Resolving Network Packet Length Covert Channels

Abstract

The continuous and rapidly advancing developments in network technology seem to encourage hackers to find new ways to breach a system’s security policy; consequently, compromising confidential information. When the interpretation of a security model adopted by a system is violated by a communication between two users, or processes operating on their behalf, it is said that the two users are communicating indirectly or covertly. This thesis deals with detecting and resolving network packet length covert channels. These channels are notoriously known to be risky, invisible, and undetectable. The thesis introduces and develops three new approaches to resolve covert channels. Furthermore, the thesis introduces an approach that accurately detects this notorious type of channels. Combined together, the four (4) approaches form a system that is proven to be successful in detecting and resolving network packet length covert channels. The first approach eliminates covert channels by hiding the true identity of a system’s user from the process or processes that represent him or her inside that system. This approach not only completely eliminates the known and potential covert channels, but also those that are unknown, never detected, and/or undetectable by the system. The second approach eliminates network packet length covert channels by altering the covert message in a way that the intended receiver gets an unintended message – a totally different and useless message. Two term-based similarity tests (cosine and dice coefficient similarity tests) were successfully computed and showed zero (0) similarity score while a semantic similarity test (MCS Method) shows 0.0405626 similarity score. These results indicate that this approach effectively resolves any potential covert channel. The third approach is an enhanced version of the previous approach. It reduces its overheads up to 50 %. With this third approach, the term-based similarity tests show zero (0) similarity score and the semantic similarity test shows 0.0674704 similarity score. These results again show that there are no similarities between the covert intended message and its distorted and altered form that was obtained using this approach. The fourth and last approach is a machine learning-based detection approach to detect network packet length covert channels. It attained an excellent degree of detection accuracy: 98% with zero (0) False Negative (FN) and 0.02 False Positive (FP) classification errors.