
Stego Intrusion Detection System (SIDS)
Michael Sieffert, Assured Information Security, Inc.

Presentation transcript:


Slide 2: Topics Covered
- Steganography
- Steganalysis
- Misuse / Motivation
- SIDS structure
- Screenshots
- Demo?
- Future of SIDS
- Conclusion

Slide 3: Steganography
- "Art of covered writing": concealing the existence of communication between two parties
- Hiding data in common, unstructured areas of media files
  – Transmitted via computer networks
- Many freely available tools work with:
  – Image and music files
  – Text
  – TCP/IP header fields

Slide 4: Stego (continued)
[Figure: two images shown side by side, labelled "(original)" and "(carrier)"; the images themselves are not reproduced in this transcript]

Slide 5: Steganalysis
- Detecting the presence of steganographic data
- Does a given file contain stego?
  – How sure can we be? Not always a certainty
  – If so, is it possible to extract its contents?
- Many products / algorithms available that attempt to discover stego
  – Some algorithms are closed source or proprietary
  – Not organized into any consistent API
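Slides 3 and 5 describe the two halves of the problem: hiding data in the unstructured parts of a media file, and then asking whether a file tests positive. The following Python is an added example written for this transcript; it is not code from the presentation or from SIDS. It pairs the simplest common embedding, sequential least-significant-bit (LSB) replacement over 8-bit samples, with the chi-square "pairs of values" attack of Westfeld and Pfitzmann that detects it. The carrier is a constructed synthetic sample array rather than a real image, the chi-square survival function is implemented inline so the script needs no scipy, and every function name here is this example's own. The p-value is read the way the attack defines it: near 1 means the value pairs have been equalized as LSB replacement does, near 0 means the data looks untouched.

```python
import math
import random


# --- Steganography: sequential LSB replacement in 8-bit samples ---------------

def bytes_to_bits(data):
    # MSB-first list of bits for a bytes object
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def lsb_embed(carrier, payload):
    """Copy `carrier` (list of 0..255 samples, e.g. grey levels) with the bits of
    `payload` written into the LSB of the first len(payload)*8 samples.
    Each touched sample changes by at most 1, which is why the eye cannot tell."""
    bits = bytes_to_bits(payload)
    if len(bits) > len(carrier):
        raise ValueError("payload does not fit: %d bits > %d samples" % (len(bits), len(carrier)))
    stego = list(carrier)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def lsb_extract(stego, nbytes):
    """Read `nbytes` back out of the LSBs of the first nbytes*8 samples."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


# --- Steganalysis: chi-square attack on pairs of values ------------------------
# In untouched data the two members of a pair (2k, 2k+1) are rarely equally
# frequent; LSB replacement with a roughly random message drives them to equality.

def chi2_sf(x, dof):
    """Survival function (1 - CDF) of the chi-square distribution, i.e. the
    regularized upper incomplete gamma Q(dof/2, x/2), via the classic
    series / continued-fraction pair so that no scipy is required."""
    s, x = dof / 2.0, x / 2.0
    if x <= 0.0:
        return 1.0
    log_prefix = -x + s * math.log(x) - math.lgamma(s)
    if x < s + 1.0:                      # series for P(s, x); Q = 1 - P
        term = total = 1.0 / s
        a = s
        for _ in range(10000):
            a += 1.0
            term *= x / a
            total += term
            if abs(term) < abs(total) * 1e-15:
                break
        return 1.0 - total * math.exp(log_prefix)
    tiny = 1e-300                        # modified Lentz continued fraction for Q
    b = x + 1.0 - s
    c, d = 1.0 / tiny, 1.0 / b
    h = d
    for i in range(1, 10000):
        an = -i * (i - s)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = c * d
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return math.exp(log_prefix) * h


def chi_square_attack(samples):
    """Return (chi2, dof, p). p near 1: pairs equalized, consistent with sequential
    LSB embedding; p near 0: looks unmodified. Pairs that never occur are skipped."""
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0      # H0 (embedded): both members equally likely
        if expected == 0:
            continue
        chi2 += (odd - expected) ** 2 / expected
        pairs += 1
    dof = pairs - 1
    return chi2, dof, chi2_sf(chi2, dof)


# --- Constructed sample data (a synthetic sample array, not a real image) -------

def make_carrier(n=16384, odd_rate=0.2, seed=7):
    # odd values deliberately rarer than their even partner, as in untouched data
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < odd_rate else 0) for _ in range(n)]


def demo():
    """Embed a full-capacity random payload and run the attack before and after."""
    carrier = make_carrier()
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(len(carrier) // 8))
    stego = lsb_embed(carrier, payload)
    assert lsb_extract(stego, len(payload)) == payload
    return chi_square_attack(carrier), chi_square_attack(stego)
```

Calling `demo()` gives a chi-square in the thousands and a p-value of essentially zero for the clean carrier; once every LSB carries a random payload the statistic drops to roughly the number of degrees of freedom and the p-value rises. The uncertainty the slide mentions shows up directly: this test only sees sequential, near-capacity embedding, and a tool that scatters a small payload over pseudo-random sample positions barely moves the statistic, which is one reason steganalysis trails steganography.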

Slide 6: Potential for Misuse? Of course!
- Transmission/storage of illegal or proprietary data
  – Child pornography
  – Company secrets
- Terrorist message passing?
- Adversaries
  – Intruders: data exfiltration/infiltration
  – Insider threat

Slide 7: Motivation
- Adversaries can use stego to communicate undetected
  – Even through our own networks
  – Manual attacks
  – Programmatic attacks
- A stealthy piece of malicious software is aware of network defenses and will circumvent them
- An intelligent virus/trojan program could be using HTTP to transmit and receive data
  – Current network defense mechanisms will not stop this: firewalls, intrusion detection systems
- Corporate espionage gets easier! Your network is at risk!

Slide 8: HTTP Image Transfer
- How many images are pulled into/out of your network daily?
  – Makes an attractive channel for stego'ed data transfer
- An attacker / virus could create (seemingly normal) HTTP traffic whose images carry important data
  – Instructions for the program
  – Proprietary / sensitive information (secrets, credit card numbers, etc.)

Slide 9: SIDS
- Stego intrusion detection system
  – Aims to flag all HTTP traffic containing imagery that tests positive for stego content (more protocols later)
- Gateway defense mechanism
  – Placed at a network border
  – In promiscuous mode, sniffs all HTTP traffic and reconstructs (if necessary) any images transmitted
  – Tests each image against all known steganalysis algorithms
  – Alerts user/administrator to the presence of stego on their network
- Not a firewall! It detects and alerts; it does not block traffic

Slide 10: High Level View
[Diagram: images (image1 ... image5) arriving from the Internet pass the firewall (FW) and are captured by the SIDS Scanner, which runs each one through the steganalysis plug-ins (Algorithm 1 ... Algorithm n) and records the results in the Master Database]

Slide 11: SIDS Highlights
- Plug-in interface for steganalysis algorithms
  – Allows SIDS to increase its effectiveness as new methods are developed
  – Proprietary or sensitive algorithms can be used in house
- Interface written in Java, making the GUI section of SIDS easily portable to a separate platform in the future
- The SIDS machine does not even need an IP address of its own: it only sniffs, so it exposes no network surface for an attacker to probe and is very hard to detect
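Slides 9 and 11 describe the gateway pipeline: reconstruct each image carried over HTTP, hand it to every registered steganalysis algorithm through a plug-in interface, and raise a finding when one fires. The following Python is an added example sketching that shape; it is not SIDS's own code (its daemons and Java GUI are not reproduced here), and the plug-in names, decorator and call signature are this example's own assumptions rather than an API from SIDS. It assumes the HTTP response has already been reassembled into bytes (packet capture and TCP reassembly are out of scope) and that the body is framed by Content-Length. Two deliberately cheap plug-ins illustrate the contract: a declared-type versus file-signature check, and a check for bytes appended after a JPEG EOI marker or PNG IEND chunk, which decoders ignore and which is the crudest way a tool can ride a payload on an image. The sample responses and image byte strings are constructed inline and are not real pictures.

```python
# Plug-in registry: each plug-in is a callable (declared_type, image_bytes) -> finding or None.
PLUGINS = []


def plugin(fn):
    """Decorator that registers a steganalysis check with the scanner."""
    PLUGINS.append(fn)
    return fn


def parse_http_response(raw):
    """Split one reassembled HTTP/1.x response into (status line, headers, body).
    Assumes Content-Length framing; chunked or compressed bodies are not handled here."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        body = body[:int(headers["content-length"])]
    return lines[0].decode("latin-1"), headers, body


JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


@plugin
def type_mismatch(ctype, body):
    """Declared media type vs. file signature: a sanity check, not stego detection."""
    if ctype == "image/jpeg" and not body.startswith(JPEG_SOI):
        return "declared image/jpeg but body lacks JPEG SOI marker"
    if ctype == "image/png" and not body.startswith(PNG_SIG):
        return "declared image/png but body lacks PNG signature"
    return None


@plugin
def trailing_data(ctype, body):
    """Bytes after the end-of-image marker: decoders ignore them, so appending a
    payload there hides it from anyone who only views the picture."""
    if ctype == "image/jpeg" and body.startswith(JPEG_SOI):
        end = body.rfind(JPEG_EOI)
        extra = len(body) - (end + len(JPEG_EOI)) if end != -1 else 0
    elif ctype == "image/png" and body.startswith(PNG_SIG):
        end = body.rfind(b"IEND")
        extra = len(body) - (end + 4 + 4) if end != -1 else 0  # chunk type + CRC
    else:
        return None
    return f"{extra} bytes after end-of-image marker" if extra > 0 else None


def scan_response(raw):
    """Run every registered plug-in over the image carried by one HTTP response."""
    _status, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if not ctype.startswith("image/"):
        return []  # only imagery is examined
    findings = []
    for fn in PLUGINS:
        result = fn(ctype, body)
        if result:
            findings.append((fn.__name__, result))
    return findings


def http_image(ctype, body):
    """Constructed HTTP/1.1 response wrapping `body` (sample input, not captured traffic)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype.encode("ascii")
            + b"\r\nContent-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n" + body)


# Constructed sample images: minimal JPEG- and PNG-shaped byte strings, not real pictures.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + JPEG_EOI
STEGO_JPEG = CLEAN_JPEG + b"exfiltrated secret"
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00IEND\xaeB`\x82"
STEGO_PNG = CLEAN_PNG + b"\x01\x02\x03\x04"

if __name__ == "__main__":
    for label, ctype, img in (("clean jpeg", "image/jpeg", CLEAN_JPEG),
                              ("stego jpeg", "image/jpeg", STEGO_JPEG),
                              ("stego png", "image/png", STEGO_PNG)):
        print(label, scan_response(http_image(ctype, img)))
```

A real deployment would register full steganalysis algorithms behind the same callable signature and would also have to cope with chunked transfer encoding, Content-Encoding, and images split across packets. The point here is the registry contract: every plug-in receives the declared type and the image bytes and returns either a finding or None, so a new detector, including a proprietary in-house one, can be dropped in without touching the scanner.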

Slide 12: SIDS Screen Shots: Statistics
- Shows last image testing positive for stego
- Graphs detailing the number of images captured / flagged

Slide 13: Screen Shots (continued): Recent Finds
- Details of individual images captured from the wire
- Summary of steganalysis information
- Allows for manual inspection of images

Slide 14: Screen Shots (continued): Histograms
- Provide a breakdown of the most frequent offenders' IP addresses

Slide 15: Limitations
- Extremely high traffic can cause packet loss, and a passively sniffed image that loses packets cannot be reconstructed or tested
- Only a handful of algorithms ship with SIDS currently
  – Working to add more algorithms
  – Users can add their own
  – Attempting to establish a community standard
- User interface can be improved, made more lean
- Only HTTP, currently
  – Unable to examine encrypted data (e.g. HTTPS)

Slide 16: Future of SIDS
- Always more protocols/places to check for stego
  – FTP, P2P, NNTP, IRC, ICMP, TCP/IP headers, timing channels
  – Email (attachments), etc.
- Host based version of SIDS likely on the way
  – Continually checking all images found on a system for stego
  – Helps catch use of stego for storage (material that is never sent across the wire)
- Enterprise Edition
- Hardware assisted steganalysis
- Neural nets

Slide 17: Future of SIDS (continued)
- Best detection with newest steganalysis algorithms
- Moving towards the anti-virus model
  – Database of detection 'signatures' must be kept up to date
- Development of a public database of detection algorithms
  – Developed as plug-ins for all versions of SIDS
  – Freely downloadable

Slide 18: Conclusion
- Stego is being used... and will continue to gain acceptance as a method of hiding in plain sight
- Defense is a hard problem
  – Efficiency issues with the large volume of scanning / analysis
- Steganalysis is improving
  – Still behind the state of the art in steganography
  – This trend will likely continue as new forms of stego emerge

Slide 19: Questions..
- SIDS
  – Created by Dr. Leonard Popyack and Charles Green (Assured Information Security, Inc.)
  – Code authors: Rodney Forbes (daemons, plug-in interface), Mike Sieffert (Java GUI)
  – Sponsored by Air Force Research Laboratory (AFRL), Air Force Information Warfare Battlelab (AFIWB)
- POC: Thomas Blake, AFRL/IFGB (blaket@rl.af.mil)

