Silence Speaks Volumes: A New Paradigm for Covert Communication via History Timing Patterns

Christoph Weissenborn, Steffen Wendzel

TL;DR

The paper tackles covert communication in networks by advancing History Covert Channels (HCC) through the Silent History Protocol (SHP), which uses relative timing pointers to reference legitimate traffic instead of altering payloads. SHP leverages flexible timing inputs, POIs, and signal channels to amplify covert data while avoiding centralized clock dependency, achieving higher throughput and robustness than prior work like DYST. The authors provide a complete parameterization, implement a Python/Scapy-based proof of concept, and evaluate SHP under delay, jitter, packet loss, and various overt traffic levels, while assessing detectability via KS-tests, compressibility, and ML-based approaches. The study highlights both the stealth capabilities and the defense challenges, offering practical guidance for tuning SHP and for designing countermeasures against history-based covert channels. The work emphasizes an ongoing arms race between covert-channel techniques and detection strategies, underlining the need for adaptive defenses in real-world networks.

Abstract

A Covert Channel (CC) exploits legitimate communication mechanisms to stealthily transmit information, often bypassing traditional security controls. Among these, a novel paradigm called History Covert Channels (HCC) leverages past network events as reference points to embed covert messages. Unlike traditional timing- or storage-based CCs, which directly manipulate traffic patterns or packet contents, HCCs minimize detectability by encoding information through small pointers to historical data. This approach enables them to amplify the size of transmitted covert data by referring to more bits than are actually embedded. Recent research has explored the feasibility of such methods, demonstrating their potential to evade detection by repurposing naturally occurring network behaviors as a covert transmission medium. This paper introduces a novel method for establishing and maintaining covert communication links using relative pointers to network timing patterns, which minimizes the reliance of the HCC on centralized timekeeping and reduces the likelihood of being detected by standard network monitoring tools. We also explore the tailoring of HCCs to optimize their robustness and undetectability characteristics. Our experiments reveal a better bitrate compared to previous work.

Paper Structure

This paper contains 35 sections, 8 equations, 19 figures, 4 tables.

Figures (19)

  • Figure 1: Illustration of a HCC, where the sender references a secret message by embedding a small pointer to prior legitimate traffic.
  • Figure 2: Clock synchronization inaccuracy for a CC based on high accuracy clock synchronization. While CS and CR are close to each other, they may synchronize to an NTP server further away, thereby limiting the robustness of timing-based CC.
  • Figure 3: Covert transmission using relative input sources: The CR measures the (time or count) delta between its reception of the start signal and the POI marked by the pointer packet.
  • Figure 4: Measured entropy of different network-timing input sources. The numbers behind IPDs and ICDs indicate the applied rounding factor ($\epsilon$), where 6 represents no rounding and 4 corresponds to rounding to four decimal places. For comparison, the entropy of full packet data bytes—representing non-timing-based input sources—is shown at the bottom.
  • Figure 5: IPDs without (top) and with (bottom) subchanneling. In congested networks, the IPD is often close to zero. When traffic is divided into subchannels, input values become more diverse, which increases entropy.
  • ...and 14 more figures