Title: Investigating the efficiency of detection methods against network covert timing channels
Author: Faber, Julian (TU Delft Electrical Engineering, Mathematics and Computer Science; TU Delft Cyber Security)
Contributor: Zarras, A. (mentor); Lagendijk, R.L. (graduation committee); Roos, S. (graduation committee)
Degree granting institution: Delft University of Technology
Programme: Computer Science | Cyber Security
Date: 2021-01-28

Abstract

Network covert timing channels are techniques to covertly transmit information over computer networks, by utilizing the time between subsequent network packets. Previous work on the detection of the various techniques has introduced numerous new methods, with high reported success. From these previous works we have noticed that there is little confirmation on these results in subsequent works, as well as there being a lack of an overview for the efficiency of each method. Next to this, we have found that many works use data in their experiments that may not be representative of real network scenarios. In this thesis we attempt to remedy this lack of information, by performing a broad performance evaluation on the currently existing singular detection metrics. This performance evaluation was done on a total of 18 different detection methods, applied to the 8 most prevalent covert timing channels. For the underlying network data, we gathered SSH and HTTPS traffic from the TU Delft, and applied varying amounts of simulated network jitter to them. From the resulting evaluations we find that there are cases where the detection methods do perform similarly to what has been shown in previous work, but we also find those that have a large difference in performance.
Further, we discuss possible strengths and weaknesses of each of the detection methods, based on their performance, and in some cases how this performance might be improved. Using the (simulated) network scenarios we show the effects that jitter and different traffic types can have on each of the detection methods, and also find those that are resilient to network effects. Finally, we combine the full experimental performance evaluations into a comprehensive overview, for each combination of detection method and covert channel technique. We find that the current detection methods are likely not sufficient to be reliably applied in a realistic network setting, and more work needs to be done in this field to reach that point. The overview and discussions we have provided can then serve as a basis for future research, to give an indication of where performance needs to be improved.

Subject: network covert channels; covert timing channels; detection
To reference this document use: http://resolver.tudelft.nl/uuid:70e75d67-025a-4ad6-8868-4aed7d928f90
Part of collection: Student theses
Document type: master thesis
Rights: © 2021 Julian Faber
Files: master_thesis_jkfaber_final.pdf (PDF, 70.74 MB)