Stego Intrusion Detection System (SIDS) Michael Sieffert Assured Information Security, Inc.

Topics Covered Steganography Steganalysis Misuse / Motivation SIDS structure Screenshots Demo? Future of SIDS Conclusion

Steganography “Art of covered writing” Concealing the existence of communication between two parties Hiding data in common, unstructured areas of media files –Transmitted via computer networks Many tools available freely that work with: –Image, music files –Text –TCP/IP header fields

Stego (continued) (original) (carrier)

Steganalysis Detecting the presence of steganographic data Does a given file contain stego? –How sure can we be? Not always a certainty –If so, is it possible to extract its contents? Many products / algorithms available that attempt to discover stego –Some algorithms are closed source or proprietary –Not organized into any consistent API

Potential for Misuse? Of course! Transmission/storage of illegal or proprietary data –Child pornography –Company secrets Terrorist message passing? Adversaries Intruders –Data exfiltration/infiltration Insider threat

Motivation Adversaries can use stego to communicate undetected –Even through our own networks –Manual attacks –Programmatic attacks A stealthy piece of malicious software is aware of network defenses, and will circumvent them An intelligent virus/trojan program could be using HTTP to transmit and receive data –Current network defense mechanisms will not stop this Firewall Intrusion detection systems Corporate espionage gets easier! Your network is at risk!

HTTP Image Transfer How many images are pulled into/out of your network daily? –Makes an attractive channel for stego’ed data transfer An attacker / virus could create (seemingly normal) HTTP traffic that contains important* data –Instructions for the program –Proprietary / sensitive information (secrets, credit card numbers, etc)

SIDS Stego intrusion detection system –Aims to flag all HTTP traffic containing imagery that tests positive for stego content (more protocols later) Gateway defense mechanism –Placed at a network border –In promiscuous mode, sniffs all HTTP traffic and reconstructs (if necessary) any images transmitted –Tests each image against all known steganalysis algorithms –Alerts user/administrator to presence of stego on their network Not a firewall!

High Level View Algorithm 4 Algorithm 3 Algorithm 2 Algorithm 1 Algorithm n Master Database SIDS FW image1 image2 image3 image4 image5 Scanner Internet

SIDS Highlights Plug-in interface for steganalysis algorithms –Allows SIDS to increase its effectiveness as new methods are developed –Proprietary or sensitive algorithms can be used in house Interface written in Java, making the GUI section of SIDS easily portable to a separate platform in the future SIDS machine does not even need an IP address, making it undetectable to an attacker

SIDS Screen Shots - Statistics - Shows last image testing positive for stego Graphs detailing the number of images captured / flagged

Screen Shots (continued) - Recent Finds - Details of individual images captured from the wire Summary of steganalysis information Allows for manual inspection of images

Screen Shots (continued) - Histograms - Provide a breakdown of the most frequent offender's IP addresses

Limitations Extremely high traffic can cause packet loss Only a handful of algorithms ship with SIDS currently –Working to add more algorithms –User can add their own –Attempting to establish a community standard User interface can be improved, made more lean Only HTTP, currently –Unable to examine encrypted data

Future of SIDS Always more protocols/places to check for stego –FTP, P2P, NNTP, IRC, ICMP, TCP/IP headers, Timing – (attachments), etc. Host based version of SIDS likely on the way –Continually checking all images found on a system for stego –Help catch use of stego storage (stuff that’s not sent across the wire) Enterprise Edition Hardware assisted steganalysis Neural nets

Future of SIDS (continued) Best detection with newest steganalysis algorithms Moving towards the anti-virus model –Database of detection ‘signatures’ must be up to date Development of public database of detection algorithms –Developed as plug-ins for all versions of SIDS –Freely downloadable

Conclusion Stego is being used... and will continue to gain acceptance as a method of hiding in plain sight Defense is a hard problem Efficiency issues with loads of scanning / analysis Steganalysis is improving –Still behind the state of the art in steganography This trend will likely to continue as new forms of stego emerge

Questions.. SIDS –Created by Dr. Leonard Popyack and Charles Green (Assured Information Security, Inc.) –Code Authors: Rodney Forbes (daemons, plug-in interface) Mike Sieffert (Java GUI) –Sponsored by Air Force Research Laboratory (AFRL), Air Force Information Warfare Battlelab (AFIWB) POC: Thomas Blake, AFRL/IFGB