Mimic: An Active Covert Channel That Evades Regularity-based Detection

A covert timing channel is a hidden communication channel based on network timing that an attacker can use to sneak secrets out of a secure system. Active covert channels, in which the attacker uses a program to automatically generate innocuous traffic to use as a medium for embedding the covert channel, are especially problematic, as they allow the attacker to output large amounts of secret data. A promising technique for detecting covert timing channels focuses on using entropy-based tests. This technique can reliably detect known covert timing channels by using a combination of entropy (EN) and conditional entropy (CE) to detect anomalies in shape and regularity, respectively. The CE test is particularly effective at detecting regularity in active covert channels.In this work, we show that these detection techniques can be defeated by an active covert channel that generates traffic in a purposefully irregular manner. In particular, we propose Mimic, an active covert channel that mimics both the shape and regularity of legitimate traffic to disguise its presence. Mimic includes two modules, a shape modeler and a regularity modeler, for learning about the statistical properties of real traffic and generating traffic with the same properties. The main novelty of Mimic stems from its ability to smooth out the shape of the distribution while maintaining the regularity patterns of legitimate traffic. To measure the effectiveness of our mechanism, we ran experiments for both detection and throughput over a LAN and over the Internet. Our results show that Mimic is undetectable by any known detection technique at without loss of throughput.