TCP covert timing channels: Design and detection

Xiapu Luo, Edmond W.W. Chan, Kow Chuen Chang

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

72 Citations (Scopus)


Exploiting packets' timing information for covert communication in the Internet has been explored by several network timing channels and watermarking schemes. Several of them embed covert information in the inter-packet delay. These channels, however, can be detected based on the perturbed traffic pattern, and their decoding accuracy could be degraded by jitter, packet loss and packet reordering events. In this paper, we propose a novel TCP-based timing channel, named TCP-Script to address these shortcomings. TCPScript embeds messages in "normal" TCP data bursts and exploits TCP's feedback and reliability service to increase the decoding accuracy. Our theoretical capacity analysis and extensive experiments have shown that TCPScript offers much higher channel capacity and decoding accuracy than an IP timing channel and JitterBug. On the countermeasure, we have proposed three new metrics to detect aggressive TCPScript channels.
Original languageEnglish
Title of host publicationProceedings of the International Conference on Dependable Systems and Networks
Number of pages10
Publication statusPublished - 13 Oct 2008
Event2008 International Conference on Dependable Systems and Networks, DSN-2008 - Anchorage, AK, United States
Duration: 24 Jun 200827 Jun 2008


Conference2008 International Conference on Dependable Systems and Networks, DSN-2008
Country/TerritoryUnited States
CityAnchorage, AK

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications


Dive into the research topics of 'TCP covert timing channels: Design and detection'. Together they form a unique fingerprint.

Cite this