Title: Covert Communication Detection (CoCoDe).
Author: Cabaj, K.
Abstract: This project studied covert communication channels and especially focused on means for detecting distributed covert networks. Covert communication channels (also known as network steganography) allow a hidden sender and a hidden receiver to exchange secret data. These covert communication channels can be used to conduct command and control of malicious servers, exfiltrate confidential data, or download further malicious code without the user being made aware. Thus, the topic of covert channel detection is a very important one to any large organization with sensitive data and particularly to the Department of Defense (i.e., Intellectual Property, Patents, For Official Use Only Data, and military Personally Identifiable Information).

Hundreds of techniques can be used to create covert channels; some of the most common are to place data into unused fields of network protocol headers, change the size of network packets, manipulate inter-packet timing/order, or alter header elements (e.g., HTTP plaintext header lines). As adversaries grow in capability, more and more complex forms of covert channels will appear, becoming increasingly difficult to detect and increasing in bandwidth. This includes, for example, steganographic botnets where all communication between bots is realized using some form of data hiding. The most concerning type of information hiding for botnets involves the study of Distributed Network Covert Channels (DNCCs).

Over the course of 3.5 years, the 5-member research team (the PI, Co-PI, a PhD student, and two Masters students) utilized theoretical and experimental approaches to conduct covert channel research focusing on DNCCs. Their effort can be described in three phases:

1. In the first phase of the project, the team focused on theoretical studies concerning the creation of stealth channels using information hiding patterns and on methods for detection. The team worked on identifying the components of the TCP/IP protocols that are most susceptible to data hiding, analyzing the key aspects of the hiding patterns, and understanding the current state of the domain taxonomy. The team's main contribution during this phase was extending the information hiding patterns concept, including modification of the pattern analysis process and extending the current taxonomy with new patterns.

2. In the second phase, the team focused on experimental studies to analyze the theory of DNCCs by developing a classification scheme, prioritizing performance, and characterizing performance features. The research team developed and implemented several different types of DNCCs to investigate these various DNCC properties, for example by changing the number of utilized flows, transmitters, and receivers, the number of simultaneously utilized steganographic methods, and the networking environment, from typical IP-based networks to IoT-based ones.

3. In the last phase, the researchers focused on studying the detectability of various DNCCs. The team proposed, used, and analyzed several approaches to study how efficiently DNCCs can be detected when facing a determined adversary using advanced covert communication means. The team explored various detection analysis techniques including data mining, itemset trees, and machine learning techniques. The results show that the best detection accuracy is achieved when multiple approaches are combined. Lastly, the team generated and posted a unique steganography dataset which is freely available.

Overall, the research team produced four conference papers and two journal articles. The conference papers were published in the annual Availability, Reliability and Security (ARES) conference during the years 2018, 2019, 2020, and 2021, which is sponsored by the Association for Computing Machinery (ACM). The ARES conference, and ACM in particular, has a high academic pedigree. The two journal papers were both published in reasonable journals in 2020 and 2021.
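As an added illustration of the detection ideas the abstract touches on (a storage channel in an unused header field, a timing channel in inter-packet gaps, and combining indicators), here is a small detector written for this page; it is not code from the CoCoDe project. The traffic, the reserved-flag and timing checks, and the thresholds are all constructed assumptions.

```python
import random
from collections import Counter

# Constructed sample traffic (not from the report). Each packet is
# (arrival_time_s, ipv4_reserved_flag). The IPv4 reserved flag must be zero
# in legitimate traffic, so a set bit is a classic storage-channel indicator.
rng = random.Random(7)
NORMAL_FLOW, t = [], 0.0
for _ in range(200):
    t += rng.uniform(0.005, 0.080)          # jittery, continuous gaps
    NORMAL_FLOW.append((t, 0))

# Constructed on/off timing channel: a 1 bit is sent as a ~50 ms gap and a
# 0 bit as a ~10 ms gap (with 1 ms jitter); every 20th packet also abuses
# the reserved flag, so this flow carries both kinds of channel at once.
SECRET_BITS = [int(c) for c in format(0xC0DE, "016b") * 12]
COVERT_FLOW, t = [], 0.0
for i, bit in enumerate(SECRET_BITS):
    t += (0.050 if bit else 0.010) + rng.uniform(-0.001, 0.001)
    COVERT_FLOW.append((t, 1 if i % 20 == 0 else 0))


def reserved_flag_ratio(flow):
    """Storage-channel check: fraction of packets with the reserved flag set."""
    return sum(flag for _, flag in flow) / len(flow)


def timing_concentration(flow, bin_ms=5):
    """Timing-channel check: share of inter-arrival gaps that land in the two
    most common 5 ms bins. Real traffic spreads its gaps over many bins; a
    two-symbol timing channel packs almost all of them into two."""
    gaps = [round((b - a) * 1000 / bin_ms) for (a, _), (b, _) in zip(flow, flow[1:])]
    top_two = Counter(gaps).most_common(2)
    return sum(n for _, n in top_two) / len(gaps)


def classify(flow, flag_thresh=0.0, timing_thresh=0.8):
    """Combine the indicators: the flow is suspicious if either check trips.
    Thresholds are illustrative assumptions, not values from the report."""
    flag_ratio = reserved_flag_ratio(flow)
    timing = timing_concentration(flow)
    return {
        "reserved_flag_ratio": flag_ratio,
        "timing_concentration": timing,
        "suspicious": flag_ratio > flag_thresh or timing > timing_thresh,
    }


if __name__ == "__main__":
    print("normal:", classify(NORMAL_FLOW))
    print("covert:", classify(COVERT_FLOW))
```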
Pages: 77