DOI: 10.1145/3465481.3470028
research-article

bccstego: A Framework for Investigating Network Covert Channels

Published: 17 August 2021

Abstract

Modern malware increasingly exploits information hiding to remain undetected while attacking. To this end, network covert channels, i.e., hidden communication paths established within legitimate flows, can be used to exfiltrate data or exchange commands without being noticed by firewalls, antivirus software, and intrusion detection systems. Since the secret data can be injected directly into various portions of the stream or encoded via suitable alterations of the traffic, spotting hidden communications is a challenging task whose solutions generalize poorly. Moreover, the majority of works have addressed IPv4, leaving the detection of covert channels targeting IPv6 almost unexplored.
This paper presents bccstego, an inspection framework that computes statistical indicators to reveal covert channels targeting the IPv6 header. The proposed approach has been designed to be easily extended, for instance to search for channels not known a priori. Numerical results demonstrate the effectiveness of our first tool in the bccstego framework as well as its ability to handle high-throughput IPv6 flows without introducing additional delays.


Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021
1447 pages
ISBN:9781450390514
DOI:10.1145/3465481
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. BPF compiler collection
  2. eBPF
  3. network covert channel
  4. packet inspection
  5. stegomalware

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months): 21
  • Downloads (Last 6 weeks): 2
Reflects downloads up to 16 Oct 2024

Cited By

  • (2024) A Comparative Analysis on Exploration of Stegosploits across Various Media Formats. 2024 International Conference on Knowledge Engineering and Communication Systems (ICKECS), 1-8. DOI: 10.1109/ICKECS61492.2024.10616568. Online publication date: 18-Apr-2024
  • (2024) Learning autoencoder ensembles for detecting malware hidden communications in IoT ecosystems. Journal of Intelligent Information Systems 62:4, 925-949. DOI: 10.1007/s10844-023-00819-8. Online publication date: 1-Aug-2024
  • (2023) Covert Channel Detection and Generation Techniques: A Survey. 2023 3rd International Conference on Emerging Smart Technologies and Applications (eSmarTA), 01-09. DOI: 10.1109/eSmarTA59349.2023.10293582. Online publication date: 10-Oct-2023
  • (2023) SPYIPv6: Locating Covert Data in One or a Combination of IPv6 Header Field(s). IEEE Access 11, 103486-103501. DOI: 10.1109/ACCESS.2023.3318172. Online publication date: 2023
  • (2023) FIHIM: a framework for information hiding in IPv6 using micro-protocols. International Journal of Information Technology. DOI: 10.1007/s41870-023-01511-4. Online publication date: 4-Oct-2023
  • (2022) Code Layering for the Detection of Network Covert Channels in Agentless Systems. IEEE Transactions on Network and Service Management 19:3, 2282-2294. DOI: 10.1109/TNSM.2022.3176752. Online publication date: Sep-2022
  • (2022) CC-Guard: An IPv6 Covert Channel Detection Method Based on Field Matching. 2022 IEEE 24th Int Conf on High Performance Computing & Communications; 8th Int Conf on Data Science & Systems; 20th Int Conf on Smart City; 8th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys), 1416-1421. DOI: 10.1109/HPCC-DSS-SmartCity-DependSys57074.2022.00219. Online publication date: Dec-2022
  • (2022) Detecting and Locating Storage-Based Covert Channels in Internet Protocol Version 6. IEEE Access 10, 110661-110675. DOI: 10.1109/ACCESS.2022.3215132. Online publication date: 2022
  • (2022) DICCh-D: Detecting IPv6-Based Covert Channels Using DNN. Information, Communication and Computing Technology, 42-53. DOI: 10.1007/978-3-031-20977-2_4. Online publication date: 12-Nov-2022
  • (2022) Privacy-Leaking and Steganographic Threats in Wireless Connected Environments. Towards a Wireless Connected World: Achievements and New Technologies, 17-34. DOI: 10.1007/978-3-031-04321-5_2. Online publication date: 18-May-2022
