(10.3) [steganography mitigation] steganography protection, steganography interference and steganography detection
2022-06-09 02:17:00 [Black zone (rising)]
Catalog
One、 Network technology for data hiding detection
  Intrusion prevention system (IPS)
  Malware protection system (MPS)
  Data leakage prevention system
Two、 Interference (jamming)
Three、 Terminal technology for data hiding detection
One、 Network technology for data hiding detection
1.1、 Brief introduction:
Enterprises should use their own defence-in-depth security policies to detect and counter data hiding. Statistics show that most data hiding is done with data hiding applications that can be downloaded free of charge from the Internet, although some individuals hide data in VoIP or wireless transmissions instead. The more common malicious user (for example, a person engaged in child exploitation or commercial espionage) uses well-known applications to commit data hiding crimes. Because application-based data hiding is so common, its potential harm is even greater than that of VoIP or wireless attacks.
There are many products that can detect traces of data hiding. For data in transit, network packet capture tools can be used to collect the traffic and the hidden data can then be analysed after the fact, for example by analysing the pcap file produced by the capture tool. There are also more comprehensive monitoring products that can correlate different pieces of data and present the result in a security information and event management (Security Information Event Management, SIEM) view. These products derive from real-time network analysis tools such as IPS and MPS (malware protection system). However, finding content hidden inside data is much harder than identifying a known malicious file. Moreover, although ordinary files (such as photos) all have hash values, if the carrier file used by the suspect is custom-made there is no known hash value to compare it against, so a hash comparison cannot tell whether the image has been modified.
1.2、 Layered detection:
Figure: layered approach to data hiding detection
1.3、 Network technology:
Brief introduction:
The various security products deployed in an enterprise network are each part of a defence-in-depth strategy, and each can identify, mitigate or alter data hiding behaviour to a different degree, mainly for data transmitted over the network (such as files and data hidden in network transmissions and protocols).
Figure: network technologies for detecting covert data activity
Intrusion prevention system (IPS)
Most intrusion prevention systems (IPS) are not optimised for detecting data hiding behaviour or the steganography programs themselves. What an IPS does well is detect the download of data hiding and steganography programs, which is the first step in the life cycle of steganography and hidden-information discovery. At present most IPS products ship without signatures for the different types of steganography tools, but the capability can be added in several ways: for the many common programs introduced earlier, a signature that detects the download of the program can be created with little effort.
Malware protection system (MPS)
A malware protection system (MPS) is mainly used to analyse unknown executables for malicious intent. The unknown executable is run in a virtual sandbox, where the MPS observes the file's behaviour at run time. Any DLL files installed or modified, registry changes, services installed and similar actions are recorded by the MPS and analysed for unauthorised or abnormal behaviour resembling malicious code. This heuristic (behavioural) analysis is well suited to detecting new data hiding or steganography programs that have not yet been analysed.
Anti-virus (A/V)
Anti-virus is the most common detection method. Most of the tools used for steganography and data hiding are downloaded from the Internet rather than received by e-mail, so anti-virus software is not well placed to catch the tools themselves. However, when someone sends a file with data embedded by a known program as an e-mail attachment, anti-virus software is a good way to detect or mitigate it. The drawback is that at present most anti-virus products do not have a comprehensive set of signatures for detecting attachments with hidden data.
Next-generation firewalls
A next-generation firewall has many features that dwarf those of an old-school firewall. Its behaviour-based heuristic analysis is well suited to detecting new, as yet undocumented data hiding or steganography tools. For data hiding that abuses particular protocols, application protocol decoding offers a way to detect some of these techniques, although custom development is needed. The next-generation firewall can also apply heuristics to spot evasion by proprietary encryption, other detection-evasion behaviour and resource abuse. Although it has no dedicated module for detecting data hiding and steganographic transmission, the function can be achieved by configuring appropriate policies.
Data leakage prevention system
A data leakage prevention (DLP) system can inspect the data inside files, and policies can be configured to track exfiltration attempts.
For example, it can track metadata that is not allowed to leave the network. Usually a large number of the DLP metadata detection policies have to be customised for the company or organisation. Note, however, that some data hiding programs use data obfuscation or masking techniques (such as encryption), and when files processed by such programs cross the network the DLP cannot detect them. DLP only detects files processed with simple techniques, for example Word, PDF and other word-processing or spreadsheet files in which someone has simply embedded data in the metadata area; these are easily detected by DLP.
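As an added example (not code from the original page or from any DLP product it describes), the following pure-Python script shows the two cases described above on a format that can be built without any image library: a PNG whose tEXt metadata chunks carry a constructed "confidential" string. A small chunk parser (with CRC verification, so a tampered or truncated file is rejected rather than passed as clean) feeds the metadata to a keyword policy; the same scan is then run on a copy whose metadata value was masked first with a toy XOR, standing in for the encryption some hiding tools apply. The keyword policy, the file contents and the XOR key are all constructed for the demonstration.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_png(text_fields: dict) -> bytes:
    """Minimal valid 1x1 RGB PNG carrying the given tEXt metadata fields.
    Constructed test data standing in for a photo someone tries to send out."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")         # filter 0 + one red pixel
    chunks = [png_chunk(b"IHDR", ihdr)]
    for key, value in text_fields.items():
        chunks.append(png_chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value))
    chunks += [png_chunk(b"IDAT", idat), png_chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)


def iter_chunks(png: bytes):
    """Walk the chunk list, verifying every CRC so a truncated or tampered file
    is rejected instead of silently scanning as 'clean'."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError(f"truncated chunk at offset {pos}")
        chunk_type = png[pos + 4:pos + 8]
        data = png[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if zlib.crc32(chunk_type + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"corrupt {chunk_type!r} chunk at offset {pos}")
        yield chunk_type, data
        pos = end
        if chunk_type == b"IEND":
            break


def text_metadata(png: bytes) -> dict:
    """Collect tEXt fields as keyword -> raw value bytes."""
    fields = {}
    for chunk_type, data in iter_chunks(png):
        if chunk_type == b"tEXt":
            key, _, value = data.partition(b"\x00")
            fields[key.decode("latin-1")] = value
    return fields


# Constructed keyword policy; a real deployment customises this per organisation.
CONFIDENTIAL_MARKERS = re.compile(rb"(?i)\b(confidential|internal use only|do not distribute)\b")


def dlp_scan(png: bytes) -> list:
    """Return the names of the metadata fields whose value matches the keyword policy."""
    return [key for key, value in text_metadata(png).items()
            if CONFIDENTIAL_MARKERS.search(value)]


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Toy masking step standing in for the encryption some hiding tools apply."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def run_demo() -> tuple:
    """Scan the same secret placed plainly in metadata and placed after masking."""
    secret = b"CONFIDENTIAL: merger term sheet, do not distribute"
    plain = build_png({"Comment": secret})                               # simple embedding
    masked = build_png({"Comment": xor_mask(secret, b"\x5a\xa5\x3c")})  # masked first
    return dlp_scan(plain), dlp_scan(masked)


if __name__ == "__main__":
    plain_hits, masked_hits = run_demo()
    print("plain metadata hits :", plain_hits)
    print("masked metadata hits:", masked_hits)
```

The plain copy is flagged on its Comment field and the masked copy is not, which is exactly the limitation the paragraph describes: a keyword policy can only match what is still readable. The same approach carries over to EXIF/IPTC fields in JPEG and to Office document properties; only the parser changes, the policy does not.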
Two、 Interference (jamming)
2.1、 History:
Communication jamming was used during the Russo-Japanese conflict of 1904 to 1905: Russian telegraph stations kept transmitting random noise to disrupt communication between Japanese fleets. During the Second World War the British and American militaries invented a jamming method to evade accurate radar detection, continuously dropping small strips of metal (chaff) from aircraft to interfere with ground-to-air radar systems. Today electronic warfare is central to land, sea and air campaigns, and its main purposes on almost every battlefield are covert communication, signal jamming and communication deception.
Many of the basic concepts of steganography have gradually been applied to network infrastructure. Operation Shady RAT, the Alureon Trojan and various malicious applications use data hiding techniques to evade detection by DLP systems, content filters and application firewalls. Communication jamming and terminal (endpoint) technologies are therefore critical. Because digital images and multimedia files make up a growing share of network attacks, system administrators can use low-cost (low network overhead), non-invasive jamming methods to counter these attacks.
2.2、 Example:
Deploy a Web gateway with a JPEG jamming function
2.3、 Workflow of the Web gateway:
Normal process
(1) The user makes a URL request through the Web gateway.
(2) The gateway forwards the request to the URL.
(3) The URL responds to the request.
(4) The Web gateway interprets and checks the response.
Extra work
(5) If the response contains a JPEG image, the gateway holds the response and forwards the JPEG image to the JPEG jamming server.
(6) The jamming server performs a security check and re-encodes the JPEG image, disrupting any hidden information.
(7) The processed JPEG image is returned to the Web gateway.
(8) The Web gateway returns the processed image to the application that made the URL request.
2.4、 Analysis:
To the user, a JPEG image processed by the jamming server looks no different. But if the URL request was made by a malicious application that wanted to extract command-and-control information from the image, the jamming server has succeeded in destroying that command-and-control information.
Of course, information can be hidden in almost any form of content (images, multimedia files, Web HTML, documents, spreadsheets, JavaScript and so on), so more forms of jamming technology will be used in information security countermeasures.
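As an added example (not code from the original page or from any gateway product it describes), the following pure-Python model shows why step (6) works. A constructed command-and-control string is embedded in the least-significant bits of a constructed grayscale pixel buffer, which is what simple image steganography tools do. The jamming step is simplified: instead of real JPEG re-encoding (which would need an image library), it overwrites every pixel's LSB with a random bit, the classic "active warden" approach. Each pixel moves by at most one level, so the image is visually unchanged, but the hidden message no longer extracts. Cover image, payload and random seed are all assumptions of the demo.

```python
import random

# Constructed cover "image": 32x32 grayscale, one byte per pixel, deterministic gradient.
WIDTH, HEIGHT = 32, 32
COVER = bytes((x * 7 + y * 5) % 256 for y in range(HEIGHT) for x in range(WIDTH))


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Plain LSB steganography: one payload bit per pixel, MSB first.
    Layout inside the image: 1 length byte, then the payload bytes."""
    if len(payload) > 255 or (len(payload) + 1) * 8 > len(cover):
        raise ValueError("payload too large for cover")
    bits = [(byte >> i) & 1
            for byte in bytes([len(payload)]) + payload
            for i in range(7, -1, -1)]
    stego = bytearray(cover)
    for index, bit in enumerate(bits):
        stego[index] = (stego[index] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(image: bytes) -> bytes:
    """Reverse of embed_lsb. Never reads past the image, so a garbage length
    byte (as left behind by jamming) cannot raise an exception."""
    def read_byte(offset: int) -> int:
        value = 0
        for i in range(8):
            value = (value << 1) | (image[offset + i] & 1)
        return value

    length = read_byte(0)
    capacity = (len(image) - 8) // 8
    return bytes(read_byte(8 + 8 * k) for k in range(min(length, capacity)))


def jam_lsb(image: bytes, rng: random.Random) -> bytes:
    """Active-warden jamming: overwrite every pixel's LSB with a random bit.
    Stand-in for the gateway's JPEG re-encoding step: visually lossless
    (each pixel changes by at most 1) but any LSB-embedded message is destroyed."""
    return bytes((px & 0xFE) | rng.getrandbits(1) for px in image)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between two equally sized images."""
    return max(abs(x - y) for x, y in zip(a, b))


def run_demo() -> dict:
    """Embed, extract, jam, extract again; returns the observations."""
    payload = b"C2:10.0.0.1:443"                      # constructed C2 string
    stego = embed_lsb(COVER, payload)
    jammed = jam_lsb(stego, random.Random(20220609))  # fixed seed for repeatability
    return {
        "recovered_before_jam": extract_lsb(stego),
        "recovered_after_jam": extract_lsb(jammed),
        "stego_delta": max_pixel_delta(COVER, stego),
        "jam_delta": max_pixel_delta(stego, jammed),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Before jamming the C2 string comes back intact; after jamming the extractor returns noise, while both the embedding and the jamming changed no pixel by more than one level. Real JPEG re-encoding does the same job by requantising the DCT coefficients, which also disrupts tools that hide data in the JPEG coefficient domain. The caveat a practitioner should keep in mind is that schemes designed to survive recompression (robust watermarking) may still get through, so re-encoding is a mitigation rather than a guarantee.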
Three、 Terminal technology for data hiding detection
3.1、 Brief introduction:
Many vendors produce host-based products with an application shielding (application control) function. Application shielding is implemented with blacklist and whitelist policies: the blacklist is the list of applications that are not allowed to run, and the whitelist is the list of applications that are allowed to run. Policies can be set on the application name, the digital signature or hash value, or other behavioural characteristics (for example, the system calls made, the permissions the application needs to execute and the current user's permissions).
By writing policies that forbid specified applications from executing in a given environment or for a given user, many steganography applications can be blocked. All that is needed is a list of the digital signatures (hash values) of the steganography tools to be blocked; keep that list maintained so the signatures stay up to date, and these steganography tools are prevented from running. Note that a hash only matches the exact binary it was taken from, so the list has to be refreshed whenever a new build of a tool appears, whereas a name-based rule is defeated simply by renaming the executable.
3.2、 Example (systems):
McAfee HIPS (Host Intrusion Prevention System) and Symantec Critical System Protection not only provide the necessary application shielding function; they also forward attack attempts to the management console or to the security information and event management system (Security Information Event Management System, SIEM), which then gives information security staff medium- and high-level alerts of data leakage and malware infection.
Figure: data hiding behaviours detected by terminal technology
Many enterprise networks already run vulnerability scanning, and the scanner's plug-ins can be customised (for example, Nessus). Administrators can write custom checks for the DLL files, executables and other files associated with data hiding programs. Note that these cannot be found by a general network vulnerability scan; a credentialed scan (one that logs in to the scanned device) is needed. Many vulnerability scanning products now support NASL (Nessus Attack Scripting Language).
3.3、 Example (program):
The following check detects the registry key created by the steganography program Camouflage. It uses the Nessus compliance-check (.audit file) syntax that credentialed policy scans consume, rather than NASL proper; because the key lives under HKEY_CURRENT_USER, the check only sees the hive of the account the credentialed scan logs in with.
<if>
  <condition type:"and">
    <custom_item>
      type        : REGISTRY_SETTING
      description : "steganography program Camouflage"
      value_type  : POLICY_TEXT
      reg_key     : "HKEY_CURRENT_USER\Software\Camouflage\CamouflageFile\0"
      reg_option  : CAN_BE_NULL
    </custom_item>
  </condition>
</if>
3.4、 Current situation:
With the continuing technological revolution in the mobile field, mobile device management and security products are becoming ever more important. They can detect all kinds of data hiding and steganography, and many can also detect and block the download of data hiding and steganography applications.
Even if a user's mobile device (such as a phone) has been jailbroken or rooted to escape security checks, most mobile device security management products can still connect to their enterprise network and continue to perform security checks on the device, and the administrator can also selectively wipe the device partially or completely. Mobile device security management products are steadily improving and are starting to show DLP-like characteristics: they can prevent users from copying information into e-mail and forwarding it to other users, or from copying and pasting information into e-mail or other documents.