Tcp Covert Timing Channels: Design And Detection

Exploiting packets' timing information for covert communication in the Internet has been explored by several network timing channels and watermarking schemes. Several of them embed covert information in the inter-packet delay. These channels, however can be detected based an the perturbed traffic pattern, and their decoding accuracy could be degraded by jitter packet loss and packet reordering events. In this paper we propose a novel TCP-based timing channel, named TCP-Script to address these shortcomings. TCPScript embeds messages in "normal" TCP data bursts and exploits TCP's feedback and reliability service to increase the decoding accuracy. Our theoretical capacity analysis and extensive experiments have shown that TCPScript offers much higher channel capacity and decoding accuracy than an IP timing channel and JitterBug. On the countermeasure, we have proposed three new metrics to detect aggressive TCPScript channels.