Adaptive Warden Strategy for Countering Network Covert Storage Channels
Mehdi Chourib, Steffen Wendzel, Wojciech Mazurczyk

TL;DR
This paper introduces an adaptive warden strategy that dynamically selects normalization rules based on network traffic characteristics to more effectively detect and disrupt covert storage channels.
Contribution
The paper presents a novel adaptive warden approach that improves upon static and dynamic wardens by considering traffic specifics for rule selection.
Findings
The adaptive warden outperforms static and dynamic wardens in efficiency.
The strategy increases the number of packets needed for a covert transfer.
The adaptive approach effectively exposes covert peers.
Abstract
The detection and elimination of covert channels are performed by a network node, known as a warden. Especially if faced with adaptive covert communication parties, a regular warden equipped with a static set of normalization rules is ineffective compared to a dynamic warden. However, dynamic wardens rely on periodically changing rule sets and have their own limitations, since they do not consider traffic specifics. We propose a novel adaptive warden strategy, capable of selecting active normalization rules by taking into account the characteristics of the observed network traffic. Our goal is to disturb the covert channel and provoke the covert peers to expose themselves more by increasing the number of packets required to perform a successful covert data transfer. Our evaluation revealed that the adaptive warden has better efficiency and effectiveness when compared to the dynamic…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Spam and Phishing Detection
