Sonntag, 30. Juni 2019

New Pattern-based Countermeasures

Recently, two new papers got accepted at J.UCS and the CUING workshop. One presents a countermeasure for the Size Modulation pattern and the other presents a countermeasure for the Message Ordering pattern.

#1: Steffen Wendzel, Florian Link, Daniela Eller, Wojciech Mazurczyk: Detection of Size Modulation Covert Channels Using Countermeasure Variation, Journal of Universal Computer Science (J.UCS), accepted.

Abstract: Network covert channels enable stealthy communications for malware and data exfiltration. For this reason, developing effective countermeasures for these threats is important for the protection of individuals and organizations. However, due to the large number of available covert channel techniques, it is considered impractical to develop countermeasures for all existing covert channels. In recent years, researchers started to develop countermeasures that (instead of only countering one particular hiding technique) can be applied to a whole family of similar hiding techniques. These families are referred to as hiding patterns. Considering above, the main contribution of this paper is to introduce the concept of countermeasure variation. Countermeasure variation is a slight modification of a given countermeasure that was designed to detect covert channels of one specific hiding pattern so that the countermeasure can also detect covert channels that are representing other hiding patterns. We exemplify countermeasure variation using the compressibility score, the epsilon-similarity and the regularity metric originally presented by Cabuk et al. All three methods are used to detect covert channels that utilize the Inter-packet Times pattern and we show that countermeasure variation allows the application of these countermeasures to detect covert channels of the Size Modulation pattern, too.

----


#2: Steffen Wendzel: Protocol-independent Detection of `Messaging Ordering' Network Covert Channels, in Proc. Third International Workshop on Criminal Use of Information Hiding (CUING 2019), accepted.

Abstract: Detection methods are available for several known covert channels. However, a type of covert channel that received little attention within the last decade is the "message ordering" channel. Such a covert channel changes the order of PDUs (protocol data units, i.e. packets) transferred over the network to encode hidden information. The advantage of these channels is that they cannot be blocked easily as they do not modify header content but instead mimic typical network behavior such as TCP segments that arrive in a different order than they were sent. Contribution: In this paper, we show a protocol-independent approach to detect message ordering channels. Our approach is based on a modified compressibility score. We analyze the detectabil-ity of message ordering channels and whether several types of message ordering channels differ in their detectability. Results: Our results show that the detection of message ordering channels depends on their number of utilized PDUs. First, we performed a rough threshold selection by hand, which we later optimized using the C4.5 decision tree classifier. We were able to detect message ordering covert channels with an accuracy and F 1 score of ≥ 99.5% and a false-positive rate < 1% and < 0.1% if they use sequences of 3 or 4 PDUs, respectively. Simpler channels that only manipulate a sequence of two PDUs were detectable with an accuracy and F 1 score of 94.5% and were linked to a false-positive rate of 5.19%. We thus consider our approach suitable for real-world detection scenarios with channels utilizing 3 or 4 PDUs while the detection of channels utilizing 2 PDUs should be improved further.

Dienstag, 23. April 2019

Steganography News Article in Communications of the ACM

There is a new news article from Communications of the ACM about some of the research we conduct as well as about the CUING initiative, cf. here.

Donnerstag, 3. Januar 2019

New Paper Introduces a Dynamic Warden

Our new paper `Countering adaptive network covert communication with dynamic wardens' introduces a new type of warden to combat sophisticated network covert channels. Moreover does it introduces a novel warden taxonomy. It just appeared in FGCS Vol. 94:

Wojciech Mazurczyk, Steffen Wendzel, Mehdi Chourib, Jörg Keller: Countering Adaptive Network Covert Communication with Dynamic Wardens, Future Generation Computer Systems (FGCS), Vol. 94, pp. 712-725, Elsevier, 2019.
Impact factor: 4.639 (at time of publication).

AbstractNetwork covert channels are hidden communication channels in computer networks. They influence several factors of the cybersecurity economy. For instance, by improving the stealthiness of botnet communications, they aid and preserve the value of darknet botnet sales. Covert channels can also be used to secretly exfiltrate confidential data out of organizations, potentially resulting in loss of market/research advantage. Considering the above, efforts are needed to develop effective countermeasures against such threats. Thus in this paper, based on the introduced novel warden taxonomy, we present and evaluate a new concept of a dynamic warden. Its main novelty lies in the modification of the warden’s behavior over time, making it difficult for the adaptive covert communication parties to infer its strategy and perform a successful hidden data exchange. Obtained experimental results indicate the effectiveness of the proposed approach.

Dienstag, 11. September 2018

The Idea of Countermeasure Variation

There is upcoming work of us on modifying pattern-specific countermeasures so that they can also detect covert channels that are representing other patterns. We call this countermeasure variation. The related papers will be published in the next months and can be requested via e-mail are now available. [updated on Nov-29-2018]

Freitag, 31. August 2018

New Paper Featuring an Extension of the Pattern Taxonomy

This week, Steffen Wendzel presented a new paper on hiding patterns at the ARES CUING workshop:

W. Mazurczyk, S. Wendzel, K. Cabaj: Towards Deriving Insights into Data Hiding Methods Using Pattern-based Approach, in Proc. Second International Workshop on Criminal Use of Information Hiding (CUING 2018) at ARES, pp. 10:1-10:10, ACM, 2018.

This paper introduces two things: an extension of the existing pattern taxonomy and a new taxonomy of distributed covert channel techniques.

As this paper updates the existing pattern taxonomy, we updated our online pattern collection accordingly. Please note that some existing patterns have slightly different names (aliases) and identifiers now in order to provide a better numbering system.