
Identification of and automated support for an efficient covert channel analysis process

Posted on: 2010-03-09
Degree: M.A.Sc
Type: Thesis
University: Royal Military College of Canada (Canada)
Candidate: Forest, Kevin R
Full Text: PDF
GTID: 2448390002970326
Subject: Computer Science
Abstract/Summary:

Intrusion detection is a 'hard' problem. Finding malicious traffic such as covert channels against the background of normal network traffic is difficult, due to the false alarms raised by automated tools. One proposed solution to this detection problem is to provide a human analyst with a probability-based suite of detection tools which seek to characterize normal network traffic and create a model.

The Sliding Window Anomaly Detector (SWAD) can be used to analyse network traffic and separate it into anomalous and normal traffic. The malicious traffic is expected to be a subset of the anomalous traffic. Analysis of the anomalous traffic requires that an analyst extract data from a database using hand-crafted queries. This process is poorly understood and undocumented.

The goal of this thesis is to identify the work processes and flows of the data sifting phase of intrusion detection using SWAD. The identified flows can then be used to increase operator efficiency, including through the development of tools to support the analyst in the sifting process. The work flows and processes are documented for use in validation and for future research.

This research is validated through the creation of an analysis tool from a set of requirements extracted from the work flows. User testing will be used to show that the work flows can be utilized to create tools and train users to perform the sifting process in a manner that is more efficient than the one currently used.

Keywords: Covert Channel Detection, Data Sifting, SWAD.
Keywords/Search Tags: Covert, Detection, Process, Traffic, Sifting, Used