<?xml version="1.0" encoding="UTF-8"?>
<TEI xml:space="preserve" xmlns="http://www.tei-c.org/ns/1.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.tei-c.org/ns/1.0 https://raw.githubusercontent.com/kermitt2/grobid/master/grobid-home/schemas/xsd/Grobid.xsd"
 xmlns:xlink="http://www.w3.org/1999/xlink">
	<teiHeader xml:lang="en">
		<fileDesc>
			<titleStmt>
				<title level="a" type="main">Detection of Network Covert Channels in IoT Ecosystems Using Machine Learning ⋆</title>
			</titleStmt>
			<publicationStmt>
				<publisher/>
				<availability status="unknown"><licence/></availability>
			</publicationStmt>
			<sourceDesc>
				<biblStruct>
					<analytic>
						<author>
							<persName><forename type="first">Massimo</forename><surname>Guarascio</surname></persName>
							<email>massimo.guarascio@icar.cnr.it</email>
							<affiliation key="aff0">
								<orgName type="department">ICAR -Institute for High Performance Computing and Networking</orgName>
								<address>
									<addrLine>Via Pietro Bucci, cubo 8/9C -87036</addrLine>
									<settlement>Rende</settlement>
									<country key="IT">Italy</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Marco</forename><surname>Zuppelli</surname></persName>
							<email>marco.zuppelli@ge.imati.cnr.it</email>
							<affiliation key="aff1">
								<orgName type="department">IMATI -Institute for Applied Mathematics and Information Technologies</orgName>
								<address>
									<addrLine>Via de Marini, 6 -16149</addrLine>
									<settlement>Genova</settlement>
									<country key="IT">Italy</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Nunziato</forename><surname>Cassavia</surname></persName>
							<email>nunziato.cassavia@icar.cnr.it</email>
							<affiliation key="aff0">
								<orgName type="department">ICAR -Institute for High Performance Computing and Networking</orgName>
								<address>
									<addrLine>Via Pietro Bucci, cubo 8/9C -87036</addrLine>
									<settlement>Rende</settlement>
									<country key="IT">Italy</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Giuseppe</forename><surname>Manco</surname></persName>
							<email>giuseppe.manco@icar.cnr.it</email>
							<affiliation key="aff0">
								<orgName type="department">ICAR -Institute for High Performance Computing and Networking</orgName>
								<address>
									<addrLine>Via Pietro Bucci, cubo 8/9C -87036</addrLine>
									<settlement>Rende</settlement>
									<country key="IT">Italy</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Luca</forename><surname>Caviglione</surname></persName>
							<email>luca.caviglione@ge.imati.cnr.it</email>
							<affiliation key="aff1">
								<orgName type="department">IMATI -Institute for Applied Mathematics and Information Technologies</orgName>
								<address>
									<addrLine>Via de Marini, 6 -16149</addrLine>
									<settlement>Genova</settlement>
									<country key="IT">Italy</country>
								</address>
							</affiliation>
						</author>
						<title level="a" type="main">Detection of Network Covert Channels in IoT Ecosystems Using Machine Learning ⋆</title>
					</analytic>
					<monogr>
						<idno type="ISSN">1613-0073</idno>
					</monogr>
					<idno type="MD5">8998333AADC890619C7E755102DE2CF9</idno>
				</biblStruct>
			</sourceDesc>
		</fileDesc>
		<encodingDesc>
			<appInfo>
				<application version="0.7.2" ident="GROBID" when="2023-03-19T15:50+0000">
					<desc>GROBID - A machine learning software for extracting information from scholarly documents</desc>
					<ref target="https://github.com/kermitt2/grobid"/>
				</application>
			</appInfo>
		</encodingDesc>
		<profileDesc>
			<textClass>
				<keywords>
					<term>Covert Channel</term>
					<term>Autoencoder</term>
					<term>IoT Security</term>
					<term>0000-0001-7711-9833 (M. Guarascio)</term>
					<term>0000-0001-6932-3199 (M. Zuppelli)</term>
					<term>0000-0001-9991-5021 (N. Cassavia)</term>
					<term>0000-0001-9672-3833 (G. Manco)</term>
					<term>0000-0001-6466-3354 (L. Caviglione)</term>
				</keywords>
			</textClass>
			<abstract>
<div xmlns="http://www.tei-c.org/ns/1.0"><p>Steganographic techniques and covert channels are becoming exploited by a wide-range of malware to avoid detection and bypass network security tools. With the ubiquitous diffusion of IoT nodes, such offensive schemes are expected to be used to exfiltrate data or to covertly orchestrate botnets composed of resource-constrained nodes (e.g., as it happens in Mirai). Therefore, in this paper, we present a machine learning technique for the detection of network covert channels targeting the TTL field of IPv4 datagrams. Specifically, we propose to use Autoencoders to reveal anomalous traffic behaviors. The experimental evaluation performed over realistic traffic traces showcases the effectiveness of our approach.</p></div>
			</abstract>
		</profileDesc>
	</teiHeader>
	<text xml:lang="en">
		<body>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="1.">Introduction</head><p>The Internet of Things (IoT) paradigm makes it possible to create advanced services able to interact with the physical world and to remotely operate large-scale infrastructures. As a result, the number of applications taking advantage of IoT technologies is now almost unbounded. For instance, cost-effective sensors and devices are used for entertainment and health purposes, to access and manage industrial control systems, as well as to automate homes and buildings. Unfortunately, the tight coupling between devices and physical entities, the resource-constrained nature of many nodes, and the lack of rigorous development or configuration processes are at the basis of countless security and privacy flaws <ref type="bibr" target="#b0">[1]</ref>.</p><p>Although IoT nodes are often considered simple devices, they can be used to implement effective threats. As an example, the Mirai malware makes it possible to create a large-scale botnet of devices with limited computing and connectivity resources, which has been used to launch Distributed Denial of Service (DDoS) attacks against many international organizations and sensitive targets <ref type="bibr" target="#b1">[2]</ref>.</p><p>In addition, IoT nodes can be enumerated to infer details on the physical deployment <ref type="bibr" target="#b2">[3]</ref> and their traffic can be inspected to implement various side-channel-based techniques or to conduct reconnaissance campaigns <ref type="bibr" target="#b3">[4]</ref>. Therefore, a major effort is devoted to making IoT ecosystems more secure, but this could be partially voided by the recent trend of developing malware able to remain undetected and bypass classical network security mechanisms. 
This new class of threats takes advantage of various information hiding and steganographic techniques to conceal malicious payloads in innocent-looking software assets, retrieve additional configuration files without being noticed, or covertly exfiltrate hidden information <ref type="bibr" target="#b4">[5]</ref>. Among the various attack mechanisms, the adoption of network covert channels, i.e., cloaked and parasitic communication paths nested within legitimate traffic flows, is gaining momentum. Specifically, network covert channels can be exploited to establish Command &amp; Control (C&amp;C) communications, as well as to bypass intrusion detection/prevention systems and firewalls to stealthily exchange vast volumes of personal data <ref type="bibr" target="#b4">[5,</ref><ref type="bibr" target="#b3">4]</ref>. A recent example of an attack using a network covert channel is Sunburst, which hides commands in HTTP traffic <ref type="foot" target="#foot_0">1</ref>. Due to the ubiquitous availability of devices always connected to the Internet, their intrinsic interaction with sensitive data, as well as several design flaws and limitations, completely assessing the security of IoT deployments also requires considering threats endowed with network covert channel capabilities. As regards the development of suitable mitigation techniques, machine learning approaches have proven effective for detecting a multitude of network attacks and for implementing general intrusion detection mechanisms <ref type="bibr" target="#b5">[6]</ref>. Unfortunately, countermeasures against network covert channels are poorly generalizable, since each hiding mechanism and network protocol has specific traits and behaviors <ref type="bibr" target="#b6">[7]</ref>. 
For instance, using some form of AI to reveal a channel hidden within DNS traffic <ref type="bibr" target="#b7">[8]</ref> requires a completely different inspection mechanism and metrics compared to the case of parasitic communications targeting IPv6 conversations <ref type="bibr" target="#b8">[9]</ref>. As a result, the literature abounds with attack-specific detection methodologies, and working towards a unique framework is still an open research problem (see, e.g., <ref type="bibr" target="#b9">[10]</ref> for a recent survey on the topic). A different case concerns the detection of timing channels, which are created by encoding information in temporal statistics of network traffic. To this aim, the secret information is usually hidden within the inter-packet time or in the throughput characterizing a specific stream or network conversation <ref type="bibr" target="#b4">[5,</ref><ref type="bibr" target="#b6">7]</ref>. Owing to the protocol-agnostic trait of timing protocols, several works using machine learning have been proposed <ref type="bibr" target="#b10">[11]</ref>, even by exploiting techniques originally introduced for image processing <ref type="bibr" target="#b11">[12]</ref>.</p><p>Therefore, in this work we address the problem of detecting network covert channels targeting the TTL field of IPv4 datagrams. In fact, the resource-constrained nature of IoT devices, including the use of "lean" TCP/IP protocol stacks to tame complexity, prevents malware from implementing sophisticated covert channels or computing-intensive network steganography algorithms. To develop our detection methods, we take advantage of autoencoders, which are neural networks where the target of the network is the data itself. Autoencoders make it possible to reduce dimensionality and to learn efficient encodings, and they are a convenient choice in the absence of a labeled dataset. 
This is of prime importance when addressing malware exploiting network covert channels, since it often remains undetected or undocumented until major reverse engineering or forensics investigations <ref type="bibr" target="#b12">[13]</ref>. As regards prior works considering covert channels targeting  IoT scenarios, the literature mainly focuses on timing channels, for instance to detect cloaked communications in SCADA applications <ref type="bibr" target="#b13">[14]</ref> or in the Constrained Application Protocol <ref type="bibr" target="#b14">[15]</ref>.</p><p>Summing up, the contributions of this work are: the design of a machine-learning-capable approach for detecting covert channels targeting IoT ecosystems, and a performance evaluation campaign based on realistic traffic traces commonly used in the literature. Since countermeasures could be also deployed at the border of the network in nodes with limited capabilities (e.g., home gateways) emphasis has been put on the footprint required by the proposed approach.</p><p>The remainder of the paper is structured as follows. Section 2 provides details on the considered attack model, Section 3 introduces our approach to detect covert channels targeting the TTL of IPv4 datagrams, and Section 4 showcases numerical results. Finally, Section 5 concludes the paper and outlines possible future research directions.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="2.">Attack Model and Design of the Covert Channel</head><p>This section discusses the attack model taking advantage of a network covert channel. Figure <ref type="figure" target="#fig_1">1</ref> showcases the general reference scenario. Specifically, we consider an attacker able to take control of one or more IoT nodes, for instance by dropping a malicious payload via a phishing campaign <ref type="bibr" target="#b0">[1]</ref>. The infected device will then create a network covert channel to exfiltrate data towards a remote C&amp;C server or to exchange commands with the attacker, e.g., to configure a backdoor or operate a botnet. Relying upon a network covert channel makes it possible to bypass a firewall or specific security policies enforced by a middlebox, such as a home gateway.</p><p>Even if the literature abounds with techniques for creating cloaked communication paths within network flows and real-world threats taking advantage of information hiding are multiplying <ref type="bibr" target="#b4">[5,</ref><ref type="bibr" target="#b6">7,</ref><ref type="bibr" target="#b15">16]</ref>, the resource-limited nature of IoT nodes poses constraints on the complexity of the covert channel. As a consequence, the embedding mechanism should be simple in order not to disclose the presence of the malware due to perceptible lags or anomalous depletion of batteries. At the same time, since IoT traffic often requires some form of Quality of Experience (e.g., not to postpone the execution of commands sent by the user), traffic alterations and the introduction of additional delays should be limited. Therefore, we consider a malware cloaking data within the TTL field of the IPv4 header <ref type="bibr" target="#b6">[7]</ref>. In more detail, the TTL is manipulated to implement a storage network covert channel and transport arbitrary information. 
Due to the varying nature of the TTL and in order not to appear suspicious, the malware should not directly write the secret data in the field <ref type="bibr" target="#b16">[17]</ref>. Rather, it can encode the bits 1 and 0 by increasing or decreasing the observed TTL by a suitable threshold or by using the most common values as "high" and "low" signals. Finding proper TTL values is not trivial, since their difference should be ample enough to absorb fluctuations caused by alterations of the routing and to prevent decoding errors, while not reducing the stealthiness of the channel. To design the covert channel, the attacker usually investigates the targeted network to understand "clean" traffic conditions and adapt the hiding mechanism. To tune the channel, we considered the collection of IoT traffic made available in <ref type="bibr" target="#b2">[3]</ref>. As an example, we showcase results for the 24-hour slice of data captured from September 22, 2016 at 16:00 to September 23, 2016 at 16:00, CEST <ref type="foot" target="#foot_2">2</ref>. Without loss of generality and to prevent burdening results, we removed IPv6, ICMP, DNS and NTP conversations, in addition to multicast/broadcast traffic. Figure <ref type="figure">2</ref> depicts heatmaps for the collected TTL values. As depicted in Figure <ref type="figure">2a</ref>, the values observed for the TTL are clustered, especially in the 32–64 and 208–224 ranges. This requires the attacker to encode information without using values never observed in normal conditions. Yet, traffic conditions are not static; hence, we refined our analysis by resetting the observed values each hour. Figure <ref type="figure">2b</ref> portrays the results. As shown, some values of the TTL are always present in the traffic (e.g., those around 48), whereas others have an intermittent behavior. For instance, datagrams with a TTL equal to 128 are present only for 3 hours (i.e., from the 13th to the 16th hour). 
This puts constraints on the temporal location of channels using a TTL equal to 128 as well as on their duration.</p><p>In general, channels targeting the TTL should alter datagrams in a limited manner in order to avoid macroscopic per-flow signatures <ref type="bibr" target="#b16">[17]</ref>. Moreover, TTL values highly depend on the type of nodes, hosts and appliances exchanging traffic through the network. In fact, Android and iOS devices as well as Linux hosts generate traffic with a default TTL of 64, whereas Windows nodes use a default TTL of 128 <ref type="bibr" target="#b17">[18]</ref>. Thus, another important trade-off is to avoid making the channel detectable via simple host/OS fingerprinting mechanisms.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="3.">Detecting Covert Channels With Autoencoders</head><p>This section describes the deep learning-based approach adopted to identify the presence of covert channels within traffic flows. In our scenario, the detector takes the form of an unsupervised deep neural network. The main benefit of our approach is the ability of the model to raise alarms also on never-seen attacks: this is a frequent case when dealing with covert channels, since they are often undocumented and unknown a priori. Moreover, this solution copes with the lack of labeled data, an issue typical of our application scenario. Specifically, our solution learns a neural encoder-decoder network that compresses the input data (represented by metrics computed over the traffic generated by the IoT network) within a latent space, which is then used to reconstruct the original information. Here, the main idea is that legitimate input data should be only slightly affected by the encoding/decoding procedures performed by the model, therefore the original distributions remain substantially unchanged after this process. By contrast, anomalous instances will exhibit deviant values that can lead to failures in the input reconstruction.</p><p>Although the idea of using the reconstruction error as an anomaly score to identify deviant behaviors is not new in itself, the adoption of unsupervised techniques (and in particular of autoencoder-based solutions) for detecting covert channels is quite unexplored <ref type="bibr" target="#b5">[6,</ref><ref type="bibr" target="#b10">11,</ref><ref type="bibr" target="#b9">10]</ref>. Hence, the use of autoencoders <ref type="bibr" target="#b18">[19,</ref><ref type="bibr" target="#b19">20]</ref> represents an effective approach to the unsupervised task of learning a compressed representation able to effectively summarize the main information contained in the input data. 
In essence, an autoencoder can be thought of as a neural network whose aim is to yield as output a duplicate of the input data that is as close as possible to it.</p><p>Figure <ref type="figure">3</ref> shows the considered neural architecture. As shown, the architecture is composed of two main components, named Encoder and Decoder, respectively. Let $x = \{x_1, \ldots, x_N\}$ be a set of numeric features (in our scenario, a set of statistics computed on the network traffic flow generated in a time slot). The Encoder maps the input data to a latent space, $z = \mathrm{enc}(x)$ (encoding), whereas the Decoder maps the features extracted by the encoder to the output, $y = \mathrm{dec}(z)$ (decoding). Gradient descent is used to learn the model weights by minimizing a suitable reconstruction loss. In this paper, we adopted the Mean Square Error, i.e., $\mathrm{Loss}_{MSE}(x) = \frac{1}{N} \sum_{i} \| x_i - y_i \|^2$. Notably, the architecture shown in Figure <ref type="figure">3</ref> exhibits two main differences with respect to a standard encoder-decoder model: (i) Skip Connections are used to boost the predictive performance of the model and to reduce the number of iterations required for the learning algorithm to converge, and (ii) a hybrid approach including the usage of Sparse Dense Layers is adopted to make the autoencoder more robust to noise, especially since attacks often exhibit slight differences compared with normal behaviors. In more detail, the idea behind Skip Connections is to "help" the learning phase of the decoder by providing as input to each layer of the decoder both the previous layer and the corresponding encoder layer. As regards the use of Sparse Dense Layers, this yields a wider number of discriminative features that can be used to extract a more effective latent representation.</p><p>Figure <ref type="figure" target="#fig_5">4</ref> shows how the detection of covert channels targeting the TTL of IPv4 datagrams is performed. Without loss of generality, we assume that we monitor an infinite datastream, i.e., the traffic produced by the various IoT nodes continuously feeds our detection mechanism. At pre-fixed time intervals (corresponding to a time slot in Figure <ref type="figure" target="#fig_5">4</ref>), we compute a number of statistics to describe the behavior of the TTL fields composing the aggregate traffic flow. This operation can be performed without impacting the overall traffic and by using limited computing resources (see, e.g., the use of the extended Berkeley Packet Filter (eBPF) <ref type="bibr" target="#b8">[9]</ref>). In more detail, we compute metrics such as the min, average, max, different percentiles, etc., starting from TTL values gathered from the packets composing the inspected traffic aggregate. 
First, an autoencoder, pretrained only against legitimate data flows, is used to reproduce the statistics, then the reconstruction error is computed for the current example as the MSE between $x$ and $y$. Finally, if the error is lower than a given outlierness threshold, the current data are labeled as "normal" and exploited to update the model, otherwise a warning is raised.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4.">Performance Evaluation</head><p>In this section we present the performance of the approach based on autoencoders. First, we discuss the dataset used, then we showcase numerical results.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4.1.">Dataset Preparation</head><p>To evaluate the effectiveness of our approach for detecting network covert channels targeting IoT ecosystems, we prepared an artificial dataset starting from the traffic traces made available in <ref type="bibr" target="#b2">[3]</ref>. In more detail, we used datasets containing traffic collected from September 22, 2016 at 16:00 to September 29, 2016 at 16:00, CEST. Similarly to the example of Section 2, we removed IPv6, ICMP, DNS and NTP conversations as well as multicast/broadcast traffic. To avoid unwanted signatures/fingerprints, we also removed traffic generated by non-IoT devices, such as mobile phones and laptops. We then obtained a 1-week long dataset with an overall throughput in the 5–36 kbit/s range, generated by 28 IoT endpoints, such as speakers, lights, cameras, and hubs.</p><p>To implement the considered attack template in a realistic manner, we modeled the presence of a threat tampering with a single IoT device. As an example, the attacker could gain access to the assets of the victim via phishing or by exploiting some ad-hoc CVEs <ref type="foot" target="#foot_3">3</ref>. In our scenario, we considered a malicious software targeting the Dropcam camera, which has been used to send/exfiltrate sensitive data towards a remote C&amp;C facility. To have a dataset containing fair amounts of "legitimate" and cloaked conversations, we assumed that the IoT device has been tampered with on September 27, thus the Dropcam has been under control of the attacker for 3 days.</p><p>To create the various storage network covert channels, we used the tool available in <ref type="bibr" target="#b20">[21]</ref>, which makes it possible to directly rewrite the traffic captures and implement realistic attack conditions. 
As discussed in Section 2, to not make the detection trivial, we encoded bits 1 and 0 in TTL values equal to 64 and 100, respectively. Moreover, we randomly interleaved packets containing hidden data with legitimate/unaltered packets in order to prevent long bursts of manipulated TTL values. In fact, the latter could reduce the stealthiness of the covert channel leading to a trivial detection <ref type="bibr" target="#b16">[17]</ref>. Such a behavior can be ascribed to an attacker switching the hidden communication among two states (i.e., exfiltrate data and not manipulate traffic) to remain unnoticed via elusive mechanisms. To avoid further statistical signatures, the secret data transmitted over the covert channel has been modeled with randomly-generated strings: this represents an attacker using some obfuscation technique, e.g., encryption or scrambling <ref type="bibr" target="#b21">[22]</ref>. Concerning the volume of data transmitted within the covert channel, we modeled each day of attack with a different template. Specifically, we considered the exfiltration of 69, 80, and 64 kbit of data. Such volumes can represent sensitive information like several username+password pairs or configuration details of a specific IoT device or smart hub. Moreover, assuming covert transmissions in the 64 − 80 kbit range allowed to have an IoT node accounting for a variable amount of steganographically-modified traffic. In more detail, the compromised IoT node manipulates the 18%, 1%, and 12% of the overall daily traffic, respectively.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4.2.">Pre-processing, Parameters and Evaluation Metrics</head><p>To test our approach for revealing the presence of network covert channels within traffic aggregates, we developed a prototype in Python based on the TensorFlow<ref type="foot" target="#foot_4">4</ref> library. The traffic dataset presented in Section 4.1 has been processed to obtain the following information: a progressive timestamp, the number of incoming packets within a given time slot, the average and median values of observed TTLs, the values of the 10th, 25th, 75th and 90th percentiles, minimum and maximum TTLs, as well as a label indicating the presence of the attack (i.e., for testing purposes). Recalling that our approach exploits a "slotted" architecture (see Figure <ref type="figure" target="#fig_5">4</ref>), in this work we consider a time slot with a duration of 5 seconds.</p><p>The dataset has been divided into training and test sets by using a temporal split. Specifically: (i) the data gathered in the first 96 hours only contains legitimate traffic and has been used for the learning phase of the autoencoder, whereas (ii) the remaining instances compose the test set. As a result, the training and the test set have 69,116 and 51,837 instances, respectively. To normalize the input data feeding the model, a pre-processing phase has been performed. In essence, a MinMax normalization has been used to map each feature in the range {−1, 1} in order to improve the stability of the learning process.</p><p>As discussed in Section 3, the proposed model is a neural network composed of two subnets. The Encoder has four fully-connected dense layers. Three layers have been instantiated with 32, 16, and 8 neurons and equipped with a ReLU (Rectified Linear Unit) activation function. 
The fourth layer is the latent space and can be thought of as a dense layer (shared between the encoder and the decoder) including 4 neurons, and it is equipped with a ReLU activation function. The Decoder is composed again of three fully-connected dense layers with the same dimensions and activation function. Finally, the output layer is instantiated with the same size as the input, and equipped with a Tanh activation function. This choice has been made since we want to yield an output ranging in {−1, 1}. The model is trained over 16 epochs with a batch size of 16.</p><p>To assess the detection capabilities, we computed the following performance metrics. Let us define $TP$ as the number of positive cases correctly classified, $FP$ as the number of negative cases incorrectly classified as positive, $FN$ as the number of positive cases incorrectly classified as negative, and $TN$ as the number of negative cases correctly classified. Then, we considered the following metrics: the Accuracy, defined as the fraction of cases correctly classified, i.e., $\frac{TP + TN}{TP + FP + FN + TN}$, the Precision and the Recall to measure the accuracy in identifying attacks and avoiding false alarms, i.e., $\frac{TP}{TP + FP}$ and $\frac{TP}{TP + FN}$, respectively. We also considered the F-Measure to summarize the overall system performance as the harmonic mean of Precision and Recall.</p><p>Lastly, to perform experiments, we used a machine equipped with 32 Gb RAM, an Intel i7-4790K CPU @4.00GHz and a 1Tb SSD disk drive.</p></div>
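<div xmlns="http://www.tei-c.org/ns/1.0"><p>The per-slot TTL statistics and the MinMax step described in this section, as an added sketch in plain Python (not the authors' TensorFlow prototype). The packet lists are constructed sample data, the linear-interpolation percentile and the handling of constant features are assumptions, and the names slot_features, MinMaxScaler, constructed_packets and demo are illustrative.</p>

```python
import math
import statistics
from collections import defaultdict

SLOT_SECONDS = 5  # slot duration stated in Section 4.2
FEATURES = ("count", "mean", "median", "p10", "p25", "p75", "p90", "min", "max")


def percentile(sorted_vals, q):
    """Percentile q (0..100) of a sorted list, linear interpolation (assumed)."""
    pos = (len(sorted_vals) - 1) * q / 100.0
    lo, hi = math.floor(pos), math.ceil(pos)
    return sorted_vals[lo] + (sorted_vals[hi] - sorted_vals[lo]) * (pos - lo)


def slot_features(packets, slot_seconds=SLOT_SECONDS):
    """Summarise the TTLs of (timestamp, ttl) pairs per fixed-length slot.

    Packets of all devices are pooled, so no per-flow state is kept.
    Returns {slot_index: [values in FEATURES order]}.
    """
    slots = defaultdict(list)
    for ts, ttl in packets:
        if ttl > 255 or 0 > ttl:
            raise ValueError(f"TTL out of range: {ttl}")
        slots[int(ts // slot_seconds)].append(ttl)
    features = {}
    for idx in sorted(slots):
        v = sorted(slots[idx])
        features[idx] = [len(v), statistics.fmean(v), statistics.median(v),
                         percentile(v, 10), percentile(v, 25),
                         percentile(v, 75), percentile(v, 90), v[0], v[-1]]
    return features


class MinMaxScaler:
    """MinMax scaling to [-1, 1], fitted on legitimate (training) slots only."""

    def fit(self, rows):
        cols = list(zip(*rows))
        self.lo = [min(c) for c in cols]
        self.hi = [max(c) for c in cols]
        return self

    def transform(self, row):
        out = []
        for x, lo, hi in zip(row, self.lo, self.hi):
            span = hi - lo
            # A feature that never varied in training has no scale: keep the
            # training value at 0 and leave any later deviation visible.
            out.append(float(x - lo) if span == 0
                       else 2.0 * (x - lo) / span - 1.0)
        return out


def constructed_packets(ttls, slot_index, slot_seconds=SLOT_SECONDS):
    """Spread a list of TTLs evenly inside one slot (constructed sample data)."""
    step = slot_seconds / len(ttls)
    return [(slot_index * slot_seconds + i * step, t) for i, t in enumerate(ttls)]


# Constructed legitimate slots: TTLs near the clusters named in Section 2.
TRAIN_SLOTS = [
    [48] * 6 + [64] * 10 + [220] * 5,
    [48] * 5 + [64] * 9 + [220] * 7,
    [48] * 8 + [64] * 12 + [220] * 5,
    [40] * 4 + [64] * 10 + [212] * 3,
]
# Constructed slot in which some packets carry the 64/100 values of Section 4.1.
MANIPULATED_SLOT = [48] * 6 + [64] * 8 + [100] * 3 + [220] * 4


def demo():
    """Fit the scaler on the clean slots and scale the manipulated one."""
    packets = []
    for i, ttls in enumerate(TRAIN_SLOTS):
        packets += constructed_packets(ttls, i)
    train = slot_features(packets)
    scaler = MinMaxScaler().fit(list(train.values()))
    idx = len(TRAIN_SLOTS)
    raw = slot_features(constructed_packets(MANIPULATED_SLOT, idx))[idx]
    return dict(zip(FEATURES, scaler.transform(raw)))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:7s} {value:+.3f}")
```

<p>In this constructed sample every scaled feature of the manipulated slot stays inside [−1, 1]; the slot differs from the clean ones only in the joint pattern (the 75th percentile sits at 100, a value no clean slot produced), which a fixed per-feature range check would not flag.</p>
</div>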
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4.3.">Numerical Results</head><p>Since the outlierness threshold can influence the detection capability of the proposed approach, we investigated its impact. As the autoencoder model is trained only against legitimate data (i.e., clean traffic produced by IoT nodes), we computed the outlierness degree for each slot composing the training set. We then selected as the anomaly threshold the values corresponding to the 90th, 95th and 99th percentiles. A detailed breakdown is depicted in Figure <ref type="figure" target="#fig_6">5</ref>.</p><p>Table <ref type="table" target="#tab_1">1</ref> reports experimental results obtained by taking into account different outlierness thresholds computed over the training set. As shown, collected values exhibit an intuitive behavior, i.e., when a more restrictive threshold is selected (99th percentile), the approach exhibits a good precision (∼ 94%), but a percentage of slots containing a network covert channel is not correctly recognized. By contrast, a looser threshold value (90th percentile) improves the probability of detection (∼ 99% of recall), but a higher number of false alarms is raised. This can be mitigated by considering our mechanism as a first stage of a more complex detection chain, which can trigger more resource-consuming approaches such as deep packet inspection. Yet, the best setting is the one where the 95th percentile is used, since it guarantees the highest value in terms of F-Measure. This represents the best trade-off between the probability of detecting the presence of a covert communication and the false alarm rate.</p><p>Moreover, Figure <ref type="figure" target="#fig_7">6</ref> portrays the distribution of the outlierness degree for a window including a marked number of compromised time slots. As can be seen, the outlierness degree exhibits higher values than the ones reported in Figure <ref type="figure" target="#fig_6">5</ref>. 
In some cases, the outlierness is one order of magnitude higher than the outlierness max value computed on the training set. This event represents the presence of a covert communication within the bulk of traffic, thus leading to a "deviation" in the output of the neural network.</p><p>Lastly, as regards the feasibility of deploying our approach in realistic settings, we point out that its resource footprint is very limited. In more detail, gathering information about the TTL usually accounts for an additional packet delay of ∼ 100 ns when using eBPF and 1 ms with a C implementation exploiting libpcap over commodity hardware. Instead, apart from the training phase, which can be done offline, the average prediction time is 0.0132 ms. Another important aspect concerns the "stateless" nature of the approach. In fact, the used neural architecture performs the detection of covert communications by using information on the overall traffic (grouped in time slots), which prevents memory consumption due to the need of storing information with a per-flow granularity. Thus, the proposed approach should be considered suitable for being implemented in home gateways often used in production-quality IoT ecosystems.</p></div>
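<div xmlns="http://www.tei-c.org/ns/1.0"><p>How the percentile-based outlierness thresholds interact with the metrics defined in Section 4.2, as an added Python sketch (not the authors' code). The reconstruction-error values and labels are constructed and do not reproduce Table 1; the function names are illustrative.</p>

```python
import statistics


def outlierness_thresholds(train_errors, percentiles=(90, 95, 99)):
    """Thresholds taken from reconstruction errors of legitimate slots only."""
    cuts = statistics.quantiles(train_errors, n=100, method="inclusive")
    return {q: cuts[q - 1] for q in percentiles}


def evaluate(errors, labels, threshold):
    """Label each slot and score the labelling.

    A slot raises a warning when its error is not lower than the threshold;
    labels use 1 for slots that contain the covert channel.
    """
    tp = fp = fn = tn = 0
    for err, attack in zip(errors, labels):
        warned = err >= threshold
        if warned and attack:
            tp += 1
        elif warned:
            fp += 1
        elif attack:
            fn += 1
        else:
            tn += 1
    # Guard the ratios: a very strict threshold may raise no warning at all.
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_measure = (2 * precision * recall / (precision + recall)
                 if precision + recall else 0.0)
    total = tp + fp + fn + tn
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "accuracy": (tp + tn) / total if total else 0.0,
            "precision": precision, "recall": recall, "f_measure": f_measure}


def sweep(train_errors, test_errors, test_labels, percentiles=(90, 95, 99)):
    """Evaluate every candidate percentile and return the best one by F-Measure."""
    thresholds = outlierness_thresholds(train_errors, percentiles)
    results = {q: evaluate(test_errors, test_labels, t)
               for q, t in thresholds.items()}
    best = max(results, key=lambda q: results[q]["f_measure"])
    return thresholds, results, best


# Constructed MSE values for 21 legitimate training slots.
TRAIN_ERRORS = [0.002, 0.003, 0.003, 0.004, 0.004, 0.005, 0.005,
                0.006, 0.006, 0.007, 0.007, 0.008, 0.009, 0.010,
                0.011, 0.012, 0.014, 0.016, 0.020, 0.030, 0.080]
# Constructed test slots as (MSE, label); label 1 marks a manipulated slot.
TEST_SLOTS = [(0.004, 0), (0.009, 0), (0.015, 0), (0.025, 0), (0.028, 0),
              (0.040, 0), (0.006, 0), (0.300, 1), (0.120, 1), (0.075, 1),
              (0.050, 1), (0.035, 1), (0.500, 1), (0.024, 1)]


def demo():
    errors = [e for e, _ in TEST_SLOTS]
    labels = [y for _, y in TEST_SLOTS]
    return sweep(TRAIN_ERRORS, errors, labels)


if __name__ == "__main__":
    thresholds, results, best = demo()
    for q in thresholds:
        r = results[q]
        print(f"p{q}: thr={thresholds[q]:.3f} precision={r['precision']:.2f} "
              f"recall={r['recall']:.2f} F={r['f_measure']:.2f}")
    print("best percentile by F-Measure:", best)
```
</div>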
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="5.">Conclusions and Future Work</head><p>In this paper, we presented a lightweight mechanism based on autoencoders for detecting network covert channels targeting IoT scenarios. Results indicated the effectiveness of our approach, i.e., the method can achieve the values of ∼ 91% and ∼ 94% for the accuracy and the precision, respectively. Although our solution addresses a specific case, it can be easily generalized to handle different network covert channels and environments, e.g., by considering an ensemble of specialized detectors combined to reveal attacks on different carriers.</p><p>Future work aims at refining the proposed framework by considering other types of network covert channels. At the same time, part of our ongoing research is devoted to developing some form of "intermediate" representations, which can be used to exploit a unique mechanism to face different threats. We are working towards general metrics that could partially compensate for the tight coupling between the used hiding methodology/protocol and the countermeasure.</p></div><figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_1"><head>Figure 1 :</head><label>1</label><figDesc>Figure 1: Attack model considering a malware sending data towards a remote command and control facility via a network covert channel created within the TTL field of IPv4 traffic.</figDesc></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_2"><head></head><label></label><figDesc>Heatmap computed on 1-hour long slices</figDesc></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_3"><head>Figure 2 :Figure 3 :</head><label>23</label><figDesc>Figure 2: Various heatmaps computed over a 24h traffic trace.</figDesc><graphic coords="5,125.74,100.13,141.95,111.48" type="bitmap" /></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_5"><head>Figure 4 :</head><label>4</label><figDesc>Figure 4: Detection mechanism used to reveal the presence of network covert channels.</figDesc></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_6"><head>Figure 5 :</head><label>5</label><figDesc>Figure 5: Training-set outlierness with different threshold values.</figDesc><graphic coords="10,139.30,84.20,316.66,131.94" type="bitmap" /></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_7"><head>Figure 6 :</head><label>6</label><figDesc>Figure 6: Test-set outlierness.</figDesc><graphic coords="10,139.30,255.54,316.66,131.94" type="bitmap" /></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" type="table" xml:id="tab_1"><head>Table 1</head><label>1</label><figDesc>Experimental results for different outlier thresholds. Values have been selected by computing the outlier scores against the training set and by extracting the corresponding percentile values.</figDesc><table><row><cell>Threshold Values</cell><cell>Accuracy</cell><cell>Precision</cell><cell>Recall</cell><cell>F-Measure</cell></row><row><cell>0.040 (90th perc.)</cell><cell>0.872</cell><cell>0.729</cell><cell>0.991</cell><cell>0.840</cell></row><row><cell>0.055 (95th perc.)</cell><cell>0.901</cell><cell>0.791</cell><cell>0.964</cell><cell>0.869</cell></row><row><cell>0.126 (99th perc.)</cell><cell>0.910</cell><cell>0.937</cell><cell>0.786</cell><cell>0.855</cell></row></table></figure>
			<note xmlns="http://www.tei-c.org/ns/1.0" place="foot" n="1" xml:id="foot_0">An updated list of attacks leveraging information hiding, steganography, and covert channels observed "in the wild" is available online at: https://github.com/lucacav/steg-in-the-wild [Last Accessed: June 2022].</note>
			<note xmlns="http://www.tei-c.org/ns/1.0" place="foot" n="2" xml:id="foot_2">Data collected for IEEE TMC 2018, University of New South Wales, Sydney. Available online at: https://iotanalytics.unsw.edu.au/iottraces.html [Last Accessed: June 2022].</note>
			<note xmlns="http://www.tei-c.org/ns/1.0" place="foot" n="3" xml:id="foot_3">List of CVEs targeting IoT nodes/devices maintained by MITRE. Available online at: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=iot [Last Accessed: June 2022].</note>
			<note xmlns="http://www.tei-c.org/ns/1.0" place="foot" n="4" xml:id="foot_4">TensorFlow machine learning library. Available online at: https://www.tensorflow.org/ [Last Accessed: June 2022].</note>
		</body>
		<back>

			<div type="acknowledgement">
<div xmlns="http://www.tei-c.org/ns/1.0"><head>Acknowledgments</head><p>This work has been partially supported by the H2020 Program within the framework of SIMARGL (Grant Agreement No. 833042), and CyberSec4Europe (Grant Agreement No. 830929).</p></div>
			</div>

		</back>
	</text>
</TEI>
