Off-campus UNL users: To download campus access dissertations, please use the following link to log into our proxy server with your NU ID and password. When you are done browsing please remember to return to this page and log out.

Non-UNL users: Please talk to your librarian about requesting this dissertation through interlibrary loan.

An innovative approach to analyze and detect a broad class of timing-based covert communications

Pradhumna L Shrestha, University of Nebraska - Lincoln


Transmitting information by hiding it in order to evade detection has been practiced since ancient times. In the modern age of computing, digital objects and resources—such as images, video and text files—are used as carriers of hidden information. Recently, an entirely different method of information hiding that leverages existing network resources as side channels for transmitting secret messages has received considerable attention. Since these network resources were not even designed for the purpose of communication, traditional network security elements such as firewalls cannot detect them. These side channels are called covert channels. Covert channels can be used for leaking information and exchanging messages between maligned parties without being detected. This makes covert channels a serious security concern and hence it is imperative to prevent, detect and disrupt them. Due to the sheer number of covert channel algorithms, it is impossible to deal with them on a case-by-case basis. In this research, an analytical framework that can broadly define all covert timing channels through a mathematical model has been proposed and investigated. From this model, equations have been derived to characterize covert communications in terms of bit error rate under different channel conditions for four popular and diverse covert timing channels. The model was verified by implementing the same algorithms in MATLAB and on a test-bed of real network traffic. A machine learning-based generic detection mechanism has also been proposed. Statistical fingerprints were derived from the traffic under investigation, which served as feature points for training a Support Vector Machine-based framework. Four types of fingerprints—Kolmorov-Smirnov test score, Regularity score, Entropy and Corrected Conditional Entropy—were used for this purpose. The presented model was then tested against an independent set of feature points derived from an arbitrary traffic under investigation. Results show that the mechanism is very efficient in blind and generalized detection of covert channels. The presented approach and results have been published in national and international conferences and journals.

Subject Area

Computer Engineering|Computer science

Recommended Citation

Shrestha, Pradhumna L, "An innovative approach to analyze and detect a broad class of timing-based covert communications" (2014). ETD collection for University of Nebraska - Lincoln. AAI3667019.