Recently, four of our papers were accepted: one at J.UCS and three at the ARES CUING workshop.
#1: Steffen Wendzel, Florian Link, Daniela Eller, Wojciech Mazurczyk:
Detection of Size Modulation Covert Channels Using Countermeasure
Variation, Journal of Universal Computer Science (J.UCS), accepted.
Abstract: Network covert channels enable stealthy communications for malware
and data exfiltration. For this reason, developing effective
countermeasures for these threats is important for the protection of
individuals and organizations. However, due to the large number of
available covert channel techniques, it is considered impractical to
develop countermeasures for all existing covert channels.
In recent years, researchers started to develop countermeasures that
(instead of only countering one particular hiding technique) can be
applied to a whole family of similar hiding techniques. These families
are referred to as hiding patterns.
Considering the above, the main contribution of this paper is to introduce
the concept of countermeasure variation. A countermeasure variation is a
slight modification of a given countermeasure, originally designed to detect
covert channels of one specific hiding pattern, so that the countermeasure
can also detect covert channels that represent other hiding patterns.
We exemplify countermeasure variation using the compressibility score,
the epsilon-similarity and the regularity metric originally presented
by Cabuk et al. All three methods are used to detect covert channels
that utilize the Inter-packet Times pattern and we show that
countermeasure variation allows the application of these countermeasures
to detect covert channels of the Size Modulation pattern, too.
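The three Cabuk et al. metrics named in the abstract are easy to state in code, and doing so shows what countermeasure variation means in practice: the detectors are written over a plain sequence of numbers, so the only change between the original inter-packet-time use and the size-modulation use is which feature of the traffic is fed in. The block below is an added illustration and is not code from the paper. The thresholds, the window size, the two payload sizes of the simulated size-modulation channel, and the three-phase "legitimate" traffic generator are all constructed here for the example; the metric definitions follow the published descriptions (compressibility of the concatenated fixed-precision string, standard deviation of pairwise relative differences of window standard deviations, and the fraction of sorted-neighbour relative differences below epsilon).

```python
import random
import statistics
import zlib
from itertools import combinations
from typing import Dict, Sequence


# --- Cabuk et al. metrics, written feature-agnostic. Originally applied to
# inter-packet times; countermeasure variation feeds packet sizes to the
# very same functions. -------------------------------------------------------

def compressibility_score(values: Sequence[float], precision: int = 3) -> float:
    """Format every value with fixed precision, concatenate, compress.
    Score = len(raw) / len(compressed). A covert channel that draws from a
    small alphabet of values compresses far better than organic traffic."""
    raw = "".join(f"{v:.{precision}f}" for v in values).encode()
    return len(raw) / len(zlib.compress(raw, 9))


def regularity(values: Sequence[float], window: int = 20) -> float:
    """Split into non-overlapping windows, take each window's standard
    deviation sigma_i, and return STDEV(|sigma_i - sigma_j| / sigma_i) over
    all pairs i < j. A channel that modulates the feature keeps the spread
    nearly constant over time, so its regularity is low."""
    sigmas = [statistics.pstdev(values[i:i + window])
              for i in range(0, len(values) - window + 1, window)]
    rel = [abs(si - sj) / si for si, sj in combinations(sigmas, 2) if si > 0]
    return statistics.pstdev(rel) if len(rel) > 1 else 0.0


def epsilon_similarity(values: Sequence[float], eps: float = 0.005) -> float:
    """Sort the values and compute lambda_i = |P_i - P_{i+1}| / P_i for each
    pair of sorted neighbours; return the fraction of lambda_i below eps.
    Many (near-)identical values, i.e. a covert alphabet, push this up."""
    s = sorted(values)
    lam = [abs(a - b) / a for a, b in zip(s, s[1:]) if a > 0]
    return sum(1 for l in lam if l < eps) / len(lam)


def scores(values: Sequence[float]) -> Dict[str, float]:
    return {
        "compressibility": compressibility_score(values),
        "regularity": regularity(values),
        "epsilon_similarity": epsilon_similarity(values),
    }


# --- Constructed sample traffic (not captured data) -------------------------

def size_modulation_channel(secret: bytes, small: int = 200, large: int = 1000):
    """Toy Size Modulation channel: one bit per packet, encoded in the size.
    The two sizes are an assumption made for this example."""
    bits = "".join(f"{b:08b}" for b in secret)
    return [large if bit == "1" else small for bit in bits]


def constructed_legitimate_sizes(rng: random.Random, n_windows: int = 10,
                                 window: int = 20):
    """Synthetic overt traffic whose spread changes over time, as real flows
    do: a bulk-transfer phase (MTU-sized), an interactive phase (small,
    varying) and a mixed phase (ACK-sized plus data segments)."""
    sizes = []
    for i in range(n_windows):
        phase = i % 3
        for _ in range(window):
            if phase == 0:
                sizes.append(rng.randint(1480, 1500))
            elif phase == 1:
                sizes.append(rng.randint(40, 200))
            else:
                sizes.append(rng.randint(40, 80) if rng.random() < 0.5
                             else rng.randint(500, 1500))
    return sizes


def demo():
    """Return (legitimate scores, covert scores) for 200 packets each."""
    rng = random.Random(2019)
    legit = constructed_legitimate_sizes(rng)          # 10 windows * 20 pkts
    covert = size_modulation_channel(b"size modulation covert ch")  # 25 B = 200 bits
    return scores(legit), scores(covert)


if __name__ == "__main__":
    legit, covert = demo()
    for name in legit:
        print(f"{name:20s} legit={legit[name]:9.3f}  covert={covert[name]:9.3f}")
```

Running the demo shows the covert sequence with a clearly higher compressibility score, a higher epsilon-similarity and a lower regularity than the legitimate sequence. To apply the original, un-varied countermeasure, pass a list of inter-packet times (floats, in seconds) to the same three functions; nothing else changes, which is precisely why the variation is cheap to build.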
#2: Steffen Wendzel: Protocol-independent Detection of `Messaging Ordering'
Network Covert Channels, in Proc. Third International Workshop on
Criminal Use of Information Hiding (CUING 2019), accepted.
Abstract: Detection methods are available for several known covert channels.
However, a type of covert channel that received little attention within
the last decade is the "message ordering" channel. Such a covert
channel changes the order of PDUs (protocol data units, i.e. packets)
transferred over the network to encode hidden information. The advantage
of these channels is that they cannot be blocked easily as they do not
modify header content but instead mimic typical network behavior such as
TCP segments that arrive in a different order than they were sent.
Contribution: In this paper, we show a protocol-independent approach to
detect message ordering channels. Our approach is based on a modified
compressibility score. We analyze the detectability of message ordering
channels and whether several types of message ordering channels differ
in their detectability.
Results: Our results show that the detection of message ordering
channels depends on their number of utilized PDUs. First, we performed a
rough threshold selection by hand, which we later optimized using the
C4.5 decision tree classifier. We were able to detect message ordering
covert channels with an accuracy and F1 score of ≥ 99.5% and a
false-positive rate of < 1% and < 0.1% if they use sequences of 3 or 4
PDUs, respectively. Simpler channels that only manipulate a sequence of
two PDUs were detectable with an accuracy and F1 score of 94.5% and
a false-positive rate of 5.19%. We thus consider our
approach suitable for real-world detection scenarios with channels
utilizing 3 or 4 PDUs while the detection of channels utilizing 2 PDUs
should be improved further.
#3: Wojciech Mazurczyk, Przemysław Szary, Steffen Wendzel and Luca
Caviglione: Towards Reversible Storage Network Covert Channels, in Proc.
Third International Workshop on Criminal Use of Information Hiding
(CUING 2019), accepted.
Abstract: The use of network covert channels to improve privacy or support security threats has been widely discussed in the literature. To date, the literature mainly focuses on how not to disrupt the overt traffic flow and on the performance of the covert channels in terms of undetectability and capacity. To preserve the stealthiness of the channel, an important feature is the ability to restore the carrier embedding the secret information to its original form. However, the development of such techniques has mainly targeted the domain of digital media steganography. Therefore, this paper applies the concept of reversible data hiding to storage network covert channels. To prove the effectiveness of our idea, a prototypical implementation of a channel exploiting IPv4 flows is presented along with its performance evaluation.
#4: Tobias Schmidbauer, Steffen Wendzel, Aleksandra Mileva and Wojciech
Mazurczyk: Introducing Dead Drops to Network Steganography using
ARP-Caches and SNMP-Walks, in Proc. Third International Workshop on
Criminal Use of Information Hiding (CUING 2019), accepted.
Abstract: Network covert channels enable various secret data exchange
scenarios among two or more secret parties via a communication network.
The diversity of the existing network covert channel techniques has
increased rapidly due to research during the last couple of years, and
most of them share the same characteristic: they require direct
communication between the participating parties. However, direct
communication is sometimes simply not possible, or it can raise
suspicion. That is why, in this paper, we introduce a new concept we call
"dead drop", i.e., a covert network storage that does not depend on
direct network traffic exchange between the covert communication parties.
Instead, the covert sender stores secret information in the ARP (Address
Resolution Protocol) cache of an unaware host that is not involved in
the hidden data exchange. Thus, the ARP cache is used as a covert
network storage and the accumulated information can then be extracted by
the covert receiver using SNMP (Simple Network Management Protocol).