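% Dartmouth College Computer Science technical report TR2005-536 (revision 1).
% Subject, per the abstract: channel capacity of Internet-based covert timing
% channels and a detection method based on how close a source comes to that
% capacity, with a statistical approach for the special case of binary codes.
% Entry notes:
%   - Author names use the unambiguous "Last, First" form.
%   - The title is single-braced so the bibliography style controls casing.
%   - month uses the predefined macro so styles can localise or abbreviate it.
%   - The url is kept exactly as published (plain http, the -rev1 PDF); whether
%     an https endpoint exists was not checked.
@techreport{Dartmouth:TR2005-536,
  author      = {Berk, Vincent and Giani, Annarita and Cybenko, George},
  title       = {Detection of Covert Channel Encoding in Network Packet Delays},
  institution = {Dartmouth College, Computer Science},
  address     = {Hanover, NH},
  number      = {TR2005-536},
  year        = {2005},
  month       = aug,
  url         = {http://www.cs.dartmouth.edu/reports/TR2005-536-rev1.pdf},
  comment     = {This revision differs from the original only in the correction of one reference.},
  abstract    = {Covert channels are mechanisms for communicating information in ways that are difficult to detect. Data exfiltration can be an indication that a computer has been compromised by an attacker even when other intrusion detection schemes have failed to detect a successful attack. Covert timing channels use packet inter-arrival times, not header or payload embedded information, to encode covert messages. This paper investigates the channel capacity of Internet-based timing channels and proposes a methodology for detecting covert timing channels based on how close a source comes to achieving that channel capacity. A statistical approach is then used for the special case of binary codes.},
}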