Stego Intrusion Detection System (SIDS) Michael Sieffert Assured Information Security, Inc.


Transcript of Stego Intrusion Detection System (SIDS) Michael Sieffert Assured Information Security, Inc.

Page 1:

Stego Intrusion Detection System (SIDS)

Michael Sieffert

Assured Information Security, Inc.

Page 2:

Topics Covered

• Steganography

• Steganalysis

• Misuse / Motivation

• SIDS structure

• Screenshots

• Demo?

• Future of SIDS

• Conclusion

Page 3:

Steganography

• “Art of covered writing”

• Concealing the existence of communication between two parties

• Hiding data in common, unstructured areas of media files

– Transmitted via computer networks

• Many tools available freely that work with:

– Image, music files

– Text

– TCP/IP header fields

Page 4:

Stego (continued)

[Figure: two images shown side by side, captioned (original) and (carrier)]

Page 5:

Steganalysis

• Detecting the presence of steganographic data

• Does a given file contain stego?

– How sure can we be?

• Not always a certainty

– If so, is it possible to extract its contents?

• Many products / algorithms available that attempt to discover stego

– Some algorithms are closed source or proprietary

– Not organized into any consistent API
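The "how sure can we be?" question on this slide is exactly what a statistical steganalysis test answers. The following is an added example, not code from SIDS or from the presenter: a stand-alone Python implementation of the classic pairs-of-values chi-square test (Westfeld and Pfitzmann) for LSB embedding in an 8-bit greyscale image. The cover image is constructed in the file with an intentionally uneven histogram to mimic a natural photograph, and the "stego" sample is produced by replacing every least-significant bit with a random bit, which is the statistical effect of embedding an encrypted payload at full capacity. Function names, thresholds and the image size are this example's own choices.

```python
"""Pairs-of-values chi-square LSB steganalysis on a constructed 8-bit image.

Added example; not code from the SIDS project. The cover image and the
simulated embedding are constructed in this file so that it runs offline.
"""
import math
import random
from typing import Dict, List, Tuple

WIDTH, HEIGHT = 128, 128  # constructed image size (16384 pixels)


def make_cover(seed: int = 1) -> List[int]:
    """Construct a greyscale cover whose histogram has uneven pair counts.

    Natural images rarely satisfy n(2i) == n(2i+1); drawing each grey level
    with its own random weight mimics that. Constructed sample, not a photo.
    """
    rng = random.Random(seed)
    weights = [rng.uniform(0.25, 1.0) for _ in range(256)]
    return rng.choices(range(256), weights=weights, k=WIDTH * HEIGHT)


def simulate_lsb_embedding(pixels: List[int], seed: int = 2) -> List[int]:
    """Return a copy whose LSBs are replaced by random bits.

    Embedding an encrypted/compressed payload in every LSB has exactly this
    statistical effect, so it exercises the detector without carrying any
    message. Values 2i and 2i+1 swap within their pair; pair totals are kept.
    """
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]


def chi_square_pairs(pixels: List[int]) -> Tuple[float, int]:
    """Goodness-of-fit statistic of observed pair counts against their means.

    Under LSB embedding with random bits the counts of values 2i and 2i+1
    converge to a common mean e_i; a cover image keeps them apart. Each pair
    contributes one degree of freedom.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, dof = 0.0, 0
    for i in range(128):
        n_even, n_odd = hist[2 * i], hist[2 * i + 1]
        expected = (n_even + n_odd) / 2.0
        if expected < 5:  # too few samples for the chi-square approximation
            continue
        stat += (n_even - expected) ** 2 / expected
        stat += (n_odd - expected) ** 2 / expected
        dof += 1
    return stat, dof


def chi2_sf(stat: float, dof: int) -> float:
    """Upper tail P(X >= stat) of a chi-square with `dof` degrees of freedom,
    using the Wilson-Hilferty normal approximation (standard library only)."""
    if dof == 0:
        return 1.0
    k = float(dof)
    z = ((stat / k) ** (1.0 / 3.0) - (1.0 - 2.0 / (9.0 * k))) / math.sqrt(2.0 / (9.0 * k))
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def embedding_probability(pixels: List[int]) -> float:
    """Westfeld-style 'probability of embedding': close to 1 when the pairs are
    as balanced as random LSBs would make them, close to 0 for a typical cover."""
    stat, dof = chi_square_pairs(pixels)
    return chi2_sf(stat, dof)


def analyze(pixels: List[int], threshold: float = 0.5) -> Dict[str, object]:
    """What a SIDS-style plug-in would report for one image.

    Caveats a deployment must handle: a cover with a very smooth histogram can
    look 'balanced' and trigger a false positive, and a payload that fills only
    the first part of the image needs this test run over a sliding window.
    """
    stat, dof = chi_square_pairs(pixels)
    p = chi2_sf(stat, dof)
    return {"chi_square": stat, "dof": dof, "p_embedded": p, "flagged": p > threshold}


if __name__ == "__main__":
    cover = make_cover()
    stego = simulate_lsb_embedding(cover)
    for name, img in (("cover", cover), ("stego", stego)):
        r = analyze(img)
        print(f"{name}: chi2={r['chi_square']:.1f} dof={r['dof']} "
              f"p_embedded={r['p_embedded']:.3f} flagged={r['flagged']}")
```

The cover's statistic lands far out in the upper tail (hundreds against 128 degrees of freedom), so its embedding probability is effectively zero, while the randomised-LSB copy produces a statistic near the expected 128 and a probability that is not small. The comment in `analyze` records the two limits a gateway scanner has to live with: smooth-histogram covers and partial embedding.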

Page 6:

Potential for Misuse?

• Of course!

• Transmission/storage of illegal or proprietary data

– Child pornography

– Company secrets

• Terrorist message passing?

• Adversaries

• Intruders

– Data exfiltration/infiltration

• Insider threat

Page 7:

Motivation

• Adversaries can use stego to communicate undetected

– Even through our own networks

– Manual attacks

– Programmatic attacks

• A stealthy piece of malicious software is aware of network defenses, and will circumvent them

• An intelligent virus/trojan program could be using HTTP to transmit and receive data

– Current network defense mechanisms will not stop this

• Firewall

• Intrusion detection systems

• Corporate espionage gets easier!

Your network is at risk!

Page 8:

HTTP Image Transfer

• How many images are pulled into/out of your network daily?

– Makes an attractive channel for stego’ed data transfer

• An attacker / virus could create (seemingly normal) HTTP traffic that contains important* data

– Instructions for the program

– Proprietary / sensitive information (secrets, credit card numbers, etc.)

Page 9:

SIDS

• Stego intrusion detection system

– Aims to flag all HTTP traffic containing imagery that tests positive for stego content (more protocols later)

• Gateway defense mechanism

– Placed at a network border

– In promiscuous mode, sniffs all HTTP traffic and reconstructs (if necessary) any images transmitted

– Tests each image against all known steganalysis algorithms

– Alerts user/administrator to presence of stego on their network

Not a firewall!

Page 10:

High Level View

[Diagram: components shown are Internet, FW, SIDS, Scanner, image1 through image5, Algorithm 1 through Algorithm n, and Master Database]

Page 11:

SIDS Highlights

• Plug-in interface for steganalysis algorithms

– Allows SIDS to increase its effectiveness as new methods are developed

– Proprietary or sensitive algorithms can be used in-house

• Interface written in Java, making the GUI section of SIDS easily portable to a separate platform in the future

• SIDS machine does not even need an IP address, making it undetectable to an attacker
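Page 9 describes the gateway pipeline (sniff HTTP, reconstruct the image, run every known steganalysis algorithm, alert) and page 11 the plug-in interface that feeds it. The following is an added example that sketches both in Python; it is not SIDS code and the daemon/GUI split of the real product is not reproduced. A registry decorator stands in for the plug-in interface, a raw HTTP response (constructed inline, already reassembled from packets) is split into headers and image body, and each registered plug-in returns a score that decides whether an alert record is written. The two plug-ins here are simple structural checks (bytes appended after a JPEG end-of-image marker or a PNG IEND chunk), chosen because they need no image library; they are not the algorithms SIDS ships with. Record fields, IP addresses and plug-in names are this example's own.

```python
"""SIDS-style gateway pipeline: HTTP response -> image -> plug-ins -> alert.

Added example, not code from SIDS. The HTTP captures are constructed inline
and the two plug-ins are simple structural heuristics.
"""
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# --- plug-in interface: name -> function(image_bytes) -> score in [0, 1] ------
Analyzer = Callable[[bytes], float]
ANALYZERS: Dict[str, Analyzer] = {}


def register(name: str):
    """Decorator that registers a steganalysis plug-in under `name`."""
    def wrap(fn: Analyzer) -> Analyzer:
        ANALYZERS[name] = fn
        return fn
    return wrap


PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xae\x42\x60\x82"  # IEND chunk type followed by its fixed CRC


@register("jpeg_trailing_data")
def jpeg_trailing_data(img: bytes) -> float:
    """A JPEG ends at the EOI marker FF D9; bytes after it do not belong to the
    picture. rfind is used because embedded thumbnails also carry an EOI."""
    if not img.startswith(b"\xff\xd8"):
        return 0.0  # not a JPEG: this plug-in abstains
    eoi = img.rfind(b"\xff\xd9")
    if eoi < 0:
        return 0.0
    return 1.0 if len(img) > eoi + 2 else 0.0


@register("png_trailing_data")
def png_trailing_data(img: bytes) -> float:
    """A PNG ends with its IEND chunk; anything after it is appended data."""
    if not img.startswith(PNG_SIG):
        return 0.0
    end = img.find(PNG_IEND)
    if end < 0:
        return 0.0
    return 1.0 if len(img) > end + len(PNG_IEND) else 0.0


IMAGE_TYPES = ("image/jpeg", "image/png")


def extract_image(response: bytes) -> Optional[Tuple[str, bytes]]:
    """Split a reassembled HTTP response; return (content_type, body) if it
    carries an image of a type we analyze, else None."""
    sep = response.find(b"\r\n\r\n")
    if sep < 0:
        return None
    head, body = response[:sep].decode("latin-1"), response[sep + 4:]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in IMAGE_TYPES:
        return None
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return ctype, body


def scan(src_ip: str, dst_ip: str, response: bytes, threshold: float = 0.5) -> Optional[dict]:
    """Run every registered plug-in over the image in one response."""
    found = extract_image(response)
    if found is None:
        return None
    ctype, img = found
    scores = {name: fn(img) for name, fn in ANALYZERS.items()}
    return {"src": src_ip, "dst": dst_ip, "type": ctype, "bytes": len(img),
            "scores": scores, "alert": max(scores.values()) >= threshold}


def offender_histogram(records: List[Optional[dict]]) -> Counter:
    """Source addresses of flagged images, as on the 'Histograms' screen."""
    return Counter(r["src"] for r in records if r is not None and r["alert"])


def http_response(ctype: str, body: bytes) -> bytes:
    """Build a constructed HTTP/1.1 response carrying `body`."""
    head = f"HTTP/1.1 200 OK\r\nContent-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode("ascii") + body


# Constructed sample captures (RFC 5737 documentation addresses, toy image bodies).
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
SUSPECT_JPEG = CLEAN_JPEG + b"APPENDED-DATA"
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00" + PNG_IEND
SUSPECT_PNG = CLEAN_PNG + b"\x00" * 8
CAPTURES = [
    ("203.0.113.5", "192.0.2.10", http_response("image/jpeg", CLEAN_JPEG)),
    ("203.0.113.5", "192.0.2.10", http_response("image/jpeg", SUSPECT_JPEG)),
    ("198.51.100.7", "192.0.2.10", http_response("image/png", SUSPECT_PNG)),
    ("198.51.100.7", "192.0.2.10", http_response("text/html", b"<html></html>")),
]


def run() -> List[Optional[dict]]:
    """Scan every constructed capture; None means 'no image in this response'."""
    return [scan(src, dst, resp) for src, dst, resp in CAPTURES]


if __name__ == "__main__":
    results = run()
    for r in results:
        print(r)
    print("offenders:", dict(offender_histogram(results)))
```

Adding a new algorithm is one decorated function; the scanner never needs to know which checks exist, which is the property the slide attributes to the plug-in interface. A real deployment would sit before `extract_image`: a packet capture in promiscuous mode plus TCP stream reassembly, which this example assumes has already happened.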

Page 12:

SIDS Screen Shots

- Statistics -

Shows last image testing positive for stego

Graphs detailing the number of images captured / flagged

Page 13:

Screen Shots (continued)

- Recent Finds -

Details of individual images captured from the wire

Summary of steganalysis information

Allows for manual inspection of images

Page 14:

Screen Shots (continued)

- Histograms -

Provide a breakdown of the most frequent offenders' IP addresses

Page 15:

Limitations

• Extremely high traffic can cause packet loss

• Only a handful of algorithms ship with SIDS currently

– Working to add more algorithms

– User can add their own

– Attempting to establish a community standard

• User interface can be improved, made leaner

• Only HTTP, currently

– Unable to examine encrypted data

Page 16:

Future of SIDS

• Always more protocols/places to check for stego

– FTP, P2P, NNTP, IRC, ICMP, TCP/IP headers, timing

– Email (attachments), etc.

• Host-based version of SIDS likely on the way

– Continually checking all images found on a system for stego

– Help catch use of stego storage (stuff that’s not sent across the wire)

• Enterprise Edition

• Hardware-assisted steganalysis

• Neural nets

Page 17:

Future of SIDS (continued)

• Best detection with newest steganalysis algorithms

• Moving towards the anti-virus model

– Database of detection ‘signatures’ must be up to date

• Development of public database of detection algorithms

– Developed as plug-ins for all versions of SIDS

– Freely downloadable

Page 18:

Conclusion

• Stego is being used... and will continue to gain acceptance as a method of hiding in plain sight

• Defense is a hard problem

• Efficiency issues with loads of scanning / analysis

• Steganalysis is improving

– Still behind the state of the art in steganography

• This trend will likely continue as new forms of stego emerge

Page 19:

Questions..

• SIDS

– Created by Dr. Leonard Popyack and Charles Green (Assured Information Security, Inc.)

– Code Authors:

• Rodney Forbes (daemons, plug-in interface)

• Mike Sieffert (Java GUI)

– Sponsored by Air Force Research Laboratory (AFRL), Air Force Information Warfare Battlelab (AFIWB)

• POC: Thomas Blake, AFRL/IFGB ([email protected])