Protocol-independent Detection of "Messaging Ordering" Network Covert Channels

TL;DR

This paper presents a protocol-independent method to detect message ordering network covert channels by analyzing the compressibility of packet sequences, achieving high accuracy especially for channels using 3 or 4 PDUs.

Contribution

It introduces a novel detection approach based on a modified compressibility score and evaluates its effectiveness across different message ordering channel types.

Findings

Detection accuracy >= 99.5% for channels using 3 or 4 PDUs

False-positive rate less than 1% for channels with 3 or 4 PDUs

Detection accuracy of 94.5% for channels manipulating 2 PDUs

Abstract

Detection methods are available for several known covert channels. However, a type of covert channel that received little attention within the last decade is the "message ordering" channel. Such a covert channel changes the order of PDUs (protocol data units, i.e. packets) transferred over the network to encode hidden information. The advantage of these channels is that they cannot be blocked easily as they do not modify header content but instead mimic typical network behavior such as TCP segments that arrive in a different order than they were sent. Contribution: In this paper, we show a protocol-independent approach to detect message ordering channels. Our approach is based on a modified compressibility score. We analyze the detectability of message ordering channels and whether several types of message ordering channels differ in their detectability. Results: Our results show that the detection of message ordering channels depends on their number of utilized PDUs. First, we performed a rough threshold selection by hand, which we later optimized using the C4.5 decision tree classifier. We were able to detect message ordering covert channels with an accuracy and F1 score of >= 99.5% and a false-positive rate < 1% and < 0.1% if they use sequences of 3 or 4 PDUs, respectively. Simpler channels that only manipulate a sequence of two PDUs were detectable with an accuracy and F1 score of 94.5% and were linked to a false-positive rate of 5.19%. We thus consider our approach suitable for real-world detection scenarios with channels utilizing 3 or 4 PDUs while the detection of channels utilizing 2 PDUs should be improved further.