Article code Journal code Publication year English article Full-text version
451983 694442 2013 11 pages PDF Free download
English title of the ISI article
Mimic: An active covert channel that evades regularity-based detection
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

A covert timing channel is a hidden communication channel based on network timing that an attacker can use to sneak secrets out of a secure system. Active covert channels, in which the attacker uses a program to automatically generate innocuous traffic to use as a medium for embedding the covert channel, are especially problematic, as they allow the attacker to output large amounts of secret data. Further, it is relatively easy to create an active covert channel that outputs traffic with the same delay distribution as legitimate traffic. However, these channels are generally detectable due to their regularity – as they are generated by a computer program, they do not have the variations found in human-generated traffic. In this work, we show how to build an active covert channel that generates traffic in a purposefully irregular manner. In particular, we propose Mimic, an active covert channel that mimics both the shape and regularity of legitimate traffic to disguise its presence. Mimic includes two modules, a shape modeler and a regularity modeler, for learning about the statistical properties of real traffic and generating traffic with the same properties. The main novelty of Mimic stems from its ability to produce irregular patterns similar to those of legitimate traffic while maintaining the distribution shape. To measure the effectiveness of our mechanism, we run experiments for both detection and throughput over a LAN and over the Internet. Our results show that Mimic can generate channels with a wide range of regularity values, making it undetectable by any known detection technique, without sacrificing channel capacity.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computer Networks - Volume 57, Issue 3, 26 February 2013, Pages 647–657
Authors
, ,