Network Based Intrusion Detection To Detect Steganographic Communication Channels - On The Example of Images
Abstract
Today we find a wide variety of Intrusion Detection
Systems (IDS). They can detect attacks against
network services or certain hosts. These attacks often
violate the integrity, availability and confidentiality of an
IT system or its data. One attack against data is the
loss of confidentiality. With the help of steganographic
tools one can hide data in a cover medium and transmit
it over the network. At present, no
Intrusion Detection System is available to detect this
security violation. In this paper we discuss the design
of an IDS that is able to detect steganographic
communication in image data. Future Intrusion
Response Systems (IRS) could be triggered by the IDS
to react in accordance with the policy.
Steganalysis
Today we find a wide variety of different techniques
to prove the usage of steganographic algorithms for
digital image data, see for example in [1] or [20]. In
our first investigations we limit our system to detect
2.2 Chi-Square-Test
The Chi-Square-Test (CST) [2] is based on the
comparison of distribution functions. The attack uses
statistical features of an image to detect hidden
messages, while most commonly used steganographic algorithms
do not pay attention to the statistical properties of the
cover image. The resulting changes can be detected, for
example, with Chi-Square-Tests. The result is the
likelihood that a message is embedded. For further
information we refer to [1], [4], [5] and [9].
Several implementations use the Chi-Square-Test.
A very well-known and powerful
tool is Stegdetect [10] from Niels Provos. Stegdetect
is an automated tool for detecting steganographic
content in images. It is capable of detecting several
different steganographic methods used to embed hidden
information in JPEG images. Currently, the detectable
schemes are jsteg, jphide, invisible secrets,
outguess 01.3b, F5, appendX, and camouflage.
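To make the Chi-Square-Test described above concrete, the following added example (not code from the paper or from Stegdetect) implements the pairs-of-values form of the test from Westfeld and Pfitzmann [2] and runs it on constructed data. It assumes a plain list of integer sample values as a stand-in for the JPEG coefficients a real detector would read; the function names and the `min_expected` cut-off are choices made for this example.

```python
import math
import random
from collections import Counter


def chi2_sf(x, dof):
    """Upper tail P(X >= x) of a chi-square distribution, integer dof >= 1."""
    if x <= 0:
        return 1.0
    half = x / 2.0
    if dof % 2 == 0:                      # closed form for even dof
        term = total = math.exp(-half)
        for i in range(1, dof // 2):
            term *= half / i
            total += term
    else:                                 # closed form for odd dof
        total = math.erfc(math.sqrt(half))
        term = math.sqrt(2.0 * x / math.pi) * math.exp(-half)
        for j in range((dof - 1) // 2):
            total += term
            term *= x / (2 * j + 3)
    return min(total, 1.0)


def embedding_probability(samples, min_expected=5):
    """Pairs-of-values test: near 1.0 when the LSBs look like a random message."""
    hist = Counter(samples)
    chi2, pairs = 0.0, 0
    for even in sorted({v & ~1 for v in hist}):
        # LSB replacement equalises the counts of each pair (2k, 2k+1).
        expected = (hist[even] + hist[even | 1]) / 2.0
        if expected < min_expected:       # sparse pair: too noisy to count
            continue
        chi2 += (hist[even] - expected) ** 2 / expected
        pairs += 1
    return chi2_sf(chi2, pairs - 1) if pairs > 1 else 0.0


def lsb_replace(samples, rng):
    """Constructed test input: overwrite every LSB with a random bit."""
    return [(v & ~1) | rng.getrandbits(1) for v in samples]


def demo():
    rng = random.Random(2004)             # fixed seed, constructed data
    cover = [int(rng.expovariate(0.15)) for _ in range(50000)]
    return embedding_probability(cover), embedding_probability(lsb_replace(cover, rng))


if __name__ == "__main__":
    print("cover p=%.4f  stego p=%.4f" % demo())
```

The skewed cover histogram gives a probability near zero, while the same data with fully replaced least significant bits scores high, which is the "likelihood that a message is embedded" the section refers to.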
4. Experimental Results
To test the success and limits, we test this system
in several environments. The success of the system
can be divided into three parts. First part: the system
is successful if every image that has been transmitted
from or to the network could be captured and
analysed by the system. Second part: the system is
successful if the analysis routine classified every
collected image correctly. This means there
are no false positives and no false negatives. This is a
very theoretical assumption, so if we have a
minimum of false positives and false negatives the
system works successfully. The third part tries to
determine an embedding capacity limit to perform
reliable detection. For our simulations, we create a
typical web scenario (cf. figure 1) with one client,
one IDS and one webserver. For more transparency
we first explain the hardware and software
components used as well as the test set. The Intrusion
Detection System is a Pentium 4 1.8 GHz with 512
MB RAM and one 3Com 905 network interface
installed. The IDS operating system is Linux, kernel
2.4.19 and glibc 2.3. As database management system
(DBMS) we use MySQL-DBMS in version 4.0.15.
The client (A) is a Pentium III 800 MHz notebook
with 256 MB RAM. The operating system is
Windows 2000 including SP3. The webserver (B) is an
IRIX 6.4 on an IP27 architecture with Apache 1.3.27.
In the following figure 2 you see the structure of the
test scenario schematically.
5. Conclusion
This document described very briefly a network
based Intrusion Detection System to detect
steganographic content in images. It is one of the first
IDS to detect hidden communication channels in
digital images. The extension of Intrusion Detection
Systems to steganalysis techniques will close an
existing gap. In our test environment we evaluate the
general functionality. The main problems are related
to packet processing/packet loss. In this first
approach we only monitor TCP connections (HTTP
and FTP). In these connections we look for JPEG
pictures; with the CST we can analyse these images
for the use of steganographic tools. Furthermore,
there are further programs that can embed in GIFs
(EzStego) [8] or bitmaps. Our approach is scalable
and can be extended to steganalysis algorithms that are
able to detect messages in other image formats or even
other media types like audio. For example MP3 data
(MP3Stego) [18] and WAV data (Stegowav) [19] are
used for covert communication, and steganalysis
tools are under way to detect the hidden channels
here too, see [20]. An extension to further schemes
can be easily set up. In future we plan to monitor
connections in which sound files like WAVs or MP3s
will be transmitted.
Open questions are for example: How to handle the
5. Acknowledgements
The information in this document is provided as is,
and no guarantee or warranty is given or implied that
the information is fit for any particular purpose. The
user thereof uses the information at its sole risk and
liability. The work described in this paper has been
supported in part by the European Commission
through the IST Programme under Contract IST-2002-507932 ECRYPT.
6. References
[1] Stefan Katzenbeisser and Fabien A. P. Petitcolas,
Information Hiding Techniques for Steganography and Digital
Watermarking, Artech House 2002.
[2] Andreas Westfeld and A. Pfitzmann, Attacks on
Steganographic Systems, 3rd International Workshop,
Lecture Notes in Computer Science, Springer Verlag Berlin
2000.
[3] Neil F. Johnson and Sushil Jajodia, Steganalysis of
Images Created Using Current Steganography Software,
Lecture Notes in Computer Science 1998.
[4] Andreas Westfeld, Steganography Software F5,
http://wwwrn.inf.tu-dresden.de/~westfeld/f5.html 2003.
[5] Jessica Fridrich and Miroslav Goljan and Dorin Hogea,
Steganalysis of JPEG Images: Breaking the F5 Algorithm,
5th Information Hiding Workshop 2002.
[6] Andreas Westfeld, F5 - Ein steganographischer
Algorithmus: Hohe Kapazität trotz verbesserter Angriffe,
http://www.inf.tu-dresden.de/~aw4/publikationen.html
2001.
[7] Neil F. Johnson and Sushil Jajodia, Steganalysis of
Images Created Using Current Steganography Software,
Lecture Notes in Computer Science 1998.
[8] Romana Machado, Hide and recover encrypted data in
your GIF files with Steg, http://http://www.stego.com,
2003.
[9] Derek Upham, Jsteg,
http://islab.oregonstate.edu/documents/ftpsites/berkeley/jsteg, 2003.
[10] Niels Provos, Steganography Detection with Stegdetect,
http://www.outguess.org/detection.php, 2004.
[11] Ralf Spenneberg, Intrusion Detection für Linux-Server,
Markt+Technik Verlag 2003.
[12] Derek Atkins and Paul Buis and Chris Hare and Robert
Kelly, Internet Security Professional Reference, New
Riders Publishing 1997.
[13] Intrusion Detection Subgroup, Report on the NS/EP
Implications of Intrusion Detection Technology Research
Development 1997.
[14] Josef Helden and Stefan Karsch, Grundlagen
Forderungen und Marktübersicht für Intrusion Detection
Systeme (IDS) und Intrusion Response Systeme (IRS)
1998.
[15] Brian Caswell and Marty Roesch, The Open Source
Network Intrusion Detection System, http://www.snort.org
2004.
[16] Internet Security Systems Inc. http://www.iss.net 2003.
[17] Cisco Systems, Network Security An Executive
Overview,
http://www.cisco.com/warp/public/cc/so/neso/sqso/netsp_pl.pdf 2003.
[18] Petitcolas, Fabien, MP3Stego,
http://www.petitcolas.net/fabien/steganography/mp3steg
2004.
[19] StegoWav,
http://www.jjtc.com/stegoarchive/stego/softwaredos.html 2004.
[20] J. Fridrich, Feature-Based Steganalysis for JPEG
Images and its Implications for Future Design of
Steganographic Schemes, to appear in The 6th Information
Hiding Workshop, Toronto, CA, May 2335.
[21] DACH Security, Bestandsaufnahme, Konzepte,
Anwendungen, Perspektiven, 2004.
[22] Jana Dittmann; Stephan Klink; Andreas Lang; Martin
Steinebach: Wasserzeichenunterstützende Firewalls:
Enterprise Security: Grundlagen,
Strategien, Anwendungen, Realisierungen; Patrick Horster
(Eds.) it Verlag für Informationstechnik GmbH,
Höhenkirchen, pp. 246–257, 2002