ENTROPY BASED DETECTION ANDBEHAVIORAL ANALYSIS OF HYBRID COVERT CHANNELIN SECURED COMMUNICATION

(1)

DOI : 10.5121/ijnsa.2015.7304 39

Anjan K

1

, Srinath N K

1

and Jibi Abraham

2

1

Department of Computer Science and Engineering, R V College of Engineering, Bengaluru,India 2

Department of Computer Engineering and Information Technology, College of Engineering, Pune, India

A

BSTRACT

Covert channels is a vital setup in the analysing the strength of security in a network. Covert Channel is illegitimate channelling over the secured channel and establishes a malicious conversation. The trap-door set in such channels proliferates making covert channel sophisticated to detect their presence in network firewall. This is due to the intricate covert scheme that enables to build robust covert channel over the network. From an attacker's perspective this will ameliorate by placing multiple such trapdoors in different protocols in the rudimentary protocol stack. This leads to a unique scenario of “Hybrid Covert Channel", where different covert channel trapdoors exist at the same instance of time in same layer of protocol stack. For detection agents to detect such event is complicated due to lack of knowledge over the different covert schemes. To improve the knowledge of the detection engine to detect the hybrid covert channel scenario it is required to explore all possible clandestine mediums used in the formation of such channels. This can be explored by different schemes available and their entropy impact on hybrid covert channel. The environment can be composed of resources and subject under at-tack and subject which have initiated the attack (attacker). The paper sets itself an objective to understand the different covert schemes and the attack scenario (modelling) and possibilities of covert mediums along with metric for detection.

.

K

EYWORDS

Covert Channel, Subliminal Channel, Network Forensics, Kleptography, Trapdoors, Covert Schemes

1.I

NTRODUCTION

Global internet consists of massive devices connected to it with numerous applications running on it. There is frequent inherent threat of intentional exposure of the confidential and sensitive information over secured channel. Such threats are implemented using "Covert Channel" which compromises very important attribute "Privacy"of secured channel. Covert channel is defined in different ways based on scenarios of establishment of covert channel and is non-concrete.

(2)

International Journal of Netw This clearly states the policy communication channel was env simple covert channel can be vis channel in the communication.

Covertchannelinformationexchan implementation of such langua proliferated into multiple protoc complex to detect such clan-desti mechanism for ameliorated devel have such multiple trapdoors eith

Multiple trapdoors can be implem the different covert channel var coherent covert channel. Such ch Channel [3] is homogeneous com instance of time. Hybrid covert c to assess the composition of the H is depicted in [3] and figure 2.

Fig.2. The covert channel was first int [11]. Extensive work is carried ou forensics [6] based. Scenario bas to understand the detection bette basis for detection. Modelling the

twork Security & Its Applications (IJNSA) Vol.7, No.3, Ma icy violation constraint, but does not consider

nvisaged as a communication channel by the system visualizedin [3] where channel comprises of both cov

Fig.1. Covert Channel Visualization

angeisbasedcovertlanguagespre-negotiated by the cov uages uses intricate encoding schemes. These sche ocols, where each such protocol will be a trapdoor. T

estine mediums. SETUP attack [18] makes uses of m velopment of covert channel. A hybrid covert channel

ither in the same layer on in different layers.

lemented in the same layer or in different layers.Imple ariants at the same instance of time tends to behav channel is termed as “Hybrid Covert Channel". A H omposition of two or more covert channel variants exi t channel may not have strict composition. It becomes Hybrid Covert Channel. An instance of the hybrid co

2. Hybrid Covert Channel in Transport Layer

introduced in the traditional confinement problem as out in devising the detection methods which can be on

ased analysis of the covert channel detections [3][7] tter. Monitoring the unusual traffic [14] in the networ the covert timing channel process as Poisson’s distribu

May 2015

40 r whether the em designer. A overt and overt

overt users and hemes may be . This makes it multi-trapdoor el scenario may

plementation of ave as a single Hybrid Covert xisting at same es complicated covert channel

(3)

way to detect such activity. Il Sequence Charts (MSC) [9].This to detect hybrid covert channel b

2.C

OVERT

C

OMMUNICAT

In Network communication, cove (a) covert data exchange and (b) covert indication

In covert data exchange, covert d in rudimentary protocols. This pipeline problem, where there ex inside the other such that d2< d1

transportation of crude oil. In F known or undocumented in the legitimate pipe. This type of the schemes will be simple placeme clandestine field in the traditio network covert channel.

Second form of covert commun language not known to others. I encoding scheme to leak informa 1 is the language that covert u environment. This sophisticated decoding the language might be q

The best real time classical exam leaks the answers to Student Y f presence of invigilating officer. triggers an event to student Y. F coughs. Same schema holds goo continuous clock events that com Y.Some of the other forms of cov

Illegitimate information flows can be tracked throu his paper employs a statistical protocol based entropy

based on analysis made on packet headers.

TION

T

YPES

vert communication amongst a pair of users can take t nd

t data is exchanged between the covert users by hidin is form of covert communication can best be und exists two pipesp1 and p2 of diameters d1 and d2 resp

1. These pipes are setup between two geographical p

Figure 3, the inner pipe p2 of diameter d2 is the co

he design and used for smuggling oil. The outer p he covert communication type will not have pre-defin

ent of covert data (trapdoor creation) directly in to t tional network protocol stack. This channel is calle

Fig.3. Classical Pipeline Problem

unication is the covert indication. Covert users comm . In Figure 4, the covert sender and receiver share an mation. This information encoding scheme as seen fro users employ to communicate in a secured legitim ted communication is visible to our detection engi

e quite difficult in many situations.

ample of such communication is Examination Problem for an objective type examination paper in an exami r. For each choice in a question, student X makes a . For instance to communicate choice A to student ood in case network communication where covert us

ommunicate some form of action to be performed b overt indication in network scenario include

41 rough Message y detection [1]

e two forms;

ing covert data nderstood with spectively, one l places for the covert pipe not pipe p1 is the

ned encoding o the identified lled as simple

municate in a an information from the figure timate network gine; however

(4)

International Journal of Netw

• Encoding ASCII charac mathematical operation o • Repeated sending of ackn

is listening to. Receiver h to this server. This valu character.

• Retrieving the packet information to the covert • Using logical operators l

3.C

OVERT

C

HANNEL

V

AR

Covert channel are categorized b communication like the shared r the communication. The covert c

• Noisy Covert Channe

both Overt and covert u • Noiseless Covert Cha

parties.

• Storage Covert Chan indirectly read or writes R/W in hard disk. • Timing Covert Chan

modulating the resource receiver.

• Simple Network Cov

rudimentary protocols

• Steganographic Chan

receiver collude to pr communication is happ

• Subliminal Channel

typically proved undete

• Supraliminal Channe

semantic content of co similar to mimic functi

twork Security & Its Applications (IJNSA) Vol.7, No.3, Ma

Fig.4. Classical Examination Problem

acter set in Sequence number. Decoding the same n on sequence number. This can either be in TCP or In cknowledge packet to an unknown server where the co r has to count the number of time the acknowledge pa alue can later on mapped to ASCII table for retrie

t sorting order numbering in IPSec frames whic ert receiver.

s like the XOR with sequence number to get the covert

RIANTS

d based on different aspects of the overall entities inv d resources, backdoor/trapdoor placement and parties t channel general classification is given below –

nel [14] is a communication channel which has rt users.

hannel [14] is the communication channel used sole

annel [14] involves the sender and the receiver eith es in to storage location. The implementation can be

nnel [14] [13] involves the sender signalling the in rces in such a way that real response time is obse

overt Channel [14] (SNCC) exists by creating a ls used in network protocol suite.

annel [3] is a means of communication where prevent an observer being able to reliably det ppening.

[15]- is a covert channel in a cryptographic etectable.

nel [12] - A supraliminal channel encodes inform cover data, generating innocent communication ctions.

May 2015

42 e by applying In IP ID fields. covert receiver packet was sent rieving suitable

hich serves as

ert data.

involved in the ies involved in

as presence of

olely by covert

ther directly or be on file-lock,

information by bserved by the

a trapdoor in

re sender and etect whether

hic algorithm,

(5)

• Hybrid Covert Chan

covert channels existin covert channel is diffi Mixed composition of channel and is of a g instance noisy covert network layer or applic

4.A

TTACK

M

ODELLING

The attack modelling [4] can be these scenarios are designed and in direct or encoded format; dir clandestine medium in the netw using encoding scheme and that i

The intricate design, choosing of way for successful undetectable mediums may be difficult and he is given below and will be used f

This important formation scenari .

4.1Scenario - 1

The attack scenarios have three e and Eve is legitimate entity/use legitimate users hence it is scen Bob and Eve is legitimate chann covert channel. Alice and Bo information and is mentioned in d

While Eve is communicating wi over the covert channel. Once w would also stop communication snatched from Bob's machine. Th strong trapdoor so as to thwart Hybrid covert channel. Such po Network Covert Channel in the I

nnel [4] is co-existence of two or more differen ting at same instance of time. The composition of ifficult to assess from third party which is tryin of covert channel variants behave as single coh greatest threat to the legitimate network enviro

rt channel in transport layer with subliminal lication layer.

e based on different scenarios and placement covert u nd built to fulfil certain objectives. Covert users can

irect communication is merely placement of covert twork protocol. Alternatively the covert user can c t is known only to the covert users.

of clandestine mediums (trapdoors) and encoding sch le establishment of covert channel. Detecting such hence detection metric called covertness index is use

for assessment in the attack scenarios.

arios of covert channels where attack can be devised is

e entities - Alice, Bob and Eve; Alice and Bob are cov user. The scenario comprises of the combination o

enario of noisy covert channel. The channel establis nnel comprising of covert channel and between Alic Bob have pre-established channel to communicate

n dotted lines in the figure 5.

with Bob over legitimate channel, Alice would extrac e when the communication between Bob and Eve is ion with Bob. Further Alice and eve can share the The covert channel implemented between Alice and B

rt the detection methods. Such trapdoors can be de possible composition can be Subliminal channel in th

IP, both at network layer.

43 ent variants of of the Hybrid ing to detect. oherent covert ironment. For al channel in

t users. Each of n communicate rt data over an n communicate

scheme paves a h strong covert sed.The metric

is given below

covert attackers of covert and lished between lice and Eve is ate the attack

(6)

This combination will prove e The covertness index for Netw

where P (Ut) = U

The covertness index for sublimi

IPSec make use of AES-XCB implantation - Sequence Numbe random number generator algor seed.

As per [7] the trapdoors can be d formation. However this will not headers.

Fig.5. Noise Covert Channel

effective in hop-to-hop routing and can avoid any twork Covert Channel in Network Layer (IPv4)-

e P(T) = Probability ofa trapdoor card Universal set of all possibletrapdoors

inal channel in IPSec - ESP format

BC-MAC cipher suite and ESP format allow tw ber field and padding. The maximum number of ro orithm is 16. Out of which 5 rounds are used for g

e detected under the assumption stated in the hybrid co ot be the same if multiple trapdoors are set in each of

May 2015

44 ny detections.

two trapdoors rounds in AES generating the

(7)

4.2 Scenario-2

This scenario is built on the thr users in sub-network are compr communication from the sub ne Channel. This sub network can b

Fig.6. Noisel The scenario can have multi-tr trapdoor can move from one pro or can be combination trapdoors particular index.

5.C

OVERT

S

CHEMES AND

The covert schemes are crucial f obscured way. More sophisticat samples of covert schemes were presented here.

Scheme 1

The IP ID is field used for ident covert scheme used for this field • Intentional use of only ce • Scheme is designed by th

field.

• The Covert receiver ap character.

For instance a simple scheme performing modulus operation o encoding a character ‘c’ is

hreat model of noiseless covert channel, where the r promised. This sub-network is connected to other n network to all the other networks is built using a H be similar to bot-net as described in [8].

eless Covert Channel with Hybrid Covert Channel trapdoor or protocol hopped hybrid covert chann rotocol to another protocol during the hop-to-hop com ors in multiple level in the protocol suite. Hence the

D THEIR EMBODIMENT

l for conveying the covert data over communication ated scheme likely not to be retrieved by detection ere discussed in section 2 of this paper and detailed

entification of the packet and is used for the routing ld is based on following strategy-

certain IP ID's while having conversation with Covert the covert sender for embedding covert characters in

applies the scheme used by the sender to retriev

e that can be used for this field is extracting the of the character set size. General notation for this

45 resources and r network. The Hybrid Covert

nnel [16]. The ommunication here can be no

on channel in a on entity. Few ed schemes are

g purpose. The

ert receiver. in to the IP ID

eve the covert

(8)

International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.3, May 2015

46 Where ( ) is the encoding function, R is the IP ID value and n is the size of the character set. For an ASCII character set, n = 256

Example: If IP ID = 26702 and if the character to be sent is `M' Then ( ) = 26702 − 1 256 = `M'

To convey a covert message, the covert sender has select IP ID in such a way as to match with

( ).

Scheme 2

Another prominent scheme used is on the sequence number where maximum range is

4,294,967,296 numbers as it is 32 bit field. To communicate covertly under this scheme following strategy is employed-

• Sequence number is multiplied with value of character set and bound is declared with maximum limit.

• The receiver side retrieves the sequence number and then divides it by character set size. The encoding function ( ) is given below-

Where S is the initial sequence number and n is the size of the character set. The decoding function is ( ’) is given below –

Where ’ is the decoded character and ’ is the received sequence number.

For instance to send a character `I' covertly over the channel, the sender would have to choose 1235037038 as sequence number and the max. value is derived as 65535 * 256 = 16777216

Therefore the decoded character is ( ’) = 1235037038=16777216 = 73, The value 73 when mapped back to ASCII Table is the character `I'.

Scheme 3

Another scheme which has tremendous effect on the bandwidth is the modulation of TCP timestamps or use of timing element in the network protocol. TCP timestamps is in the options field of the TCP header which indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of TCP segment which was failed to be acknowledged. If the character is to be covertly sent using this scheme following strategy is used.

• Get the binary representation of the character and extract bits from the least significant bit.

(9)

47 TCP segment.

• Covert receiver will extract the LSB of the timestamp and store the same until it is a byte.

Let be the binary representation of the character `c' and FLSB(Bc) be the encoding function for

encoding the covert bits in TCP timestamp.

6.E

NTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in communication network indicates the number of bits required to encode a character over the channel as stated by Shannon Entropy theory. This is based on the frequency of the characters in given string and the size of the alphabet. The entropy measure also checks for uncertainty of the random variable.

Let A be finite set of characters such that | | ≥ 1 and any character` ’ ∈ . A is sequence of symbols which is a string, each of alphabet in string ∈ A. For instance let cbbacabbac_be

sequence of symbols that needs to be transmitted over network then its sequence of bits represents the coded symbol sequence which may be 101110011011100010. Then the entropy for such scenario is defined as –

where ∈ | | and | | > 1, pi is the probability of the occurrence of symbol ‘c’ in the string and n gives the length of the string. To transmit a message “network” over the communication network, following are the calculated entropy for each alphabet –

The frequency of all the characters in a string with unique symbols will be same, since the word

“network” has unique symbols the frequency is 0.143. Let X be string for which the entropy is to be calculated, here X may word like network or stream of numbers then

H(X)=[(0.143log20.143) + (0.143log20.143) + (0.143log20.143) +(0.143log20.143) + (0.1 43log20.143) + (0.143log20.143) + (0.143log20.143)]

H(X)=2:803

It requires 3 bits to represent each symbol in the given string and 21 bits are required to represent the entire string. Further the appropriate line coding technique has to be chosen to represent them in the transmission line. So in general entropy of X where each alphabet is a unique symbol is

In a covert channel scenario, the covert user has to be chosen the message in such a way that the entropy of string should always be less that number of bits available for that field in the protocol header.

(10)

International Journal of Netw The IP ID presented in the sch X the minimum of 21 bits are

The covert channel occupies 25 header or protocol header simpl channel capacity ratio will be low

This makes the detection of cove fields for analysis.

In general,

for robust covert channel constr covert channel will be greater protocols is actually setting up o entropy for such scenarios is d scheme. Also in the scenario of hybrid covert channel where the figure 7 and figure 8 shows the a

twork Security & Its Applications (IJNSA) Vol.7, No.3, Ma cheme 1 of this paper has 16 bits in the IP heade re required. Hence capacity of the covert channel i

25% of total IP header space. Multiple trapdoors (t) ply doubles the covert channel capacity. However th ow thus making it robust ie.,

vert bits much difficult as the detection systems needs

struction where [7]the covertness index for such m r than 0.5. The multiple trapdoors through a proto p of multiple covert channels in the communication n

dispersed across multiple making it difficult to un of multi-trapdoors covert channel behaves like a sin e effect of the entropy is doubled. The below results accurate expected behaviour discussed in this paper

-Fig.7. IP Entropy analysis

Fig.8. TCP Entropy Analysis

May 2015

48 der, so to send

l is

t) [5] [4] in IP the entropy to

ds to scan more

multi-trapdoor tocol or set of n network. The understand the single coherent ts shown in the

(11)

49 The results indicate the multiple trapdoors used in hybrid covert channel yields to a higher entropy value and low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of protocol header for constructing multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in Hybrid covert channel is difficult detect in secured communication.

7.R

ESULTS AND

D

ISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol. i.e.,

where Tm is the max number of trapdoors possible in that protocol Ts is the no. of Trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP and IPSec, SSL/TLS. The trapdoor setting in the rudimentary network protocols like the IPv4 and TCP is merely based on placing the covert data in any of its header fields. The table 1 shows effect of varying the number of trapdoors in IPv4 protocol.

Table1.Multi-TrapdoorAnalysisofIPv4 Sl.No

.

TrapdoorName No.ofTrap doors

No. o fTrapdoor

Algorith m

Covertness Index

EntropyC/E

1 NetworkCovert Channel-IPv4-Single

4 1 NIL 0.25 2.803 0.089

2 NetworkCovert Channel-IPv4-dual

4 2 NIL 0.5 5.606 0.17

3 NetworkCovert Channel-IPv4-triple

4 3 NIL 0.75 11.21 0.358

(12)

Fig.9

Table 2.

Multi-The graph of Trapdoors Vs the C number of the trapdoors in IPSe based protocol is simple and prov the changing trapdoor that has trapdoors are involved it is diffic shows change in the trapdoor cou covertness index can be minima based on the algorithm used in i However to increase the comple bits is feasible in chosen prime n index for such channels is discus

Fig.10. Entropy V Sl.No.TrapdoorName

1 SubliminalChan nel-IPSecESP-1 2 SubliminalChan

nel-IPSecESP-2 3 SubliminalChan

nel-IPSecESP-3

g.9. Entropy Vs Covertness Index in IPv4

-Trapdoor Analysis of Subliminal Channel in IPSec

e Covertness Index is show in the figure 10 where in Sec ESP makes covertness index constant. The trapd rovides seven fields for placing the covert data. The ta s an effect on the covertness index. When more nu ficult to detect the composition of the covert channel. T ount that has an effect in the detection. However the c

al. The trapdoor setting in the subliminal channel in n its cipher suite. This is purely called as random or plexity of the subliminal to thwart detection the rand e number. This forms Newton Subliminal Channel. Th ussed in the table 4

Vs Covertness Index in IPSec based subliminal channel No.ofTrapd

oors No.

of Trapdoorsu

Algorithm CovertnessI ndex

Entropy C

n 2 1

AES- XCBC-MAC

0.15 2.803 0.

n - -

AES- XCBC-MAC

0.47 4.78 0.

n - -

AES- XCBC-MAC

0.47 5.21 0.

May 2015

50 increase in the pdoors in TCP table 3 depicts number of the l. The figure 11 changes in the in SSL/TLS is oracle channel. ndomization of The covertness

C/E

.14

.35

(13)

Table 3. Multi-T Sl.No.TrapdoorName

1 NetworkCovertC

hannel-TCP-1

2 NetworkCovertC

hannel-TCP-2

3 NetworkCovertC

hannel-TCP-3 The graph of covertness index V 12. The higher entropy value fo [10] is able to detect the activi Hybrid Covert channel is not fea and IPv4 as this become easily de

Fig.11. Entrop Table4.Multi-Sl.No.TrapdoorName

1 SubliminalC hannel(Oracl

e)-SSL/TLS-1 2. SubliminalC

hannel(Oracl

e)-SSL/TLS-2 3 SubliminalC

hannel(Oracl

e)-SSL/TLS-3

Trapdoor Analysis of Network covert channel in TCP No.ofTrapd

oors No.

of Trapdoorsu sed

Entropy C

C 1

7 1 NIL 0.142 2.803 0.

C 2

7 2 NIL 0.28 5.606 0.

C 3

7 3 NIL 0.42 11.21 0.

Vs the trapdoor in the subliminal channel is shown for the some of the formation indicates that the dete ivity and this give clear indication of the higher de

easible for the combinations of the Network covert ch detectable combination.

opy Vs Covertness Index in Covert Channel based on TCP -TrapdoorAnalysisofSubliminalChannelinSSL/TLS

No.ofTrapd oors

No. of Trapdoorsu

Entropy C

- -

SSLCi-pherSuite

0.25 2.803 0.

- -

SSLCi-pherSuite

0.58 3.67 0.

- -

SSLCi-pherSuite

0.58 3.67 0.

51 C/E

.14 .28 .14

n in the figure etection engine detection rates. channel in TCP

C/E

.14

.35

(14)

Fig.12. Covertne

8.C

ONCLUSION

Covert schemes are difficult to taken in protocol header. This pr be malware code. Entropy based covert symbol in a protocol. Thi in a better way. It is unacceptable of administrator. It is inference t entropy which makes it difficul principle to detect such events.

A

CKNOWLEDGEMENT

AnjanKoundinya thanks Late Computer Science and Enginee igniting the passion for research.

R

EFERENCES

[1] Description of Detec net/projects/papers/html/cctde. [2] Description of the Entropy calc

[Online; accessed 16-Feb-2015 [3] KoundinyaAnjan and Jibi Ab channel. In Third Internation Chennai, India, 2010. Springer [4] Jibi Abraham, Anjan K, Srin channel in secured communica 2014.

[5] Bo Yuan Chaim Sanders, Jac Network Covert Channels. 201 [6] RajarathnamChandramouli an internet: Issues, approaches, an

ness Index for Subliminal Channel based on SSL/TLS

to understand from third party entity as they obscure provides an opportunity for embedding any data whi sed analysis gives the actual number of bits used to his gives clearly metric to understand the covert chan ble to have malicious conversation of the network eve e this experiment that the hybrid covert channel has h ult to detect. It is required to concentrate on stron

e Dr. V.K Ananthashayana, Erstwhile Head, De neering, M.S.Ramaiah Institute of Tech-nology, Ba

h.

ection Approaches at the URL. http e.html, 2014. [Online; accessed 15-Feb-2015].

alculation at the URL. http://www. shannonentrop 15].

Abraham. Behaviour analysis of transport layer based onal Conference on Net-work Security and Application,

er-Verlag LNCS series.

inath N K. Attack modelling and behavioral analysis of ication. ACEEE In-ternational Journal of Network Security Jacob Valletta.Employing Entropy in the Detection and

012.

and Koduvayur P. Subbalakshmi. Covert chan-nel for and experiences. 5(1):4150, July 2007.

May 2015

52 ure the content hich may even to represent the hannel schemes ven in presence high degree of onger detection

e-partment of Bangalore, for

ttp://gray-world. ropy.netmark.pl/,

(15)

[7] Anjan K Koundinya et.al... Co In ADCONS 2011, pages 582-[8] JaideepChandrashekar et.al. E

Proceedings of 12th Internati September 2009.

[9] LoicHelou, Claude Jard, and SPV'03, Volume 3, April 2003 [10] Anjan K Koundinya and Jibi Detection Engine, volume 1 of 2010.

[11] B. W. Lampson. A Note on the [12] Enping Li and Scott Craver. A of the 11th ACM workshop o 2009.

[13] Clay Shields SarderCabuk, Ca 2004.

[14] Clay Shields SarderCabuk, Information and System Secur [15] Gustavus J Simmons. The Sub [16] Steffen Wendzel. Protocol Cha [17] Andreas Willig. A short introd

1999.

[18] Adam Young and Moti Yung 220-240, 2004.

AUTHOR’S

AnjanK has received his B University,Belgaum,India in 2007 A Science and Engineering, M.S.Rama been awarded Best Performer PG 20 includes NetworkSecurityandCrypto Ph.D in Computer Science and Engi as Assistant Professorin Dept.of Co Engineering, Bengaluru, India.

SrinathNK has his M.E degree in S Roorkee University, in 1986 and Ph in 2009.His areas of research inte Distributed Computing, DBMS ,Mic PG, Dept of Computer Science and

JibiAbraham has received he BITS,Rajasthan,India in 199 and University , Belgaum , India in 2 fresearch interests include Network of Wireless Sensor Networks and A Head in Dept. of CEIT, College of E

Covertness analysis of subliminal channels in legitimate c -591. Springer- Verlag LNCS series, 2012

Exploiting temporal persistence to detect covert botnet ational Symposium, RAID 2009, pages 326{345, Saint-d Marc Zeitoun.Covert channels Saint-detection in protocols us 03.

bi Abraham. Design of Transport Layer Based Hybrid C of 4. International Journal of Ad hoc,Sensor and Ubiquitou the Con_nement Problem.Communication of the ACM, 197 . A supraliminal channel in a wireless phone application,.I on Multimedia and security, pages 7{18, Princeton, New Carla Brodley. IP covert timing channels : Design and dete , Carla Brodley. IP covert channel detection.ACM T urity, Volume 12(Article 22), 2009.

ubliminal Channel and Digital Signatures.Springer-Verlag, hannels.HAKIN9, 2009.

oduction to queuing theory.lecture notes at Technical Univ ng, Malicious Cryptography. First edition. Wiley

Publish-B.E degree from Visveswariah Technological And his master degre from Department of Computer aiahInstitute of Technology ,Bangalore, India.He has 010 for his academic excellence.His area so fresearch ography,Agile Software Engineering.He ispursuing ineeing fromVTU,Belgaum. He is currently working Computer Science and Engineering, RV College of

Systems Engineering and Operations Research from hD degree from Avinash Lingum University,India erests include Operations Research, Parallel and croprocessor. His isworking as Professor and Dean d Engineering,RVCollege of Engineering.

er M.S degree in Software Systems from nd PhD degree from Visveswariah Technological 2008 in the area of Network Security.He rarea so routing algorithms ,Cryptography ,Network Security Algorithms Design.She is working as Professor and Engineering Pune.

53 communication et channels,. In -Malo, France, using scenarios. Covert Channel tous Computing, 973.

,.In Proceedings ew Jersey, USA, etection. CCS, 4, Transaction on g, 1998.