BIB-VERSION:: CS-TR-v2.0
ID:: ncstrl.dartmouthcs//TR2005-536
ENTRY:: August 10, 2005
ORGANIZATION:: Dartmouth College, Computer Science
TITLE:: Detection of Covert Channel Encoding in Network Packet Delays
TYPE:: Technical Report (paper)
REVISION:: 3
AUTHOR:: Berk, Vincent
AUTHOR:: Giani, Annarita
AUTHOR:: Cybenko, George
DATE:: August 2005
RETRIEVAL:: For a paper copy, email
RETRIEVAL:: For a paper copy, write to
   Technical Report Librarian
   Department of Computer Science
   Dartmouth College
   6211 Sudikoff Laboratory
   Hanover, NH 03755-3510 USA
RETRIEVAL:: PDF at http://www.cs.dartmouth.edu/reports/TR2005-536-rev1.pdf
ABSTRACT:: Covert channels are mechanisms for communicating information in ways that are difficult to detect. Data exfiltration can be an indication that a computer has been compromised by an attacker even when other intrusion detection schemes have failed to detect a successful attack. Covert timing channels use packet inter-arrival times, not header or payload embedded information, to encode covert messages. This paper investigates the channel capacity of Internet-based timing channels and proposes a methodology for detecting covert timing channels based on how close a source comes to achieving that channel capacity. A statistical approach is then used for the special case of binary codes.
NOTE:: This revision differs from the original only in the correction of one reference.
END:: ncstrl.dartmouthcs//TR2005-536