TY - JOUR
T1 - Using hierarchical statistical analysis and deep neural networks to detect covert timing channels
AU - Darwish, Omar
AU - Al-Fuqaha, Ala
AU - Ben Brahim, Ghassen
AU - Jenhani, Ilyes
AU - Vasilakos, Athanasios
N1 - Publisher Copyright:
© 2019 Elsevier B.V.
PY - 2019/9
Y1 - 2019/9
N2 - Covert timing channels provide a mechanism to leak data across different entities. Manipulating the timing between packet arrivals is a well-known example of such an approach. The time-based property makes the detection of the hidden messages impossible by traditional security protection mechanisms such as proxies and firewalls. This paper introduces a new generic hierarchical-based model to detect covert timing channels. The detection process consists of the analysis of a set of statistical metrics at consecutive hierarchical levels of the inter-arrival time flows. The statistical metrics considered are: mean, median, standard deviation, entropy, and Root of Average Mean Error (RAME). A real statistical metrics timing channel dataset of covert and overt channel instances is created. The generated dataset is set to be either flat, where the statistical metrics are calculated on all flows of data, or hierarchical (5 levels of hierarchy were considered), where the statistical metrics are computed on sub-parts of the flow as well. Following this method, 5 different datasets were generated and used to train/test a deep neural network based model. Performance results on accuracy and model training time showed that the hierarchical approach outperforms the flat one by 4 to 10 percent (in terms of accuracy) and was able to achieve short model training time (in terms of seconds). When compared to the Support Vector Machine (SVM) classifier, the deep neural network achieved a better accuracy level (about 2.3% to 12%, depending on the kernel used) and significantly shorter model training time (a few seconds versus a few hundred seconds). This paper also explores the importance of the metrics used in each level of the detection process.
AB - Covert timing channels provide a mechanism to leak data across different entities. Manipulating the timing between packet arrivals is a well-known example of such an approach. The time-based property makes the detection of the hidden messages impossible by traditional security protection mechanisms such as proxies and firewalls. This paper introduces a new generic hierarchical-based model to detect covert timing channels. The detection process consists of the analysis of a set of statistical metrics at consecutive hierarchical levels of the inter-arrival time flows. The statistical metrics considered are: mean, median, standard deviation, entropy, and Root of Average Mean Error (RAME). A real statistical metrics timing channel dataset of covert and overt channel instances is created. The generated dataset is set to be either flat, where the statistical metrics are calculated on all flows of data, or hierarchical (5 levels of hierarchy were considered), where the statistical metrics are computed on sub-parts of the flow as well. Following this method, 5 different datasets were generated and used to train/test a deep neural network based model. Performance results on accuracy and model training time showed that the hierarchical approach outperforms the flat one by 4 to 10 percent (in terms of accuracy) and was able to achieve short model training time (in terms of seconds). When compared to the Support Vector Machine (SVM) classifier, the deep neural network achieved a better accuracy level (about 2.3% to 12%, depending on the kernel used) and significantly shorter model training time (a few seconds versus a few hundred seconds). This paper also explores the importance of the metrics used in each level of the detection process.
KW - Covert channel detection
KW - Covert timing channel
KW - Deep neural networks
KW - Machine learning
KW - Statistical hierarchical analysis
UR - http://www.scopus.com/inward/record.url?scp=85068090503&partnerID=8YFLogxK
U2 - 10.1016/j.asoc.2019.105546
DO - 10.1016/j.asoc.2019.105546
M3 - Article
AN - SCOPUS:85068090503
SN - 1568-4946
VL - 82
JO - Applied Soft Computing
JF - Applied Soft Computing
M1 - 105546
ER -