Are We Protected Against Network Covert Channels?

Information-hiding-based techniques like covert channels are increasingly used by attackers to conceal malware in different carriers, such as images or inter-process communication services. These techniques allow, for example, to secretly exfiltrate information, elude well-know detection mechanisms, or remotely activate a backdoor. The usage of network traffic features is appealing to attackers, as they offer a wide range of possibilities. The adoption of network covert channel often leads to security problems: in fact, several out-of-the-box Intrusion Detection Systems or firewalls do not consider them as a major threat. Being able to spot covert channels is mandatory to fully assess the security capabilities of a network infrastructure. In this poster, we will answer the question of whether we are really protected from the threat of network covert channels, by assessing the detection capabilities of the most popular and open source security mechanisms, i.e., Snort, Zeek and Suricata.