
Real-Time Detection of Covert Timing Channels Using a Parallel System

Posted on: 2016-10-16
Degree: M.S
Type: Thesis
University: University of California, Davis
Candidate: Gegan, Ross Kieran
Full Text: PDF
GTID: 2478390017976955
Subject: Computer Science
Abstract/Summary:
As network data rates continue to increase, implementing real-time network security applications requires a scalable computing platform. Multi-core parallel processing devices provide a way to scale network security applications. Covert timing channel (CTC) detection is one type of network security application that could benefit from large-scale parallelization. Network CTCs enable secret communication between hosts by modulating the inter-packet delays of an overt application. A variety of techniques for creating and detecting covert timing channels have been studied. To enable quick detection, we introduce a covert timing channel detection tool which can be easily adapted to include new detection tests. CTC detection in high-speed enterprise network settings must be performed in a small amount of time to properly react to the presence of flows carrying covert channels. We present an implementation of our parallel covert timing channel detection tool using the Tilera TilePro64 card, an MPPA-based architecture. We examine the effectiveness of our detection technique for detecting model-based and time-replay covert timing channels using four common detection techniques: the Kullback-Leibler divergence, Kolmogorov-Smirnov, regularity and first-order entropy tests. Our experiments evaluate the true and false positive rates, as well as the effects of changing the sample size and the number of cores used.
Keywords/Search Tags:Covert timing, Detection, Parallel, Network security, Using
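To make two of the tests named in the abstract concrete, the following added example (not code from the thesis) scores inter-packet delays with a two-sample Kolmogorov-Smirnov statistic and a regularity measure. The traffic samples, the window size of 100, the delay values and the function names are assumptions constructed for illustration.

```python
import bisect
import random
import statistics

def ks_statistic(sample_a, sample_b):
    """Two-sample Kolmogorov-Smirnov statistic: max gap between empirical CDFs."""
    a, b = sorted(sample_a), sorted(sample_b)
    return max(
        abs(bisect.bisect_right(a, x) / len(a) - bisect.bisect_right(b, x) / len(b))
        for x in a + b
    )

def regularity(delays, window=100):
    """Stdev of pairwise relative differences between per-window stdevs.
    Values near zero mean the delay variance barely changes over time."""
    sigmas = [statistics.pstdev(delays[i:i + window])
              for i in range(0, len(delays) - window + 1, window)]
    pairs = [abs(si - sj) / si
             for i, si in enumerate(sigmas) for sj in sigmas[i + 1:] if si > 0]
    return statistics.stdev(pairs)

def build_samples(seed=1, n=2000):
    """Constructed data (assumption): exponential delays stand in for legitimate
    traffic; the suspect flow only ever uses two delay values, same mean."""
    rng = random.Random(seed)
    baseline = [rng.expovariate(1 / 0.05) for _ in range(n)]
    legit = [rng.expovariate(1 / 0.05) for _ in range(n)]
    suspect = [0.02 if rng.random() < 0.5 else 0.08 for _ in range(n)]
    return baseline, legit, suspect

def score_flows():
    """Score each flow against the known-good baseline with both tests."""
    baseline, legit, suspect = build_samples()
    return {
        name: {"ks": ks_statistic(baseline, flow), "regularity": regularity(flow)}
        for name, flow in (("legit", legit), ("suspect", suspect))
    }

if __name__ == "__main__":
    for name, scores in score_flows().items():
        print(name, {k: round(v, 3) for k, v in scores.items()})
```

Both flows have the same mean delay, so a simple average would not separate them; the suspect flow stands out through a large KS distance from the baseline and a regularity score close to zero.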