CCgen: Injecting Covert Channels into Network Traffic

Covert channels are methods to convey information clandestinely by exploiting the inherent capabilities of common communication protocols. They can be used to hide malware communication as part of cyber attacks. Here, we present CCgen, a framework for injecting covert channels into network traffic that includes modules for common covert channels at the network and transport layer and allows a smooth integration of novel covert channel techniques. Our tool—openly available and implemented in Python—enables the operation on-the-fly in live communications as well as the manipulation of network traffic packet captures. We evaluate a first prototype by generating a varied assortment of covert channels based on state-of-the-art techniques and check their detectability with Suricata, a popular, open-source intrusion prevention and detection system. The injected covert channels remain mostly undetected. Our proposal fills a gap within the diversity of openly available tools for cybersecurity research and education. It builds a flexible environment for experts to test analysis algorithms, thus also enabling advanced training in applied network steganography.