WoDiCoF - A Testbed for the Evaluation of (Parallel) Covert Channel Detection Algorithms
Ralf Keidel (Worms University of Applied Sciences, Germany)
Steffen Wendzel (Worms University of Applied Sciences, Germany)
Sebastian Zillien (Worms University of Applied Sciences, Germany)
Eric S. Conner (Worms University of Applied Sciences, Germany)
Georg Haas (Worms University of Applied Sciences, Germany)
Abstract: With the increasing number of steganography-capable malware and the increasing trend of stealthy data exfiltrations, network covert channels are becoming a crucial security threat - also for critical infrastructures (CIs): network covert channels enable the stealthy remote control of malware nested in a CI and allow the exfiltration of sensitive data, such as sensor values, firmware or configuration parameters.
We present WoDiCoF, a distributed testbed, accessible to the international research community to perform a unified evaluation of detection algorithms for network covert channels. In comparison to existing works, our testbed is designed for upcoming big-data scenarios, in which huge traffic recordings must be analyzed for covert channels. It is the first testbed to allow the testing of parallel detection algorithms.
To evaluate WoDiCoF, we took a detection algorithm published in ACM CCS/TISSEC, verified several of the original results and enhanced the understanding of its performance by considering previously unconsidered parameters. By parallelizing the algorithm, we could moreover achieve a speed-up of 2.89 with three nodes.
Keywords: covert channels, information hiding, network steganography, parallel computing, scientific methodology, testbeds
Categories: D.4.6, K.6.5, K.7.m