Design and Performance Evaluation of Reversible Network Covert Channels

Covert channels nested within network traffic are becoming important tools for allowing malware to act unnoticed or to stealthily exchange and exfiltrate information. Thus, understanding how to detect or mitigate their utilization is of paramount importance, especially to counteract the rise of increasingly sophisticated threats. In this perspective, the literature proposed different approaches, including distributed wardens, which can be used to collect traffic in different portions of the network and compare the samples to check for discrepancies revealing the hidden communications. However, the use of some form of reversibility, i.e., being able to restore the exploited network carrier to its original form before the injection, can represent a hazard to such a detection scheme. Therefore, in this work we introduce and evaluate the performances of different techniques used to endow network covert channels with reversibility. Results indicate that providing reversibility in an efficient manner is possible but the used protocol plays a major role.