This paper presents a new behavior-based covert channel utilizing the database update mechanism of anti-virus software. It is highly covert due to unattended, frequent, automatic signature database update operations performed by the software. The design of the covert channel is described; its properties are discussed and demonstrated by a reference implementation. This paper uses these points to strengthen the inclusion of behavior-based covert channels within standard covert channel taxonomy.
Department, Program, or Center: Department of Computing Security (GCCIS)
Anthony, D.; Johnson, D.; Lutz, P.; and Yuan, B., "A Behavior Based Covert Channel within Anti-Virus Updates" (2012). Accessed from
RIT – Main Campus