Abstract

Web traffic accounts for more than half of Internet traffic today. Camouflaging covert timing channels in Web traffic would be advantageous for concealment. In this paper, we investigate the possibility of disguising network covert timing channels as HTTP traffic to avoid detection. Extensive research has shown that Internet traffic, including HTTP traffic, exhibits self-similarity and long-range persistence. Existing covert timing channels that mimic i.i.d. legitimate traffic cannot imitate HTTP traffic because these covert traffic patterns are not long-range dependent. The goal of this work is to design a covert timing channel that can be camouflaged as HTTP traffic. To this end, we design a covert timing channel whose inter-arrival times are long-range dependent and have the same marginal distribution as the inter-arrival times for new HTTP connection traffic. These inter-arrival times are constructed by combining a Fractional Auto-Regressive Integrated Moving Average (FARIMA) time series and an i.i.d. cryptographically secure random sequence. Experiments are conducted on PlanetLab, and the results are validated against recent real traffic trace data. Our experiments demonstrate that the traffic from this timing channel is statistically indistinguishable from legitimate HTTP traffic and undetectable by all current detection schemes for timing channels.
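The abstract's observation that i.i.d.-mimicking channels lack long-range dependence can be checked with a Hurst estimate over inter-arrival times. The sketch below is an added example, not code from the paper: the aggregated-variance estimator, block sizes, seed and both constructed sample series are assumptions chosen for illustration, and such a check covers only the i.i.d. case, not the long-range dependent channel the paper designs.

```python
import math
import random

def hurst_aggvar(x, block_sizes=(1, 2, 4, 8, 16, 32, 64)):
    """Aggregated-variance Hurst estimate: Var(mean of m samples) ~ m^(2H-2)."""
    pts = []
    for m in block_sizes:
        k = len(x) // m
        means = [sum(x[i * m:(i + 1) * m]) / m for i in range(k)]
        mu = sum(means) / k
        var = sum((v - mu) ** 2 for v in means) / (k - 1)
        pts.append((math.log(m), math.log(var)))
    # Least-squares slope of log(variance) against log(block size).
    mx = sum(p[0] for p in pts) / len(pts)
    my = sum(p[1] for p in pts) / len(pts)
    slope = (sum((px - mx) * (py - my) for px, py in pts)
             / sum((px - mx) ** 2 for px, _ in pts))
    return 1.0 + slope / 2.0

def iid_gaps(n, rng):
    """Constructed sample: i.i.d. exponential inter-arrival times (H near 0.5)."""
    return [rng.expovariate(1.0) for _ in range(n)]

def lrd_reference(n, rng, d=0.4, lags=512):
    """Constructed calibration series with long-range dependence (mean-removed
    gaps): truncated fractional-differencing filter applied to Gaussian noise."""
    psi = [1.0]
    for k in range(1, lags):
        psi.append(psi[-1] * (k - 1 + d) / k)
    eps = [rng.gauss(0.0, 1.0) for _ in range(n + lags)]
    return [sum(p * eps[t + lags - 1 - k] for k, p in enumerate(psi))
            for t in range(n)]

def compare(n=4096, seed=7):
    """Return (H of the i.i.d. gaps, H of the long-range dependent reference)."""
    rng = random.Random(seed)
    return hurst_aggvar(iid_gaps(n, rng)), hurst_aggvar(lrd_reference(n, rng))

if __name__ == "__main__":
    h_iid, h_lrd = compare()
    print(f"i.i.d. gaps:   H = {h_iid:.2f}")
    print(f"LRD reference: H = {h_lrd:.2f}")
```

A flow whose estimate sits near 0.5 while the site's HTTP baseline sits well above it fits the i.i.d. pattern the abstract describes.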

Date of this Version

12-2009