315 research outputs found

    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices. Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

    Steganalysis Embedding Percentage Determination with Learning Vector Quantization

    Steganography (stego) is used primarily when the very existence of a communication signal is to be kept covert. Detecting the presence of stego is a very difficult problem which is made even more difficult when the embedding technique is not known. This article presents an investigation of the process and necessary considerations inherent in the development of a new method applied for the detection of hidden data within digital images. We demonstrate the effectiveness of learning vector quantization (LVQ) as a clustering technique which assists in discerning clean or non-stego images from anomalous or stego images. This comparison is conducted using 7 features over a small set of 200 observations with varying levels of embedded information from 1% to 10% in increments of 1%. The results demonstrate that LVQ not only more accurately identifies when an image contains LSB hidden information when compared to k-means or using just the raw feature sets, but also provides a simple method for determining the percentage of embedding given low information embedding percentages. Abstract ©2006 IEEE