Steganographic techniques and covert channels are becoming exploited by a wide-range of malware to avoid detection and bypass network security tools. With the ubiquitous difusion of IoT nodes, such ofensive schemes are expected to be used to exfiltrate data or to covertly orchestrate botnets composed of resource-constrained nodes (e.g., as it happens in Mirai). Therefore, in this paper, we present a machine learning technique for the detection of network covert channels targeting the TTL field of IPv4 datagrams. Specifically, we propose to use Autoencoders to reveal anomalous trafic behaviors. The experimental evaluation performed over realistic trafic traces showcases the efectiveness of our approach.
The Internet of Things (IoT) paradigm allows to create advanced services able to interact with
the physical world and to remotely operate large-scale infrastructures. As a result, the number
of applications taking advantage of IoT technologies is now almost unbounded. For instance,
cost-efective sensors and devices are used for entertainment and health purposes, to access and
manage industrial control systems, as well as to automatize homes and buildings. Unfortunately,
the tight coupling between devices and physical entities, the resource-constrained nature of
many nodes, and the lack of rigorous development or configuration processes, are at the basis
of countless security and privacy flaws [
Despite IoT nodes are often considered simple devices, they can be used to implement efective
threats. As an example, the Mirai malware allows to create a large-scale botnet of devices with
limited computing and connectivity resources, which has been used to launch Distributed Denial
of Service (DDoS) attacks against many international organizations and sensitive targets [
Therefore, in this work we address the problem of detecting network covert channels targeting
the TTL field of IPv4 datagrams. In fact, the resource-constrained nature of IoT devices, including
the use of “lean” TCP/IP protocol stacks to tame complexity, prevent malware to implement
sophisticated covert channels or computing-intensive network steganography algorithms. To
develop our detection methods, we take advantage of autoencoders, which are neural networks
where the target of the network is the data itself. Autoencoders allow to reduce dimensionality
and to learn eficient encoding, whereas they are a convenient choice when in absence of a
labeled dataset. This is of prime importance when addressing malware exploiting network covert
channels, since it often remains undetected or undocumented until major reverse engineering
or forensics investigations [
Covert Channel
Secret encoded
in the TTL
Firewall (Home Gateway) Legitimate Traffic
Legitimate Traffic + Covert Channel
Remote C&C Server
IOT Ecosystem Figure 1: Attack model considering a malware sending data towards a remote command and control facility via a network covert channel created within the TTL field of IPv4 trafic.
IoT scenarios, the literature mainly focuses on timing channels, for instance to detect cloaked
communications in SCADA applications [
Summing up, the contributions of this work are: the design of a machine-learning-capable approach for detecting covert channels targeting IoT ecosystems, and a performance evaluation campaign based on realistic trafic traces commonly used in the literature. Since countermeasures could be also deployed at the border of the network in nodes with limited capabilities (e.g., home gateways) emphasis has been put on the footprint required by the proposed approach.
The remainder of the paper is structured as follows. Section 2 provides details on the considered attack model, Section 3 introduces our approach to detect covert channels targeting the TTL of IPv4 datagrams, and Section 4 showcases numerical results. Finally, Section 5 concludes the paper and outlines possible future research directions.
This section discusses the attack model taking advantage of a network covert channel. Figure
1 showcases the general reference scenario. Specifically, we consider an attacker able to take
control of one or more IoT nodes, for instance by dropping a malicious payload via a phishing
campaign [
Even if the literature abounds of techniques for creating cloaked communication paths within
network flows and real-world threats taking advantage of information hiding are multiplying
[
In general, channels targeting the TTL should alter datagrams in a limited manner in order to
avoid macroscopic per-flow signatures [
This section describes the deep learning-based approach adopted to identify the presence of covert channels within trafic flows. In our scenario, the detector takes the form of an unsupervised deep neural network. The main benefit of our approach is the possibility of the model to raise alarms also on never seen attacks: this is a frequent case when dealing with covert channels, since they are often undocumented and unknown a priori. Moreover, this solution allows for coping with the lack of labeled data issue, typical of our application scenario.
Specifically, our solution allows for learning a neural encoder-decoder network aiming at compressing the input data (represented by metrics computed over the trafic generated by the IoT network) within a latent space, which is then used to reconstruct the original information. Here, the main idea is that the legitimate input data should be slightly afected by the encoding/decoding procedures performed by the model, therefore the original distributions 2Data collected for IEEE TMC 2018, University of New South Wales, Sydney. Available online at: https://iotanalytics. unsw.edu.au/iottraces.html [Last Accessed: June 2022]. 80 60 40 20 skip connection skip connection 0 61 32 48 64 80 96 112 128 441 160 176 192 208 224 240 255 0
TTL substantially remain unchanged after this process. By contrast, anomalous instances will exhibit deviant values that can lead to failures in the input reconstruction.
Although the idea to use the reconstruction error as an anomaly score to identify deviant
behaviors is not new itself, the adoption of unsupervised techniques (and in particular of
autoencoder-based solutions) for detecting covert channels is quite unexplored [
Figure 3 shows the considered neural architecture. As shown, the architecture is composed of two main components, named Encoder and Decoder, respectively. Let = {1, . . . , } be a set of numeric features (in our scenario, a set of statistics computed on the network trafic flow yielded in a time slot). The former subnet allows for mapping z = enc(x) the input data with a latent space (encoding), whereas the second one maps the features extracted by the encoder with the output y = dec(z) (decoding). Gradient descent is used to learn the model weights by minimizing a suitable reconstruction loss. In this paper, we adopted the Mean Square Error, i.e., () = 1 ∑︀ ‖xi − yi‖2.
Notably, the architecture shown in Figure 3 exhibits two main diferences with respect to a standard encoder-decoder model: (i) Skip Connections are used to boost the predictive performances of the model and to reduce the number of iterations required for the learning algorithm convergence, and (ii) a hybrid approach including the usage of Sparse Dense Layers is adopted to make the autoencoder more robust to noise, especially since attacks often exhibit slight diferences compared with normal behaviors. In more detail, the idea behind Skip Connections is to “help” the learning phase of the decoder by providing as input to each layer of the decoder both the previous and the correspondent encoder layer. As regard the use of Sparse Dense Layers, this allows for yielding a wider number of discriminative features that can be used to extract a more efective latent representation.
Figure 4 shows how the detection of covert channels targeting the TTL of IPv4 datagrams
is performed. Without loss of generality, we assume to monitor an infinite datastream, i.e.,
the trafic produced by the various IoT nodes continuously feeds our detection mechanism.
At pre-fixed time intervals (corresponding to a time slot in Figure 4), we compute a number
of statistics to describe the behavior of the TTL fields composing the aggregate trafic flow.
This operation can be performed without impacting on the overall trafic and by using limited
computing resources (see, e.g., the use of the extended Berkeley Packet Filter (eBPF) [
In this section we present the performance of the approach based on autoencoders. Preliminary, we discuss the used dataset, then we showcase numerical results.
To evaluate the efectiveness of our approach for detecting network covert channels targeting
IoT ecosystems, we prepared an artificial dataset starting from the trafic traces made available in
[
... packeti-p slotj slotj-1 phones and laptops. We then obtained a 1-week long dataset with an overall throughput in the 5 − 36 kbit/s range, generated by 28 IoT endpoints, such as speakers, lights, cameras, and hubs.
To implement the considered attack template in a realistic manner, we modeled the presence of a threat tampering a single IoT device. As an example, the attacker could gain access to the assets of the victim via phishing or by exploiting some ad-hoc CVEs3. In our scenario, we considered a malicious software targeting the Dropcam camera, which has been used to send/exfiltrate sensitive data towards a remote C&C facility. To have a dataset containing fair amounts of “legitimate” and cloaked conversations, we assumed that the IoT device has been tampered on September 27, thus the Dropcam has been under control of the attacker for 3 days.
To create the various storage network covert channels, we used the tool available in [21],
which allows to directly rewrite the trafic captures and implement realistic attack conditions.
As discussed in Section 2, to not make the detection trivial, we encoded bits 1 and 0 in TTL
values equal to 64 and 100, respectively. Moreover, we randomly interleaved packets containing
hidden data with legitimate/unaltered packets in order to prevent long bursts of manipulated
TTL values. In fact, the latter could reduce the stealthiness of the covert channel leading to
a trivial detection [
To test our approach for revealing the presence of network covert channels within trafic aggregates, we developed a prototype in Python based on the TensorFlow4 library. The trafic dataset presented in Section 4.1 has been processed to obtain the following information: a progressive timestamp, the number of incoming packets within a given time slot, the average and median values of observed TTLs, the values of the 10ℎ, 25ℎ, 75ℎ and 90ℎ percentile, minimum and maximum TTLs, as well as a label indicating the presence of the attack (i.e., for testing purposes). Recalling that our approach exploits a “slotted” architecture (see Figure 4), in this work we consider a time slot with a duration of 5 seconds.
The dataset has been divided in training and test sets by using a temporal split. Specifically: (i) the data gathered in the first 96 hours only contains legitimate trafic and has been used for the learning phase of the autoencoder, whereas (ii) the remaining instances compose the test set. As a result, the training and the test set have 69, 116 and 51, 837 instances, respectively. To normalize the input data feeding the model, a pre-processing phase has been performed. In essence, a MinMax normalization has been used to map each feature in the range {− 1, 1} in order to improve the stability of the learning process.
As discussed in Section 3, the proposed model is a neural network composed of two subnets. The Encoder has four fully-connected dense layers. Three layers have been instantiated with 32, 16, and 8 neurons and equipped with a ReLU (Rectified Linear Unit) activation function. The fourth layer is the latent space and can be thought as a dense layer (shared between the encoder and the decoder) including 4 neurons, and it is equipped with a ReLU activation function. The Decoder is composed again of three fully-connected dense layers with the same dimensions and activation function. Finally, the output layer is instantiated with the same size of the input, and equipped with a Tanh activation function. This choice has been made since we want to yield an output ranging in {− 1, 1}. The model is trained over 16 epochs with a batch size of 16.
To assess the detection capabilities, we computed the following performance metrics. Let us define as the number of positive cases correctly classified, as the number of negative cases incorrectly classified as positive, as the number of positive cases incorrectly classified as negative, and as the number of negative cases correctly classified. Then, we considered the following metrics: the Accuracy, defined as the fraction of cases correctly classified, i.e., + + + + , the Precision and the Recall to measure the accuracy in identifying attacks and avoiding false alarms, i.e., + and + , respectively. We also considered the F-Measure to summarize the overall system performances as the harmonic mean of Precision and Recall.
Lastly, to perform experiments, we used a machine equipped with 32 Gb RAM, an Intel i7-4790K CPU @4.00GHz and an 1Tb SSD disk drive.
Since the outlierness threshold can influence the detection capability of the proposed approach, we investigated its impact. 4TensorFlow machine learning library. Available online at: https://www.tensorflow.org/ [Last Accessed: June 2022].
As the autoencoder model is trained only against legitimate data (i.e., clean trafic produced by IoT nodes), we computed the outlierness degree for each slot composing the training set. We then selected as the anomaly threshold the values corresponding to the 90ℎ, 95ℎ and 99ℎ percentiles. A detailed breakdown is depicted in Figure 5.
Table 1 reports experimental results obtained by taking into account diferent outlierness thresholds computed over the training set. As shown, collected values exhibit an intuitive behavior, i.e., when a more restrictive threshold is selected (99ℎ percentile), the approach exhibits a good precision (∼ 94%), but a percentage of slots containing a network covert channel is not correctly recognized. By contrast, a looser threshold value (90ℎ percentile) allows to improve the probability of detection (∼ 99% of recall), but a higher number of false alarms are raised. This can be mitigated by considering our mechanism as a first stage of a more complex detection chain, which can trigger more resource-consuming approaches such as deep packet inspection. Yet, the best setting is the one where the 95ℎ percentile is used, since it guarantees the highest value in terms of F-Measure. This represents the best trade of between probability of detecting the presence of a covert communication and false alarm rate.
Moreover, Figure 6 portraits the distribution of the outlierness degree for a window including a marked number of compromised time slots. As it can be seen, the outlierness degree exhibits higher values than the ones reported in Figure 5. In some cases, the outlierness is one order of magnitude higher than the outlierness max value computed on the training set. This event represents the presence of a covert communications within the bulk of trafic, thus leading to a “deviation” in the output of the neural network.
Lastly, as regards the feasibility of deploying our approach in realistic settings, we point out that its resource footprint is very limited. In more detail, gathering information about the TTL usually accounts for an additional packet delay of ∼ 100 ns when using eBPF and 1 ms with a C implementation exploiting libpcap over commodity hardware. Instead, apart the training phase, which can be done ofline, the average prediction time is 0.0132 ms. Another important aspect concerns the “stateless” nature of the approach. In fact, the used neural architecture performs the detection of covert communications by using information on the overall trafic (grouped in time slots), which prevents memory consumption due to the need of storing information with a per-flow granularity. Thus, the proposed approach should be considered suitable for being implemented in home gateways often used in production-quality IoT ecosystems.
In this paper, we presented a lightweight mechanism based on autoencoders for detecting network covert channels targeting IoT scenarios. Results indicated the efectiveness of our approach, i.e., the method can achieve the values of ∼ 91% and ∼ 94% for the accuracy and the precision, respectively. Although our solution addresses a specific case, it can be easily generalized to handle diferent network covert channels and environments, e.g., by considering an ensemble of specialized detectors combined to reveal attacks on diferent carriers.
Future works aim at refining the proposed framework by considering other types of network covert channels. At the same time, part of our ongoing research is devoted to develop some form of “intermediate” representations, which can be used to exploit a unique mechanism to face diferent threats. We are working towards general metrics that could partially compensate the tight-coupling between the used hiding methodology/protocol and the countermeasure.
This work has been partially supported by the H2020 Program within the framework of SIMARGL (Grant Agreement No. 833042), and CyberSec4Europe (Grant Agreement No. 830929). in mobile networks, in: Proceedings of the 2014 Conference on Internet Measurement Conference, 2014, pp. 173–180. [19] G. Hinton, R. Salakhutdinov, Reducing the dimensionality of data with neural networks,
Science 313 (2006) 504 – 507. [20] Y. Bengio, L. Pascal, P. Dan, H. Larochelle, Greedy layer-wise training of deep networks, in: Advances in Neural Information Processing Systems, volume 19, MIT Press, 2007, pp. 153–160. [21] M. Zuppelli, L. Caviglione, pcapstego: A tool for generating trafic traces for experimenting with network covert channels, in: The 16th International Conference on Availability, Reliability and Security, 2021, pp. 1–8. [22] P. McLaren, G. Russell, B. Buchanan, Mining malware command and control traces, in: 2017 Computing Conference, 2017, pp. 788–794.