CUING
8th International Workshop on Cyber Use of Information Hiding
-
Jul 31, 2024
-
SR08
-
08:45 — 14:45
Workshop Chairs
- → Wojciech Mazurczyk
- → Philipp Amann
- → Luca Caviglione
- → Angelo Consoli
- → Peter Kieseberg
- → Joerg Keller
Accepted Paper
A Case Study on the Detection of Hash-Chain-based Covert Channels Using Heuristics and Machine Learning
Jeff Schymiczek
(University of Helsinki, Finland), Tobias Schmidbauer
(Nuremberg Institute of Technology, Germany), Steffen Wendzel
(Worms University of Applied Sciences, Germany)
Full Paper
Reversible network covert channels are a security threat that allows its users to restore the carrier object before sending it to the overt receiver, drawing detection challenging. Some of these covert channels utilize computational intensive operations, such as the calculation of cryptographic hash chains. Currently, these computational intensive reversible covert channels are considered difficult to detect.
This paper proposes ways of utilizing shape analysis of packet runtime distributions to detect such computational intensive covert channels. To this end, we simulated the latency of traffic modified by a hash-chain based covert channel by adding mock hash-reconstruction runtimes to runtimes of legitimate ping traffic. After qualitatively observing the changes in the empirical probability distribution between modified and natural traffic, we investigated machine learning algorithms for their ability to detect the covert channel’s presence. We show that a decision tree-based AdaBoost classifier using the investigated statistical measures as input vector and a convolutional neural network applied directly to the packet runtime empirical probability distribution are able to classify sets of 50 ping measurements with high accuracy for low to medium high latency connections. Our approach improves significantly over previous work done on the detection of computational intensive covert
channels as our approach both requires smaller sampling window sizes and achieves significantly higher detection rates on the same reference dataset.
Workshop CUING
Workshop CUING
This paper proposes ways of utilizing shape analysis of packet runtime distributions to detect such computational intensive covert channels. To this end, we simulated the latency of traffic modified by a hash-chain based covert channel by adding mock hash-reconstruction runtimes to runtimes of legitimate ping traffic. After qualitatively observing the changes in the empirical probability distribution between modified and natural traffic, we investigated machine learning algorithms for their ability to detect the covert channel’s presence. We show that a decision tree-based AdaBoost classifier using the investigated statistical measures as input vector and a convolutional neural network applied directly to the packet runtime empirical probability distribution are able to classify sets of 50 ping measurements with high accuracy for low to medium high latency connections. Our approach improves significantly over previous work done on the detection of computational intensive covert
channels as our approach both requires smaller sampling window sizes and achieves significantly higher detection rates on the same reference dataset.
How to evade modern web cryptojacking detection tools? A review of practical findings
Pawel Rajba
(University of Wroclaw, Poland), Krzysztof Chmiel
(University of Wroclaw, Poland)
Full Paper
One of the foundations of cryptocurrencies based on proof-of-work consensus is mining. This is an activity which consumes a lot of computational resources, so malicious actors introduce cryptojacking malware to exploit users computers and in result use their victim resources. Cryptojacking emerged several years ago together with the increasing adoption and prevalence of cryptocurrencies. This type of malware may have several types, but in this paper we consider malicious scripts embedded into the websites. As the threat is real and we hear regularly about affected websites including major web content providers, in this paper we analyzed selected promising detection methods based on more sophisticated techniques which are not only based on blacklisting which is the most common way of preventing this kind of attacks. The analysis resulted in findings showing all the considered solutions can be tricked from the controlled server. Fortunately, we also show the ways how the considered solutions can be improved, so the proposed methods can be efficient again.
Workshop CUING
Workshop CUING
Trustworthiness and explainability of a watermarking and machine learning-based system for image modification detection to combat disinformation
Andrea Rosales
(Internet Interdisciplinary Institute (IN3), Universitat Oberta de Catalunya, Spain), Agnieszka Malanowska
(Warsaw University of Technology, Poland), Tanya Koohpayeh Araghi
(Internet Interdisciplinary Institute (IN3), Universitat Oberta de Catalunya, Barcelona, Spain, Spain), Minoru Kuribayashi
(Center for Data-driven Science and Artificial Intelligence at Tohoku University Japan, Japan), Marcin Kowalczyk
(Warsaw University of Technology, Poland), Daniel Blanche-Tarragó
(Internet Interdisciplinary Institute (IN3), Universitat Oberta de Catalunya, Center, Spain), Wojciech Mazurczyk
(Warsaw University of Technology, Poland), David Megías
(Internet Interdisciplinary Institute (IN3), Universitat Oberta de Catalunya, Barcelona, Spain, Spain)
Full Paper
The widespread of digital platforms, that prioritize content based on engagement metrics and reward content creators accordingly, has contributed to the expansion of disinformation with all its social and political impact. We propose a verification system to counterbalance disinformation in two stages. First, a system that allows media industries to watermark their image and video content.
Second, a user platform for news consumers to verify if images and video over the internet have been modified. However, digital platforms, often developed as black boxes that hide their rationale from users and prioritize the investor’s interests over ethical and social concerns, have contributed to this disinformation and to a general lack of trust in verification systems. In this paper, we address trustworthiness and explainability in the development of the user platform to increase its trustworthiness and acceptance based on three iterations of an international user study.
Workshop CUING
Workshop CUING
Second, a user platform for news consumers to verify if images and video over the internet have been modified. However, digital platforms, often developed as black boxes that hide their rationale from users and prioritize the investor’s interests over ethical and social concerns, have contributed to this disinformation and to a general lack of trust in verification systems. In this paper, we address trustworthiness and explainability in the development of the user platform to increase its trustworthiness and acceptance based on three iterations of an international user study.
ZW-IDS: Zero-Watermarking-based network Intrusion Detection System using data provenance
Omair Faraj
(Telecom SudParis, Institut Polytechnique de Paris, France), David Megias
(Internet Interdisciplinary Institute, Universitat Oberta de Catalunya, Spain), Joaquin Garcia-Alfaro
(Telecom SudParis, Institut Polytechnique de Paris, France)
Full Paper
In the rapidly evolving digital world, network security is a critical concern. Traditional security measures often fail to detect unknown attacks, making anomaly-based Network Intrusion Detection Systems (NIDS) using Machine Learning (ML) vital. However, these systems face challenges such as computational complexity and misclassification errors. This paper presents ZW-IDS, an innovative approach to enhance anomaly-based NIDS performance. We propose a two-layer classification NIDS integrating zero-watermarking with data provenance and ML. The first layer uses Support Vector Machines (SVM) with ensemble learning model for feature selection. The second layer generates unique zero-watermarks for each data packet using data provenance information. This approach aims to reduce false alarms, improve computational efficiency, and boost NIDS classification performance. We evaluate ZW-IDS using the CICIDS2017 dataset and compare its performance with other multi-method ML and Deep Learning (DL) solutions.
Workshop CUING
Workshop CUING
Natural Language Steganography by ChatGPT
Martin Steinebach
(Fraunhofer, Germany)
Full Paper
Natural language steganography as well as natural language watermarking have been challenging because of the complexity and lack of noise in natural language. But with the advent of LLMs like ChatGPT, controlled synthesis of written language has become available. In this work, we show how ChatGPT can be utilized to generate synthetic texts of a given topic that act as stego covers for hidden messages.
Workshop CUING
Workshop CUING
Single-image steganalysis in real-world scenarios based on classifier inconsistency detection
Daniel Lerch-Hostalot
(Universitat Oberta de Catalunya, Spain), David Megías Jimenez
(Universitat Oberta de Catalunya, Spain)
Full Paper
This paper presents an improved method for estimating the accuracy of a model based on images intended for prediction, enhancing
the standard Detection of Classifier Inconsistencies (DCI) method. The conventional DCI method typically requires a large enough set of images from the same source to provide accurate estimations, which limits its practicality. Our enhanced approach overcomes this limitation by generating a set of images from a single original image, thereby enabling the application of the standard DCI method without requiring more than one target image. This method ensures that the generated images maintain the statistical properties of the original, preserving any embedded steganographic messages, through the use of non-destructive image manipulations such as flips, rotations, and shifts. Experimental results demonstrate that our method produces results comparable to those of the traditional DCI method, effectively estimating model accuracy with as few as 32 generated images. The robustness of our approach is also confirmed in challenging scenarios involving cover source mismatch (CSM), making it a viable solution for real-world applications.
Workshop CUING
Workshop CUING
the standard Detection of Classifier Inconsistencies (DCI) method. The conventional DCI method typically requires a large enough set of images from the same source to provide accurate estimations, which limits its practicality. Our enhanced approach overcomes this limitation by generating a set of images from a single original image, thereby enabling the application of the standard DCI method without requiring more than one target image. This method ensures that the generated images maintain the statistical properties of the original, preserving any embedded steganographic messages, through the use of non-destructive image manipulations such as flips, rotations, and shifts. Experimental results demonstrate that our method produces results comparable to those of the traditional DCI method, effectively estimating model accuracy with as few as 32 generated images. The robustness of our approach is also confirmed in challenging scenarios involving cover source mismatch (CSM), making it a viable solution for real-world applications.
Are Deepfakes a Game-changer in Digital Images Steganography Leveraging the Cover-Source-Mismatch?
Arthur Méreur
(Troyes University of Technology, France), Antoine Mallet
(Troyes University of Technology, France), Rémi Cogranne
(Troyes University of Technology, France)
Full Paper
This work explores the potential of synthetic media generated by AI, often referred to as Deepfakes, as a source of cover-objects for steganography. Deepfakes offer a vast and diverse pool of media, potentially improving steganographic security by leveraging cover-source mismatch, a challenge in steganalysis where training and testing data come from different sources.
The present paper proposes an initial study on Deepfakes' effectiveness in the field of steganography. More precisely, we propose an initial study to assess the impact of Deepfakes on image steganalysis performance in an operational environment. Using a wide range of image generation models and state-of-the-art methods in steganography and steganalysis, we show that Deepfakes can significantly exploit the cover-source mismatch problem but that mitigation solutions also exist. The empirical findings can inform future research on steganographic techniques that exploit cover-source mismatch for enhanced security.
Workshop CUING
Workshop CUING
The present paper proposes an initial study on Deepfakes' effectiveness in the field of steganography. More precisely, we propose an initial study to assess the impact of Deepfakes on image steganalysis performance in an operational environment. Using a wide range of image generation models and state-of-the-art methods in steganography and steganalysis, we show that Deepfakes can significantly exploit the cover-source mismatch problem but that mitigation solutions also exist. The empirical findings can inform future research on steganographic techniques that exploit cover-source mismatch for enhanced security.
A Comprehensive Pattern-based Overview of Stegomalware
Fabian Strachanski
(University of Duisburg-Essen, Germany), Denis Petrov
(Worms University of Applied Sciences, Germany), Tobias Schmidbauer
(Nuremberg Institute of Technology, Germany), Steffen Wendzel
(Worms University of Applied Sciences, Germany)
Full Paper
In recent years, malware is increasingly using steganographic methods (so-called stegomalware) to remain hidden as long as possible. It not only covers its tracks on the infected system, but also tries to hide its communication with adversary infrastructure.
This paper reviews 105 stegomalware cases on the basis of 142 reports, ranging from digital media (audio, video, images) to text and network steganography. For this purpose, the covert channels used by the malware are categorized and introduced using a pattern-based approach. Our survey reveals that solely a small set of patterns are used and the most frequent methods rely on modulation of states and values. We also analyzed the commonalities of media, text and network stegomalware and found that least significant bit (LSB) steganography is exclusively utilized for media steganography. Our results indicate, that only a small variation of network protocols, media types and hiding methods are utilized by stegomalware and therefore, research may focus on these to counter malicious activities covered by steganography.
Workshop CUING
Workshop CUING
This paper reviews 105 stegomalware cases on the basis of 142 reports, ranging from digital media (audio, video, images) to text and network steganography. For this purpose, the covert channels used by the malware are categorized and introduced using a pattern-based approach. Our survey reveals that solely a small set of patterns are used and the most frequent methods rely on modulation of states and values. We also analyzed the commonalities of media, text and network stegomalware and found that least significant bit (LSB) steganography is exclusively utilized for media steganography. Our results indicate, that only a small variation of network protocols, media types and hiding methods are utilized by stegomalware and therefore, research may focus on these to counter malicious activities covered by steganography.
No Country for Leaking Containers: Detecting Exfiltration of Secrets Through AI and Syscalls
Marco Zuppelli
(Institute for Applied Mathematics and Information Technologies, Italy), Massimo Guarascio
(ICAR-CNR, Italy), Luca Caviglione
(CNR - IMATI, Italy), Angelica Liguori
(ICAR-CNR, Italy)
Full Paper
Containers offer lightweight execution environments for implementing microservices or cloud-native applications. Owing to their ubiquitous diffusion jointly with the complex interplay of hardware, computing, and network resources, effectively enforcing container security is a difficult task. Specifically, runtime detection of threats poses many challenges since containers are often immutable (i.e., they cannot be instrumented or inspected), and many malware deploys obfuscation or elusive mechanisms. Therefore, in this work we propose a deep-learning-based approach for identifying the presence of two containers colluding to covertly leak secret information. In more detail, we consider a threat actor trying to exfiltrate a 4,096-bit private TLS key via five different covert channels. To decide whether containers are colluding for leaking data, the deep learning model is fed with statistical indicators of the syscalls, which are built starting from simple counters. Results indicate the effectiveness of our approach, even if some adjustments are needed to reduce the number of false positives.
Workshop CUING
Workshop CUING
Robust and Homomorphic Covert Channels in Streams of Numeric Data
Jörg Keller
(FernUniversität in Hagen, Germany), Carina Heßeling
(FernuUniversitaet Hagen, Germany), Steffen Wendzel
(Worms University of Applied Sciences, Germany)
Full Paper
A steganographic network storage channel that uses a carrier with a stream of numeric data must consider the possibility that the carrier data is processed before the covert receiver can extract the secret data. A sensor data stream, which we take as an example scenario, may be scaled by multiplication, shifted into a different range by addition, or two streams might be merged by adding their values. This raises the question if the storage channel can be made robust against such carrier modifications. On the other hand, if the pieces of secret data are numeric as well, adding and merging two streams each comprising covert data might be exploited to form a homomorphic covert channel. We investigate both problems together as they are related and give positive and negative results. In particular, we present the first homomorphic storage covert channel. Moreover, we show that such type of covert channel is not restricted to sensor data streams, but that very different scenarios are possible.
Workshop CUING
Workshop CUING
Detail CUING 02/05
8th International Workshop on Cyber Use of Information Hiding to be held in conjunction with the 19th International Conference on Availability, Reliability and Security
The increasing number of Internet users, availability of storage and network resources, and proliferation of as-a-Service frameworks, leads to a new-wave of offensive campaigns targeting the virtual world. With the diffusion of improved defensive methods, attackers now utilize more and more sophisticated techniques to perform their malicious activities. In recent years, information hiding has emerged as one of the most sophisticated and effective mechanisms for launching attacks. Threat actors now regularly use information hiding to elude countermeasures and prevent reversing the attack chain. More recently, hiding techniques have been deployed to create covert channels, i.e., parasitic communications paths nested in network traffic and digital objects, mainly to cloak command & control communications. Unfortunately, detection and mitigation of threats taking advantage of information hiding are hard tasks that pose many new challenges for digital forensics analysts, academics, law enforcement agencies, and security professionals.
The aim of the International Workshop on Cyber Use of Information Hiding (CUIng) is to bring together researchers, practitioners, law enforcement representatives, and security professionals in the area of analysis of information hiding techniques when used in cyberspace. Techniques, mechanisms, and ideas that fall in the scope of the workshop are not limited to classic digital steganography applications or the creation and mitigation of covert communications. Therefore, CUIng also welcomes works that pertain to camouflaging/masking/hiding various types of data, e.g., identities, behaviors of processes, and communication flows. To present a more complete picture of the novel research on hiding methods and their utilization by the attackers, submissions dealing with impersonation or mimicking are encouraged as well, especially to address information hiding in a complete manner, for instance, to discuss ideas for fighting misuse of privacy-enhancing technologies.
This year the CUING workshop is co-organized together with DISSIMILAR (Detection of fake newS on SocIal MedIa pLAtfoRms) project.
Moreover, the extended versions of all accepted papers will be considered for publication in a special issue of the Journal of Cyber Security and Mobility (indexed in Scopus).
The aim of the International Workshop on Cyber Use of Information Hiding (CUIng) is to bring together researchers, practitioners, law enforcement representatives, and security professionals in the area of analysis of information hiding techniques when used in cyberspace. Techniques, mechanisms, and ideas that fall in the scope of the workshop are not limited to classic digital steganography applications or the creation and mitigation of covert communications. Therefore, CUIng also welcomes works that pertain to camouflaging/masking/hiding various types of data, e.g., identities, behaviors of processes, and communication flows. To present a more complete picture of the novel research on hiding methods and their utilization by the attackers, submissions dealing with impersonation or mimicking are encouraged as well, especially to address information hiding in a complete manner, for instance, to discuss ideas for fighting misuse of privacy-enhancing technologies.
This year the CUING workshop is co-organized together with DISSIMILAR (Detection of fake newS on SocIal MedIa pLAtfoRms) project.
Moreover, the extended versions of all accepted papers will be considered for publication in a special issue of the Journal of Cyber Security and Mobility (indexed in Scopus).
Keynote:
Statistical Models of digital images for Adversarial Methods in steganography and AI-based generation
While a vast majority of digital image forensics approaches are based on machine learning and, recently, exploits the extremely high accuracy of deep learning, these approaches generally provide a low-level of understanding and interpretability.
In the speech, we will present statistical models that allow assessing detectability of information hidden in digital images. We will review how such models can be used to design original adversarial methods that minimizes the statistical detectability.
Last, but not least, we will study the possible application of a similar adversarial method for AI-based generation of digital images.
About the speaker:
Rémi Cogranne received the Ph.D. degree in systems safety and optimization from the University of Technology of Troyes (UTT), France, in 2011. He was regularly invited as a Visiting Scholar with Binghamton University, from 2014 to 2020. He has been an Associate Professor with UTT, since 2013. His research interests include hypothesis testing applied to image forensics, steganalysis, steganography, and computer networks. He has published more than 80 articles, among which two received the best paper awards, and three International patents. He is an Elected Member of IEEE Technical Committee on IFS a member of the Editorial Board of several international journals and conferences. He has been the general chair of IEEE WIFS 2022, the General Chair of ACM IH&MMSec 2019, the TPC Chair of IEEE WIFS 2021, and the Main Organizer of ALASKA Steganalysis Challenge (https://alaska.utt.fr).
Topics of interest include, but are not limited to 03/05
- Cyber information hiding techniques
- Studies regarding the use of information hiding in cybercrime
- Analysis of cybercrime cases related to information hiding
- New steganographic & steganalysis methods
- Local, air-gapped, and network covert channels
- Side channels and less obvious usage of information hiding techniques
- Digital watermarking of multimedia content and network traffic
- Stegomalware-related research, including techniques and detection
- Novel countermeasures against information hiding techniques: detection, prevention, limitation
- Evasion, obfuscation, and anti-forensics techniques used in cyberattacks
- Traffic type obfuscation techniques, e.g., traffic morphing
- Hiding covert communication within network attacks, e.g., DDoS, SPAM, etc.
- Underground marketplaces and their business models (e.g., legal and technical aspects of darknet)
- Information-hiding-based botnets and their mitigation
- Information hiding based on adversarial learning and generative AI
- Utilization of AI/ML techniques for improved data hiding techniques and detection methods
- Information hiding in AI/ML models and datasets
- Utilization of information hiding techniques to fight disinformation
- Privacy enhancing techniques
- Aspects and methods for sharing strategic intelligence
- Abusing legitimate social media, cloud-based services, etc. for information hiding purposes
Workshop Chairs 04/05
Workshop Chairs
Program Committee
Soumya Banerjee
|
CNAM-CEDRIC LAB, INRIA-EVA, Paris, France
Krzysztof Cabaj
|
Warsaw University of Technology, Poland
Michal Choras
|
Bydgoszcz University of Science and Technology, Poland
Jana Dittmann
|
Otto-von-Guericke University Magdeburg, Germany
Mordechai Guri
|
Ben-Gurion University of the Negev, Israel
Zbigniew Kotulski
|
Warsaw University of Technology, Poland
Rafal Kozik
|
Bydgoszcz University of Science and Technology, Poland
Christian Kraetzer
|
Otto-von-Guericke University Magdeburg, Germany
David Megias
|
Universitat Oberta de Catalunya, Spain
Aleksandra Mileva
|
University Goce Delcev, Republic of Macedonia
Marek Pawlicki
|
Bydgoszcz University of Science and Technology, Poland
Zbigniew Piotrowski
|
Military University of Technology, Poland
Steffen Wendzel
|
Worms University of Applied Sciences and FernUniversität in Hagen, Germany
Milad Taleby Ahvanooey
|
Nanjing University, China
Maria Carla Calzarossa
|
University of Pavia, Italy
Marco Cremonini,
|
University of Milan, Italy
Mattia Epifani
|
CNR, Italy
Massimo Guarascio
|
CNR – ICAR, Italy
Stefan Katzenbeisser
|
University of Passau, Germany
Minoru Kuribayashi
|
Okayama University, Japan
Jean-Francois Lalande
|
CentraleSupélec, France
Daniel Lerch-Hostalot
|
Universitat Oberta de Catalunya, Spain
Shujun Li
|
University of Kent, UK
Pawel Rajba
|
University of Wroclaw, Poland
Martin Steinebach
|
Fraunhofer SIT, Germany
Hui Tian
|
National Huaqiao University, China
Tanja Zseby
|
Vienna University of Technology, Austria
Marco Zuppelli
|
CNR – IMATI, Italy
Tobias Schmidbauer
|
Nuremberg Institute of Technology, Germany
Avinash Srinivasan
|
United States Naval Academy, USA
Remi Cogranne
|
Troyes University of Technology, France
Submission 05/05
Submission Guidelines
The submission guidelines valid for the workshop are the same as for the ARES conference.
Important Dates
Extended Submission Deadline
May 14, 2024
Author Notification
Jun 02, 2024
Proceedings Version
Jun 18, 2024
Conference
Jul 30
—
Aug 02, 2024