-
DYST (Did You See That?): An Amplified Covert Channel That Points To Previously Seen Data
Authors:
Steffen Wendzel,
Tobias Schmidbauer,
Sebastian Zillien,
Jörg Keller
Abstract:
Covert channels are stealthy communication channels that enable manifold adversary and legitimate scenarios, ranging from malware communications to the exchange of confidential information by journalists and censorship circumvention. We introduce a new class of covert channels that we call history covert channels. We further present a new paradigm: covert channel amplification. All covert channels…
▽ More
Covert channels are stealthy communication channels that enable manifold adversary and legitimate scenarios, ranging from malware communications to the exchange of confidential information by journalists and censorship circumvention. We introduce a new class of covert channels that we call history covert channels. We further present a new paradigm: covert channel amplification. All covert channels described until now need to craft seemingly legitimate flows or need to modify third-party flows, mimicking unsuspicious behavior. In contrast, history covert channels can communicate by pointing to unaltered legitimate traffic created by regular network nodes. Only a negligible fraction of the covert communication process requires the transfer of covert information by the covert channel's sender. This information can be sent through different protocols/channels. Our approach allows an amplification of the covert channel's message size, i.e., minimizing the fraction of actually transferred secret data by a covert channel's sender in relation to the overall secret data being exchanged. Further, we extend the current taxonomy for covert channels to show how history channels can be categorized. We describe multiple scenarios in which history covert channels can be realized, analyze the characteristics of these channels, and show how their configuration can be optimized.
△ Less
Submitted 7 June, 2024; v1 submitted 22 December, 2022;
originally announced December 2022.
-
Exploration of Differentiability in a Proton Computed Tomography Simulation Framework
Authors:
Max Aehle,
Johan Alme,
Gergely Gábor Barnaföldi,
Johannes Blühdorn,
Tea Bodova,
Vyacheslav Borshchov,
Anthony van den Brink,
Viljar Eikeland,
Gregory Feofilov,
Christoph Garth,
Nicolas R. Gauger,
Ola Grøttvik,
Håvard Helstrup,
Sergey Igolkin,
Ralf Keidel,
Chinorat Kobdaj,
Tobias Kortus,
Lisa Kusch,
Viktor Leonhardt,
Shruti Mehendale,
Raju Ningappa Mulawade,
Odd Harald Odland,
George O'Neill,
Gábor Papp,
Thomas Peitzmann
, et al. (25 additional authors not shown)
Abstract:
Objective. Algorithmic differentiation (AD) can be a useful technique to numerically optimize design and algorithmic parameters by, and quantify uncertainties in, computer simulations. However, the effectiveness of AD depends on how "well-linearizable" the software is. In this study, we assess how promising derivative information of a typical proton computed tomography (pCT) scan computer simulati…
▽ More
Objective. Algorithmic differentiation (AD) can be a useful technique to numerically optimize design and algorithmic parameters by, and quantify uncertainties in, computer simulations. However, the effectiveness of AD depends on how "well-linearizable" the software is. In this study, we assess how promising derivative information of a typical proton computed tomography (pCT) scan computer simulation is for the aforementioned applications.
Approach. This study is mainly based on numerical experiments, in which we repeatedly evaluate three representative computational steps with perturbed input values. We support our observations with a review of the algorithmic steps and arithmetic operations performed by the software, using debugging techniques.
Main results. The model-based iterative reconstruction (MBIR) subprocedure (at the end of the software pipeline) and the Monte Carlo (MC) simulation (at the beginning) were piecewise differentiable. Jumps in the MBIR function arose from the discrete computation of the set of voxels intersected by a proton path. Jumps in the MC function likely arose from changes in the control flow that affect the amount of consumed random numbers. The tracking algorithm solves an inherently non-differentiable problem.
Significance. The MC and MBIR codes are ready for the integration of AD, and further research on surrogate models for the tracking subprocedure is necessary.
△ Less
Submitted 12 May, 2023; v1 submitted 11 February, 2022;
originally announced February 2022.
-
Adaptive Warden Strategy for Countering Network Covert Storage Channels
Authors:
Mehdi Chourib,
Steffen Wendzel,
Wojciech Mazurczyk
Abstract:
The detection and elimination of covert channels are performed by a network node, known as a warden. Especially if faced with adaptive covert communication parties, a regular warden equipped with a static set of normalization rules is ineffective compared to a dynamic warden. However, dynamic wardens rely on periodically changing rule sets and have their own limitations, since they do not consider…
▽ More
The detection and elimination of covert channels are performed by a network node, known as a warden. Especially if faced with adaptive covert communication parties, a regular warden equipped with a static set of normalization rules is ineffective compared to a dynamic warden. However, dynamic wardens rely on periodically changing rule sets and have their own limitations, since they do not consider traffic specifics. We propose a novel adaptive warden strategy, capable of selecting active normalization rules by taking into account the characteristics of the observed network traffic. Our goal is to disturb the covert channel and provoke the covert peers to expose themselves more by increasing the number of packets required to perform a successful covert data transfer. Our evaluation revealed that the adaptive warden has better efficiency and effectiveness when compared to the dynamic warden because of its adaptive selection of normalization rules.
△ Less
Submitted 5 November, 2021;
originally announced November 2021.
-
A Revised Taxonomy of Steganography Embedding Patterns
Authors:
Steffen Wendzel,
Luca Caviglione,
Wojciech Mazurczyk,
Aleksandra Mileva,
Jana Dittmann,
Christian Krätzer,
Kevin Lamshöft,
Claus Vielhauer,
Laura Hartmann,
Jörg Keller,
Tom Neubert
Abstract:
Steganography embraces several hiding techniques which spawn across multiple domains. However, the related terminology is not unified among the different domains, such as digital media steganography, text steganography, cyber-physical systems steganography, network steganography (network covert channels), local covert channels, and out-of-band covert channels. To cope with this, a prime attempt ha…
▽ More
Steganography embraces several hiding techniques which spawn across multiple domains. However, the related terminology is not unified among the different domains, such as digital media steganography, text steganography, cyber-physical systems steganography, network steganography (network covert channels), local covert channels, and out-of-band covert channels. To cope with this, a prime attempt has been done in 2015, with the introduction of the so-called hiding patterns, which allow to describe hiding techniques in a more abstract manner. Despite significant enhancements, the main limitation of such a taxonomy is that it only considers the case of network steganography.
Therefore, this paper reviews both the terminology and the taxonomy of hiding patterns as to make them more general. Specifically, hiding patterns are split into those that describe the embedding and the representation of hidden data within the cover object.
As a first research action, we focus on embedding hiding patterns and we show how they can be applied to multiple domains of steganography instead of being limited to the network scenario. Additionally, we exemplify representation patterns using network steganography. Our pattern collection is available under https://patterns.ztt.hs-worms.de.
△ Less
Submitted 16 June, 2021;
originally announced June 2021.
-
Protocol-independent Detection of "Messaging Ordering" Network Covert Channels
Authors:
Steffen Wendzel
Abstract:
Detection methods are available for several known covert channels. However, a type of covert channel that received little attention within the last decade is the "message ordering" channel. Such a covert channel changes the order of PDUs (protocol data units, i.e. packets) transferred over the network to encode hidden information. The advantage of these channels is that they cannot be blocked easi…
▽ More
Detection methods are available for several known covert channels. However, a type of covert channel that received little attention within the last decade is the "message ordering" channel. Such a covert channel changes the order of PDUs (protocol data units, i.e. packets) transferred over the network to encode hidden information. The advantage of these channels is that they cannot be blocked easily as they do not modify header content but instead mimic typical network behavior such as TCP segments that arrive in a different order than they were sent.
Contribution: In this paper, we show a protocol-independent approach to detect message ordering channels. Our approach is based on a modified compressibility score. We analyze the detectability of message ordering channels and whether several types of message ordering channels differ in their detectability.
Results: Our results show that the detection of message ordering channels depends on their number of utilized PDUs. First, we performed a rough threshold selection by hand, which we later optimized using the C4.5 decision tree classifier. We were able to detect message ordering covert channels with an accuracy and F1 score of >= 99.5% and a false-positive rate < 1% and < 0.1% if they use sequences of 3 or 4 PDUs, respectively. Simpler channels that only manipulate a sequence of two PDUs were detectable with an accuracy and F1 score of 94.5% and were linked to a false-positive rate of 5.19%. We thus consider our approach suitable for real-world detection scenarios with channels utilizing 3 or 4 PDUs while the detection of channels utilizing 2 PDUs should be improved further.
△ Less
Submitted 28 February, 2021;
originally announced March 2021.
-
Countering Adaptive Network Covert Communication with Dynamic Wardens
Authors:
Wojciech Mazurczyk,
Steffen Wendzel,
Mehdi Chourib,
Jörg Keller
Abstract:
Network covert channels are hidden communication channels in computer networks. They influence several factors of the cybersecurity economy. For instance, by improving the stealthiness of botnet communications, they aid and preserve the value of darknet botnet sales. Covert channels can also be used to secretly exfiltrate confidential data out of organizations, potentially resulting in loss of mar…
▽ More
Network covert channels are hidden communication channels in computer networks. They influence several factors of the cybersecurity economy. For instance, by improving the stealthiness of botnet communications, they aid and preserve the value of darknet botnet sales. Covert channels can also be used to secretly exfiltrate confidential data out of organizations, potentially resulting in loss of market/research advantage. Considering the above, efforts are needed to develop effective countermeasures against such threats. Thus in this paper, based on the introduced novel warden taxonomy, we present and evaluate a new concept of a dynamic warden. Its main novelty lies in the modification of the warden's behavior over time, making it difficult for the adaptive covert communication parties to infer its strategy and perform a successful hidden data exchange. Obtained experimental results indicate the effectiveness of the proposed approach.
△ Less
Submitted 28 February, 2021;
originally announced March 2021.
-
The New Threats of Information Hiding: the Road Ahead
Authors:
K. Cabaj,
L. Caviglione,
W. Mazurczyk,
S. Wendzel,
A. Woodward,
S. Zander
Abstract:
Compared to cryptography, steganography is a less discussed domain. However, there is a recent trend of exploiting various information hiding techniques to empower malware, for instance to bypass security frameworks of mobile devices or to exfiltrate sensitive data. This is mostly due to the need to counteract increasingly sophisticated security mechanisms, such as code analysis, runtime counterme…
▽ More
Compared to cryptography, steganography is a less discussed domain. However, there is a recent trend of exploiting various information hiding techniques to empower malware, for instance to bypass security frameworks of mobile devices or to exfiltrate sensitive data. This is mostly due to the need to counteract increasingly sophisticated security mechanisms, such as code analysis, runtime countermeasures, or real-time traffic inspection tools. In this perspective, this paper presents malware exploiting information hiding in a broad sense, i.e., it does not focus on classical covert channels, but also discusses other camouflage techniques. Differently from other works, this paper solely focuses on real-world threats observed in the 2011 - 2017 timeframe. The observation indicates a growing number of malware equipped with some form of data hiding capabilities and a lack of effective and universal countermeasures.
△ Less
Submitted 2 January, 2018;
originally announced January 2018.
-
Why Johnny Can't Use Stego: a Human-oriented Perspective on the Application of Steganography
Authors:
Steffen Wendzel
Abstract:
Steganography is the discipline that deals with concealing the existence of secret communications. Existing research already provided several fundamentals for defining steganography and presented a multitude of hiding methods and countermeasures for this research discipline.
We identified that no work exists that discusses the process of applying steganography from an individual's perspective. T…
▽ More
Steganography is the discipline that deals with concealing the existence of secret communications. Existing research already provided several fundamentals for defining steganography and presented a multitude of hiding methods and countermeasures for this research discipline.
We identified that no work exists that discusses the process of applying steganography from an individual's perspective. This paper presents a phase model that explains pre-conditions of applying steganography as well as the decision-making process and the final termination of a steganographic communication. The model can be used to explain whether an individual can use steganography and to explain whether and why an individual desires to use steganography. Moreover, the model can be used in research publications to indicate the addressed model's phase of scientific contributions. Furthermore, our model can be used to teach the process of steganography-application to students.
△ Less
Submitted 21 September, 2016;
originally announced September 2016.
-
Unified Description for Network Information Hiding Methods
Authors:
Steffen Wendzel,
Wojciech Mazurczyk,
Sebastian Zander
Abstract:
Until now hiding methods in network steganography have been described in arbitrary ways, making them difficult to compare. For instance, some publications describe classical channel characteristics, such as robustness and bandwidth, while others describe the embedding of hidden information. We introduce the first unified description of hiding methods in network steganography. Our description metho…
▽ More
Until now hiding methods in network steganography have been described in arbitrary ways, making them difficult to compare. For instance, some publications describe classical channel characteristics, such as robustness and bandwidth, while others describe the embedding of hidden information. We introduce the first unified description of hiding methods in network steganography. Our description method is based on a comprehensive analysis of the existing publications in the domain. When our description method is applied by the research community, future publications will be easier to categorize, compare and extend. Our method can also serve as a basis to evaluate the novelty of hiding methods proposed in the future.
△ Less
Submitted 9 January, 2017; v1 submitted 23 December, 2015;
originally announced December 2015.
-
Creativity in Mind: Evaluating and Maintaining Advances in Network Steganographic Research
Authors:
Steffen Wendzel,
Carolin Palmer
Abstract:
The research discipline of network steganography deals with the hiding of information within network transmissions, e.g. to transfer illicit information in networks with Internet censorship. The last decades of research on network steganography led to more than hundred techniques for hiding data in network transmissions. However, previous research has shown that most of these hiding techniques are…
▽ More
The research discipline of network steganography deals with the hiding of information within network transmissions, e.g. to transfer illicit information in networks with Internet censorship. The last decades of research on network steganography led to more than hundred techniques for hiding data in network transmissions. However, previous research has shown that most of these hiding techniques are either based on the same idea or introduce limited novelty, enabling the application of existing countermeasures. In this paper, we provide a link between the field of creativity and network steganographic research. We propose a framework and a metric to help evaluating the creativity bound to a given hiding technique. This way, we support two sides of the scientific peer review process as both authors and reviewers can use our framework to analyze the novelty and applicability of hiding techniques. At the same time, we contribute to a uniform terminology in network steganography.
△ Less
Submitted 26 November, 2015;
originally announced November 2015.
-
"The Good, The Bad And The Ugly": Evaluation of Wi-Fi Steganography
Authors:
Krzysztof Szczypiorski,
Artur Janicki,
Steffen Wendzel
Abstract:
In this paper we propose a new method for the evaluation of network steganography algorithms based on the new concept of "the moving observer". We considered three levels of undetectability named: "good", "bad", and "ugly". To illustrate this method we chose Wi-Fi steganography as a solid family of information hiding protocols. We present the state of the art in this area covering well-known hidin…
▽ More
In this paper we propose a new method for the evaluation of network steganography algorithms based on the new concept of "the moving observer". We considered three levels of undetectability named: "good", "bad", and "ugly". To illustrate this method we chose Wi-Fi steganography as a solid family of information hiding protocols. We present the state of the art in this area covering well-known hiding techniques for 802.11 networks. "The moving observer" approach could help not only in the evaluation of steganographic algorithms, but also might be a starting point for a new detection system of network steganography. The concept of a new detection system, called MoveSteg, is explained in detail.
△ Less
Submitted 9 September, 2015; v1 submitted 20 August, 2015;
originally announced August 2015.
-
Micro protocol engineering for unstructured carriers: On the embedding of steganographic control protocols into audio transmissions
Authors:
Matthias Naumann,
Steffen Wendzel,
Wojciech Mazurczyk,
Jörg Keller
Abstract:
Network steganography conceals the transfer of sensitive information within unobtrusive data in computer networks. So-called micro protocols are communication protocols placed within the payload of a network steganographic transfer. They enrich this transfer with features such as reliability, dynamic overlay routing, or performance optimization --- just to mention a few. We present different desig…
▽ More
Network steganography conceals the transfer of sensitive information within unobtrusive data in computer networks. So-called micro protocols are communication protocols placed within the payload of a network steganographic transfer. They enrich this transfer with features such as reliability, dynamic overlay routing, or performance optimization --- just to mention a few. We present different design approaches for the embedding of hidden channels with micro protocols in digitized audio signals under consideration of different requirements. On the basis of experimental results, our design approaches are compared, and introduced into a protocol engineering approach for micro protocols.
△ Less
Submitted 28 May, 2015;
originally announced May 2015.
-
Visualizing BACnet data to facilitate humans in building-security decision-making
Authors:
Jernej Tonejc,
Jaspreet Kaur,
Adrian Karsten,
Steffen Wendzel
Abstract:
Building automation systems (BAS) are interlinked networks of hardware and software, which monitor and control events in the buildings. One of the data communication protocols used in BAS is Building Automation and Control networking protocol (BACnet) which is an internationally adopted ISO standard for the communication between BAS devices. Although BAS focus on providing safety for inhabitants,…
▽ More
Building automation systems (BAS) are interlinked networks of hardware and software, which monitor and control events in the buildings. One of the data communication protocols used in BAS is Building Automation and Control networking protocol (BACnet) which is an internationally adopted ISO standard for the communication between BAS devices. Although BAS focus on providing safety for inhabitants, decreasing the energy consumption of buildings and reducing their operational cost, their security suffers due to the inherent complexity of the modern day systems. The issues such as monitoring of BAS effectively present a significant challenge, i.e., BAS operators generally possess only partial situation awareness. Especially in large and inter-connected buildings, the operators face the challenge of spotting meaningful incidents within large amounts of simultaneously occurring events, causing the anomalies in the BAS network to go unobserved. In this paper, we present the techniques to analyze and visualize the data for several events from BAS devices in a way that determines the potential importance of such unusual events and helps with the building-security decision making. We implemented these techniques as a mobile (Android) based application for displaying application data and as tools to analyze the communication flows using directed graphs.
△ Less
Submitted 24 February, 2015; v1 submitted 23 February, 2015;
originally announced February 2015.
-
Analysis of Human Awareness of Security and Privacy Threats in Smart Environments
Authors:
Luca Caviglione,
Jean-Francois Lalande,
Wojciech Mazurczyk,
Steffen Wendzel
Abstract:
Smart environments integrate Information and Communication Technologies (ICT) into devices, vehicles, buildings and cities to offer an increased quality of life, energy efficiency and economical sustainability. In this perspective, the individual has a core role and so has networking, which enables such entities to cooperate. However, the huge amount of sensitive data, social aspects and the mixed…
▽ More
Smart environments integrate Information and Communication Technologies (ICT) into devices, vehicles, buildings and cities to offer an increased quality of life, energy efficiency and economical sustainability. In this perspective, the individual has a core role and so has networking, which enables such entities to cooperate. However, the huge amount of sensitive data, social aspects and the mixed set of protocols offer many opportunities to inject hazards, exfiltrate information, mass profiling of citizens, or produce a new wave of attacks. This work reviews the major risks arising from the usage of ICT-techniques for smart environments, with emphasis on networking. Its main contribution is to explain the role of different stakeholders for causing a lack of security and to envision future threats by considering human aspects.
△ Less
Submitted 3 February, 2015;
originally announced February 2015.
-
Hidden and Uncontrolled - On the Emergence of Network Steganographic Threats
Authors:
Steffen Wendzel,
Wojciech Mazurczyk,
Luca Caviglione,
Michael Meier
Abstract:
Network steganography is the art of hiding secret information within innocent network transmissions. Recent findings indicate that novel malware is increasingly using network steganography. Similarly, other malicious activities can profit from network steganography, such as data leakage or the exchange of pedophile data. This paper provides an introduction to network steganography and highlights i…
▽ More
Network steganography is the art of hiding secret information within innocent network transmissions. Recent findings indicate that novel malware is increasingly using network steganography. Similarly, other malicious activities can profit from network steganography, such as data leakage or the exchange of pedophile data. This paper provides an introduction to network steganography and highlights its potential application for harmful purposes. We discuss the issues related to countering network steganography in practice and provide an outlook on further research directions and problems.
△ Less
Submitted 8 July, 2014;
originally announced July 2014.
-
A Pattern-based Survey and Categorization of Network Covert Channel Techniques
Authors:
Steffen Wendzel,
Sebastian Zander,
Bernhard Fechner,
Christian Herdin
Abstract:
Network covert channels are used to hide communication inside network protocols. Within the last decades, various techniques for covert channels arose. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized in only four different patterns, i.…
▽ More
Network covert channels are used to hide communication inside network protocols. Within the last decades, various techniques for covert channels arose. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized in only four different patterns, i.e. most of the techniques we surveyed are very similar. We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: While many current countermeasures were developed for specific channels, a pattern-oriented approach allows to apply one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.
△ Less
Submitted 19 March, 2015; v1 submitted 11 June, 2014;
originally announced June 2014.
-
On Importance of Steganographic Cost For Network Steganography
Authors:
Wojciech Mazurczyk,
Steffen Wendzel,
Ignacio Azagra Villares,
Krzysztof Szczypiorski
Abstract:
Network steganography encompasses the information hiding techniques that can be applied in communication network environments and that utilize hidden data carriers for this purpose. In this paper we introduce a characteristic called steganographic cost which is an indicator for the degradation or distortion of the carrier caused by the application of the steganographic method. Based on exemplary c…
▽ More
Network steganography encompasses the information hiding techniques that can be applied in communication network environments and that utilize hidden data carriers for this purpose. In this paper we introduce a characteristic called steganographic cost which is an indicator for the degradation or distortion of the carrier caused by the application of the steganographic method. Based on exemplary cases for single- and multi-method steganographic cost analyses we observe that it can be an important characteristic that allows to express hidden data carrier degradation - similarly as MSE (Mean-Square Error) or PSNR (Peak Signal-to-Noise Ratio) are utilized for digital media steganography. Steganographic cost can moreover be helpful to analyse the relationships between two or more steganographic methods applied to the same hidden data carrier.
△ Less
Submitted 10 June, 2014;
originally announced June 2014.
-
Protocol Channels
Authors:
Steffen Wendzel
Abstract:
Covert channel techniques are used by attackers to transfer data in a way prohibited by the security policy. There are two main categories of covert channels: timing channels and storage channels. This paper introduces a new storage channel technique called a protocol channel. A protocol channel switches one of at least two protocols to send a bit combination to a destination. The main goal of a p…
▽ More
Covert channel techniques are used by attackers to transfer data in a way prohibited by the security policy. There are two main categories of covert channels: timing channels and storage channels. This paper introduces a new storage channel technique called a protocol channel. A protocol channel switches one of at least two protocols to send a bit combination to a destination. The main goal of a protocol channel is that packets containing covert information look equal to all other packets within a network, what makes a protocol channel hard to detect.
△ Less
Submitted 14 May, 2011; v1 submitted 11 September, 2008;
originally announced September 2008.
