Steffen Wendzel

Hochschule Worms · ZTT

Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques...

Building Automation Systems (BAS) are crucial to monitor and control buildings, ranging from small homes to critical infrastructure, such as airports or military facilities. A major problem in this context is the security of BAS communication protocols and devices. The building automation and control networking protocol (BACnet) is integrated into...

A unified understanding of terms and their applicability is essential for every scientific discipline: steganography is no exception. Being divided into several domains (for instance, text steganography, digital media steganography, and network steganography), it is crucial to provide a unified terminology as well as a taxonomy that is not limited...

Covert channels are unforeseen and stealthy communication channels that enable manifold adversary scenarios, such as the covert exfiltration of confidential data or the stealthy orchestration of botnets. However, they can also allow the exchange of confidential information by journalists. All covert channels described until now therefore need to cr...

Network covert channels are applied for the secret exfiltration of confidential data, the stealthy operation of malware, and legitimate purposes, such as censorship circumvention. In recent decades, some major detection methods for network covert channels have been developed. In this paper, we investigate two highly cited detection methods for cove...

Objective. Gradient-based optimization using algorithmic derivatives can be a useful technique to improve engineering designs with respect to a computer-implemented objective function. Likewise, uncertainty quantification through computer simulations can be carried out by means of derivatives of the computer simulation. However, the effectiveness o...

Objective. Proton therapy is highly sensitive to range uncertainties due to the nature of the dose deposition of charged particles. To ensure treatment quality, range verification methods can be used to verify that the individual spots in a pencil beam scanning treatment fraction match the treatment plan. This study introduces a novel metric for pr...

During the last decade, the Internet of Things (IoT) has become a central enabler for technological developments and services, such as ambient assisted living and localization services. Billions of smart devices have been sold, with many aged devices still in use today. In several cases, such aged smart devices do not receive security updates after...

The Bergen proton Computed Tomography (pCT) is a prototype detector under construction. It aims to have the capability to track and measure ions’ energy deposition to minimize uncertainty in proton treatment planning. It is a high granularity digital tracking calorimeter, where the first two layers will act as tracking layers to obtain positional i...

Every scientific domain benefits from a unified understanding and categorization of terms. This article highlights lessons learned from several years of taxonomy and terminology research in a cybersecurity domain.

Attacks on industrial control systems (ICS) have been intensively studied during the last decade. Malicious alternations of ICS can appear in several different ways, e.g., in changed network traffic patterns or in modified data stored on ICS components. While several heuristics and machine learning methods have been proposed to analyze different ty...

A unified understanding of terms and their applicability is essential for every scientific discipline: steganography is no exception. Being divided into several domains (for instance, text steganography, digital media steganography, and network steganography), it is crucial to provide a unified terminology as well as a taxonomy that is not limited...

A unified understanding of terms and their applicability is essential for every scientific discipline: steganography is no exception. Being divided into several domains (for instance, text steganography, digital media steganography, and network steganography), it is crucial to provide a unified terminology as well as a taxonomy that is not limited...

Challenge-response authentication is an essential and omnipresent network service. Thus, it is a lucrative target for attackers to transport covert information. We present two covert channels in nonce-based network authentication that allow the encrypted transfer of covert information. Both channels exploit fundamental problems , not contained to t...

The number of Android devices in both home and professional environments is growing rapidly and, as time passes, so does the number of aging devices. Outdated devices are often less secure, e.g., due to a lack of available patches. Thus, environments in which such devices are deployed tend to possess a broader attack surface. Therefore, in this wo...

``Hiding patterns'' are an abstraction for describing various steganographic and information hiding approaches. Originally introduced in 2014, they have been subject to modifications and improvements through the years. In this paper, we review the development of the hiding patterns approach and propose a new definition for part of the terminology.

Within the last few years, indirect network-level covert channels have experienced a renaissance with new ideas and evolving concepts. Logical network separation may now be crossed and the sending and receiving activities can be performed with temporal distance between sending and receiving operations. Despite these new developments, all indirect n...

In current research, reversible network-level covert channels are receiving more and more attention. The restoration of the original data leaves little evidence for detection, especially if the implementation is plausibly deniable. Recently, such a channel based on one-time password hash chains has been published. The covert channel uses repeated c...

Im Bereich der Informatik konnte bereits aufgezeigt werden, dass es eine geringere Anzahl an weiblichen Autoren von wissenschaftlichen Publikationen gibt. Wir untersuchen die Frage, ob es ein ähnliches Verhältnis bei Publikationen im Teilbereich Cybersecurity gibt, ob Frauen seltener zitiert werden als Männer und ob ein Trend in den letzten 10 Jahr...

This special issue presents five articles that address the topic of replicability and scientific methodology in information security research, featuring two extended articles from the 2021 International Workshop on Information Security Methodology and Replication Studies (IWSMR). This special issue also comprises two distinguished dissertations.

Algorithmic derivatives can be useful to quantify uncertainties and optimize parameters using computer simulations. Whether they actually are, depends on how "well-linearizable" the program is. Proton computed tomography (pCT) is a medical imaging technology with the potential to increase the spatial accuracy of the dose delivered in proton-beam ra...

The DICOM (Digital Imaging and COmmunication in Medicine) standard provides a framework for a diagnostically-accurate representation, processing, transfer, storage and display of medical imaging data. Information hiding in DICOM is currently limited to the application of digital media steganography and watermarking techniques on the media parts of...

Guest editorial for the special issue Multidisciplinary solutions to modern cybersecurity challenges.

Over the last few years, people have been reshaping their homes into smart hubs owing to a wide array of Internet of Things (IoT) devices, including interconnected lights, locks, sensors, cameras, actuators, wearables, and appliances accessible through the Internet that can be controlled locally via voice or remotely though mobile phones. As a cons...

In the last years, the utilization of information hiding techniques for empowering modern strains of malware has become a serious concern for security experts. Such an approach allows attackers to act in a stealthy manner, for instance, to covertly exfiltrate confidential data or retrieve additional command & control payloads for the operation of m...

The Internet of Things (IoT) and the Industrial Internet of Things (IIoT) are fast growing areas. Therefore, several protocols are specifically designed for these domains. CoAP (Constrained Application Protocol) is one of the more common ones. This lightweight protocol typically communicates over UDP, but can also use TCP and other carrier protocol...

Attacks on industrial control systems (ICS) have been intensively studied during the last decade. Malicious alternations of ICS can appear in several different ways, e.g. in changed network traffic patterns or in the data stored on ICS’ components. While several heuristics and machine learning methods have been proposed to analyze different types o...

The protection of industrial control systems (ICS) is crucial for a robust provision of essential services for the modern society. Stealthy and steganographic attacks are a considerable threat against the reliability and security of such ICS. Several ICS components are maintained via the popular Totally Integrated Automation (TIA) project software....

The detection and elimination of covert channels are performed by a network node, known as a warden. Especially if faced with adaptive covert communication parties, a regular warden equipped with a static set of normalization rules is ineffective compared to a dynamic warden. However, dynamic wardens rely on periodically changing rule sets and have...

Was haben alle Supercomputer der Welt, mehr als 75 % der Internet-Server und ein Großteil der Systeme in Microsofts Azure-Cloud gemeinsam? Sie alle nutzen Linux! Das offene Betriebssystem hält die IT-Welt zusammen und ist eine wichtige Grundlage in jedem IT-Beruf oder im Informatikstudium. Wie Linux genau funktioniert und wie Sie sich sicher im Lin...

This special issue was desired to foster the progress in research on the development of novel defense methods in information security, especially for sophisticated and networked/hyper-connected systems, including those within IoT and CPS scenarios.

The detection and elimination of covert channels are performed by a network node, known as a warden. Especially if faced with adaptive covert communication parties, a regular warden equipped with a static set of normalization rules is ineffective compared to a dynamic warden. However, dynamic wardens rely on periodically changing rule sets and have...

Steganography embraces several hiding techniques which spawn across multiple domains. However, the related terminology is not unified among the different domains, such as digital media steganography, text steganography, cyber-physical systems steganography, network steganography (network covert channels), local covert channels, and out-of-band cove...

The appearance of novel ideas for network covert channels leads to an urge for developing new detection approaches. One of these new ideas are reversible network covert channels that are able to restore the original overt information without leaving any direct evidence of their appearance. Some of these reversible covert channels are based upon com...

The number of citations attracted by publications is a key criteria for measuring their success. To avoid discriminating newer research, such a metric is usually measured in average yearly citations. Understanding and characterizing how citations behave have been prime research topics, yet investigations targeting the cybersecurity domain seem to b...

The increasing application of ICT technologies to medicine opens new usage patterns. Among the various standards, the Digital Imaging and COmmunication in Medicine (DICOM) has been gaining momentum, mainly due to its complete coverage of the diagnostic pipeline, including key applications such as CT, MRI and ultra-sound scanners. However, owing to...

Background Proton computed tomography (pCT) and radiography (pRad) are proposed modalities for improved treatment plan accuracy and in situ treatment validation in proton therapy. The pCT system of the Bergen pCT collaboration is able to handle very high particle intensities by means of track reconstruction. However, incorrectly reconstructed and s...

Dieses Buch liefert das Fundament, um die Konzeption von TCP/IP- und IoT-Netzwerken und ihre Sicherheit in einer zunehmend vernetzten Welt zu verstehen. Es erläutert Angriffe und Schutzmechanismen und vereint praxisrelevantes Know-how mit den wissenschaftlichen Grundlagen und aktuellen Forschungsideen zu einem umfassenden Werk. Dabei legt der Autor...

Dieses Kapitel befasst sich mit Angriffen auf die Netzwerkprotokolle der verschiedenen Schichten des TCP/IP-Modells. Beginnend mit der Netzzugangsschicht werden schließlich Angriffe auf die Anwendungsschicht erläutert.

In recent years, malware is increasingly applying means of hidden communication. The emergence of network-capable stegomalware applies such methods to communication networks. In this paper, we introduce and evaluate two covert channels that utilize reconnections to transmit hidden information in WiFi networks. We implement these covert channels in...

Steganography embraces several hiding techniques which spawn across multiple domains. However, the related terminology is not unified among the different domains, such as digital media steganography, text steganography, cyber-physical systems steganography, network steganography (network covert channels), local covert channels, and out-of-band cove...

In recent years, malware is increasingly applying means of hidden communication. The emergence of network-capable stegomalware applies such methods to communication networks. In this paper, we introduce and evaluate two covert channels that utilize reconnections to transmit hidden information in WiFi networks. We implement these covert channels in...

Original paper: https://doi.org/10.1016/j.future.2018.12.047 Network covert channels are hidden communication channels in computer networks. They influence several factors of the cybersecurity economy. For instance, by improving the stealthiness of botnet communications, they aid and preserve the value of darknet botnet sales. Covert channels can...

Detection methods are available for several known covert channels. However, a type of covert channel that received little attention within the last decade is the "message ordering" channel. Such a covert channel changes the order of PDUs (protocol data units, i.e. packets) transferred over the network to encode hidden information. The advantage of...

Message Queuing Telemetry Transport (MQTT) is a publish-subscribe protocol which is currently popular in Internet of Things (IoT) applications. Recently its 5.0 version has been introduced and ensuring that it is capable of providing services in a secure manner is of great importance. It must be noted that holistic security analysis should also eva...

Covert channels enable stealthy communications over innocent appearing carriers. They are increasingly applied in the network context. However, little work is available that exploits cryptographic primitives in the networking context to establish such covert communications. We present a covert channel between two devices where one device authentica...

We present a covert channel between two network devices where one authenticates itself with Lamport's one-time passwords based on a cryptographic hash function. Our channel enables plausible deniability. We also present countermeasures to detect the presence of such a covert channel, which are non-trivial because hash values are randomly looking bi...

Data of industrial control systems (ICS) are increasingly subject to cyber attacks which should be detected by approaches such as anomaly detection before they can take effect. However, examples such as Stuxnet, Industroyer or Triton show that, despite all the precautions taken, it is still possible to overcome anomaly detection systems and cause d...

The European Interdisciplinary Cybersecurity Conference – EICC 2020 aims at establishing a venue for the exchange of information on cybersecurity and its many aspects between academics and practitioners in Europe. EICC was formerly known as the Central European Cybersecurity Conference – CECC and has been rebranded to underscore the interdisciplina...

In recent years, research started to focus on the scientific fundamentals of information security. These fundamentals include several important aspects such as the unified description of attacks and countermeasures, the reproducibility of experiments and means to achieve this reproducibility, the sharing of research data and code, the discussion of...

Recently, new methods were discovered to secretly store information in network protocol caches by exploiting functionalities of ARP and SNMP. Such a covert storage cache is referred to as a "Dead Drop". In our present research, we demonstrate that hidden information can also be stored on systems with an active NTP service. We present one method bas...

Covert channels nested within network traffic are important tools for allowing malware to act unnoticed or to stealthily exchange and exfiltrate information. Thus, understanding how to detect or mitigate their utilization is of paramount importance, especially to counteract the rise of increasingly sophisticated threats. In this perspective, the li...

Published in ACM Computing Reviews (ISSN 1530-6585), Review #: CR147026. Full-text: http://www.computingreviews.com/review/review_review.cfm?review_id=147026&listname=todaysissuebook Timothy Carone provides a visionary outlook on what will probably be called our digitized future. The book is split into 11 chapters. First, the author introduces au...

Network covert channels enable stealthy communications for malware and data exfiltration. For this reason, developing effective countermeasures for these threats is important for the protection of individuals and organizations. However, due to the large number of available covert channel techniques, it is considered impractical to develop counterme...

Network covert channels are a part of the information hiding research area that deals with the secret transfer of information over communication networks. Covert channels can be utilized, for instance, for data leakage and stealthy malware communications. While data hiding in communication networks has been studied within the last years for several...

The understanding of the inner workings of a research community is essential to evaluate the impact of an author as well as to decide where and how to publish results. One of the key metrics is the number of citations that a publication receives. In parallel, information security is now a key and strategic area, partially fueled by the advent of th...

Full-text: http://www.wendzel.de/dr.org/files/Papers/thesis_with_cover.pdf Network information hiding is the research discipline that deals with the concealment of network transmissions or their characteristics. It serves as an umbrella for multiple research domains, namely network covert channel research, network steganography research, and traff...

“Smart” has gradually infiltrating all areas of people's daily life and the environments where we lead our life. The term of “Smart Industrial Environment” can be used to refer to each aspect of the industrial environments focused on the future, being smart vehicles, smart systems of transportation, smart devices (wearables and smartphones), smart...

Network covert channels enable various secret data exchange scenarios among two or more secret parties via a communication network. The diversity of the existing network covert channel techniques has rapidly increased due to research during the last couple of years and most of them share the same characteristics, i.e., they require a direct communi...

The use of network covert channels to improve privacy or support security threats has been widely discussed in the literature. As today, the totality of works mainly focuses on how to not disrupt the overt traffic flow and the performance of the covert channels in terms of undetectability and capacity. To not void the stealthiness of the channel, a...

Detection methods are available for several known covert channels. However, a type of covert channel that received little attention within the last decade is the "message ordering" channel. Such a covert channel changes the order of PDUs (protocol data units, i.e. packets) transferred over the network to encode hidden information. The advantage of...

Today, digital forensics experts must operate in a multidisciplinary environment that requires mastery of many disciplines, including law, computer science, finance, networking, data mining, and criminal justice. Meanwhile, cybercriminal activities often compel law-enforcement agencies to investigate across international borders, which means dealin...

Network covert channels are hidden communication channels in computer networks. They influence several factors of the cybersecurity economy. For instance, by improving the stealthiness of botnet communications, they aid and preserve the value of darknet botnet sales. Covert channels can also be used to secretly exfiltrate confidential data out of o...

In this paper we describe the implementation and detection of a novel approach for a TCP retransmission-based covert channel. We implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based network channels, namely the ε-similarity and the compressibility. The ε-similarity originally measur...

Network covert channels enable stealthy communications for malware and data exfiltration. For this reason, the development of effective countermeasures for covert channels is significant for the protection of individuals and organizations. However, due to the number of available covert channel hiding techniques, it can be considered impractical to...

Die Bedeutung der digitalen Infrastruktur, insbesondere von Netzwerken, ist in den letzten zehn Jahren kontinuierlich gestiegen. Das gilt gleichermaßen für die IT-Sicherheit. Denn ohne sichere Netzwerke können Technologien wie Künstliche Intelligenz oder das Internet der Dinge weder betrieben noch weiterentwickelt werden. Dieses Buch liefert das F...

In network information hiding, hiding patterns are used to describe hiding methods and their taxonomy. In this paper, we analyze the current state of hiding patterns and we further improve their taxonomy. In order to more thoroughly characterize and understand data hiding methods applied to communication networks we propose to distinguish between s...

The understanding of the inner workings of a research community is essential for the success of an author's academic publications. One of the key metrics for the evaluation of researchers is the number of citations that their publications receive. To understand citation behavior of an academic community, existing publication's citations can be stud...

Dieses Kapitel befasst sich mit Angriffen auf die Netzwerkprotokolle der verschiedenen Schichten des TCP/IP-Modells. Beginnend mit der untersten Schicht des TCP/IP-Modells werden schließlich Angriffe auf die Anwendungsschicht erläutert.

Dieses Kapitel führt Sie in die Grundzüge der IT-Sicherheit für Netzwerke ein. Es erläutert Grundbegriffe und elementare Konzepte, die zum Verständnis der folgenden Kapitel von Bedeutung sind.

Dieses Kapitel führt die Grundlagen der IT-Sicherheit ein. Es betrachtet die wichtigsten Begriffe samt Schutzzielen, zentrale Aspekte von Authentifizierung und Zugriffsschutz, das Thema Privatsphäre sowie Schadsoftware. Außerdem gibt es einen Einblick in nicht-technische Bereiche, die mit der IT-Sicherheit in Verbindung stehen. Das Kapitel schließt...

Dieses Kapitel stellt eine Einführung in die Kryptografie dar. Es behandelt Grundbegriffe sowie historische Verfahren (Caesar, Vigenère, Vernam) und deren Kryptoanalyse (Friedman-Angriff und Kasiski-Test). Anschließend vermittelt es die Funktionsweise bedeutsamer Strom- und Blockchiffren ((3)DES und AES) sowie die Grundlagen von Zufallszahlengenera...

Dieses Kapitel führt in die IT-Sicherheit für das Internet der Dinge (IoT) ein. Zunächst wird definiert, was das IoT ist und weshalb IT-Sicherheit im IoT sich von der IT-Sicherheit in klassischen Netzwerken unterscheidet. Es wird erläutert, weshalb im IoT ein Mangel an IT-Sicherheit herrscht und welche Rolle Standardisierung dabei spielt. Anschließ...

Dieses Kapitel befasst sich mit den Grundlagen der Netzwerktechnik. Insbesondere werden dabei selektierte Aspekte betrachtet, die zum Verständnis des restlichen Buches notwendig sind. Sie erhalten ein Verständnis für die Funktionsweise und die Fähigkeiten von diversen Netzwerkprotokollen. Zum einen ist dies notwendig, um Angriffe zu verstehen. Zum...

Dieses Kapitel führt in die Grundlagen der Public Key Infrastructure (PKI) und der Virtuellen Privaten Netzwerke (VPN), insbesondere IPSec und TLS, ein. Anschließend werden die technischen Grundzüge des Onion Routings betrachtet und das Gebiet der visuellen Kryptografie vorgestellt. Das Kapitel schließt mit einer kurzen Betrachtung der drei Gebiete...

In diesem Kapitel werden Techniken zur Absicherung von einzelnen Netzwerkschichten behandelt. Es beginnt dabei mit der Netzzugangsschicht des TCP/IP-Modells und endet bei der Anwendungsschicht.

Dieses Kapitel führt in die Netzwerksteganografie und verdeckte Kanäle ein. Betrachtet werden dabei die grundlegende Terminologie sowie die bekannten Versteckmuster und selektierte Gegenmaßnahmen.

In diesem Kapitel werden Techniken zur Absicherung von einzelnen Netzwerkschichten behandelt. Es beginnt dabei mit der Netzzugangsschicht des TCP/IP-Modells und endet bei der Anwendungsschicht.

Dieses Kapitel führt in die IT-Sicherheit für das Internet der Dinge (IoT) ein. Zunächst wird definiert, was das IoT ist und weshalb IT-Sicherheit im IoT sich von der IT-Sicherheit in klassischen Netzwerken unterscheidet. Es wird erläutert, weshalb im IoT ein Mangel an IT-Sicherheit herrscht und welche Rolle Standardisierung dabei spielt. Anschließ...

Dieses Kapitel befasst sich mit den Grundlagen der Netzwerktechnik. Insbesondere werden dabei selektierte Aspekte betrachtet, die zum Verständnis des restlichen Buches notwendig sind. Sie erhalten ein Verständnis für die Funktionsweise und die Fähigkeiten von diversen Netzwerkprotokollen. Zum einen ist dies notwendig, um Angriffe zu verstehen. Zum...

Dieses Kapitel stellt eine Einführung in die Kryptografie dar. Es behandelt Grundbegriffe sowie historische Verfahren (Caesar, Vigenère, Vernam) und deren Kryptoanalyse (Friedman-Angriff und Kasiski-Test). Anschließend vermittelt es die Funktionsweise bedeutsamer Strom- und Blockchiffren ((3)DES und AES) sowie die Grundlagen von Zufallszahlengenera...

Dieses Kapitel führt die Grundlagen der IT-Sicherheit ein. Es betrachtet die wichtigsten Begriffe samt Schutzzielen, zentrale Aspekte von Authentifizierung und Zugriffsschutz, das Thema Privatsphäre sowie Schadsoftware. Außerdem gibt es einen Einblick in nicht-technische Bereiche, die mit der IT-Sicherheit in Verbindung stehen. Das Kapitel schließt...

Dieses Kapitel führt in die Grundlagen der Public Key Infrastructure (PKI) und der Virtuellen Privaten Netzwerke (VPN), insbesondere IPSec und TLS, ein. Anschließend werden die technischen Grundzüge des Onion Routings betrachtet und das Gebiet der visuellen Kryptografie vorgestellt. Das Kapitel schließt mit einer kurzen Betrachtung der drei Gebiete...

Dieses Kapitel führt Sie in die Grundzüge der IT-Sicherheit für Netzwerke ein. Es erläutert Grundbegriffe und elementare Konzepte, die zum Verständnis der folgenden Kapitel von Bedeutung sind.

Dieses Kapitel führt in die Netzwerksteganografie und verdeckte Kanäle ein. Betrachtet werden dabei die grundlegende Terminologie sowie die bekannten Versteckmuster und selektierte Gegenmaßnahmen.

With the increasing number of steganography-capable malware and the increasing trend of stealthy data exfiltrations, network covert channels are becoming a crucial security threat -- also for critical infrastructures (CIs): network covert channels enable the stealthy remote-control of malware nested in a CI and allow to exfiltrate sensitive data, s...

Compared to cryptography, steganography is a less discussed domain. However, there is a recent trend of exploiting various information hiding techniques to empower malware, for instance to bypass security frameworks of mobile devices or to exfiltrate sensitive data. This is mostly due to the need to counteract increasingly sophisticated security me...

Die Digitalisierung von Unternehmen ist unter anderem von zwei besonders aktuellen Themenfeldern, dem Internet of Things (IoT) und den Smart Contracts, betroffen. Wir befassen uns in diesem Kapitel mit Sicherheitsaspekten dieser beiden Themenfelder. Es handelt sich hierbei um ein Kapitel mit zusammenfassendem Charakter, das gewonnene Erfahrungen ei...