Bandwidth and detection of packet length covert channels

Abstract

This thesis explores the detectability and robustness of packet length covert channels. We discovered that packet length covert channels, where a rogue user modulates the length of a Transport Control Protocol packet, can be detected while monitoring traffic of a large network. The bandwidth of these channels can be successfully estimated as well as the channels themselves detected using statistical inference. In addition, we observed that there is an inverse relationship between the volitionality in networks with respect to packet lengths and the detectability of these channels, and between packet length and channel bandwidth. For a large network like a college department, the bandwidth of a covert channel could be in the tens of megabytes over the course of a day.