CR Feb 2, 2014
Improving Hard Disk Contention-based Covert Channel in Cloud Computing Environment
Bartosz Lipinski, Wojciech Mazurczyk, Krzysztof Szczypiorski
Steganographic methods allow the covert exchange of secret data between parties aware of the procedure. The cloud computing environment is a new and hot target for steganographers, and currently not many solutions have been proposed. This paper proposes CloudSteg which is a steganographic method that allows the creation of a covert channel based on hard disk contention between the two cloud instances that reside on the same physical machine. Experimental results conducted using open source cloud environment OpenStack, show that CloudSteg is able to achieve a bandwidth of about 0.1 bps which is 1000 times higher than is known from the state-of-the-art version.
CR Nov 5, 2021
Adaptive Warden Strategy for Countering Network Covert Storage Channels
Mehdi Chourib, Steffen Wendzel, Wojciech Mazurczyk
The detection and elimination of covert channels are performed by a network node, known as a warden. Especially if faced with adaptive covert communication parties, a regular warden equipped with a static set of normalization rules is ineffective compared to a dynamic warden. However, dynamic wardens rely on periodically changing rule sets and have their own limitations, since they do not consider traffic specifics. We propose a novel adaptive warden strategy, capable of selecting active normalization rules by taking into account the characteristics of the observed network traffic. Our goal is to disturb the covert channel and provoke the covert peers to expose themselves more by increasing the number of packets required to perform a successful covert data transfer. Our evaluation revealed that the adaptive warden has better efficiency and effectiveness when compared to the dynamic warden because of its adaptive selection of normalization rules.
CR Jun 16, 2021
A Revised Taxonomy of Steganography Embedding Patterns
Steffen Wendzel, Luca Caviglione, Wojciech Mazurczyk et al.
Steganography embraces several hiding techniques which spawn across multiple domains. However, the related terminology is not unified among the different domains, such as digital media steganography, text steganography, cyber-physical systems steganography, network steganography (network covert channels), local covert channels, and out-of-band covert channels. To cope with this, a prime attempt has been done in 2015, with the introduction of the so-called hiding patterns, which allow to describe hiding techniques in a more abstract manner. Despite significant enhancements, the main limitation of such a taxonomy is that it only considers the case of network steganography. Therefore, this paper reviews both the terminology and the taxonomy of hiding patterns as to make them more general. Specifically, hiding patterns are split into those that describe the embedding and the representation of hidden data within the cover object. As a first research action, we focus on embedding hiding patterns and we show how they can be applied to multiple domains of steganography instead of being limited to the network scenario. Additionally, we exemplify representation patterns using network steganography. Our pattern collection is available under https://patterns.ztt.hs-worms.de.
CR Feb 28, 2021
Countering Adaptive Network Covert Communication with Dynamic Wardens
Wojciech Mazurczyk, Steffen Wendzel, Mehdi Chourib et al.
Network covert channels are hidden communication channels in computer networks. They influence several factors of the cybersecurity economy. For instance, by improving the stealthiness of botnet communications, they aid and preserve the value of darknet botnet sales. Covert channels can also be used to secretly exfiltrate confidential data out of organizations, potentially resulting in loss of market/research advantage. Considering the above, efforts are needed to develop effective countermeasures against such threats. Thus in this paper, based on the introduced novel warden taxonomy, we present and evaluate a new concept of a dynamic warden. Its main novelty lies in the modification of the warden's behavior over time, making it difficult for the adaptive covert communication parties to infer its strategy and perform a successful hidden data exchange. Obtained experimental results indicate the effectiveness of the proposed approach.
CR Nov 24, 2016
Software-Defined Networking-based Crypto Ransomware Detection Using HTTP Traffic Characteristics
Krzysztof Cabaj, Marcin Gregorczyk, Wojciech Mazurczyk
Ransomware is currently the key threat for individual as well as corporate Internet users. Especially dangerous is crypto ransomware that encrypts important user data and it is only possible to recover it once a ransom has been paid. Therefore devising efficient and effective countermeasures is a rising necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes characteristics of ransomware communication. Based on the observation of network communication of two crypto ransomware families, namely CryptoWall and Locky we conclude that analysis of the HTTP messages' sequences and their respective content sizes is enough to detect such threats. We show feasibility of our approach by designing and evaluating the proof-of-concept SDN-based detection system. Experimental results confirm that the proposed approach is feasible and efficient.
CR Aug 25, 2016
YouSkyde: Information Hiding for Skype Video Traffic
Wojciech Mazurczyk, Maciej Karas, Krzysztof Szczypiorski et al.
In this paper a new information hiding method for Skype videoconference calls - YouSkyde - is introduced. A Skype traffic analysis revealed that introducing intentional losses into the Skype video traffic stream to provide the means for clandestine communication is the most favourable solution. A YouSkyde proof-of-concept implementation was carried out and its experimental evaluation is presented. The results obtained prove that the proposed method is feasible and offer a steganographic bandwidth as high as 0.93 kbps, while introducing negligible distortions into transmission quality and providing high undetectability.
CR Aug 24, 2016
Using Software-Defined Networking for Ransomware Mitigation: the Case of CryptoWall
Krzysztof Cabaj, Wojciech Mazurczyk
Currently, different forms of ransomware are increasingly threatening Internet users. Modern ransomware encrypts important user data and it is only possible to recover it once a ransom has been paid. In this paper we show how Software-Defined Networking (SDN) can be utilized to improve ransomware mitigation. In more detail, we analyze the behavior of popular ransomware - CryptoWall - and, based on this knowledge, we propose two real-time mitigation methods. Then we designed the SDN-based system, implemented using OpenFlow, which facilitates a timely reaction to this threat, and is a crucial factor in the case of crypto ransomware. What is important is that such a design does not significantly affect overall network performance. Experimental results confirm that the proposed approach is feasible and efficient.
CR Dec 23, 2015
Unified Description for Network Information Hiding Methods
Steffen Wendzel, Wojciech Mazurczyk, Sebastian Zander
Until now hiding methods in network steganography have been described in arbitrary ways, making them difficult to compare. For instance, some publications describe classical channel characteristics, such as robustness and bandwidth, while others describe the embedding of hidden information. We introduce the first unified description of hiding methods in network steganography. Our description method is based on a comprehensive analysis of the existing publications in the domain. When our description method is applied by the research community, future publications will be easier to categorize, compare and extend. Our method can also serve as a basis to evaluate the novelty of hiding methods proposed in the future.
MM May 28, 2015
Micro protocol engineering for unstructured carriers: On the embedding of steganographic control protocols into audio transmissions
Matthias Naumann, Steffen Wendzel, Wojciech Mazurczyk et al.
Network steganography conceals the transfer of sensitive information within unobtrusive data in computer networks. So-called micro protocols are communication protocols placed within the payload of a network steganographic transfer. They enrich this transfer with features such as reliability, dynamic overlay routing, or performance optimization, just to mention a few. We present different design approaches for the embedding of hidden channels with micro protocols in digitized audio signals under consideration of different requirements. On the basis of experimental results, our design approaches are compared, and introduced into a protocol engineering approach for micro protocols.
CR May 15, 2015
Towards a Systematic View on Cybersecurity Ecology
Wojciech Mazurczyk, Szymon Drobniak, Sean Moore
Current network security systems are progressively showing their limitations. One credible estimate is that only about 45% of new threats are detected. Therefore it is vital to find a new direction that cybersecurity development should follow. We argue that the next generation of cybersecurity systems should seek inspiration in nature. This approach has been used before in the first generation of cybersecurity systems; however, since then cyber threats and environment have evolved significantly, and accordingly the first-generation systems have lost their effectiveness. A next generation of bio-inspired cybersecurity research is emerging, but progress is hindered by the lack of a framework for mapping biological security systems to their cyber analogies. In this paper, using terminology and concepts from biology, we describe a cybersecurity ecology and a framework that may be used to systematically research and develop bio-inspired cybersecurity.
CR Apr 19, 2015
Information Hiding as a Challenge for Malware Detection
Wojciech Mazurczyk, Luca Caviglione
Information hiding techniques are increasingly utilized by the current malware to hide its existence and communication attempts. In this paper we highlight this new trend by reviewing the most notable examples of malicious software that shows this capability.
CY Feb 3, 2015
Analysis of Human Awareness of Security and Privacy Threats in Smart Environments
Luca Caviglione, Jean-Francois Lalande, Wojciech Mazurczyk et al.
Smart environments integrate Information and Communication Technologies (ICT) into devices, vehicles, buildings and cities to offer an increased quality of life, energy efficiency and economical sustainability. In this perspective, the individual has a core role and so has networking, which enables such entities to cooperate. However, the huge amount of sensitive data, social aspects and the mixed set of protocols offer many opportunities to inject hazards, exfiltrate information, mass profiling of citizens, or produce a new wave of attacks. This work reviews the major risks arising from the usage of ICT-techniques for smart environments, with emphasis on networking. Its main contribution is to explain the role of different stakeholders for causing a lack of security and to envision future threats by considering human aspects.
CR Nov 3, 2014
Understanding Information Hiding in iOS
Luca Caviglione, Wojciech Mazurczyk
The Apple operating system (iOS) has so far proved resistant to information-hiding techniques, which help attackers covertly communicate. However, Siri - a native iOS service that controls iPhones and iPads via voice commands - could change this trend.
CR Oct 30, 2014
Insights from Nature for Cybersecurity
Elzbieta Rzeszutko, Wojciech Mazurczyk
The alarming rise in the quantity of malware in the last few years poses a serious challenge to the security community and requires urgent response. However, current countermeasures seem to be no longer effective. Thus, it is our belief that it is now time for researchers and security experts to turn to nature in the search for novel inspirations for defense systems. Nature has provided species with a whole range of offensive and defensive techniques, which have been developing and improving in the course of billions of years of evolution. The extremely diverse living conditions have promoted a large variation in the devised bio-security solutions. In this paper we introduce a novel PROTECTION framework in which common denominators of the encountered offensive and defensive means are proposed and presented. The bio-inspired solutions are discussed in the context of cybersecurity, where some principles have already been adopted. The deployment of the whole nature-based framework should aid the design and improvement process of modern cyber-defense systems.
CR Oct 17, 2014
Security - a perpetual war: lessons from nature
Wojciech Mazurczyk, Elżbieta Rzeszutko
For ages people have sought inspiration in nature. Biomimicry has been the propelling power of such inventions, like Velcro tape or "cat's eyes" - retroreflective road marking. At the same time, scientists have been developing biologically inspired techniques: genetic algorithms, neural and sensor networks, etc. Although at a first glance there is no direct inspiration behind offensive and defensive techniques seen in the Internet and the patterns present in nature, closer inspection reveals many analogies between these two worlds. Botnets, DDoS (Distributed Denial of Service) attacks, IDS/IPSs (Intrusion Detection/Prevention Systems), and others, all employ strategies which very closely resemble actions undertaken by certain species of the kingdoms of living things. The main conclusion of the analysis is that security community should turn to nature in search of new offensive and defensive techniques for virtual world security.
MM Aug 27, 2014
Steganography in Modern Smartphones and Mitigation Techniques
Wojciech Mazurczyk, Luca Caviglione
By offering sophisticated services and centralizing a huge volume of personal data, modern smartphones changed the way we socialize, entertain and work. To this aim, they rely upon complex hardware/software frameworks leading to a number of vulnerabilities, attacks and hazards to profile individuals or gather sensitive information. However, the majority of works evaluating the security degree of smartphones neglects steganography, which can be mainly used to: i) exfiltrate confidential data via camouflage methods, and ii) conceal valuable or personal information into innocent looking carriers. Therefore, this paper surveys the state of the art of steganographic techniques for smartphones, with emphasis on methods developed over the period 2005 to the second quarter of 2014. The different approaches are grouped according to the portion of the device used to hide information, leading to three different covert channels, i.e., local, object and network. Also, it reviews the relevant approaches used to detect and mitigate steganographic attacks or threats. Lastly, it showcases the most popular software applications to embed secret data into carriers, as well as possible future directions.
CR Jul 8, 2014
Hidden and Uncontrolled - On the Emergence of Network Steganographic Threats
Steffen Wendzel, Wojciech Mazurczyk, Luca Caviglione et al.
Network steganography is the art of hiding secret information within innocent network transmissions. Recent findings indicate that novel malware is increasingly using network steganography. Similarly, other malicious activities can profit from network steganography, such as data leakage or the exchange of pedophile data. This paper provides an introduction to network steganography and highlights its potential application for harmful purposes. We discuss the issues related to countering network steganography in practice and provide an outlook on further research directions and problems.
MM Jun 10, 2014
On Importance of Steganographic Cost For Network Steganography
Wojciech Mazurczyk, Steffen Wendzel, Ignacio Azagra Villares et al.
Network steganography encompasses the information hiding techniques that can be applied in communication network environments and that utilize hidden data carriers for this purpose. In this paper we introduce a characteristic called steganographic cost which is an indicator for the degradation or distortion of the carrier caused by the application of the steganographic method. Based on exemplary cases for single- and multi-method steganographic cost analyses we observe that it can be an important characteristic that allows to express hidden data carrier degradation - similarly as MSE (Mean-Square Error) or PSNR (Peak Signal-to-Noise Ratio) are utilized for digital media steganography. Steganographic cost can moreover be helpful to analyse the relationships between two or more steganographic methods applied to the same hidden data carrier.
MM Mar 18, 2013
StegTorrent: a Steganographic Method for the P2P File Sharing Service
Pawel Kopiczko, Wojciech Mazurczyk, Krzysztof Szczypiorski
The paper proposes StegTorrent, a new network steganographic method for the popular P2P file transfer service - BitTorrent. It is based on modifying the order of data packets in the peer-peer data exchange protocol. Unlike other existing steganographic methods that modify the packets' order it does not require any synchronization. Experimental results acquired from prototype implementation proved that it provides high steganographic bandwidth of up to 270 b/s while introducing little transmission distortion and providing difficult detectability.
CR Jan 16, 2013
SkyDe: a Skype-based Steganographic Method
Wojciech Mazurczyk, Maciej Karas, Krzysztof Szczypiorski
This paper introduces SkyDe (Skype Hide), a new steganographic method that utilizes Skype encrypted packets with silence to provide the means for clandestine communication. It is possible to reuse packets that do not carry voice signals for steganographic purposes because Skype does not use any silence suppression mechanism. The method's proof-of-concept implementation and first experimental results are presented. They prove that the method is feasible and offers steganographic bandwidth as high as 2.8 kbps.
CR Oct 22, 2012
Steganalysis of Transcoding Steganography
Artur Janicki, Wojciech Mazurczyk, Krzysztof Szczypiorski
TranSteg (Transcoding Steganography) is a fairly new IP telephony steganographic method that functions by compressing overt (voice) data to make space for the steganogram by means of transcoding. It offers high steganographic bandwidth, retains good voice quality and is generally harder to detect than other existing VoIP steganographic methods. In TranSteg, after the steganogram reaches the receiver, the hidden information is extracted and the speech data is practically restored to what was originally sent. This is a huge advantage compared with other existing VoIP steganographic methods, where the hidden data can be extracted and removed but the original data cannot be restored because it was previously erased due to a hidden data insertion process. In this paper we address the issue of steganalysis of TranSteg. Various TranSteg scenarios and possibilities of warden(s) localization are analyzed with regards to the TranSteg detection. A steganalysis method based on MFCC (Mel-Frequency Cepstral Coefficients) parameters and GMMs (Gaussian Mixture Models) was developed and tested for various overt/covert codec pairs in a single warden scenario with double transcoding. The proposed method allowed for efficient detection of some codec pairs (e.g., G.711/G.729), whilst some others remained more resistant to detection (e.g., iLBC/AMR).
CR Aug 14, 2012
Towards Steganography Detection Through Network Traffic Visualisation
Wojciech Mazurczyk, Krzysztof Szczypiorski, Bartosz Jankowski
The paper presents an initial step toward a new network anomaly detection method that is based on traffic visualisation. The key design principle of the proposed approach is the lack of direct, linear time dependencies for the created network traffic visualisations. The method's feasibility is demonstrated in a network steganography environment by presenting the steg-tomography methodology and developing the dedicated visualisation tool. To the authors' best knowledge this is the first utilization of network traffic visualisations for steganalysis purposes.
CR Jul 4, 2012
Principles and Overview of Network Steganography
Jozef Lubacz, Wojciech Mazurczyk, Krzysztof Szczypiorski
The paper presents basic principles of network steganography, which is a comparatively new research subject in the area of information hiding, followed by a concise overview and classification of network steganographic methods and techniques.
CR Mar 20, 2012
VoIP Steganography and Its Detection - A Survey
Wojciech Mazurczyk
Steganography is an ancient art that encompasses various techniques of information hiding, the aim of which is to embed secret information into a carrier message. Steganographic methods are usually aimed at hiding the very existence of the communication. Due to the rise in popularity of IP telephony, together with the large volume of data and variety of protocols involved, it is currently attracting the attention of the research community as a perfect carrier for steganographic purposes. This paper is a survey of the existing VoIP steganography (steganophony) methods and their countermeasures.
MM Feb 23, 2012
Development Trends in Steganography
Elzbieta Zielinska, Wojciech Mazurczyk, Krzysztof Szczypiorski
Steganography is a general term referring to all methods for the embedding of additional secret content into some form of carrier, with the aim of concealment of the introduced alterations. The choice of the carrier is nearly unlimited, it may be an ancient piece of parchment, as well as a network protocol header. Inspired by biological phenomena, adopted by man in the ancient times, it has been developed over the ages. Present day steganographic methods are far more sophisticated than their ancient predecessors, but the main principles have remained unchanged. They typically rely on the utilization of digital media files or network protocols as a carrier, in which secret data is embedded. This paper presents the evolution of the hidden data carrier from the ancient times till the present day and pinpoints the observed development trends, with special emphasis on network steganography.
CR Jan 30, 2012
Influence of Speech Codecs Selection on Transcoding Steganography
Artur Janicki, Wojciech Mazurczyk, Krzysztof Szczypiorski
The typical approach to steganography is to compress the covert data in order to limit its size, which is reasonable in the context of a limited steganographic bandwidth. TranSteg (Transcoding Steganography) is a new IP telephony steganographic method that was recently proposed that offers high steganographic bandwidth while retaining good voice quality. In TranSteg, compression of the overt data is used to make space for the steganogram. In this paper we focus on analyzing the influence of the selection of speech codecs on hidden transmission performance, that is, which codecs would be the most advantageous ones for TranSteg. Therefore, by considering the codecs which are currently most popular for IP telephony we aim to find out which codecs should be chosen for transcoding to minimize the negative influence on voice quality while maximizing the obtained steganographic bandwidth.