Abstract
We present an improved network attack evasion technique that allows malicious two-way communication and bypasses popular host and network intrusion detection systems that rely on deep packet inspection, signature analysis, and traffic behaviour analysis. The attack builds on previous research that leverages legitimate network traffic (existing or intuitively generated) from different contexts and reuses it to carry malicious content. Unlike previous work, however, the proposed approach: (i) provides increased bandwidth and allows us to exfiltrate large amounts of data with improved execution times while avoiding detection, and (ii) removes the administrative privilege requirement that existed in previous implementations. Together, these two novelties make the attack feasible in real-world scenarios. We present two different attack implementations in different contexts, i.e., two-way communication of scripts/commands and large data transfer. We test and validate our two implemented attacks against four popular NIDS, eight of the most popular endpoint protection solutions, and a Data Leakage Prevention (DLP) system. Finally, we compare the findings for our attack implementations with those of previous studies.
Acknowledgment
This work was supported, in part, by the Ministry of Digital Governance, Greece, through a research grant offered to the Research Centre of Athens University of Economics & Business (RC/AUEB). The grant aims mainly at developing innovative methodologies for implementing the National Cybersecurity Strategy of Greece (2020-25).
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Dedousis, P., Stergiopoulos, G., Gritzalis, D. (2021). An Improved Bit Masking Technique to Enhance Covert Channel Attacks in Everyday IT Systems. In: Obaidat, M.S., Ben-Othman, J. (eds) E-Business and Telecommunications. ICETE 2020. Communications in Computer and Information Science, vol 1484. Springer, Cham. https://doi.org/10.1007/978-3-030-90428-9_1
DOI: https://doi.org/10.1007/978-3-030-90428-9_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90427-2
Online ISBN: 978-3-030-90428-9