CUING

8th International Workshop on Cyber Use of Information Hiding
  • Date: Jul 31, 2024
  • Location: SR08
  • Duration: 08:45 — 14:45

Workshop Chairs

  • Wojciech Mazurczyk
  • Philipp Amann
  • Luca Caviglione
  • Angelo Consoli
  • Peter Kieseberg
  • Joerg Keller

Accepted Paper

A Case Study on the Detection of Hash-Chain-based Covert Channels Using Heuristics and Machine Learning
Jeff Schymiczek (University of Helsinki, Finland), Tobias Schmidbauer (Nuremberg Institute of Technology, Germany), Steffen Wendzel (Worms University of Applied Sciences, Germany)
Full Paper
Reversible network covert channels are a security threat that allows its users to restore the carrier object before sending it to the overt receiver, making detection challenging. Some of these covert channels utilize computational intensive operations, such as the calculation of cryptographic hash chains. Currently, these computational intensive reversible covert channels are considered difficult to detect.
This paper proposes ways of utilizing shape analysis of packet runtime distributions to detect such computational intensive covert channels. To this end, we simulated the latency of traffic modified by a hash-chain based covert channel by adding mock hash-reconstruction runtimes to runtimes of legitimate ping traffic. After qualitatively observing the changes in the empirical probability distribution between modified and natural traffic, we investigated machine learning algorithms for their ability to detect the covert channel’s presence. We show that a decision tree-based AdaBoost classifier using the investigated statistical measures as input vector and a convolutional neural network applied directly to the packet runtime empirical probability distribution are able to classify sets of 50 ping measurements with high accuracy for low to medium high latency connections. Our approach improves significantly over previous work done on the detection of computational intensive covert channels as our approach both requires smaller sampling window sizes and achieves significantly higher detection rates on the same reference dataset.
Workshop CUING
How to evade modern web cryptojacking detection tools? A review of practical findings
Pawel Rajba (University of Wroclaw, Poland), Krzysztof Chmiel (University of Wroclaw, Poland)
Full Paper
One of the foundations of cryptocurrencies based on proof-of-work consensus is mining. This is an activity which consumes a lot of computational resources, so malicious actors introduce cryptojacking malware to exploit users' computers and, as a result, use their victims' resources. Cryptojacking emerged several years ago together with the increasing adoption and prevalence of cryptocurrencies. This type of malware may have several types, but in this paper we consider malicious scripts embedded into the websites. As the threat is real and we hear regularly about affected websites including major web content providers, in this paper we analyzed selected promising detection methods based on more sophisticated techniques which are not only based on blacklisting, which is the most common way of preventing this kind of attack. The analysis resulted in findings showing all the considered solutions can be tricked from the controlled server. Fortunately, we also show the ways how the considered solutions can be improved, so the proposed methods can be efficient again.
Workshop CUING
Trustworthiness and explainability of a watermarking and machine learning-based system for image modification detection to combat disinformation
Andrea Rosales (Internet Interdisciplinary Institute (IN3), Universitat Oberta de Catalunya, Spain), Agnieszka Malanowska (Warsaw University of Technology, Poland), Tanya Koohpayeh Araghi (Internet Interdisciplinary Institute (IN3), Universitat Oberta de Catalunya, Barcelona, Spain), Minoru Kuribayashi (Center for Data-driven Science and Artificial Intelligence at Tohoku University Japan, Japan), Marcin Kowalczyk (Warsaw University of Technology, Poland), Daniel Blanche-Tarragó (Internet Interdisciplinary Institute (IN3), Universitat Oberta de Catalunya, Center, Spain), Wojciech Mazurczyk (Warsaw University of Technology, Poland), David Megías (Internet Interdisciplinary Institute (IN3), Universitat Oberta de Catalunya, Barcelona, Spain)
Full Paper
The widespread of digital platforms, that prioritize content based on engagement metrics and reward content creators accordingly, has contributed to the expansion of disinformation with all its social and political impact. We propose a verification system to counterbalance disinformation in two stages. First, a system that allows media industries to watermark their image and video content.

Second, a user platform for news consumers to verify if images and video over the internet have been modified. However, digital platforms, often developed as black boxes that hide their rationale from users and prioritize the investor’s interests over ethical and social concerns, have contributed to this disinformation and to a general lack of trust in verification systems. In this paper, we address trustworthiness and explainability in the development of the user platform to increase its trustworthiness and acceptance based on three iterations of an international user study.
Workshop CUING
ZW-IDS: Zero-Watermarking-based network Intrusion Detection System using data provenance
Omair Faraj (Telecom SudParis, Institut Polytechnique de Paris, France), David Megias (Internet Interdisciplinary Institute, Universitat Oberta de Catalunya, Spain), Joaquin Garcia-Alfaro (Telecom SudParis, Institut Polytechnique de Paris, France)
Full Paper
In the rapidly evolving digital world, network security is a critical concern. Traditional security measures often fail to detect unknown attacks, making anomaly-based Network Intrusion Detection Systems (NIDS) using Machine Learning (ML) vital. However, these systems face challenges such as computational complexity and misclassification errors. This paper presents ZW-IDS, an innovative approach to enhance anomaly-based NIDS performance. We propose a two-layer classification NIDS integrating zero-watermarking with data provenance and ML. The first layer uses Support Vector Machines (SVM) with ensemble learning model for feature selection. The second layer generates unique zero-watermarks for each data packet using data provenance information. This approach aims to reduce false alarms, improve computational efficiency, and boost NIDS classification performance. We evaluate ZW-IDS using the CICIDS2017 dataset and compare its performance with other multi-method ML and Deep Learning (DL) solutions.
Workshop CUING
Natural Language Steganography by ChatGPT
Martin Steinebach (Fraunhofer, Germany)
Full Paper
Natural language steganography as well as natural language watermarking have been challenging because of the complexity and lack of noise in natural language. But with the advent of LLMs like ChatGPT, controlled synthesis of written language has become available. In this work, we show how ChatGPT can be utilized to generate synthetic texts of a given topic that act as stego covers for hidden messages.
Workshop CUING
Single-image steganalysis in real-world scenarios based on classifier inconsistency detection
Daniel Lerch-Hostalot (Universitat Oberta de Catalunya, Spain), David Megías Jimenez (Universitat Oberta de Catalunya, Spain)
Full Paper
This paper presents an improved method for estimating the accuracy of a model based on images intended for prediction, enhancing the standard Detection of Classifier Inconsistencies (DCI) method. The conventional DCI method typically requires a large enough set of images from the same source to provide accurate estimations, which limits its practicality. Our enhanced approach overcomes this limitation by generating a set of images from a single original image, thereby enabling the application of the standard DCI method without requiring more than one target image. This method ensures that the generated images maintain the statistical properties of the original, preserving any embedded steganographic messages, through the use of non-destructive image manipulations such as flips, rotations, and shifts. Experimental results demonstrate that our method produces results comparable to those of the traditional DCI method, effectively estimating model accuracy with as few as 32 generated images. The robustness of our approach is also confirmed in challenging scenarios involving cover source mismatch (CSM), making it a viable solution for real-world applications.
Workshop CUING
Are Deepfakes a Game-changer in Digital Images Steganography Leveraging the Cover-Source-Mismatch?
Arthur Méreur (Troyes University of Technology, France), Antoine Mallet (Troyes University of Technology, France), Rémi Cogranne (Troyes University of Technology, France)
Full Paper
This work explores the potential of synthetic media generated by AI, often referred to as Deepfakes, as a source of cover-objects for steganography. Deepfakes offer a vast and diverse pool of media, potentially improving steganographic security by leveraging cover-source mismatch, a challenge in steganalysis where training and testing data come from different sources.

The present paper proposes an initial study on Deepfakes' effectiveness in the field of steganography. More precisely, we propose an initial study to assess the impact of Deepfakes on image steganalysis performance in an operational environment. Using a wide range of image generation models and state-of-the-art methods in steganography and steganalysis, we show that Deepfakes can significantly exploit the cover-source mismatch problem but that mitigation solutions also exist. The empirical findings can inform future research on steganographic techniques that exploit cover-source mismatch for enhanced security.
Workshop CUING
A Comprehensive Pattern-based Overview of Stegomalware
Fabian Strachanski (University of Duisburg-Essen, Germany), Denis Petrov (Worms University of Applied Sciences, Germany), Tobias Schmidbauer (Nuremberg Institute of Technology, Germany), Steffen Wendzel (Worms University of Applied Sciences, Germany)
Full Paper
In recent years, malware is increasingly using steganographic methods (so-called stegomalware) to remain hidden as long as possible. It not only covers its tracks on the infected system, but also tries to hide its communication with adversary infrastructure.

This paper reviews 105 stegomalware cases on the basis of 142 reports, ranging from digital media (audio, video, images) to text and network steganography. For this purpose, the covert channels used by the malware are categorized and introduced using a pattern-based approach. Our survey reveals that solely a small set of patterns are used and the most frequent methods rely on modulation of states and values. We also analyzed the commonalities of media, text and network stegomalware and found that least significant bit (LSB) steganography is exclusively utilized for media steganography. Our results indicate that only a small variation of network protocols, media types and hiding methods are utilized by stegomalware and, therefore, research may focus on these to counter malicious activities covered by steganography.
Workshop CUING
No Country for Leaking Containers: Detecting Exfiltration of Secrets Through AI and Syscalls
Marco Zuppelli (Institute for Applied Mathematics and Information Technologies, Italy), Massimo Guarascio (ICAR-CNR, Italy), Luca Caviglione (CNR - IMATI, Italy), Angelica Liguori (ICAR-CNR, Italy)
Full Paper
Containers offer lightweight execution environments for implementing microservices or cloud-native applications. Owing to their ubiquitous diffusion jointly with the complex interplay of hardware, computing, and network resources, effectively enforcing container security is a difficult task. Specifically, runtime detection of threats poses many challenges since containers are often immutable (i.e., they cannot be instrumented or inspected), and many malware deploys obfuscation or elusive mechanisms. Therefore, in this work we propose a deep-learning-based approach for identifying the presence of two containers colluding to covertly leak secret information. In more detail, we consider a threat actor trying to exfiltrate a 4,096-bit private TLS key via five different covert channels. To decide whether containers are colluding for leaking data, the deep learning model is fed with statistical indicators of the syscalls, which are built starting from simple counters. Results indicate the effectiveness of our approach, even if some adjustments are needed to reduce the number of false positives.
Workshop CUING
Robust and Homomorphic Covert Channels in Streams of Numeric Data
Jörg Keller (FernUniversität in Hagen, Germany), Carina Heßeling (FernUniversität in Hagen, Germany), Steffen Wendzel (Worms University of Applied Sciences, Germany)
Full Paper
A steganographic network storage channel that uses a carrier with a stream of numeric data must consider the possibility that the carrier data is processed before the covert receiver can extract the secret data. A sensor data stream, which we take as an example scenario, may be scaled by multiplication, shifted into a different range by addition, or two streams might be merged by adding their values. This raises the question if the storage channel can be made robust against such carrier modifications. On the other hand, if the pieces of secret data are numeric as well, adding and merging two streams each comprising covert data might be exploited to form a homomorphic covert channel. We investigate both problems together as they are related and give positive and negative results. In particular, we present the first homomorphic storage covert channel. Moreover, we show that such type of covert channel is not restricted to sensor data streams, but that very different scenarios are possible.
Workshop CUING

Topics of interest include, but are not limited to:

  • Cyber information hiding techniques
  • Studies regarding the use of information hiding in cybercrime
  • Analysis of cybercrime cases related to information hiding
  • New steganographic & steganalysis methods
  • Local, air-gapped, and network covert channels
  • Side channels and less obvious usage of information hiding techniques
  • Digital watermarking of multimedia content and network traffic
  • Stegomalware-related research, including techniques and detection
  • Novel countermeasures against information hiding techniques: detection, prevention, limitation
  • Evasion, obfuscation, and anti-forensics techniques used in cyberattacks
  • Traffic type obfuscation techniques, e.g., traffic morphing
  • Hiding covert communication within network attacks, e.g., DDoS, SPAM, etc.
  • Underground marketplaces and their business models (e.g., legal and technical aspects of darknet)
  • Information-hiding-based botnets and their mitigation
  • Information hiding based on adversarial learning and generative AI
  • Utilization of AI/ML techniques for improved data hiding techniques and detection methods
  • Information hiding in AI/ML models and datasets
  • Utilization of information hiding techniques to fight disinformation
  • Privacy enhancing techniques
  • Aspects and methods for sharing strategic intelligence
  • Abusing legitimate social media, cloud-based services, etc. for information hiding purposes

Workshop Chairs

Wojciech Mazurczyk | Warsaw University of Technology, Poland
Philipp Amann | Europol, European Cybercrime Centre, The Netherlands
Luca Caviglione | CNR – IMATI, Italy
Angelo Consoli | Scuola universitaria professionale della Svizzera italiana (SUPSI), Switzerland
Peter Kieseberg | FH St. Pölten, Austria
Joerg Keller | FernUniversität in Hagen, Germany

Program Committee

Soumya Banerjee | CNAM-CEDRIC LAB, INRIA-EVA, Paris, France
Krzysztof Cabaj | Warsaw University of Technology, Poland
Michal Choras | Bydgoszcz University of Science and Technology, Poland
Jana Dittmann | Otto-von-Guericke University Magdeburg, Germany
Mordechai Guri | Ben-Gurion University of the Negev, Israel
Zbigniew Kotulski | Warsaw University of Technology, Poland
Rafal Kozik | Bydgoszcz University of Science and Technology, Poland
Christian Kraetzer | Otto-von-Guericke University Magdeburg, Germany
David Megias | Universitat Oberta de Catalunya, Spain
Aleksandra Mileva | University Goce Delcev, Republic of Macedonia
Marek Pawlicki | Bydgoszcz University of Science and Technology, Poland
Zbigniew Piotrowski | Military University of Technology, Poland
Steffen Wendzel | Worms University of Applied Sciences and FernUniversität in Hagen, Germany
Milad Taleby Ahvanooey | Nanjing University, China
Maria Carla Calzarossa | University of Pavia, Italy
Marco Cremonini | University of Milan, Italy
Mattia Epifani | CNR, Italy
Massimo Guarascio | CNR – ICAR, Italy
Stefan Katzenbeisser | University of Passau, Germany
Minoru Kuribayashi | Okayama University, Japan
Jean-Francois Lalande | CentraleSupélec, France
Daniel Lerch-Hostalot | Universitat Oberta de Catalunya, Spain
Shujun Li | University of Kent, UK
Pawel Rajba | University of Wroclaw, Poland
Martin Steinebach | Fraunhofer SIT, Germany
Hui Tian | National Huaqiao University, China
Tanja Zseby | Vienna University of Technology, Austria
Marco Zuppelli | CNR – IMATI, Italy
Tobias Schmidbauer | Nuremberg Institute of Technology, Germany
Avinash Srinivasan | United States Naval Academy, USA
Remi Cogranne | Troyes University of Technology, France

Submission

Important Dates

Extended Submission Deadline | May 14, 2024
Author Notification | Jun 02, 2024
Proceedings Version | Jun 18, 2024
Conference | Jul 30 — Aug 02, 2024