Covert Communication Detection (CoCoDe)

Technical Report | Accession Number: AD1165846

Abstract:

This project studied covert communication channels, focusing in particular on means of detecting distributed covert networks. Covert communication channels (also known as network steganography) allow a hidden sender and a hidden receiver to exchange secret data. These covert communication channels can be used to conduct command and control of malicious servers, exfiltrate confidential data, or download further malicious code without the user being made aware. Thus, covert channel detection is a very important topic for any large organization with sensitive data, and particularly for the Department of Defense. Hundreds of techniques can be used to create covert channels; some of the most common are to place data into unused fields of network protocol headers, change the size of network packets, manipulate inter-packet timing or order, or alter header elements (e.g., HTTP plaintext header lines). As adversaries grow in capability, more and more complex forms of covert channels will appear, becoming increasingly difficult to detect and increasing in bandwidth. This includes, for example, steganographic botnets in which all communication between bots is realized using some form of data hiding. The most concerning type of information hiding for botnets involves the study of Distributed Network Covert Channels (DNCCs). Over the course of 3.5 years, the 5-member research team (the PI, Co-PI, a PhD student, and two Masters students) used theoretical and experimental approaches to conduct covert channel research focusing on DNCCs. Overall, the research team produced four conference papers and two journal articles. The conference papers were published at the annual Availability, Reliability and Security (ARES) conference, sponsored by the Association for Computing Machinery (ACM), in the years 2018, 2019, 2020, and 2021. The ARES conference, and ACM in particular, has a high academic pedigree.

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution Code:
A - Approved For Public Release
Distribution Statement: Public Release

RECORD

Collection: TRECMS