Special issue: Network forensics and challenges for cybersecurity

Vol. 69, n° 7-8, July-August 2014
Content available on Springerlink

Guest editors
Wojciech Mazurczyk, Warsaw University of Technology, Poland
Krzysztof Szczypiorski, Warsaw University of Technology, Poland
Hui Tian, National Huaqiao University, China


Wojciech Mazurczyk, Krzysztof Szczypiorski, Hui Tian

3G IP Multimedia Subsystem based framework for lawful interception

Dohoon Kim1, Jungbean Lee1, Young-Gab Kim2, Byungsik Yoon3, and Hoh Peter In1

(1) Korea University, Seoul, Korea
(2) Catholic University of Daegu, Gyeongbuk, Korea
(3) Electronics and Telecommunications Research Institute (ETRI), Daejeon, Korea

Abstract Issues related to lawful interception, such as invasion of privacy and efficient investigation, are presently at the forefront of social consciousness. Interception technology has to consistently evolve in order to keep pace with new and varied network structures. Thus, standard lawful interception documents that are appropriate for the existing PSTN, 2G and 3G, and packet-based communication are being proposed. In particular, newly arising services based on IP Multimedia Subsystems (IMSs) that support multimedia streaming, data transmission, and voice over IP, make lawful interception even more imperative. In this paper, we propose an architecture for IMS/Session Initiation Protocol based Lawful Interception (LI) in wireless 3G networks. We also propose LI techniques that are differentiated according to the IMS characteristics where content service providers are separated from network providers. Using the standards of dynamic triggering technologies for commissioning the authority to intercept among multiple network providers as a basis, we analyze IMS architecture and service operation methods. We then propose an LI architecture that is appropriate for IMS services. In addition, we present the results of a quality of service performance analysis conducted on our proposed interception architecture for various numbers of IMS users.
Keywords IP Multimedia Subsystem (IMS) – Session Initiation Protocol (SIP) – Lawful Interception (LI) – Dynamic triggering – Architecture performance analysis

On the testing of network cyber threat detection methods on spam example

Robert Filasiak1, Maciej Grzenda1, 2, Marcin Luckner2, and Pawel Zawistowski2

(1) Orange Labs Poland, Warsaw, Poland
(2) Warsaw University of Technology, Poland

Abstract As a response to the increasing number of cyber threats, novel detection and prevention methods are constantly being developed. One of the main obstacles hindering the development and evaluation of such methods is the shortage of reference data sets. This work proposes a way of testing methods that detect network threats. It includes a procedure for creating realistic reference data sets describing network threats and the processing and use of these data sets in testing environments. The proposed approach is illustrated and validated on the problem of spam detection. Reference data sets for spam detection are developed, analysed and used both to generate the requested volume of simulated traffic and to analyse it using machine learning algorithms. The tests take into account both the accuracy and the performance of threat detection methods under real load and constrained computing resources.
Keywords Network Intrusion Detection Systems (NIDS) – Flow analysis – Spam detection – Network data sets

Cheetah: a space-efficient HNB-based NFAT approach to supporting network forensics

Bo-Chao Cheng1, Guo-Tan Liao1, Hsu-Chen Huang1, and Ping-Hai Hsu2

(1) National Chung Cheng University, Chiayi, Taiwan
(2) Industrial Technology Research Institute, Hsinchu, Taiwan

Abstract The popularity of the Internet has increased the ease of online access to malicious software, and the amount of software designed to perform denial-of-service (DoS) attacks is incalculable. This enables hackers to use online resources to easily launch attacks, posing serious threats to network security. The ultimate solution to increasingly severe DoS attacks is to identify the sources of the attacks; this is known as IP traceback or forensics. However, the Network Forensic Analysis Tool (NFAT) is limited by its storage space, which significantly reduces the effectiveness of the traceback. We propose the Cheetah mechanism to overcome the disadvantage of requiring significant data storage. It uses machine learning to filter irrelevant data, thereby retaining only the evidence related to DoS attacks for subsequent tracebacks. The experimental results confirm that the proposed mechanism can reduce the quantity of data that requires storage while maintaining a certain level of forensic accuracy.
Keywords Network security – Network forensics – IP traceback – Hidden naive Bayes (HNB)

Efficient searchable ID-based encryption with a designated server

Tsu-Yang Wu1, 2, Tung-Tso Tsai3, and Yuh-Min Tseng3

(1) Harbin Institute of Technology, Shenzhen, China
(2) Shenzhen Key Laboratory of Internet Information Collaboration, Shenzhen, China
(3) National Changhua University of Education, Taiwan, Republic of China

Abstract Public key encryption with keyword search (PEKS) is a mechanism that allows one to extract e-mails containing a particular keyword by providing a trapdoor corresponding to the keyword, while parties without the trapdoor are unable to learn any information about the extracted e-mails. A PEKS scheme is also suitable for providing a secure storage system in a cloud computing environment. However, in a PEKS scheme, a secure channel must be established to transmit trapdoors. A PEKS scheme with a designated server, termed dPEKS, removes the requirement of the secure channel while retaining the same functionality as PEKS. To date, the related studies on dPEKS are all based on the pairing-based public key system; no work focuses on dPEKS based on ID-based systems, termed dIBEKS. In this article, we propose the first dIBEKS scheme, which possesses the advantage of ID-based systems (removing certificate management). A security analysis is given to demonstrate that our scheme is provably secure and can resist off-line keyword guessing attacks. Compared with previously proposed dPEKS schemes, our scheme has better performance in terms of computational time.
Keywords Searchable public key encryption – Designated server – Identity-based – Bilinear pairings

Syndrome trellis codes based on minimal span generator matrix

Weiwei Liu, Guangjie Liu and Yuewei Dai

Nanjing University of Science and Technology, China

Abstract To improve the embedding efficiency of steganography, syndrome coding based on coding theory has attracted the attention of many researchers. In this paper, we make use of the relationship between syndrome coding for minimizing additive distortion and maximum likelihood decoding for linear codes to analyze the main parameters of convolutional codes that influence the embedding efficiency. We then propose new syndrome trellis codes based on a minimal span generator matrix. They can be considered an alternative construction of the state-of-the-art syndrome trellis codes (STCs) recently proposed by Filler and Fridrich. Experimental results show that the proposed scheme achieves the same embedding performance as STCs while reducing both time complexity and storage requirements.
Keywords Steganography – Syndrome coding – Syndrome trellis codes – Minimal span generator matrix

Hidden and under control – A survey and outlook on covert channel-internal control protocols

Steffen Wendzel1 and Jörg Keller2

(1) Fraunhofer FKIE, Bonn, Germany
(2) FernUniversität in Hagen, Germany

Abstract Network covert channels are policy-breaking and stealthy communication channels in computer networks. These channels can be used to bypass Internet censorship, to exfiltrate data without raising attention, to allow safe and stealthy communication for members of political oppositions and for spies, to hide the communication of military units on the battlefield from the enemy, and to provide stealthy communication for today’s malware, especially for botnets. To enhance network covert channels, researchers started to add protocol headers, so-called micro-protocols, to the hidden payload in covert channels. Such protocol headers enable fundamental features such as reliability, dynamic routing, proxy capabilities, simultaneous connections, or session management for network covert channels—features which enrich future botnet communications to become more adaptive and more stealthy than nowadays. In this survey, we provide the first overview and categorization of existing micro-protocols. We compare micro-protocol features and present currently uncovered research directions for these protocols. Afterwards, we discuss the significance of and the existing means for micro-protocol engineering. Based on our findings, we propose further research directions for micro-protocols. These include introducing multi-layer protocol stacks, peer auto-configuration, and peer group communication based on micro-protocols, as well as developing protocol translation in order to achieve inter-connectivity for currently separated overlay networks.
Keywords Network covert channel – Covert channel-internal control protocols – Micro-protocols – Information hiding

Adaptive JPEG steganography with new distortion function

Fengyong Li, Xinpeng Zhang, Jiang Yu and Wenfeng Shen

Shanghai University, China

Abstract This paper presents an adaptive steganographic scheme for JPEG images by designing a novel distortion function. While some previous works employed distortion functions based on coefficient difference, we point out that data embedding on coefficients with larger absolute values may cause less steganalytic detectability. In the proposed scheme, the distortion function is derived from both the coefficient residual and the coefficient value, which measures the risk of detection due to the modification of cover data. With an exhaustive search method, the parameters of the proposed distortion function are optimized. Then, we may employ syndrome trellis coding to embed the secret data into JPEG images while keeping the risk low. This way, the modifications are forced into highly textured areas of JPEG images, and experimental results demonstrate that the steganographic security is improved by the designed distortion function.
Keywords Steganography – Distortion function – Steganalysis

Efficient wet paper embedding for steganography with multilayer construction

Xinpeng Zhang1, Chuan Qin2 and Liquan Shen1

(1) Shanghai University, China
(2) University of Shanghai for Science and Technology, China

Abstract This work proposes an efficient data hiding scheme for the wet paper channel using a multilayer construction, in which a number of node-bits in different layers are derived from all cover bits and used to carry the secret data. By applying the wet paper coding method to the node-bits and altering the changeable cover bits, the node-bits are modified into their desired values and the secret data are embedded in a layer-by-layer manner. An equilibration mechanism is also introduced to flip the denser changeable cover bits with higher probability. This way, the paper folding method is equivalent to a special case of the proposed scheme, and a family of data hiding methods with more flexible relative payload and higher embedding efficiency can be generated.
Keywords Steganography – Wet paper channel – Embedding efficiency

Steganalysis of transcoding steganography

Artur Janicki, Wojciech Mazurczyk and Krzysztof Szczypiorski

Warsaw University of Technology, Poland

Abstract Transcoding steganography (TranSteg) is a fairly new IP telephony steganographic method that functions by compressing overt (voice) data to make space for the steganogram by means of transcoding. It offers high steganographic bandwidth, retains good voice quality, and is generally harder to detect than other existing VoIP steganographic methods. In TranSteg, after the steganogram reaches the receiver, the hidden information is extracted, and the speech data is practically restored to what was originally sent. This is a huge advantage compared with other existing VoIP steganographic methods, where the hidden data can be extracted and removed, but the original data cannot be restored because it was previously erased by the hidden data insertion process. In this paper, we address the issue of steganalysis of TranSteg. Various TranSteg scenarios and possible warden localizations are analyzed with regard to TranSteg detection. A novel steganalysis method based on Gaussian mixture models and mel-frequency cepstral coefficients was developed and tested for various overt/covert codec pairs in a single warden scenario with double transcoding. The proposed method allowed for efficient detection of some codec pairs (e.g., G.711/G.729), while some others remained more resistant to detection (e.g., iLBC/AMR).
Keywords IP telephony – Network steganography – Steganalysis – MFCC parameters – Gaussian mixture models

Steganalysis of prediction mode modulated data-hiding algorithms in H.264/AVC video stream

Songbin Li1, Haojiang Deng2, Hui Tian3, and Qiongxing Dai1

(1) Chinese Academy of Sciences, Haikou, China
(2) National Network New Media Engineering Research Center, Beijing, China
(3) National Huaqiao University, Xiamen, China

Abstract In the intra-frame coding of H.264/AVC, information hiding can be implemented by modulating the prediction modes of 4 × 4 luminance blocks. Because such methods are fast and well concealed, they are very suitable for building covert communication systems on top of video communications, which poses a great public security threat. Therefore, it is important to study their steganalysis. In this paper, we first analyzed the changes in the remarkable characteristics of intra-frame coding caused by modulating intra-prediction modes for information hiding, and found that the inherent correlation among the prediction modes of the different 4 × 4 luminance blocks belonging to an intra-frame coded macroblock was changed. According to several different positional relationships of the adjacent 4 × 4 blocks in the spatial domain, we designed statistical models corresponding to the prediction mode correlation in order to extract these correlation characteristics quantitatively. An information hiding detector was constructed based on a support vector machine. With the constructed detector, the experimental results show that the mean detection accuracy, recall ratio, and precision ratio are all excellent for different test video sequences.
Keywords H.264/AVC – Steganalysis – Intra-frame coding – Prediction mode correlation