Real-time Covert Timing Channels Detection in a Networked Virtual Environment

Research Areas: Network Security

Principal Investigator: Anyi Liu

Despite extensive research on malware and Trojan horses, covert channels are still one of the top most threats in computer security. These attacks, launched through specially crafted content or manipulating timing characteristics, transmit inside credentials to adversaries while their behavior remains undetected. Current research efforts in this area model the statistics of legitimate network traffic in order to detect the existence of malicious insiders or Trojan horses. These efforts, however, are not applicable to highly dynamic and noisy environment, such as cloud computing environment, because their approaches rely heavily on historic traffic or tedious model training. To address such concerns we propose in this project a real-time, wavelet-based approach to detect covert timing channels (CTC). The novelty of our approach comes from not only leveraging a secure virtual machines (VM) to mimic the vulnerable virtual machine. Our approach for detection is general enough to detect CTC and does not require access to historic traffic. Experimental results and evaluation show the merits of our approach for CTC detection in terms of overall performance including high detection rate and low false positive rate.

Personnel

Students: • Sashidar Avula

Representative Publications

    • A. Liu, J. X. Chen, H. Wechsler, "Detecting Covert Timing Channels in a Networked Virtual Environment," The Ninth IFIP WG 11.9 International Conference on Digital Forensics (ICDF '13). Orlando, Florida, USA, January 2013.
    • A. Liu, J. X. Chen, and L. Yang, "Real-time Detection of Covert Channels in Highly Virtualized Environments," Critical Infrastructure Protection V, Springer-Verlag Press, 2011, pp.151-164, ISBN 978-3-642-24863-4.

Keywords: Covert Timing Channel(CTC), Discrete Wavelet-based Multi-resolution Transformation (DWMT), information security, intrusion detection