{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T08:44:31Z","timestamp":1773305071423,"version":"3.50.1"},"reference-count":57,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2009,4,1]],"date-time":"2009-04-01T00:00:00Z","timestamp":1238544000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2009,4]]},"abstract":"<jats:p>A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and present a discussion on its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that provide detection rates over 95%. We next take the simple step an attacker would of adding noise to the channel to attempt to conceal the covert communication. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel for noise levels higher than 10%. 
We then provide effective offline search mechanisms that identify the noisy channels.<\/jats:p>","DOI":"10.1145\/1513601.1513604","type":"journal-article","created":{"date-parts":[[2009,5,19]],"date-time":"2009-05-19T16:47:42Z","timestamp":1242751662000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":120,"title":["IP Covert Channel Detection"],"prefix":"10.1145","volume":"12","author":[{"given":"Serdar","family":"Cabuk","sequence":"first","affiliation":[{"name":"Hewlett-Packard Laboratories"}]},{"given":"Carla E.","family":"Brodley","sequence":"additional","affiliation":[{"name":"Tufts University"}]},{"given":"Clay","family":"Shields","sequence":"additional","affiliation":[{"name":"Georgetown University"}]}],"member":"320","published-online":{"date-parts":[[2009,4]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"IP checksum covert channels and selected hash collision. Tech. rep","author":"Abad C.","unstructured":"Abad , C. 2001. IP checksum covert channels and selected hash collision. Tech. rep ., University of California . Abad, C. 2001. IP checksum covert channels and selected hash collision. Tech. rep., University of California."},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the Workshop on Multimedia Security (MMSEC\u201902)","author":"Ahsan K.","unstructured":"Ahsan , K. and Kundur , D . 2002. Practical data hiding in TCP\/IP . In Proceedings of the Workshop on Multimedia Security (MMSEC\u201902) , 63--70. Ahsan, K. and Kundur, D. 2002. Practical data hiding in TCP\/IP. 
In Proceedings of the Workshop on Multimedia Security (MMSEC\u201902), 63--70."},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/258612.258631"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1005140.1005152"},{"key":"e_1_2_1_6_1","volume-title":"Proceedings of the IEEE International Conference on Communications (ICC\u201993)","author":"Berrou C.","unstructured":"Berrou , C. , Glavieux , A. , and Thitimajshima , P . 1993. Near Shannon limit error-correcting coding and decoding: Turbo codes . In Proceedings of the IEEE International Conference on Communications (ICC\u201993) , 2, 1064--1070. Berrou, C., Glavieux, A., and Thitimajshima, P. 1993. Near Shannon limit error-correcting coding and decoding: Turbo codes. In Proceedings of the IEEE International Conference on Communications (ICC\u201993), 2, 1064--1070."},{"key":"e_1_2_1_7_1","volume-title":"Phase-Locked Loops: Design, Simulation and Applications","author":"Best R. E.","unstructured":"Best , R. E. 2003. Phase-Locked Loops: Design, Simulation and Applications , 5 th Ed. McGraw-Hill Professional . Best, R. E. 2003. Phase-Locked Loops: Design, Simulation and Applications, 5th Ed. McGraw-Hill Professional.","edition":"5"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/579090"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030108"},{"key":"e_1_2_1_10_1","volume-title":"CCTT: Covert channel tunneling tool. Tech. rep., The Gray-World Team.","author":"Castro S.","year":"2003","unstructured":"Castro , S. 2003 . CCTT: Covert channel tunneling tool. Tech. rep., The Gray-World Team. Castro, S. 2003. CCTT: Covert channel tunneling tool. Tech. 
rep., The Gray-World Team."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.2005.844059"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1162\/0148926042728449"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/166237.166256"},{"key":"e_1_2_1_14_1","unstructured":"Common Criteria. 1998. Common criteria for information technology security evaluation version 2.0 Ed. ISO\/IEC Standard 15408. Common Criteria . 1998. Common criteria for information technology security evaluation version 2.0 Ed. ISO\/IEC Standard 15408."},{"key":"e_1_2_1_15_1","doi-asserted-by":"crossref","unstructured":"Cox D. R. and Lewis P. A. W. 1966. The Statistical Analysis of Series of Events. Chapman and Hall. Cox D. R. and Lewis P. A. W. 1966. The Statistical Analysis of Series of Events . Chapman and Hall.","DOI":"10.1007\/978-94-011-7801-3"},{"key":"e_1_2_1_16_1","first-page":"6","article-title":"Loki2 (the implementation)","volume":"51","author":"Daemon","year":"1997","unstructured":"Daemon 9. 1997 . Loki2 (the implementation) . Phrack 51 , 6 . Daemon9. 1997. Loki2 (the implementation). Phrack 51, 6.","journal-title":"Phrack"},{"key":"e_1_2_1_17_1","first-page":"6","article-title":"Project Loki","volume":"49","author":"Daemon","year":"1996","unstructured":"Daemon 9. 1996 . Project Loki . Phrack 49 , 6 . Daemon9. 1996. Project Loki. Phrack 49, 6.","journal-title":"Phrack"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/360051.360056"},{"key":"e_1_2_1_19_1","unstructured":"Department of Defense. 1985. Trusted computer system evaluation criteria 5200.28-STD Washington: Government Publishing Office. Department of Defense . 1985. Trusted computer system evaluation criteria 5200.28-STD Washington: Government Publishing Office."},{"key":"e_1_2_1_20_1","volume-title":"Proceedings of the 3rd International Workshop on Information Hiding (IH\u201900)","author":"Dogu T. M.","unstructured":"Dogu , T. M. and Ephremides , A . 
2000. Covert information transmission through the use of standard collision resolution algorithms . In Proceedings of the 3rd International Workshop on Information Hiding (IH\u201900) , 419--433. Dogu, T. M. and Ephremides, A. 2000. Covert information transmission through the use of standard collision resolution algorithms. In Proceedings of the 3rd International Workshop on Information Hiding (IH\u201900), 419--433."},{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the Workshop on Privacy Enhancing Technologies (PET\u201902)","author":"Giffin J.","unstructured":"Giffin , J. , Greenstadt , R. , Litwack , P. , and Tibbetts , R . 2002. Covert messaging through TCP timestamps . In Proceedings of the Workshop on Privacy Enhancing Technologies (PET\u201902) , 2482, 194--208. Giffin, J., Greenstadt, R., Litwack, P., and Tibbetts, R. 2002. Covert messaging through TCP timestamps. In Proceedings of the Workshop on Privacy Enhancing Technologies (PET\u201902), 2482, 194--208."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.2002.801405"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1987.233153"},{"key":"e_1_2_1_24_1","unstructured":"GNU. 2003. GNU zip utility. http:\/\/www.gzip.org. GNU . 2003. GNU zip utility. http:\/\/www.gzip.org."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/49.68448"},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the 1st International Workshop on Information Hiding (IH\u201996)","author":"Handel T.","unstructured":"Handel , T. and Sandford , M . 1996. Hiding data in the OSI network model . In Proceedings of the 1st International Workshop on Information Hiding (IH\u201996) . Springer-Verlag, 23--38. Handel, T. and Sandford, M. 1996. Hiding data in the OSI network model. In Proceedings of the 1st International Workshop on Information Hiding (IH\u201996). 
Springer-Verlag, 23--38."},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the 10th USENIX Security Symposium (SECURITY\u201901)","author":"Handley M.","unstructured":"Handley , M. and Paxson , V . 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics . In Proceedings of the 10th USENIX Security Symposium (SECURITY\u201901) , 9. Handley, M. and Paxson, V. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proceedings of the 10th USENIX Security Symposium (SECURITY\u201901), 9."},{"key":"e_1_2_1_28_1","unstructured":"Hauser V. 1999. Placing backdoors through firewalls. Tech. rep. The Hacker\u2019s Choice. Hauser V. 1999. Placing backdoors through firewalls. Tech. rep. The Hacker\u2019s Choice."},{"key":"e_1_2_1_29_1","volume-title":"Proceedings of Workshop on Security Protocols Verification (SPV\u201903)","author":"Helouet L.","unstructured":"Helouet , L. , Jard , C. , and Zeitoun , M . 2003. Covert channels detection in protocols using scenarios . In Proceedings of Workshop on Security Protocols Verification (SPV\u201903) , 21--25. Helouet, L., Jard, C., and Zeitoun, M. 2003. Covert channels detection in protocols using scenarios. In Proceedings of Workshop on Security Protocols Verification (SPV\u201903), 21--25."},{"key":"e_1_2_1_30_1","volume-title":"Covert channels provided hackers the opportunity and the means for the current distributed denial of service attacks. Tech. rep","author":"Henry P. A.","unstructured":"Henry , P. A. 2000. Covert channels provided hackers the opportunity and the means for the current distributed denial of service attacks. Tech. rep ., CyberGuard Corporation . Henry, P. A. 2000. Covert channels provided hackers the opportunity and the means for the current distributed denial of service attacks. Tech. 
rep., CyberGuard Corporation."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-1992-13-404"},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the IEEE Computer Society Symposium of Research in Security and Privacy (SP\u201991)","author":"Karger P. A.","unstructured":"Karger , P. A. and Wray , J. C . 1991. Storage channels in disk arm optimization . In Proceedings of the IEEE Computer Society Symposium of Research in Security and Privacy (SP\u201991) , 52--61. Karger, P. A. and Wray, J. C. 1991. Storage channels in disk arm optimization. In Proceedings of the IEEE Computer Society Symposium of Research in Security and Privacy (SP\u201991), 52--61."},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/357369.357374"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.106972"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1014052.1014077"},{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the 14th ACM-SIAM Symposium on Discrete Algorithms (SIAM\u201903)","author":"Li M.","unstructured":"Li , M. , Chen , X. , Li , X. , Ma , B. , and Vitanyi , P . 2003. The similarity metric . In Proceedings of the 14th ACM-SIAM Symposium on Discrete Algorithms (SIAM\u201903) . Society for Industrial and Applied Mathematics, 863--872. Li, M., Chen, X., Li, X., Ma, B., and Vitanyi, P. 2003. The similarity metric. In Proceedings of the 14th ACM-SIAM Symposium on Discrete Algorithms (SIAM\u201903). Society for Industrial and Applied Mathematics, 863--872."},{"key":"e_1_2_1_37_1","doi-asserted-by":"crossref","unstructured":"Li M. and Lampson W. 1997. An Introduction to Kolmogorov Complexity and Its Application 2nd Ed. Springer. Li M. and Lampson W. 1997. An Introduction to Kolmogorov Complexity and Its Application 2nd Ed. 
Springer.","DOI":"10.1007\/978-1-4757-2606-0"},{"key":"e_1_2_1_38_1","volume-title":"Proceedings of the 1st IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (SECON\u201904)","author":"Li S.","unstructured":"Li , S. and Ephremides , A . 2004. A network layer covert channel in ad-hoc wireless networks . In Proceedings of the 1st IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (SECON\u201904) , 88--96. Li, S. and Ephremides, A. 2004. A network layer covert channel in ad-hoc wireless networks. In Proceedings of the 1st IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (SECON\u201904), 88--96."},{"key":"e_1_2_1_39_1","unstructured":"Loewenstem D. Hirsh H. Yianilos P. and Noordewier M. 1995. DNA sequence classification using compression-based induction. Tech. rep. DIMACS. Loewenstem D. Hirsh H. Yianilos P. and Noordewier M. 1995. DNA sequence classification using compression-based induction. Tech. rep. DIMACS."},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1999.766906"},{"key":"e_1_2_1_41_1","volume-title":"Error Correction Coding: Mathematical Methods and Algorithms","author":"Moon T. K.","unstructured":"Moon , T. K. 2005. Error Correction Coding: Mathematical Methods and Algorithms . Wiley-Interscience . Moon, T. K. 2005. Error Correction Coding: Mathematical Methods and Algorithms. Wiley-Interscience."},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.5555\/882490.884220"},{"key":"e_1_2_1_43_1","volume-title":"Proceedings of the 9th Annual Conference on Computer Assurance (COMPASS\u201994)","author":"Moskowitz I. S.","unstructured":"Moskowitz , I. S. and Kang , M. H . 1994. Covert channels - Here to stay? In Proceedings of the 9th Annual Conference on Computer Assurance (COMPASS\u201994) . National Institute of Standards and Technology, 235--244. Moskowitz, I. S. and Kang, M. H. 1994. 
Covert channels - Here to stay? In Proceedings of the 9th Annual Conference on Computer Assurance (COMPASS\u201994). National Institute of Standards and Technology, 235--244."},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/11558859_19"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/90.392383"},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the IEEE International Conference on Communications (ICC\u201995)","author":"Rosenberg C.","unstructured":"Rosenberg , C. , Guillemin , F. , and Mazumdar , R . 1995. New approach for traffic characterization in ATM networks . In Proceedings of the IEEE International Conference on Communications (ICC\u201995) , 142, 87--90. Rosenberg, C., Guillemin, F., and Mazumdar, R. 1995. New approach for traffic characterization in ATM networks. In Proceedings of the IEEE International Conference on Communications (ICC\u201995), 142, 87--90."},{"key":"e_1_2_1_48_1","doi-asserted-by":"crossref","unstructured":"Rowland C. 1997. Covert channels in the TCP\/IP protocol suite. Tech. rep. First Monday. Rowland C. 1997. Covert channels in the TCP\/IP protocol suite. Tech. rep. First Monday.","DOI":"10.5210\/fm.v2i5.528"},{"key":"e_1_2_1_49_1","volume-title":"Chaos Communication Congress.","author":"Rutkowska J.","year":"2004","unstructured":"Rutkowska , J. 2004 . The implementation of passive covert channels in the Linux kernel. Tech. rep ., Chaos Communication Congress. Rutkowska, J. 2004. The implementation of passive covert channels in the Linux kernel. Tech. rep., Chaos Communication Congress."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/800179.1124633"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/DCC.2006.13"},{"key":"e_1_2_1_52_1","doi-asserted-by":"crossref","unstructured":"Simmons G. J. 1984. The prisoner\u2019s problem and the subliminal channel. In Advances in Cryptography 51--67. Simmons G. J. 1984. 
The prisoner\u2019s problem and the subliminal channel. In Advances in Cryptography 51--67.","DOI":"10.1007\/978-1-4684-4730-9_5"},{"key":"e_1_2_1_53_1","volume-title":"Covert shells. Tech. rep","author":"Smith J. C.","unstructured":"Smith , J. C. 2000. Covert shells. Tech. rep ., SANS Institute Information Security Reading Room . Smith, J. C. 2000. Covert shells. Tech. rep., SANS Institute Information Security Reading Room."},{"key":"e_1_2_1_54_1","volume-title":"Proceedings of the International Conference on Information and Communications Security (ICS\u201903)","author":"Sohn T.","unstructured":"Sohn , T. , Moon , J. , Lee , S. , Lee , D. H. , and Lim , J . 2003a. Covert channel detection in the ICMP payload using support vector machine . In Proceedings of the International Conference on Information and Communications Security (ICS\u201903) , 828--835. Sohn, T., Moon, J., Lee, S., Lee, D. H., and Lim, J. 2003a. Covert channel detection in the ICMP payload using support vector machine. In Proceedings of the International Conference on Information and Communications Security (ICS\u201903), 828--835."},{"key":"e_1_2_1_55_1","volume-title":"Proceedings of the International Conference on Information and Communications Security (ICS\u201903)","author":"Sohn T.","unstructured":"Sohn , T. , Seo , J.-T. , and Moon , J . 2003b. A study on the covert channel detection of TCP\/IP header using support vector machine . In Proceedings of the International Conference on Information and Communications Security (ICS\u201903) , 313--324. Sohn, T., Seo, J.-T., and Moon, J. 2003b. A study on the covert channel detection of TCP\/IP header using support vector machine. In Proceedings of the International Conference on Information and Communications Security (ICS\u201903), 313--324."},{"key":"e_1_2_1_56_1","unstructured":"United Nations. 1948. Universal declaration of human rights. 217A 3. United Nations . 1948. Universal declaration of human rights. 
217A 3."},{"key":"e_1_2_1_57_1","volume-title":"NZIX-II trace archive","author":"WAND Research Group","unstructured":"WAND Research Group . 2001. NZIX-II trace archive . University of Waikato Computer Science Department. http :\/\/pma.nlanr.net\/Traces\/long\/nzix2.html. WAND Research Group. 2001. NZIX-II trace archive. University of Waikato Computer Science Department. http:\/\/pma.nlanr.net\/Traces\/long\/nzix2.html."},{"key":"e_1_2_1_58_1","unstructured":"Wehner S. 2004. Analyzing network traffic and worms using compression. Tech. rep. Centrum Wiskunde and Informatica. Wehner S. 2004. Analyzing network traffic and worms using compression. Tech. rep. Centrum Wiskunde and Informatica."},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/RISP.1991.130767"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1513601.1513604","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1513601.1513604","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T13:57:58Z","timestamp":1750255078000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1513601.1513604"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009,4]]},"references-count":57,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2009,4]]}},"alternative-id":["10.1145\/1513601.1513604"],"URL":"https:\/\/doi.org\/10.1145\/1513601.1513604","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"value":"1094-9224","type":"print"},{"value":"1557-7406","type":"electronic"}],"subject":[],"published":{"date-parts":[[2009,4]]},"assertion":[{"value":"2006-03-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},
{"value":"2008-11-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2009-04-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}