
Proceedings of the 16th International Conference on Availability, Reliability and Security: latest publications

5Greplay: a 5G Network Traffic Fuzzer - Application to Attack Injection
Zujany Salazar, H. Nguyen, Wissam Mallouli, A. Cavalli, Edgardo Montes de Oca
The fifth generation of mobile broadband is more than just an evolution to provide more mobile bandwidth, massive machine-type communications, and ultra-reliable and low-latency communications. It relies on a complex, dynamic and heterogeneous environment that implies addressing numerous testing and security challenges. In this paper we present 5Greplay, an open-source 5G network traffic fuzzer that enables the evaluation of 5G components by replaying and modifying 5G network traffic, creating and injecting network scenarios into a target that can be a 5G core service (e.g., AMF, SMF) or a RAN network (e.g., gNodeB). The tool provides the ability to alter network packets online or offline in both control and data planes in a very flexible manner. The experimental evaluation conducted against open-source 5G platforms showed that the target services accept traffic altered by the tool, and that it can reach up to 9.56 Gbps using only one processor core to replay 5G traffic.
DOI: https://doi.org/10.1145/3465481.3470079 | Published: 2021-08-16
Citations: 14
Hardware-In-The-Loop Labs for SCADA Cybersecurity Awareness and Training
Maxime Puys, Pierre-Henri Thevenon, Stéphane Mocanu
In this paper, we present a SCADA cybersecurity awareness and training program based on hands-on training using two twin cyber-ranges named WonderICS and G-ICS. These labs are built using a Hardware-In-the-Loop simulation system of the physical process developed by the two partners. The cyber-ranges allow replication of realistic Advanced Persistent Threat (APT) attacks and demonstration of known vulnerabilities, as they rely on real industrial control devices and software. In this work, we present both the demonstration scenarios used for awareness on WonderICS and the training programs developed for graduate students on G-ICS.
DOI: https://doi.org/10.1145/3465481.3469185 | Published: 2021-08-16
Citations: 1
Towards Improving Identity and Access Management with the IdMSecMan Process Framework
Daniela Pöhn, Sebastian Seeber, Tanja Hanauer, Jule Anna Ziegler, David Schmitz
In today’s networks, administrative access to Linux servers is commonly managed by Privileged Access Management (PAM). It is not only important to monitor these privileged accounts, but also to control segregation of duty and to detect keys as well as accounts that potentially bypass PAM. Unprohibited access can become a business risk. In order to improve security in a controlled manner, we establish IdMSecMan, a security management process tailored for identity and access management (IAM). Security management processes typically use the Deming Cycle or an adaptation of it for continuous improvement of products, services, or processes within the network infrastructure. We adjust a security management process with visualization for IAM, which also shifts the focus from typical assets to the attacker. With the controlled cycles, the maturity of IAM is measured and can continually advance. This paper presents and applies the work-in-progress IdMSecMan to a motivating scenario in the field of Linux servers. We evaluate our approach in a controlled test environment, with first steps towards rolling it out in our data center. Last but not least, we discuss challenges and future work.
DOI: https://doi.org/10.1145/3465481.3470055 | Published: 2021-08-16
Citations: 0
Secure Open Fronthaul Interface for 5G Networks
J. Cho, Andrew Sergeev
The open fronthaul interface is a standard protocol for the link between the radio units and the distributed unit in the RAN, enabling interoperability between different vendors. We study the security requirements of the open fronthaul interface for 5G networks. The O-RAN management plane (M-plane) mandates end-to-end security using SSHv2, whereas the O-RAN control and user plane (CU-plane) does not support any security measure yet. We investigate MACsec for CU-plane security, which is recommended as one of the security options in the eCPRI specification. Furthermore, we implemented quantum-safe crypto solutions using hybrid-mode key exchange and signature schemes, which can be applied to the post-quantum SSH and MACsec protocols.
DOI: https://doi.org/10.1145/3465481.3470080 | Published: 2021-08-16
Citations: 3
A Hybrid CNN-LSTM Based Approach for Anomaly Detection Systems in SDNs
Mahmoud Abdallah, Nhien-An Le-Khac, Hamed Z. Jahromi, A. Jurcut
Software-Defined Networking (SDN) is a promising technology for the future Internet. However, the SDN paradigm introduces new attack vectors that do not exist in conventional distributed networks. This paper develops a hybrid Intrusion Detection System (IDS) by combining a Convolutional Neural Network (CNN) and a Long Short-Term Memory Network (LSTM). The proposed model is capable of capturing the spatial and temporal features of the network traffic. Two regularization techniques, i.e., L2 Regularization () and the dropout method, are used to overcome the overfitting problem. The proposed method improves the intrusion detection performance on zero-day attacks. The InSDN dataset, the most recent dataset for SDN networks, is used to test and evaluate the performance of the proposed model. The results indicate that integrating the CNN with the LSTM improves the intrusion detection performance and achieves an accuracy of 96.32%. The estimated accuracy is higher than the accuracy of each individual model. In addition, it is established that the regularization techniques improve the performance of the CNN algorithms in detecting new intrusions when compared to the standard CNN. The findings of this study facilitate the development of robust IDS systems for SDN environments.
DOI: https://doi.org/10.1145/3465481.3469190 | Published: 2021-08-16
Citations: 28
DISSIMILAR: Towards fake news detection using information hiding, signal processing and machine learning
D. Megías, M. Kuribayashi, A. Rosales, W. Mazurczyk
Digital media have changed the classical model of mass media, which considers the transmitter of a message and a passive receiver, to a model where users of the digital media can appropriate the contents, recreate them, and circulate them. In this context, online social media are a suitable circuit for the distribution of fake news and the spread of disinformation. In particular, photo and video editing tools and recent advances in artificial intelligence allow non-professionals to easily counterfeit multimedia documents and create deep fakes. To avoid the spread of disinformation, some online social media deploy methods to filter fake content. Although this can be an effective method, its centralized approach gives enormous power to the managers of these services. Considering the above, this paper outlines the main principles and research approach of the ongoing DISSIMILAR project, which is focused on the detection of fake news on social media platforms using information hiding techniques, in particular digital watermarking, combined with machine learning approaches.
DOI: https://doi.org/10.1145/3465481.3470088 | Published: 2021-08-16
Citations: 2
Discovery of Single-Vendor Marketplace Operators in the Tor-Network
Fabian Brenner, Florian Platzer, M. Steinebach
In the Tor-network there are many single-vendor marketplace web sites with a wide range of offers. Some of these vendor websites could be hosted by the same operators. In this paper, a method is presented to find similarities between these vendor websites in order to discover possible operational structures between them. To accomplish this, similarity values are determined between the darknet websites by combining various features from the categories structure, content and metadata. A dataset is determined by a first execution of the method and manual validation. Based on this data set, important features are extracted using decision trees. The structure-category features HTML-Tag, HTML-Class and HTML-DOM-Tree, as well as the metadata features File Content and Links-To, have proven to be particularly important and can very effectively highlight similarities between darknet web sites. Supported by the similarity detection method, it was found that only 49% of 258 single-vendor marketplaces were unique, i.e. no similar sites existed. In addition, it was possible to find several duplicates of vendor websites, which made up 20%.
DOI: https://doi.org/10.1145/3465481.3470026 | Published: 2021-08-16
Citations: 3
bccstego: A Framework for Investigating Network Covert Channels
M. Repetto, L. Caviglione, M. Zuppelli
Modern malware increasingly exploits information hiding to remain undetected while attacking. To this aim, network covert channels, i.e., hidden communication paths established within legitimate flows, can be used to exfiltrate data or exchange commands without getting noticed by firewalls, antivirus, and intrusion detection systems. Since the secret data can be directly injected in various portions of the stream or encoded via suitable alterations of the traffic, spotting hidden communications is a challenging and poorly generalizable task. Moreover, the majority of works addressed IPv4, thus leaving the detection of covert channels targeting IPv6 almost unexplored. This paper presents bccstego, i.e., an inspection framework for computing statistical indicators to reveal covert channels targeting the IPv6 header. The proposed approach has been designed to be easily extended, for instance to search for channels not known a priori. Numerical results demonstrate the effectiveness of our first tool in the bccstego framework as well as its ability to handle high-throughput IPv6 flows without adding additional delays.
DOI: https://doi.org/10.1145/3465481.3470028 | Published: 2021-08-16
Citations: 9
Location Security under Reference Signals’ Spoofing Attacks: Threat Model and Bounds
Stefania Bartoletti, Giuseppe Bianchi, D. Orlando, Ivan Palamà, N. Blefari-Melazzi
Most localization systems rely on measurements gathered from signals emitted by stations whose position is assumed to be known as ground truth, namely anchors. As demonstrated by a significant body of experimental research, location security is threatened when an attacker becomes able either to tamper with the signals emitted by the stations, or to convince the user that the anchor station is in a different position than the true one. With this paper, we first propose a formal threat model which captures the above-mentioned wide class of attacks and permits quantitative evaluation of how tampering with one or more anchor locations undermines the user’s localization accuracy. We specifically derive a Cramér-Rao Bound for the localization error, and we assess a number of example scenarios. We believe that our study may provide a useful formal benchmark for the design and analysis of detection and mitigation solutions.
DOI: https://doi.org/10.1145/3465481.3470098 | Published: 2021-08-16
Citations: 2
Data Hiding Using Code Obfuscation
Paweł Rajba, W. Mazurczyk
The digital transformation of many companies and government administrations, now accelerated by the pandemic, provides cybercriminals with an increased opportunity to incorporate various types of information hiding techniques into malicious software and thereby perform different types of attacks. By leveraging data hiding methods, attackers can, e.g., exfiltrate confidential information, enable covert transfers between the compromised victim’s machine and an attacker-operated infrastructure, or stealthily transmit additional malicious tools. Furthermore, in the digital era, any type of digital channel can be exploited for data hiding, e.g., digital images, video or audio content, text, or network traffic. That is why it is of great importance to be acquainted with the different techniques that cybercriminals can utilize, in order to design and introduce effective countermeasures and to identify/eliminate these threats when they appear. Obfuscation is a popular technique in the software development domain which makes code illegible and which protects the implemented algorithms and business logic from unauthorized disclosure. In this paper, we investigate whether code obfuscation can be abused for information hiding purposes. The core idea of the proposed information hiding method is to replace some randomly generated strings that are part of the introduced dead code with the encoded secret message. The performed experimental evaluation and the obtained results confirm that such a process can easily be adopted for data hiding, thus countermeasures need to be adjusted accordingly.
DOI: https://doi.org/10.1145/3465481.3470086 (published 2021-08-16)
Citations: 2
Journal: Proceedings of the 16th International Conference on Availability, Reliability and Security