A Support Vector Machine-based Framework for Detection of Covert Timing Channels

IEEE Trans. Dependable Sec. Comput. (2016)

Citations: 82 | Views: 71
Abstract
Covert channels exploit side channels within existing network resources to transmit secret messages. They are integrated into the elements of network resources that were not even designed for the purpose of communication. This means that traditional security features like firewalls cannot detect them. Their ability to evade detection makes covert channels a grave security concern. Hence, it is imperative to detect and disrupt them. However, a generic mechanism that can be used to detect a large variety of covert channels is missing. In this paper, we propose a Support Vector Machine (SVM)-based framework for reliable detection of covert communications. The machine learning framework utilizes the fingerprints derived from the traffic under investigation to classify the traffic as covert or overt. We trained our classifier using the fingerprints from four popular and diverse covert timing channel algorithms and tested each of them independently. We have shown that the machine learning framework has great potential to blindly detect covert channels, even when the covert message size is reduced.
Keywords
covert channels, detection, machine learning, traffic fingerprints