Detection and Mitigation of Steganographic Malware

A new attack trend concerns the use of some form of steganography and information hiding to make malware stealthier and able to elude many standard security mechanisms. Therefore, this Thesis addresses the detection and the mitigation of this class of threats. In particular, it considers malware implementing covert communications within network traffic or cloaking malicious payloads within digital images. The first research contribution of this Thesis is in the detection of network covert channels. Unfortunately, the literature on the topic lacks of real traffic traces or attack samples to perform precise tests or security assessments. Thus, a propaedeutic research activity has been devoted to develop two ad-hoc tools. The first allows to create covert channels targeting the IPv6 protocol by eavesdropping flows, whereas the second allows to embed secret data within arbitrary traffic traces that can be replayed to perform investigations in realistic conditions. This Thesis then starts with a security assessment concerning the impact of hidden network communications in production-quality scenarios. Results have been obtained by considering channels cloaking data in the most popular protocols (e.g., TLS, IPv4/v6, and ICMPv4/v6) and showcased that de-facto standard intrusion detection systems and firewalls (i.e., Snort, Suricata, and Zeek) are unable to spot this class of hazards. Since malware can conceal information (e.g., commands and configuration files) in almost every protocol, traffic feature or network element, configuring or adapting pre-existent security solutions could be not straightforward. Moreover, inspecting multiple protocols, fields or conversations at the same time could lead to performance issues. Thus, a major effort has been devoted to develop a suite based on the extended Berkeley Packet Filter (eBPF) to gain visibility over different network protocols/components and to efficiently collect various performance indicators or statistics by using a unique technology. This part of research allowed to spot the presence of network covert channels targeting the header of the IPv6 protocol or the inter-packet time of generic network conversations. In addition, the approach based on eBPF turned out to be very flexible and also allowed to reveal hidden data transfers between two processes co-located within the same host. Another important contribution of this part of the Thesis concerns the deployment of the suite in realistic scenarios and its comparison with other similar tools. Specifically, a thorough performance evaluation demonstrated that eBPF can be used to inspect traffic and reveal the presence of covert communications also when in the presence of high loads, e.g., it can sustain rates up to 3 Gbit/s with commodity hardware. To further address the problem of revealing network covert channels in realistic environments, this Thesis also investigates malware targeting traffic generated by Internet of Things devices. In this case, an incremental ensemble of autoencoders has been considered to face the ''unknown'' location of the hidden data generated by a threat covertly exchanging commands towards a remote attacker. The second research contribution of this Thesis is in the detection of malicious payloads hidden within digital images. In fact, the majority of real-world malware exploits hiding methods based on Least Significant Bit steganography and some of its variants, such as the Invoke-PSImage mechanism. Therefore, a relevant amount of research has been done to detect the presence of hidden data and classify the payload (e.g., malicious PowerShell scripts or PHP fragments). To this aim, mechanisms leveraging Deep Neural Networks (DNNs) proved to be flexible and effective since they can learn by combining raw low-level data and can be updated or retrained to consider unseen payloads or images with different features. To take into account realistic threat models, this Thesis studies malware targeting different types of images (i.e., favicons and icons) and various payloads (e.g., URLs and Ethereum addresses, as well as webshells). Obtained results showcased that DNNs can be considered a valid tool for spotting the presence of hidden contents since their detection accuracy is always above 90% also when facing ''elusion'' mechanisms such as basic obfuscation techniques or alternative encoding schemes. Lastly, when detection or classification are not possible (e.g., due to resource constraints), approaches enforcing ''sanitization'' can be applied. Thus, this Thesis also considers autoencoders able to disrupt hidden malicious contents without degrading the quality of the image

Network Covert Channels: Review of Current State and Analysis of Viability of the use of X.509 Certificates for Covert Communications

The popularity of computer-based smuggling has increased as a result of organizations taking measures to prevent traditional means of data exfiltration. Most organizations depend on broad and heterogeneous communication networks, which provide numerous possibilities for malicious users to smuggle sensitive private information out of their boundaries. They can achieve that objective with the use of network covert channels, that apart from carrying the data outside of the organization, hide the fact that the communication is taking place. This study provides a comprehensive, up to date review of the current state of research in the field of network covert channels: hidden communication channels that abuse legitimate network communication channels. It also presents a novel technique to establish such channels based on the use Digital Certificates, along with an informal framework to exfiltrate data making use of the technique. It involves the use of the Transport Secure Layer protocol, a network protocol normally used to provide confidentiality and integrity services to applications. Several detection and prevention mechanisms and methodologies exist or have been proposed to counter the threats posed by this hidden communication channels. They are also identified and discussed in this work, explaining their applicability and limitations

Mobile Agents for Detecting Network Attacks Using Timing Covert Channels

This article addresses the problem of network attacks using steganographic techniques based on the manipulation of time relationships between IP packets. In the study, an efficient method to detect such attacks is presented. The proposed algorithm is based on the Change Observation Theory, and employs two types of agents: base and flying ones. The agents observe the time parameters of the network traffic, using proposed meta-histograms and trained machine learning algorithms, in the node where they were installed. The results of experiments using various machine learning algorithm are presented and discussed. The study showed that the Random Forest and MLP classifiers achieved the best detection results, yielding an area under the ROC curve (AUC) above 0.85 for the evaluation data. We showed a proof-of-concept for an attack detection method that combined the classification algorithm, the proposed anomaly metrics and the mobile agents. We claim that due to a unique feature of self-regulation, realized by destroying unnecessary agents, the proposed method can establish a new type of multi-agent intrusion detection system that can be applied to a wider group of IT systems

Analysis of Reversible Network Covert Channels

In the last years, the utilization of information hiding techniques for empowering modern strains of malware has become a serious concern for security experts. Such an approach allows attackers to act in a stealthy manner, for instance, to covertly exfiltrate confidential data or retrieve additional command & control payloads for the operation of malware. Therefore, the deep understanding of data hiding mechanisms is a core requirement, as it allows designing effective countermeasures. Unfortunately, the most recent evolution of information-hiding-capable threats enjoys reversible properties, i.e., the abused network flow is restored to its original form. Hence, detection approaches based on the comparison of different traffic samples may not work anymore. In this paper, we further investigate various methods for performing reversible data hiding for network covert channels. Specifically, we extend our previous research by considering different scenarios focusing on IPv4 traffic and HTTP conversations. The results confirm that reversibility can be used in various network conditions and is not impaired by middleboxes. In addition, engineering countermeasures or mitigation techniques could be difficult, thus requiring to consider reversible mechanisms already in the early design stages of a protocol/deployment

Internet of Things Applications - From Research and Innovation to Market Deployment

The book aims to provide a broad overview of various topics of Internet of Things from the research, innovation and development priorities to enabling technologies, nanoelectronics, cyber physical systems, architecture, interoperability and industrial applications. It is intended to be a standalone book in a series that covers the Internet of Things activities of the IERC – Internet of Things European Research Cluster from technology to international cooperation and the global "state of play".The book builds on the ideas put forward by the European research Cluster on the Internet of Things Strategic Research Agenda and presents global views and state of the art results on the challenges facing the research, development and deployment of IoT at the global level. Internet of Things is creating a revolutionary new paradigm, with opportunities in every industry from Health Care, Pharmaceuticals, Food and Beverage, Agriculture, Computer, Electronics Telecommunications, Automotive, Aeronautics, Transportation Energy and Retail to apply the massive potential of the IoT to achieving real-world solutions. The beneficiaries will include as well semiconductor companies, device and product companies, infrastructure software companies, application software companies, consulting companies, telecommunication and cloud service providers. IoT will create new revenues annually for these stakeholders, and potentially create substantial market share shakeups due to increased technology competition. The IoT will fuel technology innovation by creating the means for machines to communicate many different types of information with one another while contributing in the increased value of information created by the number of interconnections among things and the transformation of the processed information into knowledge shared into the Internet of Everything. The success of IoT depends strongly on enabling technology development, market acceptance and standardization, which provides interoperability, compatibility, reliability, and effective operations on a global scale. The connected devices are part of ecosystems connecting people, processes, data, and things which are communicating in the cloud using the increased storage and computing power and pushing for standardization of communication and metadata. In this context security, privacy, safety, trust have to be address by the product manufacturers through the life cycle of their products from design to the support processes. The IoT developments address the whole IoT spectrum - from devices at the edge to cloud and datacentres on the backend and everything in between, through ecosystems are created by industry, research and application stakeholders that enable real-world use cases to accelerate the Internet of Things and establish open interoperability standards and common architectures for IoT solutions. Enabling technologies such as nanoelectronics, sensors/actuators, cyber-physical systems, intelligent device management, smart gateways, telematics, smart network infrastructure, cloud computing and software technologies will create new products, new services, new interfaces by creating smart environments and smart spaces with applications ranging from Smart Cities, smart transport, buildings, energy, grid, to smart health and life. Technical topics discussed in the book include: • Introduction• Internet of Things Strategic Research and Innovation Agenda• Internet of Things in the industrial context: Time for deployment.• Integration of heterogeneous smart objects, applications and services• Evolution from device to semantic and business interoperability• Software define and virtualization of network resources• Innovation through interoperability and standardisation when everything is connected anytime at anyplace• Dynamic context-aware scalable and trust-based IoT Security, Privacy framework• Federated Cloud service management and the Internet of Things• Internet of Things Application

An approach towards anomaly based detection and profiling covert TCP/IP channels

Firewalls and detection systems have been used for preventing and detecting attacks by a wide variety of mechanisms. A problem has arisen where users and applications can circumvent security policies because of the particularities in the TCP/IP protocol, the ability to obfuscate the data payload, tunnel protocols, and covertly simulate a permitted communication. It has been shown that unusual traffic patterns may lead to discovery of covert channels that employ packet headers. In addition, covert channels can be detected by observing an anomaly in unused packet header fields. Presently, we are not aware of any schemes that address detecting anomalous traffic patterns that can potentially be created by a covert channel. In this work, we will explore the approach of combining anomaly based detection and covert channel profiling to be used for detecting a very precise subset of covert storage channels in network protocols. We shall also discuss why this method is more practical and industry-ready compared to the present research on how to profile and mitigate these types of attacks. Finally, we shall describe a specialized tool to passively monitor networks for these types of attacks and show how it can be used to build an efficient hybrid covert channel and anomaly based detection system

The design and implementation of a smart-parking system for Helsinki Area

The strain on the parking infrastructure for the general public has significantly grown as a result of the ever rising number of vehicles geared by the rapid population growth in urban areas. Consequently, finding a vacant parking space has become quite a challenging task, especially at peak hours. Drivers have to cycle back and forth a number of times before they finally find where to park. This leads to increased fuel consumption, air pollution, and increased likelihood of causing accidents, to mention but a few. Paying for the parking is not straight forward either, as the ticket machines, on top of being located at a distance, in many times, they have several payment methods drivers must prepare for. A system therefore, that would allow drivers to check for the vacant parking places before driving to a busy city, takes care of the parking fee for exact time they have used, manages electronic parking permit, is the right direction towards toppling these difficulties. The main objective of this project was to design and implement a system that would provide parking occupancy estimation, parking fee payment method, parking permit management and parking analytics for the city authorities. The project had three phases. The first and the second phases used qualitative approaches to validate our hypotheses about parking shortcoming in Helsinki area and the recruitment of participants to the pilot of the project, respectively. The third phase involved the design, implementation and installation of the system. The other objective was to study the challenges a smart parking system would face at different stages of its life cycle. The objectives of the project were achieved and the considered assumption about the challenges associated with parking in a busy city were validated. A smart parking system will allow drivers to check for available parking spaces beforehand, they are able to pay for the parking fee, they can get electronic parking permits, and the city authority can get parking analytics for the city plannin

Data Hiding and Its Applications

Data hiding techniques have been widely used to provide copyright protection, data integrity, covert communication, non-repudiation, and authentication, among other applications. In the context of the increased dissemination and distribution of multimedia content over the internet, data hiding methods, such as digital watermarking and steganography, are becoming increasingly relevant in providing multimedia security. The goal of this book is to focus on the improvement of data hiding algorithms and their different applications (both traditional and emerging), bringing together researchers and practitioners from different research fields, including data hiding, signal processing, cryptography, and information theory, among others