A comparative analysis of detection metrics for covert timing channels

Computers and Security (2014)

Abstract
Methods to detect covert timing channels (CTCs) can be categorized into three broad classes: shape tests, which include the Kolmogorov-Smirnov (KS) test; entropy tests, which include the first-order entropy test, the corrected conditional entropy (CCE) test, and the Kullback-Leibler (KL) divergence test; and regularity tests. This paper contributes towards understanding and advancing the state of the art of CTC detection methods. First, we present a detailed analysis of the performance of the well-known tests that are used to detect three main types of CTCs, namely, JitterBug, model-based CTC (MB-CTC) and time-replay CTC (TR-CTC). The performance analysis is carried out in an enterprise-like setting, employing large traffic traces. The detection methods are compared with respect to their applicability, computational complexity, and classification rates for the three types of CTCs. In addition to evaluating the existing methods, we propose a new shape test based on Welch's t-test and compare its performance with existing detection methods. We show that the classification rate of Welch's t-test is at least on par with other existing detection methods while having a relatively lower computational cost. The results also show that Welch's t-test outperforms the CCE test in detecting JitterBug, while the CCE test has a better performance in detecting the TR-CTC. Furthermore, both tests perform comparably on the MB-CTC. Finally, we study the feasibility of using a multi-feature SVM classifier to increase the classification rate. We show that by combining the Welch's t-test we are able to increase the classification rate of MB-CTCs from 0.67 (using a single regularity measure) to 0.94.
Keywords
regularity test, entropy test, Welch's t-test, detection, shape test, covert timing channels, corrected conditional entropy