
Towards Deriving Insights into Data Hiding Methods Using Pattern-based Approach

Wojciech Mazurczyk
Warsaw University of Technology
Warsaw, Poland
wmazurczyk@tele.pw.edu.pl
Steen Wendzel
Worms University of Applied Science/
Fraunhofer FKIE
Worms/Bonn, Germany
wendzel@hs-worms.de
Krzysztof Cabaj
Warsaw University of Technology
Warsaw, Poland
kcabaj@ii.pw.edu.pl
ABSTRACT
In network information hiding, hiding patterns are used to describe hiding methods and their taxonomy. In this paper, we analyze the current state of hiding patterns and we further improve their taxonomy. In order to more thoroughly characterize and understand data hiding methods applied to communication networks we propose to distinguish between sender-side and receiver-side patterns. Additionally, we show how information hiding patterns can be utilized to conveniently describe the realization of the distributed network covert channels.
CCS CONCEPTS
• Security and privacy → Network security; Distributed systems security; Information flow control; Pseudonymity, anonymity and untraceability; • Social and professional topics → Computer crime;
KEYWORDS
information hiding patterns, network steganography, covert channels; network security; taxonomies; information hiding
ACM Reference Format:
Wojciech Mazurczyk, Steen Wendzel, and Krzysztof Cabaj. 2018. Towards
Deriving Insights into Data Hiding Methods Using Pattern-based Approach.
In ARES 2018: International Conference on Availability, Reliability and Security,
August 27–30, 2018, Hamburg, Germany. ACM, New York, NY, USA, 10 pages.
https://doi.org/10.1145/3230833.3233261
1 INTRODUCTION
Network covert channels belong to the research domain of network information hiding [15]. Network covert channels are stealthy, unforeseen communication channels in computer networks. These channels are increasingly used by cybercriminals, e.g. to allow a covert transfer of malware data. However, they can also be used for legitimate purposes, such as communicating illicit information under Internet censorship.
ARES 2018, August 27–30, 2018, Hamburg, Germany
©2018 Association for Computing Machinery.
ACM ISBN 978-1-4503-6448-5/18/08.
https://doi.org/10.1145/3230833.3233261
Hiding patterns are descriptions of hiding methods for network covert channels. Because of their abstract nature, each hiding pattern serves as an umbrella for numerous hiding methods. For instance, hiding data in the least significant bit (LSB) of the Hop Limit field in IPv6 can be represented by the same pattern as modifying the LSB of the Time to Live field in IPv4. In addition to describing hiding methods, patterns can also form taxonomies and have predefined, searchable and comparable attributes, making them an advantageous tool over existing taxonomy approaches.
Hiding patterns were originally proposed by Wendzel et al. in [22]. The authors also presented a novel taxonomy of hiding patterns in their article. Later, the taxonomy and patterns were updated and extended by Mazurczyk et al. in [15]. There are also publications that discuss whether a new hiding method can represent a new or an existing pattern [20], and there is moreover work that describes the way in which hiding methods should be described (in the context of patterns) [19].
In this work, we analyze the key aspects of the hiding patterns and the current state of the taxonomy in the domain. However, the main contributions of this paper are that we show how this concept can be further extended by modifying the pattern-analysis process and extending the current taxonomy with new patterns. By taking into account more details on the hiding method’s inner workings we hope that the resulting pattern categorization will contribute to a better understanding of the nature of network covert channels. Moreover, we also introduce and describe a pattern-based classification of distributed network covert channels.
The rest of this paper is structured as follows. Section 2 introduces fundamentals and related work on hiding patterns. We discuss limitations of the current patterns approach in Section 3. Section 4 introduces our improved taxonomy, a process for pattern-analysis as well as new patterns dedicated to the payload field and our pattern-based categorization of distributed network covert channels. Finally, Section 5 concludes our work and provides an outlook on future research directions.
2 FUNDAMENTALS
To aid the understanding of information hiding methods, an analysis of the existing network covert channels and corresponding protocols should be performed. Patterns provide an abstract and hierarchical view on these methods and their utilization in combination with network protocols.
As a starting point, we utilize the work by Wendzel et al. [22] on network information hiding patterns. In this work, the authors introduce a classification of network hiding techniques into so-called hiding patterns with the aim to potentially develop countermeasures for these patterns. In this perspective, information hiding patterns are defined as abstract descriptions of how to solve a problem (data hiding) in a given context (communication protocols). As patterns can be derived from other patterns, they can form hierarchies. Each hiding pattern is a unified and generic description of a particular family of hiding methods. Patterns must be described in a pre-defined format and require certain additional properties, such as at least three known occurrences of a pattern – cf. [22] for details. In [22] and [19], Wendzel et al. evaluated more than 130 existing network covert channel techniques from past decades and extracted abstract patterns from these techniques. It turned out that authors were able to represent all techniques by (only) 11 patterns, which were arranged in a hierarchical catalog described using Pattern Language Markup Language (PLML). While later work in [15] modified and extended their patterns, the core part of the hierarchy and several patterns remained (colored in white and light-gray in Fig. 1). Later modifications and extensions by [15] are colored in darker gray in Fig. 1. The latest description of all patterns shown in this figure is presented briefly in Table 1.

[Figure 1: tree diagram rooted at "Network Covert Channels" with the branches "Timing Methods" (protocol-agnostic, protocol-aware), "Storage Methods" (modification of payload; modification of non-payload: structure modifying, structure preserving) and "Hybrid Methods". Legend: original part from (Wendzel et al., 2015); updated by (Mazurczyk et al., 2016); added by (Mazurczyk et al., 2016).]
Figure 1: Information hiding patterns and their hierarchy introduced in [22] and updated in [15].
As it can be seen in Table 1, a hiding pattern’s description is written in an abstract manner so that one pattern can be used to describe multiple hiding techniques at the same time. For instance, “modulate the least significant bits of a protocol field” is a very brief description of many published hiding methods which utilize the least significant bits of fields in arbitrary network protocols.
The above-mentioned classification is carrier-oriented and a “carrier” is defined as one or more overt traffic flows that pass between the covert sender and the covert receiver, consisting of protocol data units (PDUs, e.g. frames or packets). Typically, the carrier can be multi-dimensional, i.e. it offers many opportunities (“places” or “events”) for hiding data (called sub-carriers). As in other network covert channel categorizations the two main groups of methods are (Fig. 1):
• storage methods: a class of network steganography methods that modify the “places” (sub-carriers) in a carrier to create a storage covert channel. These techniques hide information by modifying e.g. protocol fields, such as unused bits of a header.
• timing methods: a class of network steganography methods that modify the timing of “events” of a carrier to create a covert channel. These techniques hide information, e.g. in the timing of protocol messages or packets.
Some important changes have been introduced in [15] when compared with the original categorization from [22]. These include:
• defining 14 patterns (8 timing patterns and 6 storage patterns), compared to 11 patterns (4 timing and 7 storage) proposed originally. Note that the increased number of hiding patterns is mainly caused by adding a new layer of classification in [15] for timing patterns, which have been divided into “protocol agnostic” or “protocol aware” groups.
• the pattern ‘PDU Corruption/Loss Pattern’ has been removed from the storage patterns and instead the ‘Artificial Loss’ pattern, whose full name is ‘Artificial Message/Packet Loss’, and the ‘Frame Collision’ pattern have been added to the list of timing patterns.
• A few patterns have been slightly modified/renamed.
The paper [22] also introduced several other concepts which suitably explain some network covert channels’ phenomena, i.e. pattern variation, pattern combination, and pattern hopping.
First, pattern variation is a transformation-like approach for covert channels. The utilized network protocol is defined as the pattern’s context. Therefore, a pattern’s application can change from one network protocol to another – without redesigning the most important aspects and inner workings of the hiding technique itself. Next, pattern combination allows the use of multiple patterns at the same time (within the same carrier, e.g. by modifying many sub-carriers at once). This is typically performed to increase available steganographic bandwidth – thus in short it is a parallel utilization of multiple network covert channels simultaneously. Finally, pattern hopping varies the use of patterns over time – usually it is applied in order to increase stealthiness. This can be briefly summarized as a sequential utilization of various network covert channels in time using different (sub-)carriers.
Table 1: Information hiding patterns as introduced in [22] and updated in [15].

| Pattern Name | Pattern Description |
|---|---|
| Rate/Throughput | The covert channel sender alters the data rate of traffic from itself or a third party to the covert channel receiver. |
| Inter-packet Times | The covert channel alters timing intervals between network PDUs (interarrival times) to encode hidden data. |
| Message Timing | Hidden data is encoded in the timing of message sequences, e.g. acknowledging every n’th received packet or sending commands m times. |
| Artificial Loss | The covert channel signals hidden information via artificial loss of transmitted messages (PDUs). |
| Frame Collisions | The sender causes artificial frame collisions to signal hidden information. |
| Temperature | The sender influences a third-party node’s CPU temperature, e.g. using burst traffic. This influences the node’s clock skew. The clock skew can then be interpreted by the covert receiver by interacting with the node. |
| Retransmission | A covert channel retransmits previously sent or received PDUs. |
| Message Ordering | The covert channel encodes data using a synthetic PDU order for a given number of PDUs flowing between covert sender and receiver. |
| Size Modulation | The covert channel uses the size of a header element or a PDU to encode a hidden message. |
| Sequence Modulation | The covert channel alters the sequence of header/PDU elements to encode hidden information. This pattern divides further into: P2.a. Position and P2.b. Number of Elements patterns. |
| Add Redundancy | The covert channel creates new space within a given header element or within a PDU in which to hide data. |
| Random Value | The covert channel embeds hidden data in a header element containing a (pseudo-)random value. |
| Value Modulation | The covert channel selects one of the n values that a header element can contain to encode a hidden message. This pattern divides further into: P6.a. Case Pattern and P6.b. Least Significant Bit (LSB) patterns. |
| Reserved/Unused | The covert channel encodes hidden data into a reserved or unused header/PDU element. |

It must also be noted that in the remainder of this paper we will rely on the unified description for network information hiding methods introduced in [19]. This paper has been the first attempt to standardize the description of network covert channels which is suitable, e.g. to assess their novelty and impact of the method on the state-of-the-art. In [19], the proposed description of data hiding methods is split into three categories: (i) general information about the hiding method; (ii) description of the hiding process, and (iii) potential or tested countermeasures. The first two categories comprise sub-categories and each (sub-)category can be mandatory or optional (Fig. 2).
The category “hiding method general information” consists of a link to existing network hiding patterns. It also includes a discussion of the application scenario and requirements of the carrier. From the perspective of this paper the most important category, i.e. “hiding method process”, is split into four parts: the sender-side and the receiver-side description of the hiding method, the details of the covert communication channel, and the description of an associated covert channel control protocol (if applicable). The third category discusses both potential and evaluated countermeasures, including those that detect, limit or prevent the particular hiding method’s use. In the following we will refer to the fragments of this unified description when it comes to the pattern categorization.
Unified Description Method
- Hiding Method General Information [mandatory]
  - Hiding Pattern [mandatory]
  - Application Scenario [mandatory]
  - Required Properties of the Carrier [mandatory]
- Hiding Method Process [mandatory]
  - Sender-side Process [mandatory]
  - Receiver-side Process [mandatory]
  - Covert Channel Properties [mandatory]
  - Covert Channel Control Protocol [optional]
- Potential or Tested Countermeasures [mandatory]
Figure 2: The unified description structure for data hiding methods as introduced in [19].

3 ANALYSIS OF THE EXISTING TAXONOMY
Our analysis has shown that the current information hiding patterns approach can be further extended to include the following aspects:
• Incorporate More Details on Data Hiding Methods: The key criterion of the current pattern taxonomy for deciding which pattern an analyzed method represents is to determine how the secret data is encoded. Thus, it omits some details on how the data hiding method works (from the sender-side and receiver-side process – this will be shown further in the next sections). This “flattens” the description of the inner workings of the data hiding methods and thus may prevent all details of a hiding method from being considered. A more thorough patterns grouping is desired to more accurately categorize existing network steganography methods.
• Support Hybrid Patterns: For some cases it is difficult to assess whether the analyzed method is storage, timing or hybrid – a clearer distinction and unambiguous formula to deduce this is desirable.
• Multi-Packet and -Flow Characteristics Support: The current categorization makes no clear distinction between hiding methods that are focusing on a single packet or multiple packets. Also, there is no clear distinction between single- and multi-flow methods. For example, consider a covert channel that modulates IPv4 ToS values in such a way that the sequence of ToS values from the consecutive packets is interpreted as a single secret data bit – currently such a method does not match any hidden data pattern. Moreover, some hiding methods such as [10] utilize multiple flows. It is thus beneficial to make the original pattern descriptions more generic, i.e. less dependent on specific units such as PDUs or packets.
• Coverage of Sophisticated Hiding Methods: It is not exactly clear whether recent, more advanced network steganography concepts like inter-protocol steganography [9], protocol switching covert channels [21], multilevel steganography [5], adaptive covert communication [23], etc. can be accurately expressed using current pattern categorization. Pattern combination, pattern hopping and pattern variation are means to represent them, but not to the full extent.
• Influence on Payload: In the original design decision of the pattern-based approach, arbitrary content, e.g. digital files, was considered as part of digital media steganography instead of network information hiding. However, in some cases, such as in VoIP steganography, where there are data hiding methods that affect the payload field, it can be helpful to have a taxonomy that also covers the transmitted payload. In principle the patterns should be analogous as they too adhere to the storage group.
• Distinction Between Secret Data Embedding and Transfer: It is also worth emphasizing that from the pattern-based countermeasures perspective it is more important to know which pattern represents the covert technique within the communication channel. It must be noted that in particular the information hiding patterns used at the sender-side process to embed secret data may not exactly represent themselves in the same way while traversing within the hidden data carrier through the communication network.
• Embrace PDU Corruption Pattern: As mentioned, in [22] 11 (4 timing and 7 storage) patterns have been defined while in [15] there are 14 (8 timing and 6 storage) patterns. However, the pattern ‘PDU Corruption/Loss’ has been removed from the storage patterns group by [15]. In fact, it is our belief that it is beneficial that the ‘Artificial Message/Packet Loss’ pattern has been added into timing patterns but still the ‘PDU Corruption’ pattern should be considered in storage scenarios.
Based on the above-mentioned points, we describe how we envision enhancements to the current information hiding patterns concept in the next section.
4 EXTENSION AND MODIFICATION OF THE PATTERNS APPROACH
In this section, we present the proposed modification for the original information hiding patterns concept which can help in deriving further insights into understanding the nature of various types of network covert channel techniques. More specifically, in subsection 4.1 we propose how the original pattern approach can be extended in order to include the sender-side and receiver-side processes, which influence both the pattern creation process and the categorization of covert techniques. Next, in subsection 4.2 we propose new patterns applicable to the payload field. Finally, in subsection 4.3 we discuss the distributed network covert channels and how the information hiding patterns concept can be used to conveniently describe them.
4.1 A New Process to Analyze the Details of Pattern-Application
Considering the arguments from Section 3, we propose an approach based on [20], which describes how to determine the novelty of a new hiding technique and whether a hiding technique actually represents a new pattern, or not. Instead, our goal is to gain additional insights into the inner-workings of the data hiding method, i.e. we do not replace the original approach.
In the current categorization, authors of a new data hiding technique first describe their technique, e.g. informally or using [19]. Then, based on how the secret data is embedded one pattern is selected that represents the hiding method. Therefore, authors first decide whether the hiding method is storage or timing, then, whether it is protocol-aware/agnostic (timing channel) or header structure preserving/modifying (storage channel). If a hiding method does not fit into the current pattern representation, it is considered a new pattern which can be added to the taxonomy. The related decision-making process can be found in [20].
We propose a similar but modified version of this approach. However, as mentioned, our approach targets a different goal, namely to derive more insights related to the information hiding method itself. It must be noted that we do not focus only on how the secret data for a certain data hiding method is embedded (which is only a part of the sender-side process) but instead we want to detail both the complete sender- and receiver-side processes and represent them with patterns (and for this purpose, we “borrow” the already existing patterns).
In our proposed approach, the known hiding patterns of existing publications and websites, e.g. [15, 22] or https://ih-patterns.blogspot.com, which are tagged as storage or timing patterns, are taken into account. Then for the hiding method that needs to be described using the network covert channel patterns approach, the corresponding patterns for both sender- and receiver-side processes are selected. Finally, based on the result and depending on what types of patterns have been assigned to the method, the method itself is concluded as a storage, a timing or a hybrid method – this selection process is explained in detail below.
The described improved approach, which aims to derive more insights from the data hiding methods using the pattern approach, allows us to repaint the categorization from Fig. 1. However it must be noted that in the modified approach we categorize network covert channel patterns and not data hiding methods. Thus, we start the derived classification from the network covert channel patterns which are then divided into timing and storage ones (Fig. 3). Afterwards, each of the methods that needs to be evaluated is assigned with at least one or more patterns to its sender- and receiver-side processes separately (for each side at least one or alternatively more patterns must be selected).

[Figure 3: the pattern tree of Fig. 1 rooted at "Network Covert Channel Patterns" with the branches "Covert Timing Patterns" and "Covert Storage Patterns"; Method 1, Method 2, Method 3 and Method 4 (Hybrid) are attached to the patterns they use, and one branch is marked "Requires Extension".]
Figure 3: Improved aspects of the existing pattern-based taxonomy.
It must also be noted that using this approach it may be possible to evaluate in greater detail which patterns are most often used jointly only at the sender-side process (as more than one pattern can be assigned) or only at the receiver-side process, or finally which patterns typically coexist at the sender-side and the receiver-side processes. This can be achieved by performing a thorough analysis of network covert channels defined in the literature (however, due to space limitations it will not be part of this paper). Such an analysis can lead to the identification of potential relationships between defined patterns, i.e. whether for some of them it is “easier” to coexist with other patterns within the data hiding method (as in the case of the extended approach the sender and the receiver processes can be investigated separately or jointly).
But more importantly, it is also possible to investigate whether, besides joint pattern utilization (at the sender-side, receiver-side or both sides), other pattern mixes are also possible. For example, consider Method 4 in Figure 3. It is characterized by the patterns Retransmission and Size Modulation, which makes it a hybrid method. However, the question arises whether it would be possible to construct a data hiding method that apart from these two patterns utilizes e.g. the Message (PDU) Ordering pattern and how this will impact its properties.
As a result, new, previously unknown network information hiding methods or improved versions of existing ones can be designed and developed and relationships between the existing patterns can be investigated and determined. It must be noted that using the existing pattern classification it was possible to assign only a single pattern for a certain hiding method which corresponds best with the secret data embedding process. However, in the extended approach (which is different when compared to the original concept) it is possible to:
• assign more patterns to the sender-side process if it is required in order to express to a full extent how the sender-side of the hiding method operates,
• include also the receiver-side process and its corresponding patterns.

| Hiding Method Process: Sender-side Process | Hiding Method Process: Receiver-side Process | Type of the method |
|---|---|---|
| Covert Storage Pattern(s) | Covert Storage Pattern(s) | Network Storage Covert Channel |
| Covert Timing Pattern(s) | Covert Timing Pattern(s) | Network Timing Covert Channel |
| Covert Timing & Storage Pattern(s) | Covert Timing and/or Storage Pattern(s) | Network Hybrid Covert Channel |
| Covert Timing Pattern(s) | Covert Storage Pattern(s) | Network Hybrid Covert Channel |

Figure 4: Improved process to decide on the network covert channel type based on the assigned patterns.
Such an approach may not only help to better understand the nature of the network covert channels and their creation process, but it can also provide new insights into how to construct more efficient and effective detection solutions. This can be achieved by designing and developing detection methods so that they look precisely for the specific artifacts related to the representation of certain patterns in the communication channel (and/or e.g. the presence of their coexistence).
Finally, each method, based on the selected patterns for the sender- and for the receiver-side processes, is assigned to one element of the group {storage, timing, hybrid}. This is done as illustrated in Fig. 4. In principle, if both the sender- and the receiver-side processes are characterized with homogeneous (only storage or only timing) patterns then the method is concluded as storage or timing. If there is heterogeneity across patterns that the method uses, i.e. storage and timing methods are mixed within the sender- and/or the receiver-side processes, then it is concluded as a hybrid technique.
[Figure 5: table with the columns "Exemplary method", "Hiding Method Process: Sender-side Process pattern(s)", "Receiver-side Process pattern(s)" and "Type of the method", covering PSCC [21], IPv4 ToS [7], LACK [12], Delays of IP packets [2], PadSteg [9], RSTEG [13] and stegVAD [16].]
Figure 5: Classification of the exemplary network covert channels based on the assigned patterns.
To present how the proposed extended patterns’ classification approach is functioning for some of the existing network steganography techniques, we have chosen seven different state-of-the-art network covert channels to demonstrate how they fit into our categorization (Fig. 5). For example, for a simple network covert channel which utilizes the Type of Service field from the IPv4 header [7] to conceal data, the sender- as well as receiver-side processes use the same pattern, i.e. Reserved/Unused; as both processes are assigned a storage pattern, the method is concluded as storage. For the work related to modifying delays between the consecutive packets within the data stream [2], for both sender- and receiver-side processes the pattern Inter-arrival time is an obvious choice, thus this technique is deemed a timing method. However, when we consider a more complex method like LACK (Lost Audio Packets Steganography) [12] then the situation is a bit different. As LACK operates by using intentionally delayed voice packets and replacing the original payload of these packets with secret data, at the sender-side process two patterns must be selected – one storage (Reserved/Unused) and one timing (PDU Order), whereas when considering the receiver-side process the chosen pattern is only a storage one (Reserved/Unused) – as at the covert receiver every incoming packet’s payload, regardless of its order, is probed for the existence of the hash which will indicate presence of secret data. Therefore, the method is concluded to be hybrid. It is worth emphasizing that if we consider the original pattern approach (which as mentioned relied only on assigning pattern(s) based on how/where secret data is embedded) then the LACK method would be only characterized by the storage Reserved/Unused pattern. This proves that the extended pattern approach proposed in this paper allows the data hiding methods to be characterized in greater detail by including more information on inner workings of the information hiding technique.
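
The decision rule of Fig. 4 and the three methods walked through above can be written down as a short program. This is an added example, not code from the paper: the function names and the `METHODS` dictionary are assumptions, the pattern names are those of Table 1 (so "PDU Order" appears as Message Ordering and "Inter-arrival time" as Inter-packet Times), and the co-occurrence count is a small version of the literature analysis the paper leaves to future work.

```python
"""Pattern-based typing of network covert channels (added illustration)."""
from collections import Counter
from itertools import combinations

# Pattern catalogue taken from Table 1: 8 timing and 6 storage patterns.
TIMING = frozenset({
    "Rate/Throughput", "Inter-packet Times", "Message Timing",
    "Artificial Loss", "Frame Collisions", "Temperature",
    "Retransmission", "Message Ordering",
})
STORAGE = frozenset({
    "Size Modulation", "Sequence Modulation", "Add Redundancy",
    "Random Value", "Value Modulation", "Reserved/Unused",
})


def pattern_kind(pattern):
    """Return 'timing' or 'storage' for a Table 1 pattern name."""
    if pattern in TIMING:
        return "timing"
    if pattern in STORAGE:
        return "storage"
    raise ValueError(f"pattern not in Table 1: {pattern!r}")


def classify(sender, receiver):
    """Fig. 4 rule: homogeneous patterns on both sides give that type,
    any mix of storage and timing patterns gives 'hybrid'."""
    if not sender or not receiver:
        raise ValueError("each side needs at least one pattern")
    kinds = {pattern_kind(p) for p in (*sender, *receiver)}
    return kinds.pop() if len(kinds) == 1 else "hybrid"


def classify_by_embedding(embedding_pattern):
    """Original approach: one pattern, chosen by how the data is embedded."""
    return pattern_kind(embedding_pattern)


def cooccurrence(methods):
    """Count pattern pairs used jointly on the sender side, on the
    receiver side, and across the two sides (sender, receiver)."""
    counts = {"sender": Counter(), "receiver": Counter(), "cross": Counter()}
    for m in methods.values():
        for side in ("sender", "receiver"):
            for pair in combinations(sorted(set(m[side])), 2):
                counts[side][pair] += 1
        for s in sorted(set(m["sender"])):
            for r in sorted(set(m["receiver"])):
                counts["cross"][(s, r)] += 1
    return counts


# The three methods whose pattern assignment is spelled out in the text.
# The "embedding" entry is the single pattern the original approach would
# pick; for LACK the text states it, for the other two it is assumed to be
# the pattern both sides share.
METHODS = {
    "IPv4 ToS [7]": {
        "sender": ["Reserved/Unused"],
        "receiver": ["Reserved/Unused"],
        "embedding": "Reserved/Unused",
    },
    "Delays of IP packets [2]": {
        "sender": ["Inter-packet Times"],
        "receiver": ["Inter-packet Times"],
        "embedding": "Inter-packet Times",
    },
    "LACK [12]": {
        "sender": ["Reserved/Unused", "Message Ordering"],
        "receiver": ["Reserved/Unused"],
        "embedding": "Reserved/Unused",
    },
}


def report(methods=METHODS):
    """Map each method to (type under original approach, type under Fig. 4)."""
    return {
        name: (classify_by_embedding(m["embedding"]),
               classify(m["sender"], m["receiver"]))
        for name, m in methods.items()
    }


if __name__ == "__main__":
    for name, (original, extended) in report().items():
        print(f"{name:26} original={original:8} extended={extended}")
    print(dict(cooccurrence(METHODS)["cross"]))
```

For a defender, the extended type is the useful one: a detector built only for the storage artifact of LACK would ignore the packet-ordering artifact that the sender-side pattern also leaves in the traffic.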
[Figure 6: tree rooted at "Modification of Payload" with the branches "User-data Agnostic" and "User-data Aware". Pattern labels: PS20. Payload Field Size Modulation; PS21. User-data Corruption (blind modification); PS30. Modify Redundancy (e.g. via transcoding); PS31. User-data Value Modulation and Reserved/Unused (targeted modification). Example methods shown: Girling [6]; LACK [12], HICCUPS [18], RSTEG [13], etc.; TranSteg [14], stegVAD [16], HideF0 [8] etc.; LSB, DCT, DSSS, Echo hiding [1], etc.]
Figure 6: Classification of the network covert storage channels for the payload field and the corresponding patterns.
4.2 Introduction of Additional Patterns
As already mentioned, the current pattern-based categorization of [15, 22] makes a distinction between patterns applied to user-data (within the payload field) and protocol specific data (control information: headers, padding, etc.). In principle, all these patterns adhere to the storage group, i.e. modification of the certain “locations” of the carrier. However, in the original publications on hiding patterns, this distinction was made based on the idea of Fisk et al. [3] to separate structured (machine-readable) content from non-structured (human-readable) content, such as images. This means that in several cases similar rules apply to modify these fields (because structured data follows rules, e.g. protocol headers are built similarly to formal grammar) and to the data that they store. Obviously the most significant difference lies in the dissimilarities between the control information carried within protocol headers/padding and user-data transferred within the payload field. Thus, to fill this gap and by considering current research efforts in this area, we propose to extend the current taxonomy as shown in Fig. 6.
Network covert channels that modify the payload eld and its
content have been divided based on whether the characteristic of
user-data is taken into account into: (i) user-data agnostic and (ii)
user-data aware. In each of the two groups two patterns have been
identied, which we describe in the same way as the patterns were
originally described in [
22
] using a subset of the Pattern Language
Markup Language’s (PLML) attributes:
PS20. Payload Field Size Modulation
Illustration: This pattern uses the size of the payload field of a flow’s
PDUs/messages to encode the hidden message. This pattern is a
variant (child) of the pattern P1. Size Modulation of [22] which
has been already defined for the modification of the non-payload
branch of storage methods (cf. Fig. 1).
References: PS1. Size Modulation
Context: Network Covert Channel Patterns → Covert Storage Channel Patterns → Modification of Payload → User-data Agnostic
Evidence:
1. Modulate the size of the data block field in Ethernet frames [6].
2. Any other method that modulates the size of the payload field in
any network protocol.
Towards Deriving Insights into Data Hiding Methods Using Pattern-based Approach. ARES 2018, August 27–30, 2018, Hamburg, Germany
PS21. User-data Corruption
Illustration: This pattern is related to the cases when steganographic
methods do not take into account what kind of user-data is carried
within a payload field and/or what its characteristic is (blind
modification). It can be applied to single PDUs or to multiple PDUs (a
flow). This typically happens if parts of (or the whole) user-data are
replaced with secret bits and thus the user-data is corrupted/lost.
This pattern is similar to the pattern PDU Corruption defined in the
original pattern categorization of [22].
Context: Network Covert Channel Patterns → Covert Storage Channel Patterns → Modification of Payload → User-data Agnostic
Evidence:
1. Replace the user-generated data in the payload field with secret
data in intentionally lost voice packets of the IP telephony call [12].
2. Replace the user-generated data in the payload field with secret
data in retransmitted TCP segments [13].
3. Replace the user-generated data in the payload field with secret
data in intentionally corrupted IEEE 802.11 frames [18].
PS30. Modify Redundancy
Illustration: This pattern is used when it is possible to exploit the
redundancy of the user-data by means of transforming them in
such a way that a free space for secret data is obtained (e.g. by
means of transcoding). This pattern is a bit similar to the pattern
Add Redundancy defined in [22] but can also decrease redundancy
and is applied to payload instead of meta-data.
Context: Network Covert Channel Patterns → Covert Storage Channel Patterns → Modification of Payload → User-data Aware
Evidence:
1. Compress existing user-data in order to make a space for secret
data [14].
2. Transform the VAD-enabled IP telephony voice stream into a
non-VAD one and fill the gaps using artificially generated RTP packets
containing secret data [16].
3. Approximate the F0 parameter of the Speex codec which carries
information about the pitch of the speech signal and use the “saved”
space for secret data [8].
PS31. User-data Value Modulation and Reserved/Unused
Illustration: Characteristic features of user-data can be utilized to
store secret information. This includes applying methods like LSB
modification to speech samples or digital images carried within the
payload field. Compared with previous patterns this is a targeted
modification. This pattern is analogous to the combination of the
patterns Value Modulation and Reserved/Unused, but applied to payload.
Context: Network Covert Channel Patterns → Covert Storage Channel Patterns → Modification of Payload → User-data Aware
Evidence:
1. Encode a stream of information by spreading the encoded data
across as much of the frequency spectrum as feasible (e.g. DSSS) [1].
2. Embed secret data into a carrier audio signal by introducing an
echo (a.k.a. echo hiding) [1].
3. Replace the least significant bit of e.g. each voice sample with
secret data (LSB) [1].
As is visible above, the identified patterns mostly have a number
of examples in the state-of-the-art publications (Fig. 6). Every
newly defined pattern corresponds to the patterns that have been
already defined in the non-payload branch of the original classification.
Finally, the complete picture of the extended information hiding
patterns classification is illustrated in Fig. 7, and the corresponding
descriptions of all defined patterns, which also include potential
multi-packet/multi-flow characteristics of some data hiding methods,
are enclosed in Tab. 2.
4.3 Distributed Covert Channel Realization
In [22], authors defined three concepts which can be used to suitably
explain some of the existing network covert channels’ phenomena,
i.e. pattern variation, pattern combination and pattern hopping.
The above-mentioned concepts are especially suitable and important
when trying to depict, explain, and analyze the realization of
distributed network covert channels. We define a distributed covert
channel as a network covert channel that spreads secret data among
multiple flows/protocols/hosts or uses multiple patterns within the
same flow or PDU for the hidden data exchange. In contrast, the
typical (undistributed) network covert channel is a storage or a
timing channel that uses PDUs of a single flow/protocol with only
one hiding pattern in order to embed secret data.
In Fig. 8 we have illustrated that these three pattern concepts
practically exhaust possibilities for distributed network covert
channel realization. While explaining these concepts we apply the terms
of spatial, temporal, and transform domains which are “borrowed”
from the digital media steganography research area [17] and which
help to describe and define them better.
The first group, i.e. pattern combination, is related to the
distribution of secret data in a spatial domain. This means that many
patterns are utilized in parallel for the same hidden data carrier, e.g.
by modifying many of its sub-carriers or using several carriers at
once. This includes the case when the hybrid data hiding methods
are used (cf. Fig. 1) as well as the case of simultaneous utilization
of multiple network covert channels at once. Consider an example
of HTTP traffic (e.g. web browsing) where three separate network
covert channels are used simultaneously: one is used for the IPv4
protocol, the next for the TCP protocol, and finally the third is
applied to HTTP. Pattern combination applies also to the case when,
e.g. three separate connections are used for hidden data purposes
and in each connection a separate network hiding pattern is utilized
at the same time (e.g. IPv4-based in the first connection, TCP-based
in the second, and HTTP-based in the last one). Typically such an
approach is used in order to increase the overall steganographic
bandwidth.
The second group of distributed covert channels realization is
pattern hopping, which allows secret data to be spread in the temporal
domain (time). In a nutshell it means that different patterns’
utilization varies over time and thus they are applied sequentially for
various (sub-)carriers. Usually, such an approach helps to improve
the stealthiness of the covert data exchange as in order to detect it
more “locations” must be monitored by the warden. An example of
pattern hopping is the tool PHCCT. PHCCT implements a so-called
protocol hopping covert channel that distributes data over different
network protocols [15]. To this end, PHCCT utilizes more than
one pattern, namely Add Redundancy (embedded in HTTP) and
User-data Corruption (embedded in FTP-Data).
[Figure 7 (tree diagram); the legend distinguishes "Existing Taxonomy" from "Proposed Extension of this Paper".
Network Covert Channel Patterns
  Covert Timing Patterns, grouped in the figure into Protocol-agnostic and Protocol-aware: PT1. Inter-packet Times; PT2. Message Timing; PT3. Rate/Throughput; PT10. Artificial Loss; PT11. Message (PDU) Ordering; PT12. Retransmission; PT13. Frame Collisions; PT14. Temperature
  Covert Storage Patterns
    Data in Protocol-specific fields (a.k.a. Modification of Non-payload)
      Structure Modifying: PS1. Size Modulation; PS2. Sequence (PS2a. Position; PS2b. Number of Elements); PS3. Add Redundancy
      Structure Preserving, Modification of an Attribute: PS10. Random Value; PS11. Value Modulation (PS11a. Case; PS11b. Least Significant Bit (LSB)); PS12. Reserved/Unused
    Modification of Payload (User Data)
      User-data Agnostic: PS20. Payload Field Size Modulation; PS21. User-data Corruption
      User-data Aware: PS30. Modify Redundancy; PS31. User-data Value Modulation & Reserved/Unused
Note in the figure: PS20 is related to PS1. Size Mod. (used jointly due to modulation of payload length field in protocol headers).]
Figure 7: Classification of network covert channel patterns.
Table 2: Descriptions of hiding patterns in our improved and extended taxonomy.
Pattern Name | Pattern Description
PT1. Inter-packet Times | The covert channel alters timing intervals between network messages of a flow (interarrival times) to encode hidden data.
PT2. Message Timing | Hidden data is encoded in the timing of message sequences within a flow, e.g. acknowledging every n’th received message or sending commands m times.
PT3. Rate/Throughput | The covert channel sender alters the data rate of a flow from itself or a third party to the covert receiver.
PT10. Artificial Loss | The covert channel signals hidden information via artificial loss of a flow’s transmitted messages, e.g. by frame-corruption or message drop.
PT11. Message Ordering | The covert channel encodes data using a synthetic message order in a flow.
PT12. Retransmission | A covert channel retransmits previously sent or received messages of a flow.
PT13. Frame Collisions | The sender causes artificial frame collisions to signal hidden information.
PT14. Temperature | The sender influences a third party node’s hardware temperature using traffic of a flow. There must be a technique for the covert receiver to measure the temperature (indirectly).
PS1. Size Modulation | The covert channel uses the size of flow metadata (e.g. PDU size or size of a header element) to encode hidden messages.
PS2. Sequence Modulation | The covert channel alters the sequence of flow metadata to encode hidden information. This pattern divides further into: P2.a. Position and P2.b. Number of Elements patterns.
PS3. Add Redundancy | The covert channel embeds redundant metadata (e.g. by adding an unused IP option) in which data is hidden into a flow. Note that, in comparison to PS1, the data is hidden in the redundant data’s presence, not in the size of a PDU or header element.
PS10. Random Value | The covert channel embeds hidden data into flow metadata that contains a (pseudo-)random value.
PS11. Value Modulation | The covert channel selects one of the n values that a flow’s metadata element can contain to encode a hidden message. This pattern divides further into: P11.a. Case Pattern and P11.b. Least Significant Bit (LSB) patterns.
PS12. Reserved/Unused | The covert channel encodes hidden data into a flow’s reserved or unused metadata elements.
PS20. Payload Field Size Modulation | The size of the payload in a flow is used to encode hidden information (this is a derivate of PS1 but for the payload since it involves the modification of a PDU’s payload length field, i.e. PS1).
PS21. User-data Corruption | The covert channel performs a (blind) insertion of covert data into a flow’s payload (similar to PT10).
PS30. Modify Redundancy | The covert channel compresses a flow’s payload and the resulting free space is used to hide data.
PS31. User-data Value Modulation and Reserved/Unused | The covert channel performs a modification of a flow’s payload in a way that is not reflected by PS30 and that does not result in a significantly modified interpretation of the data, e.g. by modifying least significant bits of digital images or hiding data in unused/reserved payload bits.
Finally, the last group of techniques which allows a distributed
network covert channel to be realized is pattern variation. The original
idea of pattern variation is that each of the defined patterns is
considered in a certain context, i.e. the utilized hidden data carrier
(e.g. a network protocol). In our case, we extend this view and define
pattern variation in different contexts. In particular, three contexts
can be distinguished: host-based scattering, flow-based scattering,
and protocol-based scattering, which will be described in detail with
examples below. In all cases of pattern variation, the same pattern
is applied to different contexts, i.e. its essence does not change.
[Figure 8 (diagram): Pattern-based Distributed Covert Channel Realization comprises Pattern Combination (spatial domain distribution), Pattern Hopping (temporal domain distribution) and Pattern Variation (transform domain distribution); Pattern Variation comprises Host-based Scattering, Flows-based Scattering and Protocol-based Scattering. Methods named in the figure: PSCC [21], Cloak [10], Multihoming SCTP-based CC [4], PHCCT [15]. The figure also repeats the definitions of the not distributed and the distributed covert channel given in the text.]
Figure 8: Classification of pattern-based distributed network covert channel realization.
Host-based scattering requires the covert sender and/or the covert
receiver to control more than one physical host or other networking
devices. Parts of the secret data are hidden in the legitimate
traffic sent from or directed towards different hosts using the same
pattern. An example of this kind of distributed covert channel is
the SCTP multi-homing-based method (i.e. the host’s ability to be
visible in the network through more than one IP address) [4]. In
such a scenario, each IP address of the covert receiver can be used
to represent a single bit of secret data (or a sequence of bits). Then,
by modulating the way that packets are addressed and sent, secret
data can be transferred in a distributed manner.
Next, flow-based scattering takes advantage of the capability
to set up multiple flows between two hosts and to use them to
signal secret data bits in a distributed way while utilizing the same
pattern. This can be realized, for example, by dividing secret data
into fragments and using a certain information hiding pattern (or
several) to send each fragment using one of the available flows.
An idea of using many flows for a distributed covert channel is
exemplified by the Cloak method [11], which is a timing data hiding
technique that encodes secret data bits by uniquely distributing
N packets over M TCP flows. Please note that while in the case of
pattern hopping a utilization of multiple flows is possible as well,
flow-based scattering serves under the umbrella of pattern variation,
i.e. it is required to apply the same pattern to different flows, and
pattern hopping must apply different patterns.
Finally, protocol-based scattering applies a pattern to different
communication protocols instead of hosts or flows. In contrast to
flow-based scattering, it does not necessarily utilize flows of the
same protocol but changes the actual protocol (which can generate
multiple flows, too). This group is exemplified via protocol switching
covert channels (PSCC) [21]. These channels assign hidden information
to network protocols. For instance, one could link the HTTP
protocol to the hidden value “0” and the DNS protocol to the hidden
value “1”. Then, by sending the packet sequence HTTP, DNS, DNS,
HTTP, one would transfer the secret information “0110”.
Obviously, there are other possibilities to create distributed
network covert channels by developing mixed solutions that involve
the parallel use of, e.g. pattern hopping and pattern variation
or any other fusion of the concepts mentioned above.
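The definitions of Section 4.3 and the sender-side/receiver-side typing used for LACK, turned into a small classifier an analyst can run over a channel description; this is an added example, not code from the paper. The names Usage, method_type and classify_distribution, the addresses, and the pattern ids picked for the scattering cases are assumptions of the example, as is its reading that flow-based scattering means one pattern on several flows of the same host and protocol.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Usage:
    """One application of a hiding pattern, as described by an analyst."""
    step: int       # time step; usages sharing a step run in parallel
    pattern: str    # pattern id as in Table 2, e.g. "PS12" or "PT11"
    host: str       # address the carrier traffic is sent to
    flow: str       # flow identifier
    protocol: str   # carrier protocol


def method_type(sender_side, receiver_side=()):
    """Storage, timing or hybrid, from sender- and receiver-side pattern ids."""
    kinds = set()
    for pid in set(sender_side) | set(receiver_side):
        if pid.startswith("PT"):        # Table 2: PT = timing pattern
            kinds.add("timing")
        elif pid.startswith("PS"):      # Table 2: PS = storage pattern
            kinds.add("storage")
        else:
            raise ValueError(f"unknown pattern id: {pid!r}")
    if not kinds:
        raise ValueError("at least one pattern id is required")
    return "hybrid" if len(kinds) == 2 else kinds.pop()


def classify_distribution(usages):
    """Return the sorted Section 4.3 labels that apply to a channel description."""
    usages = list(usages)
    if not usages:
        raise ValueError("no pattern usages given")
    by_step = defaultdict(set)       # step -> patterns active in that step
    by_pattern = defaultdict(list)   # pattern -> usages of that pattern
    for u in usages:
        by_step[u.step].add(u.pattern)
        by_pattern[u.pattern].append(u)

    labels = set()
    if len(by_pattern) > 1:
        # Several patterns in parallel: spatial-domain distribution.
        if any(len(active) > 1 for active in by_step.values()):
            labels.add("pattern combination")
        # The active pattern set changes over time: temporal-domain distribution.
        if len({frozenset(active) for active in by_step.values()}) > 1:
            labels.add("pattern hopping")

    # Pattern variation: one and the same pattern applied in several contexts.
    for uses in by_pattern.values():
        if len({u.protocol for u in uses}) > 1:
            labels.add("pattern variation: protocol-based scattering")
        if len({u.host for u in uses}) > 1:
            labels.add("pattern variation: host-based scattering")
        flows = defaultdict(set)     # (host, protocol) -> flows carrying the pattern
        for u in uses:
            flows[(u.host, u.protocol)].add(u.flow)
        if any(len(f) > 1 for f in flows.values()):
            labels.add("pattern variation: flow-based scattering")

    return sorted(labels) or ["undistributed"]


# Constructed descriptions, not measurements. Addresses are documentation
# addresses; pattern ids in the scattering cases are arbitrary picks.
H = "192.0.2.10"
SAMPLES = {
    # LACK sender side as described in the text: PS12 and PT11 on the same flow.
    "lack_sender": [Usage(0, "PS12", H, "rtp-1", "RTP"),
                    Usage(0, "PT11", H, "rtp-1", "RTP")],
    # PHCCT as described: Add Redundancy in HTTP, User-data Corruption in FTP-Data.
    "phcct": [Usage(0, "PS3", H, "f1", "HTTP"),
              Usage(1, "PS21", H, "f2", "FTP-Data"),
              Usage(2, "PS3", H, "f1", "HTTP")],
    "protocol_scatter": [Usage(0, "PS12", H, "f1", "HTTP"),
                         Usage(1, "PS12", H, "f2", "DNS")],
    "host_scatter": [Usage(0, "PS12", "192.0.2.10", "a1", "SCTP"),
                     Usage(1, "PS12", "192.0.2.11", "b1", "SCTP")],
    "flow_scatter": [Usage(0, "PT1", H, f"tcp-{i}", "TCP") for i in range(3)],
    "single": [Usage(t, "PS12", H, "f1", "HTTP") for t in range(3)],
    "hopping_and_variation": [Usage(0, "PS12", H, "f1", "HTTP"),
                              Usage(1, "PS12", H, "f2", "DNS"),
                              Usage(2, "PS10", H, "f1", "HTTP")],
}

if __name__ == "__main__":
    print("LACK:", method_type({"PS12", "PT11"}, {"PS12"}))
    for name, described in SAMPLES.items():
        print(f"{name}: {', '.join(classify_distribution(described))}")
```

A description that earns several labels is one of the mixed solutions mentioned in the last paragraph of the section.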
5 CONCLUSIONS
We identified limitations of the existing pattern-based taxonomy,
most importantly a lack of payload-based hiding patterns and a
limited definition of distributed covert channels. For this reason,
we extended the list of existing hiding patterns for network covert
channels and their related taxonomy. We also extended the
description of hybrid/distributed hiding methods and proposed an
extension and improvement of the related concepts (especially
pattern variation to handle multi-host, multi-flow and multi-protocol
techniques).
We hope this work will help to derive new insights into existing
and new data hiding techniques.
Future work will be devoted to analyzing relationships between
patterns with respect to their joint occurrence in existing methods,
and we will also investigate whether any new data hiding methods
can be deduced based on the less obvious pattern mixes.
ACKNOWLEDGMENTS
Wojciech Mazurczyk and Krzysztof Cabaj are supported by the Air
Force Office of Scientific Research under award number FA9550-17-1-0254.
The supported project is named CoCoDe (Covert Communication Detection).
Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the author(s) and do not
necessarily reflect the views of the United States Air Force.
REFERENCES
[1] W. Bender, D. Gruhl, N. Morimoto, and A. Lu. 1996. Techniques for data hiding. IBM Systems Journal 35, 3.4 (1996), 313–336. https://doi.org/10.1147/sj.353.0313
[2] V. Berk, A. Giani, and G. Cybenko. 2005. Detection of Covert Channel Encoding in Network Packet Delays. Technical Report TR2005-536. Department of Computer Science, Dartmouth College. http://www.ists.dartmouth.edu/library/149.pdf
[3] G. Fisk, M. Fisk, C. Papadopoulos, and J. Neil. 2003. Eliminating steganography in Internet traffic with active wardens. In Proc. Revised Papers from the 5th International Workshop on Information Hiding. 18–35.
[4] Wojciech Fraczek, Wojciech Mazurczyk, and Krzysztof Szczypiorski. 2012. Hiding Information in a Stream Control Transmission Protocol. Comput. Commun. 35, 2 (Jan. 2012), 159–169. https://doi.org/10.1016/j.comcom.2011.08.009
[5] W. Fraczek, W. Mazurczyk, and K. Szczypiorski. 2012. Multilevel Steganography: Improving Hidden Communication in Networks. Journal of Universal Computer Science 18, 14 (jul 2012), 1967–1986.
[6] C. G. Girling. 1987. Covert Channels in LAN’s. IEEE Transactions on Software Engineering 13, 2 (1987), 292–296.
[7] Theodore G. Handel and Maxwell T. Sandford. 1996. Hiding data in the OSI network model. In Information Hiding, Ross Anderson (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 23–38.
[8] Artur Janicki. 2016. Pitch-based Steganography for Speex Voice Codec. Security and Communication Networks 9, 15 (2016), 2923–2933. https://doi.org/10.1002/sec.1428
[9] B. Jankowski, W. Mazurczyk, and K. Szczypiorski. 2013. PadSteg: introducing inter-protocol steganography. Telecommunication Systems 52, 2 (01 Feb 2013), 1101–1111. https://doi.org/10.1007/s11235-011-9616-z
[10] X. Luo, E. W. W. Chan, and R. K. C. Chang. 2007. Cloak: A Ten-Fold Way for Reliable Covert Communications. In Computer Security – ESORICS 2007, Joachim Biskup and Javier López (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 283–298.
[11] Xiapu Luo, Edmond W. W. Chan, and Rocky K. C. Chang. 2007. Cloak: A Ten-Fold Way for Reliable Covert Communications. In Computer Security – ESORICS 2007, Joachim Biskup and Javier López (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 283–298.
[12] Wojciech Mazurczyk and Józef Lubacz. 2010. LACK—a VoIP steganographic method. Telecommunication Systems 45, 2 (01 Oct 2010), 153–163. https://doi.org/10.1007/s11235-009-9245-y
[13] W. Mazurczyk, M. Smolarczyk, and K. Szczypiorski. 2011. Retransmission steganography and its detection. Soft Computing 15, 3 (2011), 505–515. https://doi.org/10.1007/s00500-009-0530-1
[14] Wojciech Mazurczyk, Paweł Szaga, and Krzysztof Szczypiorski. 2014. Using Transcoding for Hidden Communication in IP Telephony. Multimedia Tools Appl. 70, 3 (June 2014), 2139–2165. https://doi.org/10.1007/s11042-012-1224-8
[15] W. Mazurczyk, S. Wendzel, S. Zander, A. Houmansadr, and K. Szczypiorski. 2016. Information Hiding in Communication Networks: Fundamentals, Mechanisms, Applications, and Countermeasures. Wiley-IEEE.
[16] Sabine S. Schmidt, Wojciech Mazurczyk, Jörg Keller, and Luca Caviglione. 2017. A New Data-Hiding Approach for IP Telephony Applications with Silence Suppression. In Proceedings of the 12th International Conference on Availability, Reliability and Security (ARES ’17). ACM, New York, NY, USA, Article 83, 6 pages. https://doi.org/10.1145/3098954.3106066
[17] Mansi S. Subhedar and Vijay H. Mankar. 2014. Current status and key issues in image steganography: A survey. Computer Science Review 13-14 (2014), 95–113. https://doi.org/10.1016/j.cosrev.2014.09.001
[18] Krzysztof Szczypiorski. 2012. A performance analysis of HICCUPS—a steganographic system for WLAN. Telecommunication Systems 49, 2 (01 Feb 2012), 255–259. https://doi.org/10.1007/s11235-010-9363-6
[19] S. Wendzel, W. Mazurczyk, and S. Zander. 2016. Unified Description for Network Information Hiding Methods. Journal of Universal Computer Science 22, 11 (nov 2016), 1456–1486.
[20] S. Wendzel and C. Palmer. 2015. Creativity in Mind: Evaluating and Maintaining Advances in Network Steganographic Research. Journal of Universal Computer Science 21, 12 (2015), 1684–1705.
[21] S. Wendzel and S. Zander. 2012. Detecting Protocol Switching Covert Channels. In 37th IEEE Conf. on Local Computer Networks. 280–283.
[22] S. Wendzel, S. Zander, B. Fechner, and C. Herdin. 2015. Pattern-based Survey and Categorization of Network Covert Channel Techniques. Computing Surveys (CSUR) 47, 3 (2015).
[23] F. V. Yarochkin, S.-Y. Dai, C.-H. Lin, and Y. Huang. 2008. Towards Adaptive Covert Communication System. In Proc. Pacific Rim International Symposium on Dependable Computing (PRDC). 153–159.
... For network steganography, there already exists a taxonomy of hiding patterns [5] that was enhanced over the years by several papers [2], [52]- [55]. In the remainder, we categorize all existing methods described by these earlier patterns into our taxonomy and derive domain-specific patterns as needed. ...
... Message Ordering (former: PDU Order/ Manipulated Message Ordering) [2], [5], [52] The CS encodes data using a synthetic PDU order. ...
... Additional examples can be found in ii) cryptographic protocols that use nonces during the challenge-response process [68] as well as in iii) IoT protocols with random value fields, such as MQTT [53]. [52] The CS uses the payload size to encode a hidden message. ...
Preprint
Full-text available
A unified understanding of terms and their applicability is essential for every scientific discipline: steganography is no exception. Being divided into several domains (for instance, text steganography, digital media steganography, and network steganography), it is crucial to provide a unified terminology as well as a taxonomy that is not limited to some specific applications or areas. A prime attempt towards a unified understanding of terms was conducted in 2015 with the introduction of a pattern-based taxonomy for network steganography. Six years later, in 2021, the first work towards a pattern-based taxonomy for steganography was proposed. However, this initial attempt still faced several shortcomings, e.g., the lack of patterns for several steganography domains (the work mainly focused on network steganography and covert channels), various terminology issues, and the need of providing a tutorial on how the taxonomy can be used during engineering and scientific tasks, including the paper-writing process. As the consortium who published this initial 2021-study on steganography patterns, in this paper we present the first comprehensive pattern-based taxonomy tailored to fit all known domains of steganography, including smaller and emerging areas, such as filesystem steganography and cyber-physical systems steganography. Besides, to make our contribution more effective and promote the use of the taxonomy to advance research on steganography, we also provide a thorough tutorial on its utilization. Our pattern collection is available at https://patterns.ztt.hs-worms.de.
... For network steganography, there already exists a taxonomy of hiding patterns [5] that was enhanced over the years by several papers [2], [52]- [55]. In the remainder, we categorize all existing methods described by these earlier patterns into our taxonomy and derive domain-specific patterns as needed. ...
... PS2 and PS2.a position elements within a packet. In all four cases, the covert sender essentially performs the same action: adjusting [2], [5], [52] The CS encodes data using a synthetic PDU order. ...
... Additional examples can be found in ii) cryptographic protocols that use nonces during the challenge-response process [68] as well as in iii) IoT protocols with random value fields, such as MQTT [53]. [52] can be adjusted in their formulation to reflect this pattern: i) compression of existing payload (gained space can be used by E1.1n1. Reserved/Unused State/Value Modulation afterwards) [73]; ii) transformation of the VADenabled IP telephony voice stream into a non-VAD one and fill the gaps using artificially generated RTP packets containing secret data by applying another pattern [74]; iii) approximation of the F0 parameter of the Speex codec which carries information about the pitch of the speech signal (again, the saved space can then be used by another pattern) [75]. ...
Preprint
Full-text available
A unified understanding of terms and their applicability is essential for every scientific discipline: steganography is no exception. Being divided into several domains (for instance, text steganography, digital media steganography, and network steganography), it is crucial to provide a unified terminology as well as a taxonomy that is not limited to some specific applications or areas. A prime attempt towards a unified understanding of terms was conducted in 2015 with the introduction of a pattern-based taxonomy for network steganography. Six years later, in 2021, the first work towards a pattern-based taxonomy for steganography was proposed. However, this initial attempt still faced several shortcomings, e.g., the lack of patterns for several steganography domains (the work mainly focused on network steganography and covert channels), various terminology issues, and the need of providing a tutorial on how the taxonomy can be used during engineering and scientific tasks, including the paper-writing process. As the consortium who published this initial 2021-study on steganography patterns, in this paper we present the first comprehensive pattern-based taxonomy tailored to fit all known domains of steganography, including smaller and emerging areas, such as filesystem steganography and cyber-physical systems steganography. Besides, to make our contribution more effective and promote the use of the taxonomy to advance research on steganography, we also provide a thorough tutorial on its utilization. Our pattern collection is available at https://patterns.ztt.hs-worms.de.
... For network steganography, there already exists a taxonomy of hiding patterns [5] that was enhanced over the years by several papers [2], [52]- [55]. In the remainder, we categorize all existing methods described by these earlier patterns into our taxonomy and derive domain-specific patterns as needed. ...
... PS2 and PS2.a position elements within a packet. In all four cases, the covert sender essentially performs the same action: adjusting [2], [5], [52] The CS encodes data using a synthetic PDU order. ...
... Additional examples can be found in ii) cryptographic protocols that use nonces during the challenge-response process [68] as well as in iii) IoT protocols with random value fields, such as MQTT [53]. [52] can be adjusted in their formulation to reflect this pattern: i) compression of existing payload (gained space can be used by E1.1n1. Reserved/Unused State/Value Modulation afterwards) [73]; ii) transformation of the VADenabled IP telephony voice stream into a non-VAD one and fill the gaps using artificially generated RTP packets containing secret data by applying another pattern [74]; iii) approximation of the F0 parameter of the Speex codec which carries information about the pitch of the speech signal (again, the saved space can then be used by another pattern) [75]. ...
Preprint
Full-text available
A unified understanding of terms and their applicability is essential for every scientific discipline: steganography is no exception. Being divided into several domains (for instance, text steganography, digital media steganography, and network steganography), it is crucial to provide a unified terminology as well as a taxonomy that is not limited to some specific applications or areas. A prime attempt towards a unified understanding of terms was conducted in 2015 with the introduction of a pattern-based taxonomy for network steganography. Six years later, in 2021, the first work towards a pattern-based taxonomy for steganography was proposed. However, this initial attempt still faced several shortcomings, e.g., the lack of patterns for several steganography domains (the work mainly focused on network steganography and covert channels), various terminology issues, and the need of providing a tutorial on how the taxonomy can be used during engineering and scientific tasks, including the paper-writing process. As the consortium who published this initial 2021-study on steganography patterns, in this paper we present the first comprehensive pattern-based taxonomy tailored to fit all known domains of steganography, including smaller and emerging areas, such as filesystem steganography and cyber-physical systems steganography. Besides, to make our contribution more effective and promote the use of the taxonomy to advance research on steganography, we also provide a thorough tutorial on its utilization. Our pattern collection is available at https://patterns.ztt.hs-worms.de.
... With the introduction of a pattern-based taxonomy in 2015 [50] a classification or common description of covert channels was introduced that offers the foundation for a comparable evaluation of network protocols in regards to covert channels. In an updated version from 2018 [28] the taxonomy classifies 20 different types of network covert channels. By reversing this deductive approach and applying those patterns inductively to specifications of network protocols we expect to identify potential timing and storage covert channels in a more systematic way than before, where many covert channels were identified by gut-feeling and in-depth knowledge of networking experts. ...
... packet raw bit rate, type (storage/timing), advantages, disadvantages and defense. Lamshöft et al. [23] used the pattern-based taxonomy from Mazurczyk et al. [28] to categorize different channels they discovered in Modbus/TCP. Mileva et al. [33] introduced a variety of covert channels in the MQTT 5 standard by observing the protocol specifications and deriving covert channels. ...
... In this work, we follow a more broad approach to systematically identify and evaluate covert channels. We use a two-stage approach in which we use the pattern-based taxonomy of Mazurczyk et al. [28] to find a wide variety of covert channels for a given network protocol. In this approach, we use protocol specifications to find channels and validate their plausibility against default implementations of the protocol. ...
Article
Synchronized clocks are vital for most communication scenarios in networks of Information Technology (IT) and Operational Technology (OT). The process of time synchronisation requires transmission of high-precision timestamps often originating from external sources. In this paper, we analyze how time synchronization protocols impose a threat by being leveraged as a carrier for network covert channels. This paper is an extended version of our open-access paper [15] in which we performed an in-depth analysis of the Network Time Protocol (NTP) in regards to covert channels. In this extended version, we broaden the view and take a look at time synchronisation in a more general way as we provide two comprehensive threat scenarios regarding covert channels and discuss the applicability of such covert channels to another time synchronisation protocol, namely the Precision Time Protocol, PTP. While the Network Time Protocol (NTP) is the most prevalent protocol for synchronizing clocks in IT networks, the Precision Time Protocol (PTP) is mostly found in networks of Industrial Control Systems (ICS) due to higher demands regarding accuracy and resolution. To illustrate the threat of covert channels in such protocols we describe two threat scenarios, one for the Network Time Protocol and one for the Precision Time Protocol. For NTP we perform a systematic in-depth analysis of covert channels. Our analysis results in the identification of 49 covert channels, by applying a covert channel pattern-based taxonomy. The summary and comparison based on nine selected key attributes show that NTP proves itself as a plausible carrier for covert channels. The analysis results are evaluated in regards to common behavior of NTP implementations in six major operating systems. Two channels are selected and implemented to be evaluated in network test-beds.
By hiding encrypted high entropy data in a high entropy field of NTP we show in our first assessment that practically undetectable channels can be implemented in NTP, motivating the required further research. In our evaluation, we analyze 40,000 NTP server responses from public NTP server providers and discuss potential countermeasures. Finally, we discuss the relevance, applicability and resulting threat of these findings for the Precision Time Protocol.
... intrusion detection system) observes the network traffic and the embedding should be inconspicuous in a sense that he would not be able to differentiate between genuine and steganographic communication [2]. This can be realized for example by manipulating the packet's payload on least significant bits, by using unused space in headers or by artificially produced timing delays to modulate time intervals between specific packets [8]. Network steganography in the ICS network communication domain is specific due to the lower amount of available data for potential embedding, because transmitted network packets are usually smaller since only meta-data or few (sensor) values are transmitted to keep the communication lean and simple. ...
Preprint
For the last several years, the embedding of hidden information by steganographic techniques in network communications is increasingly used by attackers in order to obscure data infiltration, exfiltration or command and control in IT (information technology) and OT (operational technology) systems. Especially industrial control systems (ICS) and critical infrastructures have increased protection requirements. Currently, network defense mechanisms are unfortunately quite ineffective against novel attacks based on network steganography. Thus, on the one hand huge amounts of network data with steganographic embedding are required to train, evaluate and improve defense mechanisms. On the other hand, the real-time embedding of hidden information in productive ICS networks is crucial due to safety violations. Additionally it is time consuming because it needs special laboratory setup. To address this challenge, this work introduces an embedding concept to generate synthetic steganographic network data to automatically produce significant amounts of data for training and evaluation of defense mechanisms. The concept enables the possibility to manipulate a network packet wherever required and outperforms the state-of-the-art in terms of embedding pace significantly.
... Wendzel et al. introduced a pattern-based taxonomy for network CCs in [164]. The taxonomy was further developed in [97,98] and slightly improved in various publications like [65,107,157,189]. The pattern-based taxonomy was revised by Wendzel et al. in [168] and further developed to a generic taxonomy for information hiding in [169]. ...
Thesis
Network-level covert channels can be considered as parasitic communication, nesting into legitimate overt communication in a way they were not foreseen by the creators of the protocol. Thus, such covert communication is threatening the integrity of the defined rules of network communication. Since first mentioned in the 1970s, covert channels have been described for numerous network-level communication protocols, and it can be considered that for each network protocol defined there also exists a covert channel, even if it may not have been described yet. The concepts of covert channels have experienced revolutionary developments within the last decade, creating highly sophisticated information hiding techniques within network traffic that are designed to deceive wardens. This thesis covers three novel approaches for such sophisticated covert channels. First, indirect network-level covert channels that rely on the exploitation of an intermediate third-party system are investigated. Therefore, all known indirect network-level covert channels are surveyed and transferred into a novel pattern-based taxonomy. Our categorization enables the unification of the understanding of this subdomain and standardizes the description of such channels. Further, potential application scenarios and countermeasures against these sophisticated indirect covert channels are described. Second, a novel detection approach is introduced, which allows the detection of reversible and plausibly deniable covert channels. Such channels restore the original information and therefore have been not or hard to detect, like for example if the cover information is (pseudo-)randomly distributed. Such an implementation has recently been published and relies on one-time password chains that are created by computationally intensive hash operations. 
The detector is based upon elongated packet runtimes, caused by computational intensive operations that are necessary to restore the original information, achieving reversibility. Further, we introduce a novel computational intensive covert channel exploiting nonce-based challenge-response authentication to create a plausibly deniable and reversible communication channel to test the portability of the introduced detector. Third, a novel type of covert channel is introduced, the so-called history covert channel. The presented proof of concept implementation allows transferring of covert information without modifying, creating, or manipulating legitimate traffic. The approach utilizes legitimate network broadcast packets and signals that information to be passed has been observed lately. This concept of splitting data and signaling traffic significantly reduces the amount of information that needs to be transmitted from a covert sender to a covert receiver. Further, we evaluate the robustness and optimization of our implementation in two testbeds.
Conference Paper
The graded approach of the IAEA NSS 17-T, in conjunction with highly restricted and deterministic traffic in a computer network, increases the importance of Information Hiding (IH) technologies for attackers. Thus, it is necessary to provide detection mechanisms and resilience against IH in the architectural designs. We reflect hidden communication channels discovered in both common and industrial network protocols within the scope of the recently updated NSS 17-T. We discuss the potential deployment of detection techniques as well as potential attack vectors such as hidden supply-chain attacks, insider threats and conventional attacks covered by the full depth of the graded approach of NSS 17-T.
INTRODUCTION
Information hiding (IH) is an important technique usable by advanced persistent threats (APT) for staying undetected over a long duration. While in information technology (IT) the mere presence of different types of communication might be sufficient in order to conceal the compromise of the systems, the graded approach of NSS 17-T [4] in conjunction with highly restricted and deterministic traffic increases the importance of IH technologies for attackers even further. Thus, the general awareness provided by an architectural design with resiliency against Information Hiding and potential detection mechanisms are a necessity. Additionally, such design decisions likely assist the mitigation of (sensitive) digital asset (SDA) vulnerabilities. In this paper, we reflect on discovered hidden communication channels in industrial protocols such as Modbus/TCP and OPC UA, as well as commonly used supporting protocols such as Syslog and NTP within the scope of the newly updated NSS 17-T in order to support the risk informed approach against potential sabotage and unauthorized access to sensitive nuclear information.
Based on the graded approach (including computer security levels and computer security zones), the impact of physical access control and decoupling mechanisms for data flows are evaluated in order to assess their suitability for preventing IH-assisted cyber-attacks.
Conference Paper
Even if information hiding can be used for licit purposes, it is increasingly exploited by malware to exfiltrate data or to coordinate attacks in a stealthy manner. Therefore, investigating new methods for creating covert channels is fundamental to completely assess the security of the Internet. Since the popularity of the carrier plays a major role, this paper proposes to hide data within VoIP traffic. Specifically, we exploit Voice Activity Detection (VAD), which suspends the transmission during speech pauses to reduce bandwidth requirements. To create the covert channel, our method transforms a VAD-activated VoIP stream into a non-VAD one. Then, hidden information is injected into fake RTP packets generated during silence intervals. Results indicate that steganographically modified VAD-activated VoIP streams offer a good trade-off between stealthiness and steganographic bandwidth.
Article
Full-text is available here: http://www.jucs.org/jucs_22_11/unified_description_for_network Until now hiding methods in network steganography have been described in arbitrary ways, making them difficult to compare. For instance, some publications describe classical channel characteristics, such as robustness and bandwidth, while others describe the embedding of hidden information. We introduce the first unified description of hiding methods in network steganography. Our description method is based on a comprehensive analysis of the existing publications in the domain. When our description method is applied by the research community, future publications will be easier to categorize, compare and extend. Our method can also serve as a basis to evaluate the novelty of hiding methods proposed in the future.
Article
Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns (i.e., most techniques we surveyed are similar). We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: whereas many current countermeasures were developed for specific channels, a pattern-oriented approach allows application of one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.
Article
The paper presents Multi-Level Steganography (MLS), which defines a new concept for hidden communication in telecommunication networks. In MLS, at least two steganographic methods are utilised simultaneously, in such a way that one method (called the upper-level) serves as a carrier for the second one (called the lower-level). Such a relationship between two (or more) information hiding solutions has several potential benefits. The most important is that the lower-level method steganographic bandwidth can be utilised to make the steganogram unreadable even after the detection of the upper-level method: e.g., it can carry a cryptographic key that deciphers the steganogram carried by the upper-level one. It can also be used to provide the steganogram with integrity. Another important benefit is that the lower-layer method may be used as a signalling channel in which to exchange information that affects the way that the upper-level method functions, thus possibly making the steganographic communication harder to detect. The prototype of MLS for IP networks was also developed, and the experimental results are included in this paper.
Conference Paper
Network covert channels enable hidden communication and can be used to break security policies. Within the last years, new techniques for such covert channels arose, including protocol switching covert channels (PSCCs). PSCCs transfer hidden information by sending network packets with different selected network protocols. In this paper we present the first detection methods for PSCCs. We show that the number of packets between network protocol switches and the time between switches can be monitored to detect PSCCs with 98-99% accuracy for bit rates of 4 bits/second or higher.
Conference Paper
In this paper, we propose Cloak—a new class of reliable timing channels—which is fundamentally different from other timing channels in several aspects. First, Cloak encodes a message by a unique distribution of N packets over X TCP flows. The combinatorial nature of the encoding methods increases the channel capacity largely with (N,X). Second, Cloak offers ten different encoding and decoding methods, each of which has a unique tradeoff among several important considerations, such as channel capacity and the need for packet marking. Third, the packet transmissions modulated by Cloak could be carefully crafted to mimic the normal TCP flows in a typical TCP-based application session. Although Cloak’s basic idea is simple, we show in this paper how we tackle a number of challenging issues systematically. Our experiment results collected from PlanetLab nodes and a test bed suggest that Cloak is feasible under various network conditions and different round-trip delays.
Article
This paper presents an improved version of a steganographic algorithm for IP telephony called HideF0. It is based on approximating the F0 parameter, which is responsible for conveying information about the pitch of the speech signal. The bits saved due to simplification of the pitch contour are used for the hidden transmission. In our experiments, the proposed method was applied to the narrowband Speex codec working in five different modes, with bitrates between 5,950 bps and 24,600 bps. We showed that HideF0 was able to create hidden channels with steganographic bandwidths of around 200 bps at the expense of a steganographic cost of between 0.5 and 0.7 MOS, depending on the Speex mode. Because of placing the approximation flag in the voice packet header, the improved version of the proposed algorithm yielded a significantly lower decrease in speech quality, when compared with the original version of HideF0. In addition, for low bitrates of the hidden channel (i.e., below ca. 50 bps) it was able to operate without introducing any steganographic cost.
Article
PDF can be downloaded from the journal website: http://www.jucs.org/doi?doi=10.3217/jucs-021-12-1684 Abstract: The research discipline of network steganography deals with the hiding of information within network transmissions, e.g. to transfer illicit information in networks with Internet censorship. The last decades of research on network steganography led to more than hundred techniques for hiding data in network transmissions. However, previous research has shown that most of these hiding techniques are either based on the same idea or introduce limited novelty, enabling the application of existing countermeasures. In this paper, we provide a link between the field of creativity and network steganographic research. We propose a framework and a metric to help evaluating the creativity bound to a given hiding technique. This way, we support two sides of the scientific peer review process as both authors and reviewers can use our framework to analyze the novelty and applicability of hiding techniques. At the same time, we contribute to a uniform terminology in network steganography.
Article
Steganography and steganalysis are the prominent research fields in information hiding paradigm. Steganography is the science of invisible communication while steganalysis is the detection of steganography. Steganography means “covered writing” that hides the existence of the message itself. Digital steganography provides potential for private and secure communication that has become the necessity of most of the applications in today’s world. Various multimedia carriers such as audio, text, video, image can act as cover media to carry secret information. In this paper, we have focused only on image steganography. This article provides a review of fundamental concepts, evaluation measures and security aspects of steganography system, various spatial and transform domain embedding schemes. In addition, image quality metrics that can be used for evaluation of stego images and cover selection measures that provide additional security to embedding scheme are also highlighted. Current research trends and directions to improve on existing methods are suggested.
Article
Covert channels are mechanisms for communicating information in ways that are difficult to detect. Data exfiltration can be an indication that a computer has been compromised by an attacker even when other intrusion detection schemes have failed to detect a successful attack. Covert timing channels use packet inter-arrival times, not header or payload embedded information, to encode covert messages. This paper investigates the channel capacity of Internet-based timing channels and proposes a methodology for detecting covert timing channels based on how close a source comes to achieving that channel capacity. A statistical approach is then used for the special case of binary codes.