An Improved Bit Masking Technique to Enhance Covert Channel Attacks in Everyday IT Systems

Conference paper, in: E-Business and Telecommunications (ICETE 2020)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1484)

Abstract

We present an improved network attack evasion technique that allows malicious two-way communication and bypasses popular host and network intrusion detection techniques/systems that rely on deep packet inspection, signature analysis, and traffic behavior. The attack builds on previous research that leverages legitimate network traffic (existing or intuitively generated) from different contexts and reuses it to carry malicious content. However, unlike previous research, the proposed approach: (i) provides increased bandwidth and allows large amounts of data to be exfiltrated with improved execution times while avoiding detection, and (ii) removes the administrator-privilege constraint that existed in previous implementations. Together, these two novelties make the attack feasible in real-world scenarios. We present two attack implementations in different contexts: two-way communication of scripts/commands, and large data transfer. We test and validate both implemented attacks against four popular NIDS, eight of the most popular endpoint protection solutions, and a Data Leakage Prevention (DLP) system. Finally, we compare the findings of our attack implementations with those of previous studies.

Acknowledgment

This work was supported, in part, by the Ministry of Digital Governance, Greece, through a research grant offered to the Research Centre of Athens University of Economics & Business (RC/AUEB). The research grant aims mainly at developing innovative methodologies for implementing the National Cybersecurity Strategy of Greece (2020-25).

Author information

Corresponding author: Dimitris Gritzalis

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Dedousis, P., Stergiopoulos, G., Gritzalis, D. (2021). An Improved Bit Masking Technique to Enhance Covert Channel Attacks in Everyday IT Systems. In: Obaidat, M.S., Ben-Othman, J. (eds) E-Business and Telecommunications. ICETE 2020. Communications in Computer and Information Science, vol 1484. Springer, Cham. https://doi.org/10.1007/978-3-030-90428-9_1

  • DOI: https://doi.org/10.1007/978-3-030-90428-9_1
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-90427-2
  • Online ISBN: 978-3-030-90428-9
  • eBook Packages: Computer Science, Computer Science (R0)
