Date of Award

Spring 3-2019

Document Type


Degree Name

Doctor of Philosophy in Cyber Operations (PhDCO)


Computer Science

First Advisor

Kyle Cronin

Second Advisor

Michael Ham

Third Advisor

Joshua Stroschein

Fourth Advisor

Crystal Pauli


This quasi-experimental before-and-after study examined the performance impacts of detecting X.509 covert channels in the Suricata intrusion detection system. Relevant literature and previous studies surrounding covert channels and covert channel detection, X.509 certificates, and intrusion detection system performance were evaluated. This study used Jason Reaves’ X.509 covert channel proof of concept code to generate malicious network traffic for detection (2018). Various detection rules for intrusion detection systems were created to aid in the detection of the X.509 covert channel. The central processing unit (CPU) and memory utilization impacts that each rule had on the intrusion detection system was studied and analyzed. Statistically significant figures found that the rules do have an impact on the performance of the system, some more than others. Finally, pathways towards future related research in creating efficient covert channel detection mechanisms were identified.