Network covert timing channels are one way attackers communicate with compromised host computers on the internet. Cabuk, Brodley, & Shields (2004, p. xx) say, “A network covert channel is a mechanism that can be used to leak information across a network in violation of a security policy and in a manner, that can be difficult to detect.” Network covert timing channels are slightly different. Covert channels come in two kinds, storage and timing. A timing channel involves a sender process that signals information to another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process (Cabuk, Brodley, & Shields, 2004, p. xx).
There are two types of covert timing channels, passive and active. Gianvecchio & Wang (2007, p. xx) state, “active refers to covert timing channels that generate additional traffic to transmit information, while passive refers to covert timing channels that manipulate the timing of existing traffic.” Both types have proven very effective in concealing data transfer over the internet.
Detection tests fall into two sets: shape and regularity. The shape of traffic is described by statistics such as the mean and variance. The regularity of traffic is described by second or higher order statistics or correlation analysis. Entropy and conditional entropy have shown promise as ways of detection. Gianvecchio & Wang (2007, p. xx) say, “Entropy rate is the average entropy per random variable, can be used as a measure of complexity or regularity.” This allows administrators to distinguish between the randomness of packet timing and its complexity.
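The shape, regularity and entropy tests described above can be run over a list of inter-packet delays, as in this added example (not code from the cited papers). The bin width, window size and both traces are constructed assumptions, and the regularity score used here (standard deviation of the pairwise relative differences between per-window standard deviations) is one way to measure regularity.

```python
import math
import random
import statistics
from collections import Counter

def shape(delays):
    """Shape statistics: mean and variance of the inter-packet delays."""
    return statistics.mean(delays), statistics.pvariance(delays)

def regularity(delays, window=100):
    """Std dev of pairwise relative differences between per-window std devs.
    A low score means the spread of the delays barely changes over time."""
    sig = [statistics.pstdev(delays[i:i + window])
           for i in range(0, len(delays) - window + 1, window)]
    ratios = [abs(a - b) / a
              for i, a in enumerate(sig) for b in sig[i + 1:] if a > 0]
    return statistics.pstdev(ratios) if ratios else 0.0  # constant delays -> 0

def symbols(delays, width=0.02, nbins=16):
    """Quantize delays into fixed-width bins (assumed width; last bin is open)."""
    return [min(int(d / width), nbins - 1) for d in delays]

def pattern_entropy(sym, m=1):
    """Shannon entropy, in bits, of the length-m patterns of symbols."""
    counts = Counter(tuple(sym[i:i + m]) for i in range(len(sym) - m + 1))
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def conditional_entropy(sym, m=2):
    """H(X_m | X_1..X_{m-1}) = H(X_1..X_m) - H(X_1..X_{m-1})."""
    return pattern_entropy(sym, m) - pattern_entropy(sym, m - 1)

def sample_traces(n=2000):
    """Constructed delays in seconds, not captured traffic."""
    rng = random.Random(1)
    legit = [rng.expovariate(10) for _ in range(n)]   # bursty, mean 0.1 s
    covert = [rng.choice((0.05, 0.15)) + rng.uniform(-0.005, 0.005)
              for _ in range(n)]                      # two-level timing, mean 0.1 s
    return legit, covert

if __name__ == "__main__":
    for name, trace in zip(("legit", "covert"), sample_traces()):
        s = symbols(trace)
        print(name, shape(trace), regularity(trace),
              pattern_entropy(s), conditional_entropy(s))
```

Both constructed traces have nearly the same mean delay, so the mean alone does not separate them; the regularity and entropy scores do.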
Cabuk, S., Brodley, C. E., & Shields, C. (2004). IP covert timing channels. Proceedings of the 11th ACM conference on Computer and communications security – CCS ’04. doi:10.1145/1030083.1030108
Gianvecchio, S., & Wang, H. (2007). Detecting covert timing channels. Proceedings of the 14th ACM conference on Computer and communications security – CCS ’07. doi:10.1145/1315245.1315284