Trends and Challenges in Network Covert Channels Countermeasures

Proceedings of the 16th International Conference on Availability, Reliability and Security

Mazurczyk

et al. 2021

Self Cite

Steganography embraces several hiding techniques which spawn across multiple domains. However, the related terminology is not unified among the different domains, such as digital media steganography, text steganography, cyber-physical systems steganography, network steganography (network covert channels), local covert channels, and out-of-band covert channels. To cope with this, a prime attempt has been done in 2015, with the introduction of the so-called hiding patterns, which allow to describe hiding techniques in a more abstract manner. Despite significant enhancements, the main limitation of such a taxonomy is that it only considers the case of network steganography.Therefore, this paper reviews both the terminology and the taxonomy of hiding patterns as to make them more general. Specifically, hiding patterns are split into those that describe the embedding and the representation of hidden data within the cover object.This work is licensed under a Creative Commons Attribution International 4.0 License.

Section: Anticipated Steganography Developments In the Context Of Patternsmentioning

confidence: 99%

A Revised Taxonomy of Steganography Embedding Patterns

Wendzel¹,

Proceedings of the 16th International Conference on Availability, Reliability and Security

Mazurczyk

et al. 2021

Self Cite

“…To prevent having a favorable setting, the content of messages have been randomly generated. This models an attacker who adopts an additional encryption layer or scrambling scheme to mimic the random nature of legitimate Flow Label values, in order to avoid statistical signatures that can make the detection easier [8]- [11].…”

Section: A Testbed Preparationmentioning

confidence: 99%

“…As a consequence, detection and mitigation of network covert channels are prime tasks to fully address the security of modern network scenarios. Unfortunately, literature mainly focused on threats exploiting IPv4, hence leaving the IPv6 counterpart largely unexplored [6], [9]- [11]. Besides, the inspection process is often tightly coupled with the used information hiding method: this makes the detection poorly generalizable and could lead to non-negligible computational burdens (e.g., to check protocol fields via deep packet inspection [12]).…”

Section: Introductionmentioning

confidence: 99%

Code Augmentation for Detecting Covert Channels Targeting the IPv6 Flow Label

2021 IEEE 7th International Conference on Network Softwarization (NetSoft)

Zuppelli

Mazurczyk

et al. 2021

Self Cite

Information hiding is at the basis of a new-wave of malware able to elude common detection mechanisms or remain unnoticed for long periods. To this aim, a key approach exploits network covert channels, i.e., abusive communication paths nested within a legitimate traffic flow. The increasing diffusion of IPv6 makes it attractive for an attacker, especially for the presence of the Flow Label field, which can be manipulated to contain up to 20 secret bits per packet. Unfortunately, gathering data to implement a standalone detection mechanism or to support third-party security tools is a poorly generalizable process and often leads to scalability issues. This paper showcases how to take advantage of code augmentation features (i.e., the extended Berkeley Packet Filter) to detect covert channels targeting the IPv6 Flow Label. To prove its effectiveness, the proposed approach has been tested against Internet-wide traffic traces collected in the wild. Results indicate that it is possible to spot the channel while mitigating the computational burden and the memory footprint.

“…The detection of a network covert channel is a nontrivial and poorly generalizable problem [4]. Spotting hidden communications within a bulk of network flows typically requires to implement attack-specific methodologies or to perform deep packet inspection, which poses scalability problems [9]. Moreover, security tools can not detect IPv6 covert channels out of the box [8], and many of them even have issues in handling IPv6 traffic as well as conversations exploiting v4/v6 transitional mechanisms [10].…”

Section: Introductionmentioning

confidence: 99%

“…The detection of covert channels targeting IPv6 is of prime importance today to fully assess security of modern network scenarios and to mitigate the advancement of stegomalware and other information hiding attacks [1][2][3]. Nevertheless, scalability of the approach should be considered as a design constraint, since inspection processes should not penalize legitimate traffic flows, e.g., by adding additional delays or disrupt the perceived Quality of Experience [1,4,9]. To this aim, we introduce bccstego, a framework that can be used for detecting network covert channels in the header of IPv6 packets.…”

Section: Introductionmentioning

confidence: 99%

bccstego: A Framework for Investigating Network Covert Channels

Repetto

Proceedings of the 16th International Conference on Availability, Reliability and Security

Zuppelli

2021

Self Cite

Modern malware increasingly exploits information hiding to remain undetected while attacking. To this aim, network covert channels, i.e., hidden communication paths established within legitimate flows, can be used to exfiltrate data or exchange commands without getting noticed by firewalls, antivirus, and intrusion detection systems. Since the secret data can be directly injected in various portions of the stream or encoded via suitable alterations of the traffic, spotting hidden communications is a challenging and poorly generalizable task. Moreover, the majority of works addressed IPv4, thus leaving the detection of covert channels targeting IPv6 almost unexplored.This paper presents bccstego, i.e., an inspection framework for computing statistical indicators to reveal covert channels targeting the IPv6 header. The proposed approach has been designed to be easily extended, for instance to search for channels not known a priori. Numerical results demonstrate the effectiveness of our first tool in the bccstego framework as well as its ability to handle high-throughput IPv6 flows without adding additional delays. CCS CONCEPTS• Networks → Network performance evaluation; • Security and privacy → Network security; Domain-specific security and privacy architectures.