
Network Based Intrusion Detection to Detect Steganographic Communication Channels - On the Example of Images

Danny Hesse, Jana Dittmann, Andreas Lang

Otto-von-Guericke University of Magdeburg, Germany, AMSL Advanced Multimedia and Security Lab

{danny.hesse, andreas.lang, jana.dittmann}@iti.cs.uni-magdeburg.de

Abstract

Today we find a wide variety of Intrusion Detection Systems (IDS). They can detect attacks against network services or certain hosts. These attacks often violate the integrity, availability and confidentiality of an IT system or its data. One attack against data is the loss of confidentiality. With the help of steganographic tools one can hide data in a cover medium and transmit it over the network. Currently no Intrusion Detection System is available to detect this security violation. In this paper we discuss the design of an IDS that is able to detect steganographic communication in image data. Future Intrusion Response Systems (IRS) could be triggered by the IDS to react in accordance with the policy.

1. Motivation and Introduction

Besides the advantage of worldwide network connections for enabling services and communication between people, the design of the communication protocols has some disadvantages regarding security. To prevent attacks, Intrusion Prevention Systems (IPS) have therefore become very popular recently, see [21], and Intrusion Detection Systems [11] seem less effective at providing security because they are reactive. On the one hand, IPS offer better ways to secure a computer system in an active manner. On the other hand, an IPS does not allow potential security leaks to be analysed effectively. For example, steganographic communication could be used to violate a security policy. An IPS would need to analyse the communication online to perform active steganalysis. As described in [22], an online analysis is time consuming and needs the complete transmitted data to decide whether a covert channel has been initiated. Thus, for detecting image or audio steganography, an IPS would need to interrupt the online communication to perform steganalysis and to decide whether to allow or disallow the communication. In most cases this approach would lead to quality-of-service problems or would need expensive scalable hardware support. Therefore in our paper we show how to use steganalysis within an IDS to detect steganographic communication with offline analysis. We discuss how to use traditional techniques from intrusion detection (looking for attacks against the network protocols, (network) applications or operating systems) in combination with steganalysis techniques in general. Besides the conceptual work we introduce a Network based Intrusion Detection System (NIDS) that is able to capture the network traffic on the wire and look for potential cover media. As a modularised approach, different steganalysis tools can be integrated. In our example implementation we use the well-known Chi-Square-Test [2] to distinguish between "clean" and "unclean" data. In section 2 we briefly introduce steganographic tools and steganalysis approaches. In section 3 we discuss our design concept for combining IDS and steganalysis. Experimental results are presented in section 4 and section 5 summarizes our work.

2. Brief Overview: Steganography and Steganalysis

Today we find a wide variety of different techniques to prove the usage of steganographic algorithms for digital image data, see for example [1] or [20]. In our first investigations we limit our system to detecting steganographic content in images. In the next two sections we briefly describe two steganalysis approaches to motivate the general idea.

Proceedings of the 30th EUROMICRO Conference (EUROMICRO'04) 1089-6503/04 $ 20.00 IEEE

2.1 Visual Attacks

Generally, a visual attack [2] tries to visualize the changes made by a steganographic application. The result of a visual attack is a more or less noisy picture. The decision whether the image has an embedded message or not depends on the subjective impression of the observer and is therefore difficult to implement for an automatic detection. Furthermore, modern steganography tools such as Jsteg [9] and F5 [4] are robust against visual attacks, and thus visual attacks are not considered in our system design.

2.2 Chi-Square-Test

The Chi-Square-Test (CST) [2] is based on the comparison of distribution functions. The attack uses statistical features of an image to detect hidden messages, while most commonly used steganographic algorithms do not pay attention to the statistical properties of the cover image. The changes can be detected/proved, for example, with Chi-Square-Tests. The result is the likelihood that a message is embedded. For further information we refer to [1], [4], [5] and [9]. There are several implementations that use the Chi-Square-Test. A very famous and powerful tool is Stegdetect [10] from Niels Provos. Stegdetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods that embed hidden information in JPEG images. Currently, the detectable schemes are jsteg, jphide, invisible secrets, outguess 01.3b, F5, appendX and camouflage.

3. Design of the Intrusion Detection System

In this section we describe our design of the Intrusion Detection System that detects the existence of a steganographic message in image data.

3.1 Problem Analysis and Challenges

There are many Intrusion Detection Systems available, for example the widely used open source software Snort [15] or the commercial products ISS RealSecure [16] and Cisco NetRanger [17]. There are also steganalysis tools like Stegdetect, as introduced in Section 2. The currently available Intrusion Detection Systems have no methods to detect covert channels in digital images, and the steganalysis tools have no functions to monitor network connections. That is why we combine techniques from Intrusion Detection and Steganalysis into a new Intrusion Detection System.

3.2 Design Concept

Generally, there are two different ways to implement Intrusion Detection Systems [11], [14]. On the one side there are host-based systems (HIDS); on the other side there are network based systems. Host based systems monitor one IT system; alternatively, they support attack detection on the application or operating system level. Network based systems support attack detection on the network level [12], [14]. In contrast to a NIDS, a HIDS is able to detect attacks in the encrypted host-specific network traffic. But the main disadvantage of a host-based system is that it can only detect intrusions against the one system which is observed by the host. Network based systems are able to monitor more than one system by using one or several sensors. In our application area, steganography detection, the goal is to capture the whole traffic in a network, and therefore network-based monitoring is favoured in this implementation.

Generally, a NIDS consists of five subsystems [14]: a component for data collection, a component for data analysis, a storage component, an IDS management component and a result visualisation. In the following we explain the modules of the IDS and their tasks.

The Packet Capture Engine (PCE) captures the traffic from the wire. In promiscuous mode, the network interface can collect the traffic independent of its address. For technical background and conditions for network based data collection, please refer to [12]. In our implementation we use this module to process all packets on the wire. At the moment the system supports the TCP protocol. Furthermore, it can track more than one TCP connection by using threads. If a TCP connection is finished (by TCP FIN or time-out), the collected data will be analysed in the analysis module.

In the analysis module we use the Chi-Square-Test introduced in Section 2. So we can detect the usage of many steganographic tools like Jsteg, Jphide or EzStego. Due to the openness of the design we are able to extend our system easily in future, for example to F5 [4], [5].

The result of the analysis module will be stored in the database. The parameters of the communication are also stored in the database. A short description of the values that are stored in the database is given below. Please look at figure 2 for a visual representation; it shows the basic architecture of the database.

All parameters for each module are configurable in the module itself. At the moment there is no central management module. In future we plan to implement a central management, so that the parameters for data collection, analysis and storage can be manipulated in one extra module.

There is an HTML interface that is used for result presentation or visualisation. With this interface one can directly see the values that are stored in the database, and so one can directly see whether a hidden or steganographic communication took place or not.


The first value is the Unix_Timestamp; with this value one can specify the time of the (hidden) communication. The Source_IP, Destination_IP, Source_Port and Destination_Port are used to determine the kind of communication. With the Mime_Typ one can distinguish between the different types, e.g. JPEG, BMP, GIF. The analysis field contains the result of the Chi-Square-Test; possible values are "no stego message detected" or "!!stego message detected!!". In this way one has all parameters that are necessary to specify the communication between two IT systems.
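A minimal version of the capture, reassembly and storage path of section 3.2 together with the database fields listed above, as an added example and not the paper's code: one TCP direction is tracked per flow, finished on FIN or idle time-out, reassembled by sequence number, checked for an image response, and turned into a record with the field names above. The `analyse` callable stands in for the Chi-Square-Test module, the flow-key tuple and the HTTP parsing are assumptions, and the verdicts "incomplete (packet loss)" and "not analysed" are added here for the two failure cases the paper describes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int]   # source IP, source port, destination IP, destination port
HAS_STEGO, NO_STEGO = "!!stego message detected!!", "no stego message detected"

@dataclass
class Flow:
    parts: Dict[int, bytes] = field(default_factory=dict)   # TCP seq -> payload; tolerates reordering
    last_seen: float = 0.0


def split_http_response(data: bytes) -> Tuple[str, bytes]:
    """Returns (Content-Type, body) for an HTTP response, or ("", data) if it is not one."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return "", data
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            return value.decode("ascii", "replace").split(";")[0].strip().lower(), body
    return "", body


class ConnectionTracker:
    """Stand-in for the packet capture engine: tracks one TCP direction per flow key
    and, on FIN or idle time-out, reassembles it, checks for an image and builds the
    record the database stores. `analyse` stands in for the Chi-Square-Test module."""

    def __init__(self, analyse: Callable[[bytes], bool], timeout: float = 30.0):
        self.flows: Dict[FlowKey, Flow] = {}
        self.analyse, self.timeout = analyse, timeout

    def feed(self, key: FlowKey, seq: int, payload: bytes, fin: bool, ts: float) -> Optional[dict]:
        flow = self.flows.setdefault(key, Flow())
        if payload:
            flow.parts.setdefault(seq, payload)          # retransmissions are ignored
        flow.last_seen = ts
        return self._finish(key, ts) if fin else None

    def expire(self, now: float) -> List[dict]:
        """Connections idle longer than `timeout` are finished as they are."""
        stale = [k for k, f in self.flows.items() if now - f.last_seen > self.timeout]
        return [r for k in stale for r in [self._finish(k, now)] if r is not None]

    def _finish(self, key: FlowKey, ts: float) -> Optional[dict]:
        flow = self.flows.pop(key)
        seqs = sorted(flow.parts)
        data = b"".join(flow.parts[s] for s in seqs)
        # A hole in the sequence numbers is packet loss: the image would be damaged.
        complete = all(a + len(flow.parts[a]) == b for a, b in zip(seqs, seqs[1:]))
        mime, body = split_http_response(data)
        if not mime.startswith("image/"):
            return None                                  # not a potential cover medium
        if not complete:
            verdict = "incomplete (packet loss)"
        elif body[:3] == b"\xff\xd8\xff":               # JPEG SOI marker: run the test
            verdict = HAS_STEGO if self.analyse(body) else NO_STEGO
        else:
            verdict = "not analysed"                     # GIF/BMP: no analyser integrated yet
        return {"Unix_Timestamp": int(ts), "Source_IP": key[0], "Source_Port": key[1],
                "Destination_IP": key[2], "Destination_Port": key[3], "Mime_Typ": mime, "analysis": verdict}
```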

4. Experimental Results

For testing the success and limits, we test this system in several environments. The success of the system can be divided into three parts. First part: the system is successful if every image that has been transmitted from or to the network could be captured and analysed by the system. Second part: the system is successful if the analysis routine classified every collected image correctly. This means there are no false positives and no false negatives. This is a very theoretical assumption, so if we have a minimum of false positives and false negatives, the system works successfully. The third part tries to determine an embedding capacity limit for reliable detection. For our simulations we create a typical web scenario (cf. figure 1) with one client, one IDS and one webserver. For more transparency we first explain the hardware and software components used as well as the test set. The Intrusion Detection System is a Pentium 4, 1.8 GHz, with 512 MB RAM and one 3Com 905 network interface installed. The IDS operating system is Linux, kernel 2.4.19 and glibc 2.3. As database management system (DBMS) we use MySQL in version 4.0.15. The client (A) is a Pentium III 800 MHz notebook with 256 MB RAM; the operating system is Windows 2000 including SP3. The webserver (B) runs IRIX 6.4 on an IP27 architecture with Apache 1.3.27. In the following figure 2 you see the structure of the test scenario schematically.

Figure 1 Schematic structure of the test scenario.

The client (A) visits a website on (B). The test website consists of text and about 100 images. These images are JPEGs with sizes varying from 20 KB to 500 KB. In a predefined selection of about 20 images we have embedded a message using Jsteg with a message length varying from 10 to 100% of the maximum embedding capacity. The task of the IDS is to detect the transfer of potential cover media (like JPEGs). The next step is to analyse the collected data with the Chi-Square-Test from [2]. In our scenario the IDS was able to detect every image, so the system was overall successful in our test environment for the first two test goals. With regard to our third test goal, the biggest problem, due to the speed of computation and in computing the CST, is that we could not detect small messages. In this case small means messages that are less than 0.5 percent of the maximum embedding capacity. These are the false negative results; in this case the system fails. In figure 2 you see the result of the test, an excerpt of the analysed database. In high-performance networks (>= 100 Mbit), i.e. networks with high packet density and bandwidth, there is a packet loss problem. In these networks the IDS cannot process all the packets on the wire; the result is damaged and non-coherent image data. To minimize these problems one can establish a traffic filter that reduces the traffic to the relevant data. We only analyse TCP connections, so there is no need to look at UDP or ICMP traffic. The other problem during packet processing is the performance of the steganalysis algorithm (Chi-Square-Test). For a small set of images the test is rather fast, but websites usually consist of huge numbers of images, which would have to be analysed simultaneously. Therefore the Chi-Square-Test is performed after storing the data in the database.
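The Chi-Square-Test of section 2.2 and the small-message limit reported above, as an added example that is not the paper's implementation: the statistic is computed over the pairs of values (2k, 2k+1) of a constructed 8-bit sample stream (pixel values or JPEG coefficients), and the upper-tail probability is taken from the Wilson-Hilferty normal approximation instead of the exact chi-square distribution, an assumption that is adequate for the degrees of freedom used here. The cover data, the sequential LSB embedding and the message bits are all constructed with seeded RNGs; the prefix scan goes beyond the paper by showing why a whole-image test misses a partially embedded stream while a 0.5 % message is missed either way.

```python
import math
import random
from typing import List, Sequence, Tuple


def chi_square_p(samples: Sequence[int]) -> float:
    """Westfeld/Pfitzmann chi-square attack on pairs of values (2k, 2k+1).
    Returns p, the probability that the pair members are as equally frequent
    as LSB replacement leaves them: p near 1 means "stego message detected"."""
    hist = [0] * 256
    for s in samples:
        hist[s & 0xFF] += 1
    chi, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0     # frequency an embedded image would show
        if expected > 0:                  # empty pairs carry no information
            chi += (even - expected) ** 2 / expected
            dof += 1
    dof -= 1
    if dof < 1:
        return 0.0
    # Upper-tail probability of a chi-square variable with dof degrees of freedom,
    # via the Wilson-Hilferty normal approximation (assumption: adequate for dof >= 30).
    z = ((chi / dof) ** (1 / 3) - (1 - 2 / (9 * dof))) / math.sqrt(2 / (9 * dof))
    return 0.5 * math.erfc(z / math.sqrt(2))


def make_cover(n: int, seed: int = 1) -> List[int]:
    """Constructed cover: within each pair the even value is drawn 70 % of the time,
    the kind of skew natural cover data shows and LSB replacement flattens."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + int(rng.random() < 0.3) for _ in range(n)]


def embed_lsb(cover: Sequence[int], fraction: float, seed: int = 2) -> List[int]:
    """Sequential LSB replacement (Jsteg/EzStego style) over the first `fraction`
    of the samples; message bits are modelled as uniformly random (encrypted payload)."""
    rng = random.Random(seed)
    stego = list(cover)
    for i in range(int(len(cover) * fraction)):
        stego[i] = (stego[i] & ~1) | rng.getrandbits(1)
    return stego


def scan_prefixes(samples: Sequence[int], steps: int = 4) -> List[Tuple[float, float]]:
    """p over growing prefixes of the stream, the way the attack is run against
    sequential embedding: a short message shows only in the early windows."""
    n = len(samples)
    return [(w / steps, chi_square_p(samples[: n * w // steps])) for w in range(1, steps + 1)]


if __name__ == "__main__":
    cover = make_cover(20000)
    print("cover           p = %.3g" % chi_square_p(cover))
    print("100 %% embedded  p = %.3g" % chi_square_p(embed_lsb(cover, 1.0)))
    for frac, p in scan_prefixes(embed_lsb(cover, 0.5)):
        print("  50 %% embedded, prefix %.2f: p = %.3g" % (frac, p))
    print("0.5 %% embedded  p = %.3g" % chi_square_p(embed_lsb(cover, 0.005)))
```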

5. Conclusion

This document described very briefly a network based Intrusion Detection System to detect steganographic content in images. It is one of the first IDS to detect hidden communication channels in digital images. The extension of Intrusion Detection Systems with steganalysis techniques will close an existing gap. In our test environment we evaluated the general functionality. The main problems are related to packet processing/packet loss. In this first approach we only monitor TCP connections (HTTP and FTP). In these connections we look for JPEG pictures; with the CST we can analyse these images for the use of steganographic tools. Furthermore, there are further programs that can embed in GIFs (EzStego) [8] or bitmaps. Our approach is scalable and can be extended with steganalysis algorithms that are able to detect messages in other image formats or even other media types like audio. For example MP3 data (MP3Stego) [18] and WAV data (Stegowav) [19] are used for covert communication, and steganalysis tools are under way to detect the hidden channels here too, see [20]. An extension to further schemes can easily be set up. In future we plan to monitor connections in which sound files like WAVs or MP3s will be transmitted. Open questions are for example: How to handle the positively classified media data, how to log or store the data, what are the impact and consequences of a positive detection, and how to handle false positives? What are useful reactions to positive detections? Is it possible to formulate a set of rules with security policy languages? Is it possible to integrate the approach into an IPS?

5. Acknowledgements

The information in this document is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. The work described in this paper has been supported in part by the European Commission through the IST Programme under Contract IST-2002-507932 ECRYPT.

6. References

[1] Stefan Katzenbeisser and Fabien A. P. Petitcolas, Information Hiding Techniques for Steganography and Digital Watermarking, Artech House, 2002.
[2] Andreas Westfeld and A. Pfitzmann, Attacks on Steganographic Systems, 3rd International Workshop, Lecture Notes in Computer Science, Springer Verlag, Berlin, 2000.
[3] Neil F. Johnson and Sushil Jajodia, Steganalysis of Images Created Using Current Steganography Software, Lecture Notes in Computer Science, 1998.
[4] Andreas Westfeld, Steganography Software F5, http://wwwrn.inf.tu-dresden.de/~westfeld/f5.html, 2003.
[5] Jessica Fridrich, Miroslav Goljan and Dorin Hogea, Steganalysis of JPEG Images: Breaking the F5 Algorithm, 5th Information Hiding Workshop, 2002.
[6] Andreas Westfeld, F5 - Ein steganographischer Algorithmus: Hohe Kapazität trotz verbesserter Angriffe, http://www.inf.tu-dresden.de/~aw4/publikationen.html, 2001.
[7] Neil F. Johnson and Sushil Jajodia, Steganalysis of Images Created Using Current Steganography Software, Lecture Notes in Computer Science, 1998.
[8] Romana Machado, Hide and recover encrypted data in your GIF files with Steg, http://www.stego.com, 2003.
[9] Derek Upham, Jsteg, http://islab.oregonstate.edu/documents/ftpsites/berkeley/jsteg, 2003.
[10] Niels Provos, Steganography Detection with Stegdetect, http://www.outguess.org/detection.php, 2004.
[11] Ralf Spenneberg, Intrusion Detection für Linux-Server, Markt+Technik Verlag, 2003.
[12] Derek Atkins, Paul Buis, Chris Hare and Robert Kelly, Internet Security Professional Reference, New Riders Publishing, 1997.
[13] Intrusion Detection Subgroup, Report on the NS/EP Implications of Intrusion Detection Technology Research and Development, 1997.
[14] Josef Helden and Stefan Karsch, Grundlagen, Forderungen und Marktübersicht für Intrusion Detection Systeme (IDS) und Intrusion Response Systeme (IRS), 1998.
[15] Brian Caswell and Marty Roesch, The Open Source Network Intrusion Detection System, http://www.snort.org, 2004.
[16] Internet Security Systems Inc., http://www.iss.net, 2003.
[17] Cisco Systems, Network Security: An Executive Overview, http://www.cisco.com/warp/public/cc/so/neso/sqso/netsp_pl.pdf, 2003.
[18] Fabien Petitcolas, MP3Stego, http://www.petitcolas.net/fabien/steganography/mp3steg, 2004.
[19] StegoWav, http://www.jjtc.com/stegoarchive/stego/softwaredos.html, 2004.
[20] J. Fridrich, Feature-Based Steganalysis for JPEG Images and its Implications for Future Design of Steganographic Schemes, to appear in The 6th Information Hiding Workshop, Toronto, CA, May 23-25.
[21] DACH Security, Bestandsaufnahme, Konzepte, Anwendungen, Perspektiven, 2004.
[22] Jana Dittmann, Stephan Klink, Andreas Lang, Martin Steinebach: Wasserzeichenunterstützende Firewalls, in: Enterprise Security: Grundlagen, Strategien, Anwendungen, Realisierungen, Patrick Horster (Ed.), it Verlag für Informationstechnik GmbH, Höhenkirchen, pp. 246-257, 2002.

Figure 2 Visual representation of the database.
