
    WoDiCoF - A Testbed for the Evaluation of (Parallel) Covert Channel Detection Algorithms

    With the increasing number of steganography-capable malware and the increasing trend of stealthy data exfiltrations, network covert channels are becoming a crucial security threat - also for critical infrastructures (CIs): network covert channels enable the stealthy remote control of malware nested in a CI and allow the exfiltration of sensitive data, such as sensor values, firmware or configuration parameters. We present WoDiCoF, a distributed testbed, accessible to the international research community to perform a unified evaluation of detection algorithms for network covert channels. In comparison to existing works, our testbed is designed for upcoming big-data scenarios, in which huge traffic recordings must be analyzed for covert channels. It is the first testbed to allow the testing of parallel detection algorithms. To evaluate WoDiCoF, we took a detection algorithm published in ACM CCS/TISSEC, verified several of the original results and enhanced the understanding of its performance by considering previously unconsidered parameters. By parallelizing the algorithm, we could moreover achieve a speed-up of 2.89 with three nodes.