A probability-model-based approach to detect covert timing channel

Abstract

Interest of detecting covert timing channels is increasing rapidly. A lot of exploitation has been done on the construction and detection of covert timing channels over the internet. But the detection of covert timing channels is a challenging task because legitimate network traffic is so various that it's hard to detect and distinguish. The existing detection approaches are not so effective to detect the variety of covert timing channels known to security community. In this paper, we first review some typical detection methods of covert timing channels and then evaluate every approach. After that we introduce a new model-based approach to detecting various covert timing channels. Our new approach is based on the probability model that covert timing channels have different distribution from the legitimate channels. At last, we do an experiment to confirm the effectiveness of our model-based approach. The experiment result shows that our model-based approach is sensitive to the current timing channels, and is capable of detecting them in an accurate manner.