Steffen Wendzel

Mehdi Chourib, Steffen Wendzel, Wojciech Mazurczyk

The detection and elimination of covert channels are performed by a network node, known as a warden. Especially if faced with adaptive covert communication parties, a regular warden equipped with a static set of normalization rules is ineffective compared to a dynamic warden. However, dynamic wardens rely on periodically changing rule sets and have their own limitations, since they do not consider traffic specifics. We propose a novel adaptive warden strategy, capable of selecting active normalization rules by taking into account the characteristics of the observed network traffic. Our goal is to disturb the covert channel and provoke the covert peers to expose themselves more by increasing the number of packets required to perform a successful covert data transfer. Our evaluation revealed that the adaptive warden has better efficiency and effectiveness when compared to the dynamic warden because of its adaptive selection of normalization rules.

Steffen Wendzel, Luca Caviglione, Wojciech Mazurczyk et al.

Steganography embraces several hiding techniques which spawn across multiple domains. However, the related terminology is not unified among the different domains, such as digital media steganography, text steganography, cyber-physical systems steganography, network steganography (network covert channels), local covert channels, and out-of-band covert channels. To cope with this, a prime attempt has been done in 2015, with the introduction of the so-called hiding patterns, which allow to describe hiding techniques in a more abstract manner. Despite significant enhancements, the main limitation of such a taxonomy is that it only considers the case of network steganography. Therefore, this paper reviews both the terminology and the taxonomy of hiding patterns as to make them more general. Specifically, hiding patterns are split into those that describe the embedding and the representation of hidden data within the cover object. As a first research action, we focus on embedding hiding patterns and we show how they can be applied to multiple domains of steganography instead of being limited to the network scenario. Additionally, we exemplify representation patterns using network steganography. Our pattern collection is available under https://patterns.ztt.hs-worms.de.

Steffen Wendzel

Detection methods are available for several known covert channels. However, a type of covert channel that received little attention within the last decade is the "message ordering" channel. Such a covert channel changes the order of PDUs (protocol data units, i.e. packets) transferred over the network to encode hidden information. The advantage of these channels is that they cannot be blocked easily as they do not modify header content but instead mimic typical network behavior such as TCP segments that arrive in a different order than they were sent. Contribution: In this paper, we show a protocol-independent approach to detect message ordering channels. Our approach is based on a modified compressibility score. We analyze the detectability of message ordering channels and whether several types of message ordering channels differ in their detectability. Results: Our results show that the detection of message ordering channels depends on their number of utilized PDUs. First, we performed a rough threshold selection by hand, which we later optimized using the C4.5 decision tree classifier. We were able to detect message ordering covert channels with an accuracy and F1 score of >= 99.5% and a false-positive rate < 1% and < 0.1% if they use sequences of 3 or 4 PDUs, respectively. Simpler channels that only manipulate a sequence of two PDUs were detectable with an accuracy and F1 score of 94.5% and were linked to a false-positive rate of 5.19%. We thus consider our approach suitable for real-world detection scenarios with channels utilizing 3 or 4 PDUs while the detection of channels utilizing 2 PDUs should be improved further.

Wojciech Mazurczyk, Steffen Wendzel, Mehdi Chourib et al.

Network covert channels are hidden communication channels in computer networks. They influence several factors of the cybersecurity economy. For instance, by improving the stealthiness of botnet communications, they aid and preserve the value of darknet botnet sales. Covert channels can also be used to secretly exfiltrate confidential data out of organizations, potentially resulting in loss of market/research advantage. Considering the above, efforts are needed to develop effective countermeasures against such threats. Thus in this paper, based on the introduced novel warden taxonomy, we present and evaluate a new concept of a dynamic warden. Its main novelty lies in the modification of the warden's behavior over time, making it difficult for the adaptive covert communication parties to infer its strategy and perform a successful hidden data exchange. Obtained experimental results indicate the effectiveness of the proposed approach.

Steffen Wendzel

Steganography is the discipline that deals with concealing the existence of secret communications. Existing research already provided several fundamentals for defining steganography and presented a multitude of hiding methods and countermeasures for this research discipline. We identified that no work exists that discusses the process of applying steganography from an individual's perspective. This paper presents a phase model that explains pre-conditions of applying steganography as well as the decision-making process and the final termination of a steganographic communication. The model can be used to explain whether an individual can use steganography and to explain whether and why an individual desires to use steganography. Moreover, the model can be used in research publications to indicate the addressed model's phase of scientific contributions. Furthermore, our model can be used to teach the process of steganography-application to students.

Steffen Wendzel, Wojciech Mazurczyk, Sebastian Zander

Until now hiding methods in network steganography have been described in arbitrary ways, making them difficult to compare. For instance, some publications describe classical channel characteristics, such as robustness and bandwidth, while others describe the embedding of hidden information. We introduce the first unified description of hiding methods in network steganography. Our description method is based on a comprehensive analysis of the existing publications in the domain. When our description method is applied by the research community, future publications will be easier to categorize, compare and extend. Our method can also serve as a basis to evaluate the novelty of hiding methods proposed in the future.

Steffen Wendzel, Carolin Palmer

The research discipline of network steganography deals with the hiding of information within network transmissions, e.g. to transfer illicit information in networks with Internet censorship. The last decades of research on network steganography led to more than hundred techniques for hiding data in network transmissions. However, previous research has shown that most of these hiding techniques are either based on the same idea or introduce limited novelty, enabling the application of existing countermeasures. In this paper, we provide a link between the field of creativity and network steganographic research. We propose a framework and a metric to help evaluating the creativity bound to a given hiding technique. This way, we support two sides of the scientific peer review process as both authors and reviewers can use our framework to analyze the novelty and applicability of hiding techniques. At the same time, we contribute to a uniform terminology in network steganography.

Krzysztof Szczypiorski, Artur Janicki, Steffen Wendzel

In this paper we propose a new method for the evaluation of network steganography algorithms based on the new concept of "the moving observer". We considered three levels of undetectability named: "good", "bad", and "ugly". To illustrate this method we chose Wi-Fi steganography as a solid family of information hiding protocols. We present the state of the art in this area covering well-known hiding techniques for 802.11 networks. "The moving observer" approach could help not only in the evaluation of steganographic algorithms, but also might be a starting point for a new detection system of network steganography. The concept of a new detection system, called MoveSteg, is explained in detail.

Matthias Naumann, Steffen Wendzel, Wojciech Mazurczyk et al.

Network steganography conceals the transfer of sensitive information within unobtrusive data in computer networks. So-called micro protocols are communication protocols placed within the payload of a network steganographic transfer. They enrich this transfer with features such as reliability, dynamic overlay routing, or performance optimization --- just to mention a few. We present different design approaches for the embedding of hidden channels with micro protocols in digitized audio signals under consideration of different requirements. On the basis of experimental results, our design approaches are compared, and introduced into a protocol engineering approach for micro protocols.

Jernej Tonejc, Jaspreet Kaur, Adrian Karsten et al.

Building automation systems (BAS) are interlinked networks of hardware and software, which monitor and control events in the buildings. One of the data communication protocols used in BAS is Building Automation and Control networking protocol (BACnet) which is an internationally adopted ISO standard for the communication between BAS devices. Although BAS focus on providing safety for inhabitants, decreasing the energy consumption of buildings and reducing their operational cost, their security suffers due to the inherent complexity of the modern day systems. The issues such as monitoring of BAS effectively present a significant challenge, i.e., BAS operators generally possess only partial situation awareness. Especially in large and inter-connected buildings, the operators face the challenge of spotting meaningful incidents within large amounts of simultaneously occurring events, causing the anomalies in the BAS network to go unobserved. In this paper, we present the techniques to analyze and visualize the data for several events from BAS devices in a way that determines the potential importance of such unusual events and helps with the building-security decision making. We implemented these techniques as a mobile (Android) based application for displaying application data and as tools to analyze the communication flows using directed graphs.

Luca Caviglione, Jean-Francois Lalande, Wojciech Mazurczyk et al.

Smart environments integrate Information and Communication Technologies (ICT) into devices, vehicles, buildings and cities to offer an increased quality of life, energy efficiency and economical sustainability. In this perspective, the individual has a core role and so has networking, which enables such entities to cooperate. However, the huge amount of sensitive data, social aspects and the mixed set of protocols offer many opportunities to inject hazards, exfiltrate information, mass profiling of citizens, or produce a new wave of attacks. This work reviews the major risks arising from the usage of ICT-techniques for smart environments, with emphasis on networking. Its main contribution is to explain the role of different stakeholders for causing a lack of security and to envision future threats by considering human aspects.

Steffen Wendzel, Wojciech Mazurczyk, Luca Caviglione et al.

Network steganography is the art of hiding secret information within innocent network transmissions. Recent findings indicate that novel malware is increasingly using network steganography. Similarly, other malicious activities can profit from network steganography, such as data leakage or the exchange of pedophile data. This paper provides an introduction to network steganography and highlights its potential application for harmful purposes. We discuss the issues related to countering network steganography in practice and provide an outlook on further research directions and problems.

Steffen Wendzel, Sebastian Zander, Bernhard Fechner et al.

Network covert channels are used to hide communication inside network protocols. Within the last decades, various techniques for covert channels arose. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized in only four different patterns, i.e. most of the techniques we surveyed are very similar. We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: While many current countermeasures were developed for specific channels, a pattern-oriented approach allows to apply one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.

Wojciech Mazurczyk, Steffen Wendzel, Ignacio Azagra Villares et al.

Network steganography encompasses the information hiding techniques that can be applied in communication network environments and that utilize hidden data carriers for this purpose. In this paper we introduce a characteristic called steganographic cost which is an indicator for the degradation or distortion of the carrier caused by the application of the steganographic method. Based on exemplary cases for single- and multi-method steganographic cost analyses we observe that it can be an important characteristic that allows to express hidden data carrier degradation - similarly as MSE (Mean-Square Error) or PSNR (Peak Signal-to-Noise Ratio) are utilized for digital media steganography. Steganographic cost can moreover be helpful to analyse the relationships between two or more steganographic methods applied to the same hidden data carrier.