139 research outputs found

    Detection of Covert Channel Encoding in Network Packet Delays

    Covert channels are mechanisms for communicating information in ways that are difficult to detect. Data exfiltration can be an indication that a computer has been compromised by an attacker even when other intrusion detection schemes have failed to detect a successful attack. Covert timing channels use packet inter-arrival times, not header or payload embedded information, to encode covert messages. This paper investigates the channel capacity of Internet-based timing channels and proposes a methodology for detecting covert timing channels based on how close a source comes to achieving that channel capacity. A statistical approach is then used for the special case of binary codes

    The Theory of Trackability with Applications to Sensor Networks

    In this paper, we formalize the concept of tracking in a sensor network and develop a rigorous theory of trackability that investigates the rate of growth of the number of consistent tracks given a sequence of observations made by the sensor network. The phenomenon being tracked is modelled by a nondeterministic finite automaton and the sensor network is modelled by an observer capable of detecting events related, typically ambiguously, to the states of the underlying automaton. More formally, an input string, $Z^t$, of $t+1$ symbols (the sensor network observations) that is presented to a nondeterministic finite automaton, $M$, (the model) determines a set, ${\cal H}_M(Z^t)$, of state sequences (the tracks or hypotheses) that are capable of generating the input string $Z^t$. We study the growth of the size of this set, $|{\cal H}_M(Z^t)|$, as a function of the length of the input string, $t+1$. Our main result is that for a given automaton and sensor coverage, the worst-case rate of growth is either polynomial or exponential in $t$, indicating a kind of phase transition in tracking accuracy. The techniques we use include the Joint Spectral Radius, $\rho(\Sigma)$, of a finite set, $\Sigma$, of $(0,1)$-matrices derived from $M$. Specifically, we construct a set of matrices, $\Sigma$, corresponding to $M$ with the property that $\rho(\Sigma) \leq 1$ if and only if $|{\cal H}_M(Z^t)|$ grows polynomially in $t$. We also prove that for $(0,1)$-matrices, the decision problem $\rho(\Sigma) \leq 1$ is Turing decidable and, therefore, so is the problem of deciding whether worst case state sequence growth for a given automaton is polynomial or exponential. These results have applications in sensor networks, computer network security and autonomic computing as well as various tracking problems of recent interest involving detecting phenomena using noisy observations of hidden states

    Performance Analysis of Mobile Agents for Filtering Data Streams on Wireless Networks

    Wireless networks are an ideal environment for mobile agents, since their mobility allows them to move across an unreliable link to reside on a wired host, next to or closer to the resources that they need to use. Furthermore, client-specific data transformations can be moved across the wireless link and run on a wired gateway server, reducing bandwidth demands. In this paper we examine the tradeoffs faced when deciding whether to use mobile agents in a data-filtering application where numerous wireless clients filter information from a large data stream arriving across the wired network. We develop an analytical model and use parameters from filtering experiments conducted during a U.S. Navy Fleet Battle Experiment (FBE) to explore the model's implications