3.1 RULA (RAPID UPPER LIMB ASSESSMENT) FUNDAMENTOS DEL MÉTODO

Network covert channels are usually designed in order to hide the fact that information is exchanged in the system. Thus, it is important to design a covert channel such that it is extremely difficult for a network observer, even with complete knowledge of the covert communication scheme, to detect the covert channel. In this section we study the stealthi- ness property of different elements of the proposed covert communication scheme including the covert transmitter and the covert receiver.

Covert Receiver

As the covert receiver is a completely passive entity in the proposed covert communication scheme, it is undetectable even if the covert channel is detected. Moreover, since the covert transmitter does not need to know the identity of the covert receiver, the covert receiver is safe even if the covert transmitter is compromised or its information is exposed to a system observer.

Covert Transmitter and the Covert Channel

The proposed covert communication scheme is designed based on the concept of behavioral mimicry. In other words, the covert transmitter is designed to mimic the same transmission characteristics as a normal user of the system even though it is committed to maintain the covert communication with the covert receiver. According to the design description of the proposed covert communication scheme, it can be observed that the structure of the contention resolution algorithm of the covert transmitter is specifically designed to approximate the transmission pattern of a regular transmitter of the network. In this way, the covert transmitter is capable of blending itself into the group of ordinary nodes that share the wireless channel and remain undetected.

On the other hand, system observers are equipped with a set of tools that are specif- ically designed to detect covert channels. Thus, in order to evaluate the undetectability of the proposed covert communication scheme the covert channel is tested against two of the most well-known statistical tests that are used to detect covert channels in communi- cation network. In what follows, the effectiveness of the Kolmogorov-Smirnov test, and the regularity test in detecting the proposed covert channel is investigated.

Kolmogorov-Smirnov Test Analysis

Kolmogorov-Smirnov test (i.e., KS-test) is designed as a measure to show the difference in the cumulative distribution function of the sampled data from the covert transmitter’s traffic as compared to the distribution of the legitimate traffic of the same network. This test has been already used in detecting watermarked inter-packet delays, and it is a major tool in detecting timing covert channels [37]. Let S(x) be the empirical distribution of the inter-packet delays of the covert traffic. Let F (x) be the cumulative distribution function of inter-packet delays of the legitimate traffic in the same system. The KS-test is defined as follows:

Hs = sup

x |S(x) − F (x)|.

(4.23) The test result is the answer to the validity of the null hypothesis that the two samples

Figure 4.3: Kolmogorov-Smirnov shape test for different simulation scenarios.

are drawn from the same distribution. In this way, the null hypothesis is rejected (i.e., a covert channel may exist) if the value of Hs is beyond a predefined threshold (e.g., 0.05).

Figure 4.3 illustrates the difference between the cumulative distribution function of the inter-packet delays of the legitimate traffic and the covert traffic. According to the graph, the peak difference between the two distributions is less than 5% which is an acceptable margin for the KS-test. Such a small difference makes it extremely difficult for an observer to detect any abnormal behavior in the system based on first level statistical tests such as the KS-test. In other words, the test accepts the null hypothesis that the channel access pattern of the covert transmitter follows a similar probability distribution function as compared to the one that is exhibited by normal users of the wireless channel.

Figure 4.3 also highlights how the covert transmitter systematically adapts its behavior in order to emulate the same transmission pattern as an ordinary user of the system. According to the discussion in Section 4.3.3, the covert transmitter postpones the expansion of its transmission window by α stages in order to compensate for the extra delay caused

by the synchronization process. Therefore, the covert transmitter gets to have a slightly higher transmission rate up to the point where it starts expanding its transmission window (i.e., the first peak of the graph). Eventually, by expanding the size of the contention window the covert transmitter has to wait longer before its next retransmission attempt. Thus, the covert transmitter is forced to lag behind an ordinary user of the system until the point in which the contention window of a regular user is large enough such that the wait times for both covert transmitter and regular users converge (second extreme point of the graph). This adapting behavior is the key design feature of the proposed covert channel that enables the covert transmitter to track the transmission pattern of ordinary nodes in the network and mimic their behavioral fingerprints in order to avoid detection.

Regularity Test Analysis

In addition to the first level statistical tests (e.g., the KS-test), the stealthiness property of the covert channel is analyzed against the regularity test [35]. In principle, the regularity test is designed to detect the temporal abnormal behaviors of the covert transmitter. More precisely, the variance of the inter-packet delays of a normal network traffic flow changes over time due to different network events and channel conditions (e.g., packet loss, conges- tion). In fact, regular users of the system have the same reaction to sudden events in the network. Hence, the characteristics of the normal traffic of the network changes constantly during the course of communication. However, as the covert transmitter is committed to transmit a particular covert message, it may not be able to react to the changes in the network condition similar to other nodes in the system. The regularity test is meant to detect such behavioral differences and track down covert activities.

To calculate the regularity test score, samples of the inter-packet delays are collected and then spread into multiple sets of size γ. The standard deviation of each set is calculated to derive the regularity score Hr as follows:

Hr = std(|σ i− σj|

σi

, _{∀i, j, i < j).} (4.24)

Figure 4.4: Regularity test for different simulation scenarios.

ith _{set of inter-packet delays. A high regularity score means large variance in the statistical}

properties of the samples of each set which signals a constant change of behavior in the sampled traffic. In contrast, a low value for Hr depicts a set of regular inter packet delays

that is likely being controlled by another process and may contain other information (e.g., a covert message).

Figure 4.4 shows the regularity score of the covert transmitter and the same score for ordinary users assuming γ = 50. According to the graph, the covert transmitter’s regularity score is extremely close to the score of regular users in all four scenarios. In other words, the covert transmitter has managed to blend itself into the crowd well enough such that even its temporal behaviors are matched with normal users of the system.

The key in maintaining the regularity score of the covert traffic lies in the design of the contention resolution algorithm at the covert transmitter, and the effect of the covert clock on the functionality of the covert channel. By design, the covert clock changes according to activities of other nodes in the system. Thus, channel activities (i.e., packet transmission) of members of the covert set are considered as clock ticks for the covert clock. If the channel

condition changes in a way that normal network users have to wait for a longer period of time between consecutive packet transmissions (e.g., reduction of channel capacity, high error rates, etc), the covert clock advances with a slower pace. Consequently, the covert transmitter has to wait longer, in order to capture enough clock ticks, between any two consecutive packet transmission attempts. In contrast, if the wireless channel provides a higher transmission rate to normal users of the network, the covert clock would increase much faster. This immediately leads into a faster packet transmission rate at the covert transmitter.

By coupling the covert message modulation process to the channel activities of normal nodes in the network, the covert transmitter can constantly follow network events and modify its transmission characteristics in order to mimic the transmission pattern of normal users of the system. Such an adaptive behavior is an advantage of the proposed covert communication scheme as compared to other covert channel designs in the literature in which the regularity score is artificially controlled by switching from one transmission mode to another [40], or by replaying previously sampled traffic traces of the legitimate traffic and switch from one sample set to another one periodically [38].