Covert timing channel detection method based on time interval and payload length analysis

Journal

COMPUTERS & SECURITY
Volume 97, Issue -, Pages -

Publisher

ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2020.101952

Keywords

Information leakage; Covert channel; Covert timing channel detection; Malicious traffic detection; The knn algorithm

Funding

  1. National Natural Science Foundation of China [61902265]
  2. Sichuan Science and Technology Program [2020YFG0047, 2020YFG0076]

Information leakage is becoming increasingly serious in today's network environment. Faced with increasingly forceful network defence strategies, attackers are also constantly trying to steal important information from systems. For security researchers, the most troublesome means of stealing information is the covert channel. Covert channels are generally divided into the covert storage channel (CSC) and the covert timing channel (CTC). Many effective methods already exist for detecting the covert storage channel. However, the detection of the covert timing channel is still in the research stage. The basis for implementing the covert timing channel is to control the sending time of packets, so most research on covert timing channel detection is based on the time interval between packets. Based on this idea, we refer to the methods adopted in research on malicious traffic detection and propose a covert timing channel detection method based on the k-Nearest Neighbor (kNN) algorithm. This method uses a series of statistics related to the time interval and payload length as features to train a machine learning model, and uses 10-fold cross-validation to improve model performance. The experimental results show that the model has a great detection effect: the detection accuracy is 0.96, and the Area Under Curve (AUC) value of the model is 0.9737. (c) 2020 Elsevier Ltd. All rights reserved.
