DOI: 10.1145/3465481.3470067

pcapStego: A Tool for Generating Traffic Traces for Experimenting with Network Covert Channels

Published: 17 August 2021

ABSTRACT

The increasing diffusion of malware endowed with steganographic and cloaking capabilities requires tools and techniques for conducting research activities, testing real deployments and elaborating mitigation mechanisms. To investigate attacks targeting networks and appliances, a core requirement is the availability of suitable traffic traces, which can be used to derive mathematical models for simulation or to develop machine-learning-based countermeasures. Unfortunately, the novelty of threats injecting secrets into or cloaking their presence within network traffic, the highly protocol-dependent nature of the various embedding processes, and privacy issues prevent the wide diffusion of datasets for research. Therefore, in this paper we present pcapStego, a tool for creating network covert channels within .pcap files. This approach has two major advantages: it allows large datasets to be prepared starting from real network traces, and it generates “replayable” conversations useful both for emulating attacks and for conducting pentesting campaigns. To prove the effectiveness of the tool, we showcase the generation of network covert channels targeting IPv6 traffic, which is gaining momentum and is expected to be a major target for future attacks.
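The abstract describes traces in which IPv6 header fields carry a covert channel, and the main use of such a dataset is to build and evaluate detectors. The following is an added example, not code from the paper or from the pcapStego tool: a dependency-free Python reader for classic pcap files that parses the IPv6 fixed header and reports, per source/destination pair, how many distinct Flow Label values appear. A sender that follows RFC 6437 keeps the label stable for a flow (or leaves it zero), so a label that changes from packet to packet is one simple indicator that the field is being modulated. The sample trace, the 2001:db8::/32 documentation addresses, the "covert-msg" payload written into the labels, and the 50% threshold are all constructed for this demonstration; the abstract does not state which IPv6 fields pcapStego actually modulates, and nothing here assumes it.

```python
import struct
import ipaddress
from collections import Counter, defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap magic, little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic as read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_NONE = 59           # "No Next Header": the sample packets carry no transport layer


def build_ipv6_frame(src, dst, flow_label, traffic_class=0, hop_limit=64, payload=b""):
    """Ethernet II frame carrying a minimal IPv6 packet (constructed test data)."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    ipv6 = struct.pack("!IHBB", first_word, len(payload), NEXT_HEADER_NONE, hop_limit)
    ipv6 += src.packed + dst.packed
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV6)   # zeroed MAC addresses
    return eth + ipv6 + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (24-byte global header, 16-byte records)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap_frames(data):
    """Yield captured frames from classic pcap bytes, honouring the file's byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_ipv6_header(frame):
    """Return the fixed-header fields of an IPv6-over-Ethernet frame, or None if it is not one."""
    if len(frame) < 14 + 40:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV6:
        return None
    word, _, _, hop_limit = struct.unpack_from("!IHBB", frame, 14)
    if word >> 28 != 6:
        return None
    return {
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(frame[22:38])),
        "dst": str(ipaddress.IPv6Address(frame[38:54])),
    }


def flow_label_report(pcap_bytes, ratio_threshold=0.5):
    """Per (src, dst) pair: packet count, distinct Flow Labels and a heuristic flag.
    The threshold is an assumption for this demo: flag a pair when more than half of its
    packets introduce a label not seen before (a compliant sender keeps the label stable)."""
    labels = defaultdict(Counter)
    for frame in iter_pcap_frames(pcap_bytes):
        hdr = parse_ipv6_header(frame)
        if hdr is not None:
            labels[(hdr["src"], hdr["dst"])][hdr["flow_label"]] += 1
    report = {}
    for pair, counter in labels.items():
        total = sum(counter.values())
        distinct = len(counter)
        report[pair] = {
            "packets": total,
            "distinct_flow_labels": distinct,
            "suspicious": distinct > 1 and distinct / total > ratio_threshold,
        }
    return report


# Constructed sample trace using documentation-range addresses; no real capture involved.
A, B, C = (ipaddress.IPv6Address(x) for x in ("2001:db8::1", "2001:db8::2", "2001:db8::3"))
CLEAN = [build_ipv6_frame(A, B, 0x12345, payload=b"x" * n) for n in range(10)]
HIDDEN = b"covert-msg"   # ten distinct bytes, each written into one packet's Flow Label
STEGO = [build_ipv6_frame(C, B, byte, payload=b"x" * n) for n, byte in enumerate(HIDDEN)]
NOISE = [bytes(12) + struct.pack("!H", 0x0806) + bytes(28)]   # non-IPv6 frame, must be skipped
SAMPLE_PCAP = build_pcap(CLEAN + STEGO + NOISE)

if __name__ == "__main__":
    for pair, row in flow_label_report(SAMPLE_PCAP).items():
        print(pair, row)
```

The clean conversation keeps one label and is not flagged; the second conversation changes its label on every packet and is. On a real trace the same report can be extended to Traffic Class and Hop Limit (both returned by the parser) to compare a generated dataset against the baseline capture it was derived from.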


Published in

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021, 1447 pages
ISBN: 9781450390514
DOI: 10.1145/3465481

Copyright © 2021 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article, Research, Refereed limited

Overall acceptance rate: 228 of 451 submissions, 51%
