Content uploaded by Steffen Wendzel
Author content
All content in this area was uploaded by Steffen Wendzel on Jul 05, 2018
Content may be subject to copyright.
Towards Deriving Insights into Data Hiding Methods Using
Paern-based Approach
Wojciech Mazurczyk
Warsaw University of Technology
Warsaw, Poland
wmazurczyk@tele.pw.edu.pl
Steen Wendzel
Worms University of Applied Science/
Fraunhofer FKIE
Worms/Bonn, Germany
wendzel@hs-worms.de
Krzysztof Cabaj
Warsaw University of Technology
Warsaw, Poland
kcabaj@ii.pw.edu.pl
ABSTRACT
In network information hiding, hiding patterns are used to describe
hiding methods and their taxonomy. In this paper, we analyze the
current state of hiding patterns and we further improve their taxon-
omy. In order to more thoroughly characterize and understand data
hiding methods applied to communication networks we propose to
distinguish between sender-side and receiver-side patterns. Addi-
tionally, we show how information hiding patterns can be utilized
to conveniently describe the realization of the distributed network
covert channels.
CCS CONCEPTS
•Security and privacy →Network security
;Distributed systems
security;Information ow control; Pseudonymity, anonymity and
untraceability;
•Social and professional topics →
Computer
crime;
KEYWORDS
information hiding patterns, network steganography, covert chan-
nels; network security; taxonomies; information hiding
ACM Reference Format:
Wojciech Mazurczyk, Steen Wendzel, and Krzysztof Cabaj. 2018. Towards
Deriving Insights into Data Hiding Methods Using Pattern-based Approach.
In ARES 2018: International Conference on Availability, Reliability and Security,
August 27–30, 2018, Hamburg, Germany. ACM, New York, NY, USA, 10 pages.
https://doi.org/10.1145/3230833.3233261
1 INTRODUCTION
Network covert channels belong to the research domain of network
information hiding [
15
]. Network covert channels are stealthy, un-
foreseen communication channels in computer networks. These
channels are increasingly used by cybercriminals, e.g. to allow a
covert transfer of malware data. However, they can be also used
for legitimate purposes, such as communicating illicit information
under Internet censorship.
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for prot or commercial advantage and that copies bear this notice and the full citation
on the rst page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specic permission and/or a
fee. Request permissions from permissions@acm.org.
ARES 2018, August 27–30, 2018, Hamburg, Germany
©2018 Association for Computing Machinery.
ACM ISBN 978-1-4503-6448-5/18/08.
https://doi.org/10.1145/3230833.3233261
Hiding patterns are descriptions of hiding methods for network
covert channels. Because of their abstract nature, each hiding pat-
tern serves an umbrella for numerous hiding methods. For instance,
hiding data in the least signicant bit (LSB) of the Hop Limit eld
in IPv6 can be represented by the same pattern as modifying the
LSB of the Time to Live eld in IPv4. In addition to describing
hiding methods, patterns can also form taxonomies and have pre-
dened, searchable and comparable attributes, making them an
advantageous tool over existing taxonomy approaches.
Hiding patterns have originally been proposed by Wendzel et
al. in [
22
]. The authors also presented a novel taxonomy of hiding
patterns in their article. Later, the taxonomy and patterns were
updated and extended by Mazurczyk et al. in [
15
]. There are also
publications that discuss whether a new hiding method can repre-
sent a new or an existing pattern [
20
] and there is moreover work
that describes the way in which hiding methods should be described
(in the context of patterns) [19].
In this work, we analyze the key aspects of the hiding patterns
and the current state of the taxonomy in the domain. However,
the main contributions of this paper are that we show how this
concept can be further extended by modifying the pattern-analysis
process and extending the current taxonomy with new patterns.
By taking into account more details on the hiding method’s inner
workings we hope that the resulting pattern categorization will
contribute to a better understanding of the nature of network covert
channels. Moreover, we also introduce and describe a pattern-based
classication of distributed network covert channels.
The rest of this paper is structured as follows. Section 2 intro-
duces fundamentals and related work on hiding patterns. We discuss
limitations of the current patterns approach in Section 3. Section 4
introduces our improved taxonomy, a process for pattern-analysis
as well as new patterns dedicated to the payload eld and our
pattern-based categorization of distributed network covert chan-
nels. Finally, Section 5 concludes our work and provides an outlook
on future research directions.
2 FUNDAMENTALS
To aid the understanding of information hiding methods, an anal-
ysis of the existing network covert channels and corresponding
protocols should be performed. Patterns provide an abstract and
hierarchical view on these methods and their utilization in combi-
nation with network protocols.
As a starting point, we utilize the work by Wendzel et al. [
22
] on
network information hiding patterns. In this work, the authors in-
troduce a classication of network hiding techniques into so-called
ARES 2018, August 27–30, 2018, Hamburg, Germany W. Mazurczyk et al.
Network Covert Channels
Timing Methods Storage Methods
Message
Timing
Rate/
Throughput
Inter-packet
Times
Modification of
Payload (User Data)
Audio Content,
Video Content, ...
Data in Protocol-specific fields
(a.k.a. Modification of Non-payload)
Structure Modifying Structure Preserving
Position Number of
Elements
Size
Modulation Sequence Add
Redundancy
Modification of an
Attribute
Random
Value
Value
Modulation
Reserved/
Unused
Least Significant
Bit (LSB)
Case
Protocol-agnostic Protocol-aware
Message (PDU)
Ordering
Artificial
Loss RetransmissionTemperature
Frame
Collisions
Original part from (Wendzel et al., 2015)
Updated by (Mazurczyk et al., 2016)
Added by (Mazurczyk et al., 2016)
Legend:
Hybrid
Methods
Figure 1: Information hiding patterns and their hierarchy introduced in [22] and updated in [15].
hiding patterns with the aim to potentially develop countermea-
sures for these patterns. In this perspective, information hiding
patterns are dened as abstract descriptions of how to solve a prob-
lem (data hiding) in a given context (communication protocols). As
patterns can be derived from other patterns, they can form hierar-
chies. Each hiding pattern is a unied and generic description of
a particular family of hiding methods. Patterns must be described
in a pre-dened format and require certain additional properties,
such as at least three known occurrences of a pattern – cf. [
22
] for
details. In [
22
] and [
19
], Wendzel et al. evaluated more than 130
existing network covert channel techniques from past decades and
extracted abstract patterns from these techniques. It turned out that
authors were able to represent all techniques by (only) 11 patterns,
which were arranged in a hierarchical catalog described using Pat-
tern Language Markup Language (PLML). While later work in [
15
]
modied and extended their patterns, the core part of the hierarchy
and several patterns remained (colored in white and light-gray in
Fig. 1). Later modications and extensions by [
15
] are colored in
darker gray in Fig. 1. The latest description of all patterns shown
in this gure is presented briey in Table 1.
As it can be seen in Table 1, a hiding pattern’s description is
written in an abstract manner so that one pattern can be used to
describe multiple hiding techniques at the same time. For instance,
“modulate the least signicant bits of a protocol eld” is a very brief
description of many published hiding methods which utilize the
least signicant bits of elds in arbitrary network protocols.
The above-mentioned classication is carrier-oriented and a
“carrier” is dened as one or more overt trac ows that pass
between the covert sender and the covert receiver, consisting of
protocol data units (PDUs, e.g. frames or packets). Typically, the
carrier can be multi-dimensional, i.e. it oers many opportunities
“places” or “events” for hiding data (called sub-carriers). As in other
network covert channel categorizations the two main groups of
methods are (Fig. 1):
•
storage methods: a class of network steganography methods
that modify the “places” (sub-carriers) in a carrier to create
a storage covert channel. These techniques hide information
by modifying e.g. protocol elds, such as unused bits of a
header.
•
timing methods: a class of network steganography methods
that modify the timing of “events” of a carrier to create a
covert channel. These techniques hide information, e.g. in
the timing of protocol messages or packets.
Some important changes have been introduced in [
15
] when
compared with original categorization from [22]. These include:
•
dening 14 patterns (8 timing patterns and 6 storage pat-
terns), compared to 11 patterns (4 timing and 7 storage)
proposed originally. Note that the increased number of hid-
ing patterns is mainly caused due to adding new layer of
classication in [
15
] for timing patterns which have been
divided into “protocol agnostic” or “protocol aware” groups.
•
the pattern ’PDU Corruption/Loss Pattern’ has been removed
from the storage patterns and instead the ’Articial Loss’
pattern which full name is ’Articial Message/Packet Loss’
and the ’Frame Collision’ pattern have been added to the list
of timing patterns.
•A few patterns have been slightly modied/renamed.
The paper [
22
] introduced also several other concepts which
explain suitably some network covert channels’ phenomena, i.e.
pattern variation, pattern combination, and pattern hopping.
First, pattern variation is a transformation-like approach for
covert channels. The utilized network protocol is dened as the pat-
tern’s context. Therefore, a pattern’s application can change from
one network protocol to another – without redesigning the most
important aspects and inner workings of the hiding technique itself.
Next, pattern combination allows the use of multiple patterns at the
same time (within the same carrier, e.g. by modifying many sub-
carriers at once). This is typically performed to increase available
steganographic bandwidth – thus in short it is a parallel utilization
of multiple network covert channels simultaneously. Finally, pattern
hopping varies the use of patterns over time – usually it is applied
in order to increase stealthiness. This can be briey summarized as
a sequential utilization of various network covert channels in time
using dierent (sub-)carriers.
Towards Deriving Insights into Data Hiding Methods Using Paern-based ApproachARES 2018, August 27–30, 2018, Hamburg, Germany
Table 1: Information hiding patterns as introduced in [22] and updated in [15].
Pattern Name Pattern Description
Rate/Throughput The covert channel sender alters the data rate of trac from itself or a third party to the covert channel receiver.
Inter-packet Times The covert channel alters timing intervals between network PDUs (interarrival times) to encode hidden data.
Message Timing Hidden data is encoded in the timing of message sequences, e.g. acknowledging every n’th received packet or
sending commands mtimes.
Articial Loss The covert channel signals hidden information via articial loss of transmitted messages (PDUs).
Frame Collisions The sender causes articial frame collisions to signal hidden information.
Temperature The sender inuences a third-party node’s CPU temperature, e.g. using burst trac. This inuences the node’s
clock skew. The clock skew can then be interpreted by the covert receiver by interacting with the node.
Retransmission A covert channel retransmits previously sent or received PDUs.
Message Ordering The covert channel encodes data using a synthetic PDU order for a given number of PDUs owing between
covert sender and receiver.
Size Modulation The covert channel uses the size of a header element or a PDU to encode a hidden message.
Sequence Modulation The covert channel alters the sequence of header/PDU elements to encode hidden information.
This pattern divides further into: P2.a. Position and P2.b. Number of Elements patterns.
Add Redundancy The covert channel creates new space within a given header element or within a PDU in which to hide data.
Random Value The covert channel embeds hidden data in a header element containing a (pseudo-)random value.
Value Modulation The covert channel selects one of the nvalues that a header element can contain to encode a hidden message.
This pattern divides further into: P6.a. Case Pattern and P6.b. Least Signicant Bit (LSB) patterns.
Reserved/Unused The covert channel encodes hidden data into a reserved or unused header/PDU element.
It must be also noted that in the reminder of this paper we will
rely on the unied description for network information hiding
methods introduced in [
19
]. This paper has been the rst attempt
to standardize the description of network covert channels which
is suitable, e.g. to assess their novelty and impact of the method
on the state-of-the-art. In [
19
], the proposed description of data
hiding methods is split into three categories: (i) general information
about the hiding method; (ii) description of the hiding process, and
(iii) potential or tested countermeasures. The rst two categories
comprise sub-categories and each (sub-)category can be mandatory
or optional (Fig. 2).
The category “hiding method general information” consists of a
link to existing network hiding patterns. It also includes a discussion
of the application scenario and requirements of the carrier. From the
perspective of this paper the most important category, i.e. “hiding
method process”, is split into four parts: the sender-side and the
receiver-side description of the hiding method, the details of the
covert communication channel, and the description of an associated
covert channel control protocol (if applicable). The third category
discusses both, potential and evaluated countermeasures, including
those that detect, limit or prevent the particular hiding method’s
use. In the following we will reference to the fragments of this
unied description when it comes to the pattern categorization.
3 ANALYSIS OF THE EXISTING TAXONOMY
Our analysis has shown that the current information hiding patterns
approach can be further extended to include the following aspects:
•
Incorporate More Details on Data Hiding Methods: The key
criterion of the current pattern taxonomy for deciding which
pattern an analyzed method represents is to determine how
the secret data is encoded. Thus, due to this it is omitting
some details on how the data hiding method works (from the
- Hiding Pattern [mandatory]
- Application Scenario [mandatory]
- Required Properties of the Carrier [mandatory]
- Sender-side Process [mandatory]
- Receiver-side Process [mandatory]
- Covert Channel Properties [mandatory]
- Covert Channel Control Protocol [optional]
Unified Description Method
Hiding Method General Information [mandatory]
Hiding Method Process [mandatory]
Potential or Tested Countermeasures [mandatory]
Figure 2: The unied description structure for data hiding
methods as introduced in [19].
sender-side and receiver-side process – this will be shown
further in the next sections). This “attens” the description
of the inner workings of the data hiding methods and thus
may prevent that all details of a hiding method are con-
sidered. A more thorough patterns grouping is desired to
more accurately categorize existing network steganography
methods.
•
Support Hybrid Patterns: For some cases it is dicult to assess
whether the analyzed method is storage, timing or hybrid
– a clearer distinction and unambiguous formula to deduce
this is desirable.
ARES 2018, August 27–30, 2018, Hamburg, Germany W. Mazurczyk et al.
•
Multi-Packet and -Flow Characteristics Support: The current
categorization makes no clear distinction between hiding
methods that are focusing on a single packet or multiple
packets. Also, there is no clear distinction between single-
and multi-ow methods. For example, consider a covert chan-
nel that modulates IPv4 ToS values in such a way that the
sequence of ToS values from the consecutive packets is inter-
preted as a single secret data bit – currently such a method
does not match any hidden data pattern. Moreover, some
hiding methods such as [
10
] utilize multiple ows. It is thus
benecial to make the original pattern descriptions more
generic, i.e. less dependent on specic units such as PDUs
or packets.
•
Coverage of Sophisticated Hiding Methods: It is not exactly
clear whether recent, more advanced network steganogra-
phy concepts like inter-protocol steganography [
9
], protocol
switching covert channels [
21
], multilevel steganography [
5
],
adaptive covert communication [
23
], etc. can be accurately
expressed using current pattern categorization. Pattern com-
bination, pattern hopping and pattern variation are means
to represent them, but not to the full extent.
•
Inuence on Payload: In the original design decision of the
pattern-based approach, arbitrary content, e.g. digital les,
were considered as part of digital media steganography in-
stead of network information hiding. However, in some cases,
such as in VoIP steganography, where there are data hiding
methods that aect the payload eld, it can be helpful to
have a taxonomy that covers also the transmitted payload.
In principle the patterns should be analogous as they too
adhere to the storage group.
•
Distinction Between Secret Data Embedding and Transfer: It is
also worth to emphasize that from the pattern-based coun-
termeasures perspective it is more important to know which
pattern represents the covert technique within the commu-
nication channel. It must be noted that in particular the
information hiding patterns used at the sender-side process
to embed secret data may not exactly represent themselves
in the same while traversing within the hidden data carrier
through the communication network.
•
Embrace PDU Corruption Pattern: As mentioned, in [
22
] 11
(4 timing and 7 storage) patterns have been dened while in
[
15
] there are 14 (8 timing and 6 storage) patterns. However,
the pattern ’PDU Corruption/Loss’ has been removed from
the storage patterns group by [
15
]. In fact, it is our belief
that it is benecial that the ’Articial Message/Packet Loss’
pattern has been added into timing patterns but still the
’PDU Corruption’ pattern should be considered in storage
scenarios.
Based on the above-mentioned points, we describe how we en-
vision enhancements to the current information hiding patterns
concept in the next section.
4 EXTENSION AND MODIFICATION OF THE
PATTERNS APPROACH
In this section, we present the proposed modication for the origi-
nal information hiding patterns concept which can help in deriving
further insights into understanding the nature of various types
of network covert channel techniques. More specically, in sub-
section 4.1 we propose how the original pattern approach can be
extended in order to include the sender-side and receiver-side pro-
cesses which inuences both pattern creation process and covert
techniques categorization. Next, in subsection 4.2 we propose new
patterns applicable to the payload eld. Finally, in subsection 4.3
we discuss the distributed network covert channels and how the
information hiding patterns concept can be used to conveniently
describe them.
4.1 A New Process to Analyze the Details of
Pattern-Application
Considering the arguments from Section 3, we propose an approach
based on [
20
], which describes how to determine the novelty of a
new hiding technique and whether a hiding technique actually rep-
resents a new pattern, or not. Instead, our goal is to gain additional
insights into the inner-workings of the data hiding method, i.e. we
do not replace the original approach.
In the current categorization, authors of a new data hiding tech-
nique rst describe their technique, e.g. informally or using [
19
].
Then, based on how the secret data is embedded one pattern is se-
lected that represents the hiding method. Therefore, authors rst de-
cide whether the hiding method is storage or timing, then, whether
it is protocol-aware/agnostic (timing channel) or header structure
preserving/modifying (storage channel). If a hiding method does
not t into the current pattern representation, it is considered a
new pattern which can be added to the taxonomy. The related
decision-making process can be found in [20].
We propose a similar but modied version of this approach. How-
ever, as mentioned, our approach targets a dierent goal, namely
to derive more insights related to the information hiding method
itself. It must be noted that we do not focus only on how the secret
data for a certain data hiding method is embedded (which is only a
part of the sender-side process) but instead we want to detail both
the complete sender- and receiver-side processes and represent
them with patterns (and for this purpose, we “borrow” the already
existing patterns.
In our proposed approach, the known hiding patterns of exist-
ing publications and websites, e.g. [
15
,
22
] or https://ih-patterns.
blogspot.com, which are tagged as storage or timing patterns, are
taken into account. Then for the hiding method that needs to be de-
scribed using the network covert channel patterns approach, the cor-
responding patterns for both, sender- and receiver-side processes
are selected. Finally, based on the result and depending on what
types of patterns have been assigned to the method, the method
itself is concluded as a storage, a timing or a hybrid method – this
selection process is explained in the details below.
The described improved approach which aims to derive more in-
sights from the data hiding methods using pattern approach allows
to repaint the categorization from Fig. 1. However it must be noted
that in the modied approach we categorize network covert channel
patterns and not data hiding methods. Thus, we start the derived
classication from the network covert channel patterns which are
then divided into timing and storage ones (Fig. 3). Afterwards, each
of the methods that needs to be evaluated is assigned with at least
Towards Deriving Insights into Data Hiding Methods Using Paern-based ApproachARES 2018, August 27–30, 2018, Hamburg, Germany
Network Covert Channel Patterns
Covert Timing Patterns Covert Storage Patterns
Message
Timing
Rate/
Throughput
Inter-packet
Times
Modification of
Payload (User Data)
Audio Content,
Video Content, ...
Data in Protocol-specific fields
(a.k.a. Modification of Non-payload)
Structure Modifying Structure Preserving
Position Number of
Elements
Size
Modulation Sequence Add
Redundancy
Modification of an
Attribute
Random
Value
Value
Modulation
Reserved/
Unused
Least Significant
Bit (LSB)
Case
Protocol-agnostic Protocol-aware
Message (PDU)
Ordering
Artificial
Loss RetransmissionTemperature
Frame
Collisions
Method 1Method 2 Method 3
Requires Extension
Method 4
(Hybrid)
Figure 3: Improved aspects of the existing pattern-based taxonomy.
one or more patterns to its sender- and receiver-side processes
separately (for each side at least one or alternatively more patterns
must be selected).
It must be also noted that using this approach it may be possible
to evaluate in greater detail which patterns are most often used
jointly only at the sender-side process (as more than one pattern can
be assigned) or only at the receiver-side process, or nally which
patterns typically coexist at the sender-side and the receiver-side
processes. This can be achieved by performing a thorough analysis
of network covert channels dened in the literature (however, due
to space limitation it will be not part of this paper). In result of
such an analysis this can lead to the identication of potential
relationships between dened patterns, i.e. whether for some of
them it is “easier” to coexist with other patterns within the data
hiding method (as in the case of the extended approach the sender
and the receiver processes can be investigated separately or jointly).
But more importantly, it is also possible to investigate whether
besides of joint patterns utilization (at the sender-side, receiver-side
or both sides), other pattern mixes are also possible. For example,
consider Method 4 in the Figure 3. It is characterized by the pat-
terns Retransmission and Size Modulation, which makes it a hybrid
method. However, the question arises whether is would be possible
to construct a data hiding method that apart from these two pat-
terns utilizes e.g. Message (PDU) Ordering pattern and how this will
impact its properties.
In result, new, previously unknown network information hiding
methods or improved versions of existing ones can be designed
and developed and relationships between the existing patterns can
be investigated and determined. It must be noted that using the
existing pattern classication it was possible to assign only a single
pattern for a certain hiding method which corresponds best with the
secret data embedding process. However, in the extended approach
(which is dierent when compared to the original concept) it is
possible to:
•
assign more patterns to the sender-side process if it is re-
quired in order to express to a full extent how the sender-side
of the hiding method operates,
Hiding Method Process
Type of the method:
Covert Storage
Pattern(s) Covert Storage
Pattern(s) Network Storage
Covert Channel
Covert Timing
Pattern(s) Covert Timing
Pattern(s) Network Timing
Covert Channel
Covert Timing &
Storage Pattern(s) Covert Timing and/or
Storage Pattern(s) Network Hybrid
Covert Channel
Covert Timing
Pattern(s) Covert Storage
Pattern(s) Network Hybrid
Covert Channel
Sender-side Process Receiver-side Process
…
…
…
Figure 4: Improved process to decide on the network covert
channel type based on the assigned patterns.
•
include also the receiver-side process and its corresponding
patterns.
Such an approach may not only help to better understand the
nature of the network covert channels and their creation process,
but it can also provide new insights into how to construct more
ecient and eective detection solutions. This can be achieved by
designing and developing detection methods, so they precisely will
be looking for the specic artifacts related to the representation of
the certain patterns in the communication channel (and/or e.g. the
presence of their coexistence).
Finally, each method based on the selected patterns for the
sender- and for the receiver-side processes is assigned to one ele-
ment of the group {storage,timing,hybrid}. This is done as illus-
trated in Fig. 4. In principle, if both the sender- and the receiver-side
processes are characterized with homogenic (only storage or only
timing) patterns then the method is concluded as storage or timing.
If there is heterogeneity across patterns that the method uses, i.e.
storage and timing methods are mixed within the sender- and/or the
receiver-side processes then it is concluded as a hybrid technique.
ARES 2018, August 27–30, 2018, Hamburg, Germany W. Mazurczyk et al.
Hiding Method Process
Sender-side
Process Receiver-side
Process Type of the method:
P. PDU Order
P. Value modulation P. Sequence (value)
P. Value modulation Network Hybrid
Covert Channel
P. Reserved/unused P. Reserved/unused Network Storage
Covert Channel
Exemplary
method:
PSCC [21]
IPv4 ToS [7]
LACK [12] P. PDU order
P. Reserved/unused
(payload)
P. Reserved/unused
(payload) Network Hybrid
Covert Channel
Delays of IP
packets [2] P. Interarrival time Network Timing
Covert Channel
P. Interarrival time
PadSteg [9] Network Storage
Covert Channel
P. Reserved/unused P. Reserved/unused
P. Size modulation
RSTEG [13] P. Reserved/unused
(payload)
P. Retransmission
P. Reserved/unused
(payload)
Network Hybrid
Covert Channel
stegVAD [16] P. Reserved/unused
(payload)
P. Unused (payload) Network Hybrid
Covert Channel
P. Add redundancy
P. Interarrival time
Pattern(s): Pattern(s):
Figure 5: Classication of the exemplary network covert
channels based on the assigned patterns.
To present how the proposed extended patterns’ classication
approach is functioning for some of the existing network steganog-
raphy techniques, we have chosen seven dierent state-of-the-art
network covert channels to demonstrate how they t into our cate-
gorization (Fig. 5). For example, for a simple network covert channel
which in order to conceal data utilizes Type of Service eld from
the IPv4 header [
7
], the sender- as well as receiver-side processes
use the same pattern, i.e. Reserved/Unused, thus as both processes
are assigned with the storage pattern then the method is concluded
as storage. For the work related to modifying delays between the
consecutive packets within the data stream [
2
] for both sender- and
receiver-side processes the pattern Inter-arrival time is an obvious
choice thus this technique is deemed as timing method. However,
when we consider a more complex method like LACK (Lost Audio
Packets Steganography) [
12
] then the situation is a bit dierent. As
LACK operates by using intentionally delayed voice packets and
replacing the original payload of these packets with secret data
thus at the sender-side process two patterns must be selected – one
storage (Reserved/Unused) and one timing (PDU Order ), whereas
when considering the receiver-side process the chosen pattern is
only storage one (Reserved/Unused) – as at the covert receiver every
incoming packet’s payload, regardless of its order, is probed for the
existence of the hash which will indicate presence of secret data.
Therefore, the method is concluded to be hybrid. It is worth empha-
sizing that if we consider the original pattern approach (which as
mentioned relied only on assigning pattern(s) based on how/where
secret data is embedded) then LACK method would be only char-
acterized by the storage Reserved/Unused pattern. This proves that
the extended pattern approach proposed in this paper allows to
characterize the data hiding methods in greater detail by including
more information on inner workings of the information hiding
technique.
User-data Agnostic User-data Aware
TranSteg [14], stegVAD
[16], HideF0 [8] etc. LSB, DCT, DSSS, Echo
hiding [1], etc.
LACK [12], HICCUPS [18],
RSTEG [13], etc.
Modification of
Payload
PS21. User-data
Corruption
(blind modification)
PS20. Payload
Field Size
Modulation
PS31. User-data Value
Modulation and
Reserved/Unused
(targeted modification)
PS30. Modify
Redundancy
(e.g. via transcoding)
Girling [6]
Figure 6: Classication of the network covert storage chan-
nels for the payload eld and the corresponding patterns.
4.2 Introduction of Additional Patterns
As already mentioned, the current pattern-based categorization of
[
15
,
22
] makes a distinction between patterns applied to user-data
(within the payload eld) and protocol specic data (control in-
formation: headers, padding, etc.). In principle, all these patterns
adhere to the storage group, i.e. modication of the certain “lo-
cations” of the carrier. However, in the original publications on
hiding patterns, this distinction was made based on the idea of
Fisk et al. [
3
] to separate structured (machine-readable) content
from non-structured (human-readable) content, such as images.
This means that in several cases similar rules apply to modify these
elds (because structured data follows rules, e.g. protocol headers
are built similarly to formal grammar) and to the data that they
store. Obviously the most signicant dierence lays in the dissim-
ilarities between the control information carried within protocol
headers/padding and user-data transferred within the payload eld.
Thus, to ll this gap and by considering current research eorts in
this area, we propose to extend the current taxonomy as shown in
Fig. 6.
Network covert channels that modify the payload eld and its
content have been divided based on whether the characteristic of
user-data is taken into account into: (i) user-data agnostic and (ii)
user-data aware. In each of the two groups two patterns have been
identied, which we describe in the same way as the patterns were
originally described in [
22
] using a subset of the Pattern Language
Markup Language’s (PLML) attributes:
PS20. Payload Field Size Modulation
Illustration: This pattern uses a size of the payload eld of a ow’s
PDUs/messages to encode the hidden message. This pattern is a
variant (child) of the pattern P1. Size Modulation of [
22
] which
has been already dened for the modication of the non-payload
branch of storage methods (conrm Fig. 1).
References: PS1. Size Modulation
Context: Network Covert Channel Patterns
→
Covert Storage Chan-
nel Patterns →Modication of Payload →User-data Agnostic
Evidence:
1. Modulate the size of the data block eld in Ethernet frames [
6
].
2. Any other method that modulates the size of the payload eld in
any network protocol.
Towards Deriving Insights into Data Hiding Methods Using Paern-based ApproachARES 2018, August 27–30, 2018, Hamburg, Germany
PS21. User-data Corruption
Illustration: This pattern is related to the cases when steganographic
methods do not take into account what kind of user-data is carried
within a payload eld and/or what its characteristic is (blind modi-
cation). It can be applied to single PDUs or to multiple PDUs (a
ow). This typically happens if parts of (or the whole) user-data is
replaced with secret bits and thus the user-data is corrupted/lost.
This pattern is similar to the pattern PDU Corruption dened in the
original pattern categorization of [22].
Context: Network Covert Channel Patterns
→
Covert Storage Chan-
nel Patterns →Modication of Payload →User-data Agnostic
Evidence:
1. Replace the user-generated data in the payload eld with secret
data in intentionally lost voice packets of the IP telephony call [
12
].
2. Replace the user-generated data in the payload eld with secret
data in retransmitted TCP segments [13].
3. Replace the user-generated data in the payload eld with secret
data in intentionally corrupted IEEE 802.11 frames [18].
PS30. Modify Redundancy
Illustration: This pattern is used when it is possible to exploit the
redundancy of the user-data by means of transforming them in
such a way that a free space for secret data is obtained (e.g. by
means of transcoding). This pattern is a bit similar to the pattern
Add Redundancy dened in [
22
] but can also decrease redundancy
and is applied to payload instead of meta-data.
Context: Network Covert Channel Patterns
→
Covert Storage Chan-
nel Patterns →Modication of Payload →User-data Aware
Evidence:
1. Compress existing user-data in order to make a space for secret
data [14].
2. Transform the VAD-enabled IP telephony voice stream into non-
VAD one and ll the gaps using articially generated RTP packets
containing secret data [16].
3. Approximate the F0 parameter of the Speex codec which carries
information about the pitch of the speech signal and use the “saved”
space for secret data [8].
PS31. User-data Value Modulation and Reserved/Unused
Illustration: Characteristic features of user-data can be utilized to
store secret information. This includes applying methods like LSB
modication to speech samples or digital images carried within the
payload eld. Compared with previous patterns this is a targeted
modication. This pattern is analogous to the combination of the
patterns Value Modulation and Reserved/Unused, but applied to pay-
load.
Context: Network Covert Channel Patterns
→
Covert Storage Chan-
nel Patterns →Modication of Payload →User-data Aware
Evidence:
1. Encode a stream of information by spreading the encoded data
across as much of the frequency spectrum as feasible (e.g. DSSS) [
1
].
2. Embeds secret data into a carrier audio signal by introducing an
echo (a.k.a. echo hiding) [1].
3. Replacing the least signicant bit of e.g. each voice sample with
secret data (LSB) [1].
As it is visible above, the identied patterns have mostly a num-
ber of examples in the state-of-the-art publications (Fig. 6). Every
newly dened pattern corresponds to the patterns that have been
already dened in the non-payload branch of the original classica-
tion.
Finally, the complete picture of the extended information hiding
patterns classication is illustrated in Fig. 7 and the corresponding
descriptions of all dened patterns which include also potential
multi-packet/multi-ow characteristics of some data hiding meth-
ods are enclosed in Tab. 2.
4.3 Distributed Covert Channel Realization
In [
22
], authors dened three concepts which can be used to explain
suitably some of the existing network covert channels’ phenomena,
i.e. pattern variation, pattern combination and pattern hopping.
The above-mentioned concepts are especially suitable and impor-
tant when trying to depict, explain, and analyze the realization of
distributed network covert channels. We dene a distributed covert
channel as a network covert channel that spreads secret data among
multiple ows/protocols/hosts or uses multiple patterns within the
same ow or PDU for the hidden data exchange. In contrast, the
typical (undistributed) network covert channel is a storage or a
timing channel that uses PDUs of a single ow/protocol with only
one hiding pattern in order to embed secret data.
In Fig. 8 we have illustrated that these three pattern concepts
practically exhaust possibilities for distributed network covert chan-
nel realization. While explaining these concepts we apply the terms
of spatial,temporal, and transform domains which are “borrowed”
from the digital media steganography research area [
17
] and which
helps to described and dene them better.
The rst group i.e. pattern combination is related to the distri-
bution of secret data in a spatial domain. This means that many
patterns are utilized in parallel for the same hidden data carrier e.g.
by modifying many of its sub-carriers or using several carriers at
once. This includes the case when the hybrid data hiding methods
are used (cf. Fig. 1) as well as the case of simultaneous utilization
of multiple network covert channels at once. Consider an example
of HTTP trac (e.g. web browsing) where three separate network
covert channels are used simultaneously: one is used for the IPv4
protocol, the next for the TCP protocol, and nally the third is ap-
plied to HTTP. Pattern combination applies also to the case when,
e.g. three separate connections are used for hidden data purposes
and in each connection a separate network hiding pattern is utilized
at the same time (e.g. IPv4-based in the rst connection, TCP-based
in the second, and HTTP-based in the last one). Typically such an
approach is used in order to increase the overall steganographic
bandwidth.
The second group of distributed covert channels realization is
pattern hopping which allows to spread secret data in the temporal
domain (time). In a nutshell it means that dierent patterns’ uti-
lization varies over time and thus they are applied sequentially for
various (sub-)carriers. Usually, such an approach helps to improve
the stealthiness of the covert data exchange as in order to detect it
more “locations” must be monitored by the warden. An example of
pattern hopping is the tool PHCCT. PHCCT implements a so-called
protocol hopping covert channel that distributes data over dierent
ARES 2018, August 27–30, 2018, Hamburg, Germany W. Mazurczyk et al.
Network Covert Channel Patterns
Covert Timing Patterns Covert Storage Patterns
PT2.
Message
Timing
PT3.
Rate/
Throughput
PT1.
Inter-packet
Times
Modification of
Payload (User Data)
Data in Protocol-specific fields
(a.k.a. Modification of Non-payload)
Structure Modifying Structure Preserving
PS2a.
Position
PS2b.
Number of
Elements
PS1.
Size
Modulation
PS2.
Sequence
PS3.
Add
Redundancy
Modification of an
Attribute
PS10.
Random
Value
PS11.
Value
Modulation
PS12.
Reserved/
Unused
PS11b.
Least Significant
Bit (LSB)
PS11a.
Case
Protocol-agnostic Protocol-aware
PT11.
Message (PDU)
Ordering
PT10.
Artificial
Loss
PT12.
Retransmission
PT14.
Temperature
PT13.
Frame
Collisions
User-data Agnostic User-data Aware
PS20.
Payload Field
Size Modulation
PS21.
User-data
Corruption
PS30.
Modify
Redundancy
PS31.
User-data
Value Modulation &
Reserved/Unused
is related to PS1. Size Mod. (used jointly due to modulation of payload length field in protocol headers)
Existing Taxonomy
Proposed Extension of this Paper
Legend:
Figure 7: Classication of network covert channel patterns.
Table 2: Descriptions of hiding patterns in our improved and extended taxonomy.
Pattern Name Pattern Description
PT1. Inter-packet Times The covert channel alters timing intervals between network messages of a ow (interarrival times) to
encode hidden data.
PT2. Message Timing Hidden data is encoded in the timing of message sequences within a ow, e.g. acknowledging every
n’th received message or sending commands mtimes.
PT3. Rate/Throughput The covert channel sender alters the data rate of a ow from itself or a third party to the covert receiver.
PT10. Articial Loss The covert channel signals hidden information via articial loss of a ow’s transmitted messages, e.g.
by frame-corruption or message drop.
PT11. Message Ordering The covert channel encodes data using a synthetic message order in a ow.
PT12. Retransmission A covert channel retransmits previously sent or received messages of a ow.
PT13. Frame Collisions The sender causes articial frame collisions to signal hidden information.
PT14. Temperature The sender inuences a third party node’s hardware temperature using trac of a ow. There must be
a technique for the covert receive to measure the temperature (indirectly).
PS1. Size Modulation The covert channel uses the size of ow metadata (e.g. PDU size or size of a header element) to encode
hidden messages.
PS2. Sequence Modulation The covert channel alters the sequence of ow metadata to encode hidden information.
This pattern divides further into: P2.a. Position and P2.b. Number of Elements patterns.
PS3. Add Redundancy The covert channel embeds redundant metadata (e.g. by adding an unused IP option) in which data is
hidden into a ow. Note that in comparison to PS1, the data is hidden in the redundant data’s presence,
not in the size of an PDU or header element).
PS10. Random Value The covert channel embeds hidden data into ow metadata that contains a (pseudo-)random value.
PS11. Value Modulation The covert channel selects one of the nvalues that a ow’s metadata element can contain to encode a
hidden message.
This pattern divides further into: P11.a. Case Pattern and P11.b. Least Signicant Bit (LSB) patterns.
PS12. Reserved/Unused The covert channel encodes hidden data into a ow’s reserved or unused metadata elements.
PS20. Payload Field The size of the payload in a ow is used to encode hidden information (this is a derivate of PS1 but for
Size Modulation the payload since it involves the modication of a PDU’s payload length eld, i.e. PS1).
PS21. User-data Corruption The covert channel performs a (blind) insertion of covert data into a ow’s payload (similar PT10).
PS30. Modify Redundancy The covert channel compresses a ow’s payload and the resulting free space is used to hide data.
PS31. User-data Value The covert channel performs a modication of a ow’s payload in a way that is not reected by PS30
Modulation and and that does not result in a signicantly modied interpretation of the data, e.g. by modifying least
Reserved/Unused signicant bits of digital images or hiding data in unused/reserved payload bits.
network protocols [
15
]. To this end, PHCCT utilizes more than
one pattern, namely Add Redundancy (embedded in HT TP) and
User-data Corruption (embedded in FTP-Data).
Finally, the last group of techniques which allows to realize a
distributed network covert channel is pattern variation. The original
idea of pattern variation is that each of the dened patterns is
considered in the certain context, i.e. the utilized hidden data carrier
Towards Deriving Insights into Data Hiding Methods Using Paern-based ApproachARES 2018, August 27–30, 2018, Hamburg, Germany
Flows-based
Scattering
Pattern Variation
(transform domain
distribution)
Host-based
Scattering
Pattern Combination
(spatial domain
distribution)
Pattern-based Distributed
Covert Channel Realization
Pattern Hopping
(temporal domain
distribution)
Protocol-based
Scattering
Not distributed covert channel = storage or timing channel that uses PDUs of a single
flow/protocol with only one hiding pattern in order to
send secret data
Distributed covert channel = a covert channel that distributes secret data among many
flows/protocols/hosts or uses multiple patterns within the same
flow or PDU for hidden data exchange
PSCC [21]
Cloak [10]
Multihoming
SCTP-based CC [4]
PHCCT [15]
Figure 8: Classication of pattern-based distributed network
covert channel realization.
(e.g. a network protocol). In our case, we extend this view and dene
pattern variation in dierent contexts. In particular, three contexts
can be distinguished: host-based scattering,ow-based scattering,
and protocol-based scattering which will be described in detail with
examples below. In all cases of pattern variation, the same pattern
is applied to dierent contexts, i.e. its essence does not change.
Host-based scattering requires the covert sender and/or the covert
receiver to control more than one physical host or other network-
ing devices. Parts of the secret data are hidden in the legitimate
trac sent from or directed towards dierent hosts using the same
pattern. An example of this kind of distributed covert channel is
the SCTP multi-homing-based method (i.e. the host’s ability to be
visible in the network through more than one IP address) [
4
]. In
such a scenario, each IP address of the covert receiver can be used
to represent a single bit of secret data (or a sequence of bits). Then,
by modulating the way that packets are addressed and sent secret
data can be transferred in a distributed manner.
Next, Flow-based scattering takes advantage of the capability
to set up multiple ows between two hosts and using them to
signal secret data bits in a distributed way while utilizing the same
pattern. This can be realized, for example, by dividing secret data
into fragments and using a certain information hiding pattern (or
several) to send each fragment using one of the available ows.
An idea of using many ows for a distributed covert channel is
exemplied by the Cloak method [
11
], which is a timing data hiding
technique that encodes secret data bits by uniquely distributing
N
packets over
M
TCP ows. Please note that while in the case of
pattern hopping a utilization of multiple ows is possible as well,
ow-based scattering serves under the umbrella of pattern variation,
i.e. it is required to apply the same pattern to dierent ows, and
pattern hopping must apply dierent patterns.
Finally, Protocol-based scattering applies a pattern to dierent
communication protocols instead of hosts or ows. In contrast to
ow-based scattering, it does not necessarily utilize ows of the
same protocol but changes the actual protocol (which can generate
multiple ows, too). This group is exemplied via protocol switching
covert channels (PSCC) [
21
]. These channels assign hidden informa-
tion to network protocols. For instance, one could link the HTTP
protocol to the hidden value “0” and the DNS protocol to the hidden
value “1”. Then, by sending the packet sequence HTTP, DNS, DNS,
HTTP, one would transfer the secret information “0110”.
Obviously, there are other possibilities to create distributed net-
work covert channels by developing mixed solutions so that it in-
volves the parallel use of, e.g. pattern hopping and pattern variation
or any other fusion of the concepts mentioned above.
5 CONCLUSIONS
We identied limitations of the existing pattern-based taxonomy,
most importantly a lack of payload-based hiding patterns and a
limited denition of distributed covert channels. For this reason,
we extended the list of existing hiding patterns for network covert
channels and their related taxonomy. We also extended the de-
scription of hybrid/distributed hiding methods and proposed an
extension and improvement of the related concepts (especially pat-
tern variation to handle multi-host, multi-ow and multi-protocol
techniques).
We hope this work will help to derive new insights into existing
and new data hiding techniques.
Future work will be devoted to analyzing relationships between
patterns with respect to their joint occurrence in existing methods
as well as we will investigate whether any new data hiding methods
can be deuced based on the less obvious pattern mixes.
ACKNOWLEDGMENTS
Wojciech Mazurczyk and Krzysztof Cabaj are supported by the Air
Force Oce of Scientic Research under award number FA9550-17-
1-0254. The supported project is named CoCoDe (Covert Commu-
nication Detection).
Any opinions, ndings, and conclusions or recommendations
expressed in this material are those of the author(s) and do not
necessarily reect the views of the United States Air Force.
REFERENCES
[1]
W. Bender, D. Gruhl, N. Morimoto, and A. Lu. 1996. Techniques for data hiding.
IBM Systems Journal 35, 3.4 (1996), 313–336. https://doi.org/10.1147/sj.353.0313
[2]
V. Berk, A. Giani, and G. Cybenko. 2005. Detection of Covert Channel Encoding in
Network Packet Delays. Technical Report TR2005-536. Department of Computer
Science, Dartmouth College. http://www.ists.dartmouth.edu/library/149.pdf
http://www.ists.dartmouth.edu/library/149.pdf.
[3]
G. Fisk, M. Fisk, C. Papadopoulos, and J. Neil. 2003. Eliminating steganogra-
phy in Internet trac with active wardens. In Proc. Revised Papers from the 5th
International Workshop on Information Hiding. 18–35.
[4]
Wojciech Fraczek, Wojciech Mazurczyk, and Krzysztof Szczypiorski. 2012. Hiding
Information in a Stream Control Transmission Protocol. Comput. Commun. 35, 2
(Jan. 2012), 159–169. https://doi.org/10.1016/j.comcom.2011.08.009
[5]
W. Fraczek, W. Mazurczyk, and K. Szczypiorski. 2012. Multilevel Steganography:
Improving Hidden Communication in Networks. Journal of Universal Computer
Science 18, 14 (jul 2012), 1967–1986.
[6]
C. G. Girling. 1987. Covert Channels in LAN’s. IEEE Transactions on Software
Engineering 13, 2 (1987), 292–296.
[7]
Theodore G. Handel and Maxwell T. Sandford. 1996. Hiding data in the OSI
network model. In Information Hiding, Ross Anderson (Ed.). Springer Berlin
Heidelberg, Berlin, Heidelberg, 23–38.
[8]
Artur Janicki. 2016. Pitch-based Steganography for Speex Voice Codec. Security
and Communication Networks 9, 15 (2016), 2923–2933. https://doi.org/10.1002/
sec.1428
[9]
B. Jankowski, W. Mazurczyk, and K. Szczypiorski. 2013. PadSteg: introducing
inter-protocol steganography. Telecommunication Systems 52, 2 (01 Feb 2013),
1101–1111. https://doi.org/10.1007/s11235-011- 9616-z
[10]
X. Luo, E. W. W. Chan, and R. K. C. Chang. 2007. Cloak: A Ten-Fold Way for
Reliable Covert Communications. In Computer Security – ESORICS 2007, Joachim
Biskup and Javier López (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg,
283–298.
[11]
Xiapu Luo, Edmond W. W. Chan, and Rocky K. C. Chang. 2007. Cloak: A Ten-
Fold Way for Reliable Covert Communications. In Computer Security – ESORICS
ARES 2018, August 27–30, 2018, Hamburg, Germany W. Mazurczyk et al.
2007, Joachim Biskup and Javier López (Eds.). Springer Berlin Heidelberg, Berlin,
Heidelberg, 283–298.
[12]
Wojciech Mazurczyk and Józef Lubacz. 2010. LACK—a VoIP steganographic
method. Telecommunication Systems 45, 2 (01 Oct 2010), 153–163. https://doi.
org/10.1007/s11235-009- 9245-y
[13]
W. Mazurczyk, M. Smolarczyk, and K. Szczypiorski. 2011. Retransmission
steganography and its detection. Soft Computing 15, 3 (2011), 505–515. https:
//doi.org/10.1007/s00500-009- 0530-1
[14]
Wojciech Mazurczyk, PawełSzaga, and Krzysztof Szczypiorski. 2014. Using
Transcoding for Hidden Communication in IP Telephony. Multimedia Tools Appl.
70, 3 (June 2014), 2139–2165. https://doi.org/10.1007/s11042-012-1224- 8
[15]
W. Mazurczyk, S. Wendzel, S. Zander, A. Houmansadr, and K. Szczypiorski. 2016.
Information Hiding in Communication Networks: Fundamentals, Mechanisms, Ap-
plications, and Countermeasures. Wiley-IEEE.
[16]
Sabine S. Schmidt, Wojciech Mazurczyk, Jörg Keller, and Luca Caviglione. 2017.
A New Data-Hiding Approach for IP Telephony Applications with Silence Sup-
pression. In Proceedings of the 12th International Conference on Availability, Reli-
ability and Security (ARES ’17). ACM, New York, NY, USA, Article 83, 6 pages.
https://doi.org/10.1145/3098954.3106066
[17]
Mansi S. Subhedar and Vijay H. Mankar. 2014. Current status and key issues in
image steganography: A survey. Computer Science Review 13-14 (2014), 95 – 113.
https://doi.org/10.1016/j.cosrev.2014.09.001
[18]
Krzysztof Szczypiorski. 2012. A performance analysis of HICCUPS—a stegano-
graphic system for WLAN. Telecommunication Systems 49, 2 (01 Feb 2012),
255–259. https://doi.org/10.1007/s11235-010- 9363-6
[19]
S. Wendzel, W. Mazurczyk, and S. Zander. 2016. Unied Description for Network
Information Hiding Methods. Journal of Universal Computer Science 22, 11 (nov
2016), 1456–1486.
[20]
S. Wendzel and C. Palmer. 2015. Creativity in Mind: Evaluating and Maintaining
Advances in Network Steganographic Research. Journal of Universal Computer
Science 21, 12 (2015), 1684–1705.
[21]
S. Wendzel and S. Zander. 2012. Detecting Protocol Switching Covert Channels.
In 37th IEEE Conf. on Local Computer Networks. 280–283.
[22]
S. Wendzel, S. Zander, B. Fechner, and C. Herdin. 2015. Pattern-based Survey
and Categorization of Network Covert Channel Techniques. Computing Surveys
(CSUR) 47, 3 (2015).
[23]
F. V. Yarochkin, S.-Y. Dai, C.-H. Lin, and Y. Huang. 2008. Towards Adaptive
Covert Communication System. In Proc. Pacic Rim International Symposium on
Dependable Computing (PRDC). 153–159.