Open access repository

Home Open access repository

In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).

» Openaccess proceedings » Eleventh International Network Conference (INC 2016)

Eleventh International Network Conference (INC 2016)

Eleventh International Network Conference (INC 2016)
Frankfurt, Germany, July 19-21, 2016
ISBN: 978-1-84102-410-3

Title: On the Performance of Anomaly Detection Systems Uncovering Traffic Mimicking Covert Channels
Author(s): Johannes Bouche, Denis Hock, Martin Kappes
Reference: pp19-24
Keywords: Anomaly Detection, Mimicry, Covert Channels, Snort
Abstract: Anomaly Detection Systems aim to construct accurate network traffic
models with the objective to discover yet unknown malicious network
traffic patterns. In this paper, we study the use of the same methods
in order to create a covert channel which is not discovered by Anomaly
Detection Systems and can be used to exfiltrate (malicous) traffic
from a network. The channel is created by imitating current network
traffic behaviour as detected by passive network analysis. Moreover,
we present methods for calculating thresholds for the bandwidth of the
channel such that, with high probability, the resulting traffic falls
within the margins of the Anomaly Detection System under
consideration. We also present results of practical experiments with
commonly used Anomaly Detection Systems showing the practical
applicability of our approach.
Download count: 1203

How to get this paper:

Download a free PDF copy of this paperBuy this book at

PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.