Entropy Based Detection And Behavioral Analysis Of Hybrid Covert Channeling Secured Communication

Covert channels are a vital setup for analysing the strength of security in a network. A covert channel is an illegitimate channel running over a secured channel that establishes a malicious conversation. The trapdoors set in such channels proliferate, making covert channels sophisticated and hard to detect at a network firewall. This is due to the intricate covert schemes that enable a robust covert channel to be built over the network. From an attacker's perspective, this is strengthened further by placing multiple such trapdoors in different protocols of the rudimentary protocol stack. This leads to the unique scenario of a Hybrid Covert Channel, where different covert channel trapdoors exist at the same instant of time in the same layer of the protocol stack. Detecting such an event is complicated for detection agents because they lack knowledge of the different covert schemes. To improve the knowledge of the detection engine so that it can detect the hybrid covert channel scenario, it is required to explore all possible clandestine mediums used in the formation of such channels. These can be explored through the different schemes available and their entropy impact on the hybrid covert channel. The environment can be composed of resources, the subject under attack, and the subject which initiated the attack (the attacker). The paper sets itself the objective of understanding the different covert schemes, the attack scenario (modelling), and the possible covert mediums, along with a metric for detection.


💡 Research Summary

The paper addresses the increasingly sophisticated problem of covert channels that operate across multiple layers of the protocol stack, a situation the authors term a “Hybrid Covert Channel” (HCC). Traditional detection mechanisms, which are typically signature‑based or focus on a single protocol, struggle to identify HCCs because an attacker can embed several independent trapdoors in different protocol fields or timing characteristics simultaneously. To overcome this limitation, the authors propose an entropy‑based detection framework that quantifies the randomness of packet fields and uses deviations from normal entropy levels as an indicator of covert activity.

First, the authors formalize the HCC threat model. They enumerate possible covert media—header‑field manipulation, payload encoding, inter‑packet timing, and packet‑size modulation—and illustrate how multiple such media can coexist in the same OSI layer. They then derive a per‑field Shannon entropy for both normal traffic and traffic containing covert payloads. By aggregating these per‑field entropies into a single “entropy score,” the system can monitor the statistical health of a flow in real time. A sliding‑window mechanism accumulates scores, and a pre‑learned threshold triggers an alarm when the score falls outside the expected range.
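The detection loop just described (per-field Shannon entropy, an aggregated entropy score, a sliding window and a learned threshold) as an added Python example; it is not code from the paper. The header fields, the constructed benign and covert packet generators, and the choice of total absolute deviation from the baseline as the aggregate score are all assumptions made for illustration.

```python
import math
from collections import Counter

# Header fields the detector examines (constructed choice, not the paper's list).
FIELDS = ("ip_id", "ttl", "tcp_urgent")

def benign_packet(i):
    # Constructed benign traffic: IP ID varies per packet, TTL is fixed,
    # the TCP urgent pointer is always zero.
    return {"ip_id": (i * 7919) % 65536, "ttl": 64, "tcp_urgent": 0}

def covert_packet(i, bits=(1, 0, 1, 1, 0, 0, 1, 0)):
    # Constructed hybrid covert traffic: two trapdoors in the same layer driven
    # by the same message bit, so IP ID collapses to two values while the
    # urgent pointer, normally constant, starts to vary.
    bit = bits[i % len(bits)]
    return {"ip_id": 0x1000 + bit, "ttl": 64, "tcp_urgent": bit}

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of the values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def field_entropies(window):
    """Per-field entropy over one window of packets."""
    return {f: shannon_entropy([p[f] for p in window]) for f in FIELDS}

def learn_baseline(packets, window_size):
    """Mean per-field entropy over consecutive benign windows (training phase)."""
    starts = range(0, len(packets) - window_size + 1, window_size)
    wins = [field_entropies(packets[s:s + window_size]) for s in starts]
    return {f: sum(w[f] for w in wins) / len(wins) for f in FIELDS}

def entropy_score(window, baseline):
    """Aggregate score: total absolute deviation from the baseline, so both an
    entropy drop (IP ID) and an entropy rise (urgent pointer) count as anomalies."""
    ents = field_entropies(window)
    return sum(abs(ents[f] - baseline[f]) for f in FIELDS)

def detect(packets, baseline, window_size, threshold):
    """Slide a window one packet at a time; return window offsets that alarm."""
    return [s for s in range(len(packets) - window_size + 1)
            if entropy_score(packets[s:s + window_size], baseline) > threshold]

if __name__ == "__main__":
    baseline = learn_baseline([benign_packet(i) for i in range(64)], 8)
    flow = ([benign_packet(i) for i in range(16)]
            + [covert_packet(i) for i in range(16, 32)])
    print("baseline:", baseline)
    print("alarming window offsets:", detect(flow, baseline, 8, 0.5))
```

Windows that are fully benign score 0.0 and fully covert windows score 3.0 here; windows straddling the switch score in between, which is why the threshold has to be learned from benign data rather than fixed by hand.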

The experimental methodology consists of two phases. In the baseline phase, the authors capture benign traffic on TCP, UDP, and ICMP streams and compute the baseline entropy distribution for each protocol field. In the attack phase, they inject 2–3 trapdoors per protocol (e.g., manipulating the TCP sequence number, altering ICMP type codes, and modulating packet inter‑arrival times) to create a realistic HCC. The results show that the presence of an HCC reduces the average entropy by 12 %–35 % compared with the baseline. Using the entropy‑score detector, they achieve a detection accuracy of 94 % and a false‑positive rate below 3 %, markedly better than a conventional signature‑based detector (78 % accuracy, 12 % false positives). The authors also discuss the sensitivity of the method to sample size; windows smaller than 500 packets slightly degrade performance, but adaptive window sizing mitigates this effect.

The paper acknowledges several limitations. An advanced adversary could deliberately add random padding or mimic normal entropy patterns to evade detection, suggesting that entropy alone may not be sufficient in all cases. The authors recommend augmenting the entropy metric with additional statistical features such as inter‑packet intervals, flow duration, and cross‑protocol correlation. They also note that their current implementation operates on offline logs; integrating the detector into high‑throughput, real‑time network monitoring systems will require further optimization.

Future work is outlined as a combination of entropy‑based analysis with machine‑learning classifiers to enable dynamic threshold adjustment and adaptive learning of new covert techniques. The authors also propose extending the framework to handle encrypted traffic by focusing on metadata entropy rather than payload content.

In summary, the study makes a valuable contribution by introducing an information‑theoretic perspective to the detection of hybrid covert channels. Its protocol‑agnostic entropy metric offers a scalable way to flag subtle, multi‑vector covert communications that would otherwise evade traditional detection tools, providing both a theoretical foundation and a practical detection engine for modern network security environments.

