%T Detection of Covert Channel Encoding in Network Packet Delays
%A Vincent Berk
%A Annarita Giani
%A George Cybenko
%R Technical Report TR2005-536
%I Dartmouth College, Computer Science
%C Hanover, NH
%D August 2005
%U http://www.cs.dartmouth.edu/reports/TR2005-536-rev1.pdf
%X
 Covert channels are mechanisms for communicating information in
 ways that are difficult to detect. Data exfiltration can be an
 indication that a computer has been compromised by an attacker
 even when other intrusion detection schemes have failed to detect
 a successful attack. Covert timing channels use packet
 inter-arrival times, not header or payload embedded information,
 to encode covert messages. This paper investigates the channel
 capacity of Internet-based timing channels and proposes a
 methodology for detecting covert timing channels based on how
 close a source comes to achieving that channel capacity. A
 statistical approach is then used for the special case of binary
 codes.
%Z
 This revision differs from the original only in  the correction of one
 reference.