Attribution of covert (information) channels in critical infrastructures and potentials for prevention and response (ATTRIBUT)


More information you can find on our Mastodon channels in German (Mastodon-Kanal) or English: https://sparrow.cs.uni-magdeburg.de/@AttributEnglish



19.09.2025 ATTRIBUT Presentation at the  Workshop "Cybersecurity: Prävention, Detektion und Reaktion mit Open Source-Perspektiven" of the GI Informatik Festival 2025:

Our GI Festival workshop ‘Cybersecurity: Prevention, Detection and Response with Open Source Perspectives’ https://informatik2025.gi.de/programmuebersicht.html on Friday, 19 September 2025 was a complete success! All of the presentations were fascinating. There was a professional exchange of ideas on practical approaches. Digital sovereignty is possible and innovation capacity is significantly increased.
Many thanks to everyone! The papers can be found in the conference proceedings at https://nextcloud.gi.de/s/YcW26W9ApSLD6on.



 

12.08.2025 ATTRIBUT with two talks at ARES 2025:

  • ARES II: Domainator: Detecting and Identifying DNS-Tunneling Malware Using Metadata Sequences from Denis Petrov, Pascal Ruffing, Sebastian Zillien and Steffen Wendzel
  • ARES CUING Workshop: 9th International Workshop on Cyber Use of Information Hiding – Keynote: Information Hiding in The Light of Malware Threat Actor Attribution: From Trace Maps to Forensic Fingerprinting from Jana Dittmann and Demo from the Team


see in https://2025.ares-conference.eu/


ATTRIBUT team at ARES 2025

 

04.08.2025 ATTRIBUT at Protekt 2025

We are looking forward to present ATTRIBUT at Protekt 2025 (https://www.protekt.de/) and hope to welcome as many interested visitors as possible to our booth in Leipzig on 25.–26. November 2025!





 

04.08.2025 ATTRIBUT Keynote at CUING 2025

Prof. Jana Dittmann will deliver an ATTRIBUT keynote speech entitled ‘Information Hiding in The Light of Malware Threat Actor Attribution: From Trace Maps to Forensic Fingerprinting’ at this year's ARES / CUING (https://2025.ares-conference.eu/program/cuing/).


 

20.06.2025 ATTRIBUT at the ACM IHMMSEC Special Session "Malware and Stego-Malware: Attribution, Analysis and Detection

June 18th - 20th 2025 – Three ATTRIBUT Presentations at ACM IHMMSEC 2025 in Adobe Headquaters, San Jose, CA, USA - https://www.ihmmsec.org/:

Traces Left by the Originator: Forensic Fingerprinting Hidden Malware in Images to Enable Attribution on the Example of SteganoAmor
Jana Dittmann, Stefan Kiltz, Robert Altschaffel, Judith Antal (Otto-von-Guericke University)

Towards Modeling Hidden & Steganographic Malware Communication Based on Images
Claus Vielhauer, Fabian Loewe, Michael Pilgermann (Brandenburg University of Applied Sciences)

Support of Forensic Attribution by Visualizing Textual Embeddings of Stegomalware
Felix Feist, Sebastian Karius, Mandy Knöchel, Sandro Wefel (Martin Luther University Halle-Wittenberg)

Have a look into the Proceedings: https://dl.acm.org/doi/proceedings/10.1145/3733102

 

14.04.2025

We are looking forward to participating in the symposium “SIC! - Security and Innovation in Cyberspace” of the Cyberagentur

We will participate in the SIC! (May 14-15, 2025) with the following contribution:

Title: “Innovations in attribution for cybersecurity in the field of tension between errors, losses and uncertainties” (original German title: "Innovationen der Attribution für die Cybersecurity im Spannungsfeld von Fehlern, Verlusten und Unsicherheiten")

The subject of ATTRIBUT's research is so-called stego malware. This is a current trend in computer viruses and other malicious programs to infiltrate or exfiltrate information unnoticed by means of information hiding (also called steganography) or to hide command & control communication even in well-secured systems. The activities of the attackers are contained in unsuspicious other digital information, such as images, audio or e-mail texts, but also network protocols. This trend poses a growing threat to cyber security, as current protection methods such as anti-virus protection programs can be circumvented.

The ATTRIBUT project aims to identify such covert threats at an early stage and reliably attribute digital attacks to their originators. To this end, Attribut attempts to recognize individual characteristics in the traces of malicious code and describe them precisely. These characteristics are often well hidden and require precise analysis to enable reliable attribution. However, once they have been found, detection, reaction and prevention can be improved. We present our results in the field of tension between errors, losses and uncertainties. Privacy aspects are also included in the considerations. ATTRIBUT pursues exclusively peaceful goals and contributes to a secure, sustainable, peaceful and democratic world.

19.02.2025

Highlights from the current research phase

In the last three months, from December 2024 to February 2025, ATTRIBUT has been able to gain new insights into detection and attribution for all carrier media examined. These research results will be effectively presented by the ATTRIBUT team:

The Brandenburg University of Applied Science and the Otto-von-Guericke University Magdeburg organise a Special Session on "Malware and Stego-Malware: Attribution, Analysis and Detection" at the IHMMSec’25 auf (https://www.ihmmsec.org/cms/special-events). This event will be used to discuss the attribution challenges faced in ATTRIBUT on an international event.

The paper "Information Hiding Detection in Industrial Control Systems - Statistical Analysis in Modbus TCP/IP" by Robert Altschaffel, Jana Dittmann, Lennox Lingk (OvGU) received the Best Paper Award at SECURWARE 2024 (https://www.iaria.org/conferences2024/AwardsSECURWARE24.html).

Also the team of the Brandenburg University of Applied Science, consisting of Tom Neubert, Bjarne Peuker, Eric Schueler, Henning Ullrich, Laura Buxhoidt and Claus Vielhauer, received a journal invitation for their paper "An Analysis Framework for Steganographic Network Data in Industrial Control Systems" (http://www.iaria.org/conferences.html).

The research carried out is an important source of inspiration for international setgo malware research. The results obtained as part of ATTRIBUT have been taken up and referenced by other research groups: In the article "A comprehensive survey on stegomalware detection in digital media, research challenges and future directions" (2025), results on all the carrier media researched in the project were included as impulses (https://www.sciencedirect.com/science/article/pii/S0165168425000039?via%3Dihub).

To keep track of the latest developments in the ATTRIBUT project, you can also follow us on Mastodon https://sparrow.cs.uni-magdeburg.de/@ATTRIBUT or https://sparrow.cs.uni-magdeburg.de/@AttributEnglish


20.09.2024

Press release: ATTRIBUT - Innovations for the detection of covert malware attacks in cyber and information space - Research into new capabilities in attribution and detection also enables better prevention and response

It's on to the next phase and we're in! At the end of August, the decision was made on the Cyber Agency's first major project: the projects ATTRIBUT from the University of Magdeburg and SOVEREIGN from the University of Hamburg qualified for the next research phase as part of the research competition on ‘Existential risks from cyber and information space’ organised by the Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur), see also in https://www.cyberagentur.de/cyberagentur-entscheidet-sich-fuer-projekte-der-unis-magdeburg-und-hamburg/.

The subject of ATTRIBUT's research is so-called stego-malware. This is a current trend among computer viruses and other malware programmes to infiltrate and exfiltrate information unnoticed by means of information hiding (also known as steganography) or to conceal command & control communication even in well-secured systems. The activities of the attackers are contained in unsuspicious other digital information, such as images, audio or e-mail texts. This trend poses a growing threat to cyber security, as current protection methods such as anti-virus programmes can be circumvented.


The ATTRIBUT project aims to identify such covert threats at an early stage and reliably attribute digital attacks to their originators. ATTRIBUT pursues exclusively peaceful goals and contributes to a secure, sustainable, peaceful and democratic world.
Prof Jana Dittmann from the Magdeburg team speaks of one of the most exciting research projects of our time: "All the researchers were fully enthusiastic from the very beginning. In the first year of our research project, we were already able to achieve promising results. We have shown that it is possible to recognise individual characteristics in the traces of malicious code and to describe them precisely." These characteristics are often well hidden and require precise analysis in order to enable reliable attribution. Once they have been found, however, improved detection as well as reaction and prevention can take place. The team in Bavaria provides support here, for example, by analysing possible measures in response and prevention from the perspective of the law enforcement authorities.


The researchers have scrutinised various carrier media in which the malicious code can be hidden. Prof. Wendzel from Worms and his team are researching standard Internet protocols such as the Domain Name Service DNS, the Brandenburg team with Prof. Vielhauer and Prof. Pilgermann has focused on industrial controls and the image carrier medium, the Halle team with Dr. Wefel is analysing text-based hiding and in Magdeburg, industrial controls with a focus on critical applications and audio data are being examined. Each of the carrier media has its own specifics and the individual trace layers must be structured and systematised accordingly. One of the biggest challenges here is the enormous variety of potential hiding places, which allows attackers to conceal their tracks in a wide variety of ways.

The ATTRIBUT approach requires not only the technical ability to detect, but also to link the digital traces with the real identities of the perpetrators. This is particularly complex as attackers use sophisticated methods to disguise their true identity. Our aim is to reliably recognise and document these links despite errors, losses and uncertainties.

The ATTRIBUT project offers the potential to better protect security-critical infrastructures and hold digital attackers legally accountable. The work we are doing could have a lasting impact on research into internal and external sovereignty and make our digital world more secure.

Information and initial results of the project: https://attribut.cs.uni-magdeburg.de/
Follow us on Mastodon https://sparrow.cs.uni-magdeburg.de/@ATTRIBUT or English: https://sparrow.cs.uni-magdeburg.de/@AttributEnglish - here you will also find our ATTRIBUT explanatory videos!

Podcast of the Cyberagentur: link


 

03.09.2024

Decision made in the Cyber Agency's first major project - The ATTRIBUT and SOVEREIGN projects have come out on top in the research competition on ‘Existential risks from cyber and information space’ organised by the Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur) GmbH.

The ATTRIBUT project is entering the next research phase of the contest.

Press releases:

Cyberagentur
Behördenspiegel

Portal eGovernment.de



20.08.2024

We are looking forward to our participation in the symposium to present the interim results of the project "Existential risks from cyber and information space - high security in security-critical and defence-relevant scenarios (HSK)" (German original title:  "Existenzbedrohende Risiken aus dem Cyber- und Informationsraum - Hochsicherheit in sicherheitskritischen und verteidigungsrelevanten Szenarien (HSK)")


We are very pleased to present our results at the symposium to present the interim results of the project "Existential risks from cyber and information space - high security in security-critical and defence-relevant scenarios (HSK)" of the Agentur für Innovation in der Cybersicherheit GmbH on 20 August 2024.

16.08.2024

ATTRIBUT was a topic on the Krumbacher Stego-Days

For three days topics of steganography, steganalysis and information hiding were discussed in Krumbach (Germany). One of the days wsa hosted by the ATTRIBUT project and discussed topics of Stego-Malware attribution.

Links:

https://sparrow.cs.uni-magdeburg.de/@ATTRIBUT/112970645569906845

https://dju.social/@cdpxe/112962343014464343

31.07.2024

ATTRIBUT on the 8th International Workshop on Cyber Use of Information Hiding (CUIng) - a workshop co-located with the International Conference on Availability, Reliability and Security (ARES 2024)

In the presentation "A Case Study on the Detection of Hash-Chain-based Covert Channels Using Heuristics and Machine Learning" by Prof. Steffen Wendzel, the ATTRIBUT project was introduced to the audience.

23.04.2024

FOUR ATTRIBUT PAPERS ACCEPTED FOR THE 12TH ACM WORKSHOP ON INFORMATION HINDING AND MULTIMEDIA SECURITY (24.-26.06.2024)

The ATTRIBUT team will present four papers on this years ACM IH&MMSec-Workshop (24.-26.06. Parador de Baiona, Baiona, Spain).

The ACM IH&MMSec-Workshop is one of the most relevant events in the multimedia security and information hiding research communities and focuses on topics such as Information Hiding, Steganography, Digital Watermarking, Anonymity and Covert Channels. The work presented cover a wide range of topics, including theoretical and technical aspects as well as industrial and commercial applications of techniques and algorithms for multimedia security.

In the Special Session "Stego-Malware: Attribution, Analysis and Detection" organised by Claus Vielhauer (THBRB) and Steffen Wendzel (HSW), the following papers are presented:

  • Jana Dittmann, Christian Kraetzer, Jost Alemann und Bernhard Birnbaum, „Forensic Trace Analysis for MP3 based Stego-Malware: Exemplary Study for Stego-Algorithm and Capacity Attribution to derive YARA Rules for Malware Identification“
  • Sebastian Zillien, Denis Petrov, Pascal Ruffing und Friedrich Gross, „A TCP/IP Network Steganography Malware Detection Framework“
  • Mandy Knöchel und Sebastian Karius, „Text Steganography Methods and their Influence in Malware: A Comprehensive Overview and Evaluation“
  • Eine Arbeit, die die Spurensuche zusammen mit Studierenden in der Lehre für Bildmaterial zusammenfaßt, wird von Stefan Kiltz, Jana Dittmann, Fabian Loewe, Christian Heidecke, Max John, Jonas Maedel and Fabian Preissler unter dem Titel „Forensic Image Trace Map for Image-Stego-Malware Analysis: Validation of the effectiveness with Structured Image Sets“ präsentiert.

24.01.2024

ATTRIBUT AT THE GI SECURITY 2024 IN WORMS

The team of authors Jana Dittmann, Christian Krätzer, Stefan Kiltz and Robert Altschaffel (Otto von Guericke University); Claus Vielhauer (TH Brandenburg); Steffen Wendzel (HS Worms); Sandro Wefel (MLU Halle-Wittenberg); Holger Nitsch (HFOED Bayern) from the ATTRIBUT project is pleased about the acceptance of their paper  "Attribution of covert (information) channels in the field of critical infrastructures and capabilities for prevention and response (ATTRIBUT)" (original German title: „Attribution von verdeckten (Informations-)Kanälen im Bereich kritischer Infrastrukturen und Potentiale für Prävention und Reaktion (ATTRIBUT)“) at the GI Sicherheit at the Worms University of Applied Sciences.

The "SICHERHEIT" is the regular symposium of the "Security - Protection and Reliability" section of the Gesellschaft für Informatik e.V. It offers a forum for the discussion of challenges, trends, techniques and the latest scientific and industrial results to an audience from research, development and application.

At the conference (April 9th – 11th, 2024), the team will present the motivation, perspectives and possibilities of attribution in StegoMalware in the ATTRIBUT project. Since the use of steganographic methods reduces the performance of security mechanisms such as antivirus protection programs, and firewalls and steganography components are now provided online as ready-to-use building blocks, there is an increased threat situation that requires further research into incident investigation and sustainable security solutions. The ATTRIBUT project focuses on stego-malware and researches the attribution of covert (information) channels as well as the potential for prevention and response. IT security incidents must be investigated from various perspectives. One important aspect is attribution, i.e. determining who or what triggered the security incident. In the ATTRIBUT project, the focus is on assigning incidents to a system of origin and thus being able to recognize attacker signatures.

Additionally, a Poster with the title "StegoMalware - Scores from MITRE" was presentet on the Session of the Zentrums für Technologie und Transfer (Hochschule Worms).

17.11.2023

RESEARCH DAY 2023 OF THE HS WORMS

 

The work of the HS Worms in the context of ATTRIBUT was presented with a Poster titled "ATTRIBUT Phase II" at the Research Day 2023.

06.07.2023

COMPUTER SCIENTISTS AT THE UNIVERSITY OF MAGDEBURG WANT TO DETECT CYBER ATTACKS AT AN EARLY STAGE

Cybersecurity research project successful in competition for research funding


The ATTRIBUT research project on cyber security at Otto von Guericke University Magdeburg has made it through another round in the competition "Existential risks from cyber and information space - high security in security-critical and defense-relevant scenarios" organized by the Agency for Innovation in Cyber Security GmbH (original German title: Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur)) and will receive research funding of almost 2.5 million EUR.

The "Multimedia and Security" working group led by Prof. Jana Dittmann from the Faculty of Computer Science received an excellent rating from the expert jury and was selected as one of three other research projects to take part in the second funded phase of the competition. All three research groups are now continuing to implement their project concepts. After one year, they will be evaluated again and two projects will be selected for the third phase.

The security experts at the University of Magdeburg want to conduct targeted research into covert communication or so-called steganographic channels in order to detect cyber attacks at an early stage. The term steganography refers to the science of secretly storing or transmitting information.

"Time and again, critical infrastructures such as energy and water suppliers, hospitals, companies in the food industry, public authorities and banks are attacked for a variety of reasons and objectives," says computer scientist Jana Dittmann. "Attackers often use covert channels to remain undetected and continue to install malware unhindered or secretly drain data from the attacked system. It is difficult to detect such attacks and they often remain undetected. Our research is now aimed at gaining a better understanding of these covert channels," explains Jana Dittmann. "If we succeed in identifying the starting point at an early stage, completely new tools for detection, prevention and response can be developed."

The University of Magdeburg's partners in this research project are the Hochschule Worms, the Technische Hochschule Brandenburg, the Martin-Luther-Universität Halle-Wittenberg as well as Hochschule für den öffentlichen Dienst in Bayern.

Press release of the Cyberagentur: link

Contact for the media: Prof. Dr.-Ing. Jana Dittmann, Otto-von-Guericke-Universität Magdeburg, Institut für Technische und Betriebliche Informationssysteme

19.04.2023

On November 7, 2022, the contracts for research on "Existential risks from cyber and information space - high security in security-critical and defense-relevant scenarios" were signed with six research networks at the Central German Multimedia Center in Halle (Saale). This marks the start of the first phase of the €30 million research project of the Agency for Innovation in Cyber Security (Cyberagentur).

With the ATTRIBUT research project, the "Multimedia and Security" working group (Prof. Dittmann) at FIN / Otto von Guericke University Magdeburg was selected as one of six projects from a broad field of applicants and can now take part in this first funded phase of the competition.

Die Cyberagentur hat einen Forschungsauftrag zum Schutz der kritischen Infrastruktur vergeben. Unter anderem an die Uni Magdeburg: Jörg Wadzack und Jana Dittmann von der Uni Magdeburg und Daniel Mayer und Christian Hummert von der Cyberagentur (v.l.n.r.).

Caption: The cyber agency has awarded a research contract for the protection of critical infrastructure. Among others to the University of Magdeburg: Jörg Wadzack and Jana Dittmann from the University of Magdeburg and Daniel Mayer and Christian Hummert from the Cyberagentur (from left to right).

Image rights: Cyberagentur / © Gerrit Tharann/Cyberagentur


"Time and again, critical infrastructures such as energy and water suppliers, hospitals, companies in the food industry, authorities and banks are attacked for a variety of reasons and objectives," says computer scientist Jana Dittmann. "Attackers often use covert channels to remain undetected and continue to install malware unhindered or secretly drain data from the attacked system. It is difficult to detect such attacks and they often remain undetected. Our research now aims to better understand and automatically detect these covert channels," explains Jana Dittmann. "If we succeed in doing this at an early stage, we can develop completely new tools to detect these malicious code modules that contain hidden code, but above all to find out who created them."

The University of Magdeburg's partners in this research project are Worms University of Applied Sciences, Brandenburg University of Applied Sciences, Martin Luther University Halle-Wittenberg and the University of Applied Sciences for the Civil Service in Bavaria.

Press release of the OVGU: link

Press release of the Cyberagentur: link




Last Change: 22.09.2025

Sie können eine Nachricht versenden an: Webmaster
Sicherheitsabfrage:
Captcha
 
Lösung: