{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,2]],"date-time":"2026-05-02T00:47:09Z","timestamp":1777682829892,"version":"3.51.4"},"reference-count":34,"publisher":"SAGE Publications","issue":"4","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JHS"],"published-print":{"date-parts":[[2020,12,23]]},"abstract":"<jats:p>The application nature of HTTP protocol allows the creation of a covert timing channel based on different features of this protocol (or different levels) that has not been addressed in previous research. In this article, the entropy-based detection method was designed and implemented. The attacker can adjust the amount of channel entropy by controlling measures such as changing the channel\u2019s level or creating noise on the channel to protect from the analyzer\u2019s detection. As a result, the entropy threshold is not always constant for detection. By comparing the entropy from different levels of the channel and the analyzer, we concluded that the analyzer must investigate traffic at all possible levels. We also illustrated that by making noise on a covert channel, its capacity would decrease, but as entropy increases, it would be harder to detect it.<\/jats:p>","DOI":"10.3233\/jhs-200642","type":"journal-article","created":{"date-parts":[[2020,12,1]],"date-time":"2020-12-01T16:03:53Z","timestamp":1606838633000},"page":"255-266","source":"Crossref","is-referenced-by-count":2,"title":["Entropy-based analyzing anomaly WEB traffic"],"prefix":"10.1177","volume":"26","author":[{"given":"Mehrdad","family":"Nasseralfoghara","sequence":"first","affiliation":[{"name":"Faculty of Engineering, Imam Khomeini International University, Iran. E-mails:\u00a0mnaser1992@gmail.com,\u00a0hamidreza.hamidi@eng.ikiu.ac.ir"}]},{"given":"HamidReza","family":"Hamidi","sequence":"additional","affiliation":[{"name":"Faculty of Engineering, Imam Khomeini International University, Iran. E-mails:\u00a0mnaser1992@gmail.com,\u00a0hamidreza.hamidi@eng.ikiu.ac.ir"}]}],"member":"179","reference":[{"key":"10.3233\/JHS-200642_ref1","unstructured":"T.-S.\u00a0Ahn, J.-W.\u00a0Jung, H.-H.\u00a0Sung, D.-W.\u00a0Lee and T.-D.\u00a0Park, Turbo Equalization for Covert Communication in Underwater Channel, Eighth International Conference on Ubiquitous and Future Networks (ICUFN), IEEE, 2016."},{"key":"10.3233\/JHS-200642_ref2","doi-asserted-by":"crossref","unstructured":"R.\u00a0Archibald and D.\u00a0Ghosal, A covert timing channel based on fountain codes, in: Trust, Security and Privacy in Computing and Communications (TrustCom), IEEE 11th International Conference on, 2012, pp.\u00a0970\u2013977.","DOI":"10.1109\/TrustCom.2012.21"},{"issue":"5","key":"10.3233\/JHS-200642_ref4","first-page":"13","article-title":"Covert timing channel detection based on statistical methods","volume":"2","author":"Beyrami","year":"2014","journal-title":"Journal of Electronic & Cyber Defence"},{"key":"10.3233\/JHS-200642_ref5","unstructured":"E.\u00a0Brown, B.\u00a0Yuan, D.\u00a0Johnson and P.\u00a0Lutz, Covert channels in the HTTP network protocol: Channel characterization and detecting man-in-the-middle attacks, in: International Conference on Cyber Warfare and Security, 2010, p.\u00a056."},{"key":"10.3233\/JHS-200642_ref6","doi-asserted-by":"crossref","unstructured":"S.\u00a0Cabuk, C.E.\u00a0Brodley and C.\u00a0Shields, IP covert timing channels: Design and detection, in: Proceedings of the 11th ACM Conference on Computer and Communications Security, 2004, pp.\u00a0178\u2013187.","DOI":"10.1145\/1030083.1030108"},{"key":"10.3233\/JHS-200642_ref7","doi-asserted-by":"publisher","DOI":"10.1145\/1513601.1513604"},{"key":"10.3233\/JHS-200642_ref8","doi-asserted-by":"crossref","unstructured":"B.\u00a0Carrara and C.\u00a0Adams, A survey and taxonomy aimed at the detection and measurement of covert channels, in: Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security, 2016, pp.\u00a0115\u2013126.","DOI":"10.1145\/2909827.2930800"},{"key":"10.3233\/JHS-200642_ref9","unstructured":"A.\u00a0Chen, W.\u00a0Brad Moore, H.\u00a0Xiao, A.\u00a0Haeberlen, L.\u00a0Thi, X.\u00a0Phan, M.\u00a0Sherr and W.\u00a0Zhou, Detecting covert timing channels with time-deterministic replay, in: 11th {USENIX} Symposium on Operating Systems Design and Implementation, {OSDI}, Vol.\u00a014, 2014."},{"key":"10.3233\/JHS-200642_ref10","doi-asserted-by":"publisher","DOI":"10.1109\/CISS.2008.4558568"},{"key":"10.3233\/JHS-200642_ref11","doi-asserted-by":"crossref","unstructured":"T.P.\u00a0Coleman and N.\u00a0Kiyavash, Practical codes for queueing channels: An algebraic, state-space, message-passing approach, in: Information Theory Workshop, ITW\u201908, IEEE, 2008, pp.\u00a0318\u2013322.","DOI":"10.1109\/ITW.2008.4578677"},{"key":"10.3233\/JHS-200642_ref12","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87403-4_12"},{"key":"10.3233\/JHS-200642_ref14","doi-asserted-by":"crossref","unstructured":"T.S.\u00a0Han and K.\u00a0Kobayashi, Mathematics of Information and Coding, American Mathematical Society, 2007.","DOI":"10.1090\/mmono\/203"},{"key":"10.3233\/JHS-200642_ref15","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2009.4959876"},{"key":"10.3233\/JHS-200642_ref16","unstructured":"K.S.\u00a0Lee, H.\u00a0Wang and H.\u00a0Weatherspoon, {PHY} covert channels: Can you see the idles?, in: 11th {USENIX} Symposium on Networked Systems Design and Implementation, {NSDI}, Vol.\u00a014, 2014, pp.\u00a0173\u2013185."},{"issue":"2","key":"10.3233\/JHS-200642_ref17","doi-asserted-by":"publisher","first-page":"199","DOI":"10.1007\/s11235-010-9368-1","article-title":"Network covert timing channel with distribution matching","volume":"49","author":"Liu","year":"2012","journal-title":"Telecommunication Systems"},{"key":"10.3233\/JHS-200642_ref18","doi-asserted-by":"crossref","unstructured":"G.\u00a0Liu, J.\u00a0Zhai, Y.\u00a0Dai and Z.\u00a0Wang, Covert timing channel with distribution matching, in: Multimedia Information Networking and Security, MINES\u201909. International Conference on, Vol.\u00a01, 2009, pp.\u00a0565\u2013568.","DOI":"10.1109\/MINES.2009.280"},{"key":"10.3233\/JHS-200642_ref19","doi-asserted-by":"crossref","unstructured":"J.\u00a0Liu, W.\u00a0Yang, L.\u00a0Huang and W.\u00a0Chen, A Detection-Resistant Covert Timing Channel Based on Geometric Huffman Coding, International Conference on Wireless Algorithms, Systems, and Applications, Springer, Cham, 2018.","DOI":"10.1007\/978-3-319-94268-1_26"},{"key":"10.3233\/JHS-200642_ref20","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Liu, D.\u00a0Ghosal, F.\u00a0Armknecht, A.R.\u00a0Sadeghi, S.\u00a0Schulz and S.\u00a0Katzenbeisser, Hide and seek in time robust covert timing channels, in: European Symposium on Research in Computer Security, 2009, pp.\u00a0120\u2013135.","DOI":"10.1007\/978-3-642-04444-1_8"},{"key":"10.3233\/JHS-200642_ref21","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-16435-4_15"},{"key":"10.3233\/JHS-200642_ref22","doi-asserted-by":"crossref","unstructured":"W.\u00a0Mazurczyk, S.\u00a0Wendzel, S.\u00a0Zander, A.\u00a0Houmansadr and K.\u00a0Szczypiorski, Information Hiding in Communication Networks: Fundamentals, Mechanisms, Applications, and Countermeasures, John Wiley & Sons, 2016.","DOI":"10.1002\/9781119081715"},{"issue":"1","key":"10.3233\/JHS-200642_ref23","doi-asserted-by":"publisher","first-page":"517","DOI":"10.1109\/COMST.2017.2748278","article-title":"Survey and systematization of secure device pairing","volume":"20","author":"Mikhail","year":"2018","journal-title":"Communications Surveys & Tutorials IEEE"},{"key":"10.3233\/JHS-200642_ref24","doi-asserted-by":"crossref","unstructured":"M.\u00a0Nasseralfoghara and H.\u00a0Hamidi, Web covert timing channels detection based on entropy, in: 5th International Conference on Web Research (ICWR), Tehran, Iran, 2019, pp.\u00a012\u201315.","DOI":"10.1109\/ICWR.2019.8765291"},{"key":"10.3233\/JHS-200642_ref25","doi-asserted-by":"publisher","DOI":"10.1109\/THS.2010.5654967"},{"issue":"3","key":"10.3233\/JHS-200642_ref26","first-page":"35","article-title":"Simulation and evaluation of jitter and packet loss noises influence on covert timing channel performance","volume":"2","author":"Saadati","year":"2014","journal-title":"Journal of Electronic & Cyber Defence"},{"key":"10.3233\/JHS-200642_ref27","first-page":"273","article-title":"Survey of information security","volume":"50","author":"Shen","year":"2007","journal-title":"SCI CHINA SER F"},{"key":"10.3233\/JHS-200642_ref28","doi-asserted-by":"publisher","DOI":"10.3390\/info10040148"},{"key":"10.3233\/JHS-200642_ref29","doi-asserted-by":"crossref","unstructured":"R.M.\u00a0Stillman, Detecting IP covert timing channels by correlating packet timing with memory content, in: Southeastcon, IEEE, 2008, pp.\u00a0204\u2013209.","DOI":"10.1109\/SECON.2008.4494286"},{"key":"10.3233\/JHS-200642_ref30","unstructured":"US Department of Defense, Trusted Computer System Evaluation Criteria, Palgrave Macmillan, London, 1985. ISBN 978-0-333-53947-7."},{"issue":"6","key":"10.3233\/JHS-200642_ref31","doi-asserted-by":"publisher","first-page":"1217","DOI":"10.1016\/j.comnet.2010.11.007","article-title":"Liquid: A detection-resistant covert timing channel based on IPD shaping","volume":"55","author":"Walls","year":"2011","journal-title":"Computer networks"},{"key":"10.3233\/JHS-200642_ref32","doi-asserted-by":"crossref","unstructured":"J.\u00a0Wang Le Guan, L.\u00a0Liu and D.\u00a0Zha, Implementing a Covert Timing Channel Based on Mimic Function, International Conference on Information Security Practice and Experience, Springer, Cham, 2014.","DOI":"10.1007\/978-3-319-06320-1_19"},{"key":"10.3233\/JHS-200642_ref33","doi-asserted-by":"publisher","DOI":"10.1007\/11556992_37"},{"key":"10.3233\/JHS-200642_ref34","doi-asserted-by":"publisher","first-page":"83","DOI":"10.1016\/j.jnca.2017.10.019","article-title":"Concealed in web surfing: Behavior-based covert channels in HTTP","volume":"101","author":"Yao","year":"2018","journal-title":"Journal of Network and Computer Applications"},{"key":"10.3233\/JHS-200642_ref35","first-page":"458","article-title":"Stealthier inter-packet timing covert channels","volume":"2011","author":"Zander","year":"2011","journal-title":"Networking"},{"key":"10.3233\/JHS-200642_ref36","doi-asserted-by":"publisher","first-page":"9292","DOI":"10.1109\/ACCESS.2018.2802783","article-title":"A covert channel over volte via adjusting silence periods","volume":"6","author":"Zhang","year":"2018","journal-title":"IEEE Access"}],"container-title":["Journal of High Speed Networks"],"original-title":[],"link":[{"URL":"https:\/\/content.iospress.com\/download?id=10.3233\/JHS-200642","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T08:44:15Z","timestamp":1777452255000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/full\/10.3233\/JHS-200642"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,23]]},"references-count":34,"journal-issue":{"issue":"4"},"URL":"https:\/\/doi.org\/10.3233\/jhs-200642","relation":{},"ISSN":["1875-8940","0926-6801"],"issn-type":[{"value":"1875-8940","type":"electronic"},{"value":"0926-6801","type":"print"}],"subject":[],"published":{"date-parts":[[2020,12,23]]}}}