves little evidence for detection, especially if the implementation
is plausibly deniable. Recently, such a channel based on one-time password hash chains has been
published. The covert channel uses repeated computational intensive operations to restore a modified
hash and to extract covert information transferred within. In this paper, we present an approach that
observes the influence of repeated MD5, SHA2-384, SHA3-256 and SHA3-512 hash-operations on
packet runtimes. Besides these hash algorithms, we also investigate whether the alphabet that the
Covert Sender and the Covert Receiver agreed upon, has an influence on our detection approach.
For each algorithm, we carry out three experiments with different alphabets: one without a covert
channel, one with a covert channel altering all hashes, and finally, one with a covert channel altering
every second hash. We further repeat each experiment ten times and define a threshold for packet
runtimes without modified hashes. Also, we investigate the detectability of computational intensive
reversible covert channels for all our scenarios and evaluate the detection rate depending on the number
of observed packets. In addition, we describe countermeasures and limitations of our detection
method and, finally, discuss application scenarios for existing network environments.