2015-Taxonomy (Networking)

The following list represents the latest pattern collection that was published 2014/2015 in [1], and improved by [2] and [3]. Additional minor updates were provided by [4-6]. Each pattern comprises a number (pattern ID), the authors and publication reference where the pattern was first published*, a brief illustration of the pattern’s use, a context (where can the pattern be found in the hierarchy of patterns) and a link to publications which provide evidence for the existence of the pattern.

Please note that this taxonomy was incorporated into the generic taxonomy (details are described in the paper that presents the generic taxonomy).

_{^{*Please note that the author of a pattern is not necessarily the inventor of a particular hiding technique. Instead he/she is the one who recognized the pattern within different hiding techniques. The authors of the particular hiding techniques are listed in the `Evidence’ attribute of each pattern.}}

_{^{Latest Version of the Hiding Patterns Hierarchy (based on [1]; updated by [2-6]), version: Mar-25-2022.}}

• Protocol-agnostic Covert Timing Channel Patterns

  • PT1. Inter-packet Times

    PT1. Inter-packet Times (also P8. Inter-arrival Time Pattern)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1], updated by [2].
    Illustration	The covert channel alters timing intervals between network PDUs (interarrival times) to encode hidden data.
    Context	Network Covert Timing Channels -> Protocol-agnostic
    Evidence	G. Shah, A. Molina, and M. Blaze. 2006. Keyboards and Covert Channels. In Proc. 15th USENIX Security Symposium. USENIX Association, 59–75. C. G. Girling. 1987. Covert Channels in LAN’s. IEEE Transactions on Software Engineering 13 (February 1987), 292–296. Issue 2. S. Cabuk. 2006. Network covert channels: Design, analysis, detection, and elimination. Ph.D. Dissertation. Purdue University See [1] for additional evidence entries.
    Implementation	Covert Channels Evaluation Framework (CCHEF) as well as 8

  • PT2. Message Timing

    PT2. Message Sequence Timing

    Initial publication	W. Mazurczyk, S. Wendzel, S. Zander et al. in [2].
    Illustration	Hidden data is encoded in the timing of message sequences, e.g. acknowledging every n’th received packet or sending commands m times.
    Context	Network Covert Timing Channels -> Protocol-agnostic
    Evidence	see [2].
    Implementation

  • PT3. Rate/Throughput

    PT3. Rate/Throughput Pattern (also P9. Rate)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel sender alters the data rate of traffic from itself or a third party to the covert channel receiver.
    Alias	Throughput Pattern
    Context	Network Covert Timing Channels -> Protocol-agnostic
    Evidence	X. Li, Y. Zhang, F.T. Chong, and B.Y. Zhao. 2011. “A Covert Channel Analysis of a Real Switch”. Technical Report. Dep. of Computer Science, University of California, Santa Barbara. T. G. Handel and M. T. Sandford, II. 1996. Hiding Data in the OSI Network Model. In Proc. First International Workshop on Information Hiding. Springer, London, UK, 23–38. Another possible example for a rate pattern-based hiding technique is mentioned in [1].
    Implementation	?

• Protocol-aware Covert Timing Channel Patterns

  • PT10. Artificial Loss

    PT10. Artificial Message/Packet Loss Pattern (derived from original P4. PDU Corruption/Loss Pattern)

    Initial publication	W. Mazurczyk, S. Wendzel, S. Zander et al. in [2]. However, this pattern is based on the original P4. PDU Corruption/Loss Pattern, which was introduced by S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]. The pattern P4 was split up into two separate patterns (the Frame Collisions pattern and Artificial Loss pattern). P4 was later also re-invented for user-data as PS21. User-data Corruption, cf. [3].
    Illustration	The covert channel signals hidden information via artificial loss of transmitted messages (PDUs).
    Context	Network Covert Timing Channels -> Protocol-aware
    Evidence	see [2]
    Implementation

  • PT11. Message Ordering (PDU Order)

    PT11. Message Ordering Pattern (also P10 PDU Order Pattern)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    ** Alias(es)**	PDU Order [1], Manipulated Message Ordering [2], Message Ordering [3].
    Illustration	The covert channel encodes data using a synthetic PDU order for a given number of PDUs flowing between covert sender and receiver.
    Context	Network Covert Timing Channels -> Protocol-aware
    Evidence	K. Ahsan and D. Kundur. 2002. Practical Data Hiding in TCP/IP. In Proc. Workshop on Multimedia Security at ACM Multimedia ’02. X. Luo, E.W.W. Chan, and R.K.C. Chang. 2007. Cloak: A Ten-Fold Way for Reliable Covert Communications. In Proc. 12th European Symposium On Research In Computer Security (ESORICS 2007) (LNCS), Vol. 4734. Springer. A. El-Atawy and E. Al-Shaer. 2009. Building Covert Channels over the Packet Reordering Phenomenon. In INFOCOM 2009. 2186–2194. See [1] and [2] for more evidence entries.
    Implementation

  • PT12. Retransmission

    PT12. Re-Transmission Pattern (also P11)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	A covert channel re-transmits previously sent or received PDUs.
    Context	Network Covert Timing Channels -> Protocol-aware
    Evidence	C. Kraetzer, J. Dittmann, A. Lang, and T. Kuehne. 2006. WLAN Steganography: A First Practical Review. In Proc. 8th Workshop on Multimedia and Security (MMSEC’06). 17–22. S. Zillien, S. Wendzel: Detection of Covert Channels in TCP Retransmissions, in Proc. NordSec 2018, Springer, 2018. See [1] for two additional examples of such hiding techniques based on the re-transmission pattern.
    Implementation	S. Zillien, S. Wendzel: Detection of Covert Channels in TCP Retransmissions, in Proc. NordSec 2018, Springer, 2018.

  • PT13. Frame Collisions

    PT13. Frame Collisions Pattern (derived from original P4. PDU Corruption/Loss Pattern)

    Initial publication	W. Mazurczyk, S. Wendzel, S. Zander et al. in [2]. However, this pattern is based on the original P4. PDU Corruption/Loss Pattern, which was introduced by S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]. The pattern P4 was split up into two separate patterns (the Frame Collisions pattern and Artificial Loss pattern). P4 was later also re-invented for user-data as PS21. User-data Corruption, cf. [3].
    Illustration	The sender causes artificial frame collisions to signal hidden information.
    Context	Network Covert Timing Channels -> Protocol-aware
    Evidence	see [2]
    Implementation

  • PT14. Temperature

    PT14. Temperature Pattern

    Initial publication	W. Mazurczyk, S. Wendzel, S. Zander et al. in [2].
    Illustration	The sender influences a third-party node’s CPU temperature, e.g. using burst traffic. This influences the node’s clock skew. The clock skew can then be interpreted by the covert receiver by interacting with the node.
    Context	Network Covert Timing Channels -> Protocol-aware
    Evidence	see [2]
    Implementation

  • PT15. Artificial Reconnections

    PT15. Artificial Reconnections

    Initial publication	A. Mileva, A. Velinov, L. Hartmann et al. in [5].
    Illustration	The Artificial Reconnections Pattern employs artificial (forced) reconnections to transfer secret messages. The covert sender influences connection states of third-party nodes in a way that their connections to either a central element (e.g., an MQTT broker or a server) or a peer (in a peer-to-peer network) are terminated and then established again (i.e., a reconnect is performed). The covert receiver must be capable of monitoring these reconnects, e.g., either by compromising the central/peer element or in a passive network observer situation, like a MitM location. Encoding works by assigning secret values to third-party, so that a reconnect of a particular node represents the transfer of the secret symbol assigned to that node. Another scenario for this pattern can also be a chatroom or a gaming server with a large number of clients that reconnect automatically after being disconnected (source: [5]).
    Context	Network Covert Timing Channels -> Protocol-aware
    Evidence	see [5] and [7]
    Implementation

  • PT16. Artificial Resets

    PT16. Artificial Resets

    Initial publication	L. Hartmann, S. Zillien, S. Wendzel in [6].
    Illustration	The pattern PT16 Artificial Resets is embedded by a CS that causes a connection reset of third-party nodes, whose connection states are observed by one or more CRs. The pattern is a protocol-aware timing pattern. So far, the pattern has only been described for an indirect covert channel.
    Context	Network Covert Timing Channels -> Protocol-aware
    Evidence	see [6]
    Implementation	https://github.com/NIoSaT/CoAP-Covert-Channels features the first known implementation and is based on the IoT protocol CoAP.

• Structure Modifying Covert Storage Channel Patterns

  • PS1. Size Modulation

    PS1. Size Modulation Pattern (also P1)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel uses the size of a header element or a PDU to encode a hidden message.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Modifying
    Evidence	C. G. Girling. 1987. Covert Channels in LAN’s. IEEE Transactions on Software Engineering 13 (February 1987), 292–296. Issue 2. M. Wolf. 1989. Covert channels in LAN protocols. In Proc. Local Area Network Security. LNCS, Vol. 396. Springer, 89–101. S. J. Murdoch and S. Lewis. 2005. Embedding Covert Channels into TCP/IP. In Proc. Information Hiding Conference 2005 (LNCS), Vol. 3727. Springer, 247–261. Steffen Wendzel, Florian Link, Daniela Eller, Wojciech Mazurczyk: Detection of Size Modulation Covert Channels Using Countermeasure Variation, Journal of Universal Computer Science (J.UCS), Vol. 25(11), 2019. For more evidence entries cf. [1].
    Implementation	The implementation can be realized using CCEAP. An alternative is: C. Heinz: TLSCC (University of Hagen)
    Known Pattern-based Countermeasures	Steffen Wendzel, Florian Link, Daniela Eller, Wojciech Mazurczyk: Detection of Size Modulation Covert Channels Using Countermeasure Variation, Journal of Universal Computer Science (J.UCS), Vol. 25(11), 2019.

  • PS2. Sequence, incl. sub-patterns

    PS2. Sequence Pattern (also P2)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel alters the sequence of header/PDU elements to encode hidden information.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Modifying
    Evidence	A. Dyatlov and S. Castro. 2005. Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the HTTP protocol. Technical Report. Gray-World.net. R. Rios, J.A. Onieva, and J. Lopez. 2012. HIDE DHCP: Covert Communications Through Network Configuration Messages. In Proc. IFIP TC 11 27th International Information Security Conference. Springer. X.-g. Zou, Q. Li, S.-H. Sun, and X. Niu. 2005. The Research on Information Hiding Based on Command Sequence of FTP Protocol. In Proc. 9th Int. Conf. on Knowledge-Based Intelligent Information and Engineering Systems (KES 2005), Part III (LNCS), Vol. 3683. Springer Berlin Heidelberg, 1079–1085.
    Implementation	?

    PS2.a. Position Pattern (also P2a)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel alters the position of a given header/PDU element to encode hidden information.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Modifying -> Sequence
    Evidence	R. Rios, J.A. Onieva, and J. Lopez. 2012. HIDE DHCP: Covert Communications Through Network Configuration Messages. In Proc. IFIP TC 11 27th International Information Security Conference. Springer. For further examples cf. [1].
    Implementation	?

    PS2.b. Number of Elements Pattern (also P2b)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel encodes hidden information by the number of header/PDU elements transferred.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Modifying -> Sequence
    Evidence	R. Rios, J.A. Onieva, and J. Lopez. 2012. HIDE DHCP: Covert Communications Through Network Configuration Messages. In Proc. IFIP TC 11 27th International Information Security Conference. Springer. W. Mazurczyk and K. Szczypiorski. 2012. Evaluation of steganographic methods for oversized IP packets. Telecommunication Systems 49, 2 (2012), 207–217. A third example is mentioned in [1].
    Implementation	?

  • PS3. Add Redundancy

    PS3. Add Redundancy Pattern (also P3)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel creates new space within a given header element or within a PDU to hide data into.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Modifying
    Evidence	Z. Trabelsi and I. Jawhar. 2010. Covert File Transfer Protocol Based on The IP Record Route Option. Journal of Information Assurance and Security (JIAS) 5, 1 (2010). T. Graf. 2003. Messaging over IPv6 Destination Options (2003). Retrieved: December 2013. A. Getchell. 2008. RE: For those interested in covert channels. (2008). A posting on the securityfocus penetration testing mailinglist, retrieved: December 2013. For further evidence entries cf. [1].
    Implementation	CCEAP This tool by Binni Shah adds additional option(s) to the TCP header to carry covert data (good explanation is available). C. Heinz: TLSCC (University of Hagen)

• Structure Preserving Covert Storage Channel Patterns

  • PS10. Random Value

    PS10. Random Value Pattern (also P5)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel embeds hidden data in a header element containing a (pseudo-)random value.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Preserving -> Modification of an Attribute
    Evidence	J. Keller, S. Wendzel. Reversible and Plausibly Deniable Covert Channels in One-Time Passwords Based on Hash Chains, Applied Sciences, Vol. 11(2), MDPI, 2021. C. H. Rowland. 1997. Covert Channels in the TCP/IP Protocol Suite. First Monday 2, 5 (May 1997). J. Rutkowska. 2004. The implementation of passive covert channels in the Linux kernel. (2004). Speech held at the 21st Chaos Communication Congress, Berlin, Germany N. Lucena, J. Pease, P. Yadollahpour, and S. J. Chapin. 2004. Syntax and Semantics-Preserving Application Layer Protocol Steganography. In Proceedings of 6th Information Hiding Workshop. In [1], additional information on the evidence is provided.
    Implementation	e.g. C. Heinz: TLSCC (University of Hagen)

  • PS11. Value Modulation, incl. sub-patterns (UPDATED)

    PS11. Value Modulation Pattern (also P6)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel selects one of the n values that a header element can contain to encode a hidden message.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Preserving -> Modification of an Attribute
    Evidence	T. Schmidbauer et al.: Introducing Dead Drops to Network Steganography using ARP-Caches and SNMP-Walks, in Proc. ARES 2019. This channel is an indirect variant of a Value Modulation as an ARP cache of a third party host stores the data (for quite some time). C. G. Girling. 1987. Covert Channels in LAN’s. IEEE Transactions on Software Engineering 13 (February 1987), 292–296. Issue 2. S. Zander, G.J. Armitage, and P.A. Branch. 2006. Covert Channels in the IP time to live field. In Australian Telecommunication Networks and Applications Conference (ATNAC 2006). 298–302. N. Lucena, G. Lewandowski, and S. Chapin. 2006. Covert Channels in IPv6. In Proc. 5th International Workshop on Privacy Enhancing Technologies (PET 2005). LNCS, Vol. 3856. Springer, 147–166. See [1] for more evidence entries.
    Implementation	Covert Channels Evaluation Framework (CCHEF) CCEAP

    PS11.a. Case Pattern (previously known as P6a)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel uses case-modification of letters in header elements to encode hidden data.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Preserving -> Modification of an Attribute -> Value Modulation
    Evidence	A. Dyatlov and S. Castro. 2005. Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the HTTP protocol. Technical Report. Gray-World.net. R. Patuck and J. Hernandez-Castro. 2013. Steganography using the Extensible Messaging and Presence Protocol (XMPP). CoRR abs/1310.0524 (2013). [1] provides additional examples of possible case pattern-based techniques.
    Implementation	?

    PS11.b. Least Significant Bit (LSB) Pattern (previously known as P6b)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel uses the least significant bit(s) of header elements to encode hidden data.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Preserving -> Modification of an Attribute -> Value Modulation
    Evidence	T. G. Handel and M. T. Sandford, II. 1996. Hiding Data in the OSI Network Model. In Proc. First International Workshop on Information Hiding. Springer, London, UK, 23–38. J. Giffin, R. Greenstadt, P. Litwack, and R. Tibbetts. 2003. Covert messaging through TCP timestamps. In Proc. 2nd International Conference on Privacy Enhancing Technologies. Springer, 194–208. R. Rios, J.A. Onieva, and J. Lopez. 2012. HIDE DHCP: Covert Communications Through Network Configuration Messages. In Proc. IFIP TC 11 27th International Information Security Conference. Springer. More evidence entries are provided in [1].
    Implementation	Covert Channels Evaluation Framework (CCHEF)

    PS11.c. Value Influencing Pattern

    Initial publication	A. Velinov, A. Mileva, S. Wendzel, W. Mazurczyk (2019) in [4]
    Illustration	The covert channel sender (directly or indirectly) influences some (out of n possible) values in a way that a covert channel receiver can determine the value. In other words, the value is not directly written, but influence by altering another value or surrounding networking conditions.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Preserving -> Modification of an Attribute -> Value Modulation
    Evidence	see [4]
    Implementation	-

  • PS12. Reserved/Unused

    PS12. Reserved/Unused Pattern (also P7)

    Initial publication	S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]
    Illustration	The covert channel encodes hidden data into a reserved or unused header/PDU element.
    Context	Network Covert Storage Channels -> Modification of Non-Payload -> Structure Preserving -> Modification of an Attribute
    Evidence	M. Wolf. 1989. Covert channels in LAN protocols. In Proc. Local Area Network Security. LNCS, Vol. 396.Springer, 89–101. T. G. Handel and M. T. Sandford, II. 1996. Hiding Data in the OSI Network Model. In Proc. First International Workshop on Information Hiding. Springer, London, UK, 23–38. K. Ahsan and D. Kundur. 2002. Practical Data Hiding in TCP/IP. In Proc. Workshop on Multimedia Security at ACM Multimedia ’02. See [1] for additional evidence entries.
    Implementation	?

• User-data Agnostic Covert Storage Channel Patterns

  • PS20. Payload Field Size Modulation (derived from PS1)

    PS20. Payload Field Size Modulation (derived from PS1)

    Initial publication	W. Mazurczyk, S. Wendzel, K. Cabaj in [3]. However, this pattern is based on the original PS1. Size Modulation Pattern, which was introduced by S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1].
    Illustration	This pattern uses a size of the payload field of a flow’s PDUs/messages to encode the hidden message. This pattern is a variant (child) of the pattern P1. Size Modulation of [1] which has been already defined for the modification of the non-payload branch of storage methods.
    Context	Network Covert Channel Patterns -> Covert Storage Channel Patterns -> Modification of Payload -> User-data Agnostic
    Evidence	Modulate the size of the data block field in Ethernet frames, cf. Girling’87. Any other method that modulates the size of the payload field in any network protocol.
    Implementation

  • PS21. User-data Corruption

    PS21. User-data Corruption (derived from original P4. PDU Corruption/Loss Pattern)

    Initial publication	W. Mazurczyk, S. Wendzel, K. Cabaj in [3]. However, this pattern is based on the original P4. PDU Corruption/Loss Pattern, which was introduced by S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1]. The pattern P4 was split up into two separate patterns (the Frame Collisions pattern and Artificial Loss pattern), cf. [2]. P4 was later also re-introduced for user-data as PS21. User-data Corruption, cf. [3].
    Illustration	This pattern is related to the cases when steganographic methods do not take into account what kind of user-data is carried within a payload field and/or what its characteristic is (blind modification). It can be applied to single PDUs or to multiple PDUs (a flow). This typically happens if parts of (or the whole) user-data is replaced with secret bits and thus the user-data is corrupted/lost.
    Context	Network Covert Channel Patterns -> Covert Storage Channel Patterns -> Modification of Payload -> User-data Agnostic
    Evidence	see [3].
    Implementation

• User-data Aware Covert Storage Channel Patterns

  • PS30. Modify Redundancy

    PS30. Modify Redundany

    Initial publication	W. Mazurczyk, S. Wendzel, K. Cabaj in [3].
    Illustration	This pattern is used when it is possible to exploit the redundancy of the user-data by means of transforming them in such a way that a free space for secret data is obtained (e.g. by means of transcoding). This pattern is a bit similar to the pattern Add Redundancy defined in [1] but can also decrease redundancy and is applied to payload instead of meta-data.
    Context	Network Covert Channel Patterns -> Covert Storage Channel Patterns -> Modification of Payload -> User-data Aware
    Evidence	See [3] for references. At least the following ideas were published that belong to this pattern: 1. Compress existing user-data in order to make a space for secret data. 2. Transform the VAD-enabled IP telephony voice stream into non-VAD one and fill the gaps using artificially generated RTP packets containing secret data. 3. Approximate the F0 parameter of the Speex codec which carries information about the pitch of the speech signal and use the ``saved’’ space for secret data.
    Implementation

  • PS31. User-data Value Modulation and Reserved/Unused

    PS31. User-data Value Modulation and Reserved/Unused

    Initial publication	W. Mazurczyk, S. Wendzel, K. Cabaj in [3]. However, this pattern is based on the original PS11 Value Modulation and PS12 Rserved/Unused Patterns, which were introduced by S. Wendzel, S. Zander, B. Fechner, C. Herdin in [1].
    Illustration	Characteristic features of user-data can be utilized to store secret information. This includes applying methods like LSB modification to speech samples or digital images carried within the payload field. Compared with previous patterns this is a targeted modification. This pattern is analogous to the combination of the patterns.
    Context	Network Covert Channel Patterns -> Covert Storage Channel Patterns -> Modification of Payload -> User-data Aware
    Evidence	See [3] for references. At least the following ideas were published that belong to this pattern: 1. Encode a stream of information by spreading the encoded data across as much of the frequency spectrum as feasible (e.g. DSSS). 2. Embeds secret data into a carrier audio signal by introducing an echo (a.k.a. echo hiding). 3. Replacing the least significant bit of e.g. each voice sample with secret data (LSB).
    Implementation

Video Introduction to Patterns: https://www.youtube.com/watch?v=0ztPHur0LUY

Implementation: Most of these patterns, excluding the payload-specific patterns, can be created with the CCEAP tool.

Bibliography:

[1] S. Wendzel, S. Zander, B. Fechner, C. Herdin: Pattern-based Survey and Categorization of Network Covert Channel Techniques, ACM Computing Surveys, Vol. 47, Issue 3, pp. 50:1-26, ACM, 2015. An early version of the article is available here

[2] W. Mazurczyk, S. Wendzel, S. Zander, A. Houmansadr, K. Szczypiorski: Information Hiding in Communication Networks, Wiley, 2016. Chapters 3 and 8 contain discussions on hiding patterns, basically on the basis of [1] but with an extension of timing-based patterns.

[3] W. Mazurczyk, S. Wendzel, K. Cabaj: Towards Deriving Insights into Data Hiding Methods Using Pattern-based Approach, in Proc. Second International Workshop on Criminal Use of Information Hiding (CUING 2018) at ARES, pp. 10:1-10:10, ACM, 2018.

[4] A. Velinov, A. Mileva, S. Wendzel, W. Mazurczyk: Covert Channels in MQTT-based Internet of Things, IEEE ACCESS, Vol. 7, pp. 161899-161915, 2019.

[5] A. Mileva, A. Velinov, L. Hartmann, S. Wendzel, W. Mazurczyk: Comprehensive Analysis of MQTT 5.0 Susceptibility to Network Covert Channels, Computers & Security, Elsevier, 2021.

[6] L. Hartmann, S. Zillien, S. Wendzel: Reset- and Reconnection-based Covert Channels in CoAP. In: Proc. European Interdisciplinary Cybersecurity Conference (EICC), 2021.

[7] Sebastian Zillien, Steffen Wendzel: Reconnection-based Covert Channels in Wireless Networks. In: Proc. 36th IFIP TC-11 International Information Security and Privacy Conference (IFIP SEC 2021). Springer, 2021.

[8] Sebastian Zillien, Steffen Wendzel: Weaknesses of popular and recent covert channel detection methods and a remedy. In: IEEE Trans. Dep. Sec. Comp. (TDSC), in press.