Performance Evaluation of the Bro Covert Channel Detection (BroCCaDe) Framework

Hendra Gunadi, Sebastian Zander

semanticscholar (2018)

Abstract
The Bro Covert Channel Detection (BroCCaDe) framework is a Bro extension for detecting covert channels in network protocols. This report describes a number of experiments we have carried out with BroCCaDe to measure its classification accuracy and its performance (CPU and memory overhead). We tested BroCCaDe with a number of different traffic types and with covert channels embedded in the IP TTL field, packet length, inter-packet time and packet rate. Our results show that BroCCaDe can identify these channels with high accuracy (true positive rate of 98% and false negative rate of generally less than 1%). Our performance analysis reveals that BroCCaDe requires a small to moderate additional amount of RAM and CPU time. The overhead in terms of CPU time is generally less than 50% and the overhead in terms of memory is generally a few megabytes, except for the entropy rate metric. Notably, a substantial proportion of the memory overhead is due to storing the feature values. Most of the CPU overhead is a result of the metric computation and feature extraction, while the classification of flows requires very little CPU time. Our analysis also reveals which detection metrics are most useful for the detection of particular covert channels.