Please note that the following content is extracted from our paper that can be cited as follows:
- S. Wendzel, L. Caviglione, W. Mazurczyk, A. Mileva, J. Dittmann, C. Krätzer, K. Lamshöft, C. Vielhauer, L. Hartmann, J. Keller, T. Neubert, S. Zillien (2022): A Generic Taxonomy for Steganography Methods, pre-print, 2022.
On this page, we first summarize the generic taxonomy. Afterwards, we explain the sub-taxonomy on network steganography. All other sub-taxonomies (as well as additional details on the network steganography sub-taxonomy) can be found in the paper.
Embedding Hiding Patterns
|General||Domain Specific Example: Network Steganography|
|E1. State/Value Modulation||E1n1. State/Value Modulation|
|E1.1. Reserved/Unused State/Value Modulation||E1.1n1. Reserved/Unused State/Value Modulation|
|E1.2. Random State/Value Modulation||E1.2n1. Random State/Value Modulation|
|E1.3. LSB State/Value Modulation||E1.3n1. LSB State/Value Modulation|
|E1.4. Character State/Value Modulation||E1.4n1. Character State/Value Modulation|
|E1.5. Redundancy State/Value Modulation||E1.5n1. Redundancy State/Value Modulation|
|E2. Element Occurrence||E2n1. Element Occurrence|
|E2.1. Element Enumeration||E2.1n1. Element Enumeration|
|E2.2. Element Positioning||E2.2n1. Element Positioning|
Representation Hiding Patterns
|General||Domain Specific Example: Network Steganography|
|R1. State/Value Modulation||R1n1. State/Value Modulation|
|R1.1. Reserved/Unused State/Value Modulation||R1.1n1. Reserved/Unused State/Value Modulation|
|R1.2. Random State/Value Modulation||R1.2n1. Random State/Value Modulation|
|R1.3. LSB State/Value Modulation||R1.3n1. LSB State/Value Modulation|
|R1.4. Character State/Value Modulation||R1.4n1. Character State/Value Modulation|
|R1.5. Redundancy State/Value Modulation||R1.5n1. Redundancy State/Value Modulation|
|R2. Element Occurrence||R2n1. Element Occurrence|
|R2.1. Element Enumeration||R2.1n1. Element Enumeration|
|R2.2. Element Positioning||R2.2n1. Element Positioning|
Embedding Patterns for Network Steganography
E1n1. Network State/Value Modulation
|Initial publication||Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Value Modulation pattern from Wendzel et al., 2015.|
|Illustration||The covert message is embedded by modulating the state or value of a network element, such as a frame, packet, header element, payload field etc.|
|Original network steganography patterns||PS11. Value Modulation (including all sub-patterns) and PS31. User-data Value Modulation, and partially: PT11. Message Ordering (only the aspect of modulating sequence numbers) and PT15. Artificial Reconnections/PT16. Artificial Resets (in both cases, some header fields, such as RST flags, must be modulated). Additionally: multiple patterns to cover E1n1’s sub-patterns (see particular descriptions below).|
|Examples||1) changing values of network packet header fields, e.g., the target IP address of ARP Ji et al., 2010; 2) the Hop Count value in IPv6 Lucena et al., 2005 or the LSB in the IPv4 TTL.|
E1.1n1. Network Reserved/Unused State/Value Modulation
|Initial publication||Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Reserved/Unused pattern from Wendzel et al., 2015.|
|Illustration||The covert message is embedded by modulating reserved/unused states/values of network elements.|
|Original network steganography patterns||PS12. Reserved/Unused, parts of PS3. Redundancy, parts of PS30. Modify Redundancy, as well as parts of PS31. User-data Value Modulation and Reserved/Unused.|
|Examples||1) ten examples for the original Reserved/Unused pattern are surveyed in Wendzel et al., 2015, showing that unused/reserved fields in IEEE 802.3 and 802.5 Handel et al., 1996, Wolf, 1989, Jankowski et al., 2010, IPv4 Handel et al., 1996, IP-IP, IPv6 Lucena et al., 2005, TCP Handel et al., 1996, Sadeghi et al., 2012, ICMP Stødle, 2009, daemon9, 1997, BACnet Wendzel et al., 2012, DHCP Rios et al., 2012, and IPSec Sadeghi et al., 2012 can be exploited by overwriting certain header fields, such as the IP Identifier. Moreover, additional and recent works have shown that more protocols are vulnerable due to their unused/reserved fields, such as 2) MQTT Velinov et al., 2019 and 3) SIP Mazurczyk and Szczypiorski, 2008.|
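A defender-side check for the reserved/unused IPv4 and TCP header fields named in the E1.1n1 examples, as an added example that is not from the paper: it parses a raw IPv4+TCP packet and reports reserved or unused fields that carry non-zero values, which is what a traffic normalizer would clear. The names `audit_reserved_fields` and `build_sample` and the sample packets are constructed for illustration; the field layout follows the IPv4 and TCP header definitions (RFC 791, RFC 9293).

```python
import struct

def audit_reserved_fields(packet):
    """Return findings for reserved/unused IPv4 and TCP header fields that are set."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    findings = []
    flags_frag = struct.unpack_from("!H", packet, 6)[0]
    if flags_frag & 0x8000:               # top flag bit is reserved, must be zero
        findings.append("ipv4: reserved flag bit set")
    if packet[9] != 6:                    # only TCP is inspected further
        return findings
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    rsrvd = tcp[12] & 0x0F                # 4 reserved bits after the data offset
    flags = tcp[13]
    if rsrvd:
        findings.append(f"tcp: reserved bits = 0x{rsrvd:x}")
    urg_ptr = struct.unpack_from("!H", tcp, 18)[0]
    if urg_ptr and not flags & 0x20:      # urgent pointer is unused without URG
        findings.append(f"tcp: urgent pointer {urg_ptr} without URG flag")
    return findings

def build_sample(ip_flags_frag=0x4000, tcp_rsrvd=0, tcp_flags=0x02, urg_ptr=0):
    """Constructed IPv4+TCP SYN packet for testing (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, ip_flags_frag,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0,
                      (5 << 4) | tcp_rsrvd, tcp_flags, 65535, 0, urg_ptr)
    return ip + tcp

if __name__ == "__main__":
    samples = {
        "clean SYN": build_sample(),
        "reserved fields in use": build_sample(0xC000, tcp_rsrvd=0x5, urg_ptr=7),
    }
    for label, pkt in samples.items():
        print(label, "->", audit_reserved_fields(pkt) or "no findings")
```
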
E1.2n1. Network Random State/Value Modulation
|Initial publication||Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Random (Value) Modulation pattern from Wendzel et al., 2015.|
|Illustration||A (pseudo-)random value or state of/in the network data is replaced with a secret message (which also has a pseudo-random appearance).|
|Original network steganography patterns||PS10. Random Value and PS33. User-data Random Value Modulation.|
|Examples||1) Wendzel et al., 2015 already mentions some examples, such as the utilization of the pseudo-random IP Identifier field Rowland, 1997, the TCP ISN Rowland, 1997, Rutkowska, 2004, the DHCP xid field Rios et al., 2012 and the SSH MAC field Lucena et al., 2004. Additional examples can be found in 2) cryptographic protocols that use nonces during the challenge-response process Schmidbauer et al., 2022 as well as in 3) IoT protocols with random value fields, such as MQTT Velinov et al., 2019.|
E1.3n1. Network LSB State/Value Modulation
|Illustration||The LSBs of network elements are modulated.|
|Original network steganography patterns||PS11.b. LSB Modulation.|
|Examples||1) Wendzel et al., 2015 provides several examples, such as the modulation of the LSBs in the IPv6 Hop Limit field Lucena et al., 2005, the IPv4 TTL field, the IP timestamp option’s LSB Handel et al., 1996, the TCP timestamp option Giffin et al., 2003, the LSB of DHCP’s secs field Rios et al., 2012, the BACnet hop count field, or the LSB of XMPP id attributes Patuck and Hernandez-Castro, 2013. 2) Recent work has applied the LSB method to the Modbus protocol Bernieri et al., 2020.|
E1.4n1. Network Character State/Value Modulation
|Illustration||The features of characters in network elements are modulated.|
|Original network steganography patterns||PS11.a. Case Modulation.|
|Examples||1) case modulation of characters in HTTP headers Dyatlov and Castro, 2005. This method can also be applied to several other textual protocols, such as SMTP, IMAP, POP3, NNTP etc.|
E1.5n1. Network Redundancy State/Value Modulation
|Illustration||The redundancy of a network element’s content is modulated (this is usually applied by a succeeding pattern that fills the gained space with covert data), e.g., by means of compression.|
|Original network steganography patterns||Part of PS30. Modify Redundancy.|
|Examples||Three examples of Mazurczyk et al., 2018 can be adjusted in their formulation to reflect this pattern: 1) compression of existing payload (gained space can be used by E1.1n1. Reserved/Unused State/Value Modulation afterwards) Mazurczyk et al., 2014; 2) transformation of the VAD-enabled IP telephony voice stream into a non-VAD one and filling of the gaps with artificially generated RTP packets containing secret data by applying another pattern Schmidt et al., 2017; 3) approximation of the F0 parameter of the Speex codec which carries information about the pitch of the speech signal (again, the saved space can then be used by another pattern) Jankowski et al., 2013.|
E2n1. Network Element Occurrence
|Illustration||The covert message is encoded in the spatial or temporal location of elements, which can also, e.g., influence the rate or overall number of packets appearing in a flow (succeeding messages occur shortly or long after previous ones).|
|Original network steganography patterns||PT10. Artificial Loss and PT12. Retransmission as well as multiple patterns to cover E2n1’s sub-patterns (see particular descriptions below).|
|Examples||1) sending a specific frame or packet multiple times (retransmission) as done in case of IEEE 802.11 Kraetzer et al., 2006 or TCP Zillien and Wendzel, 2018; 2) performing a high number of frame transmissions (e.g., so that their occurrences influence the rate/throughput of a network link Li et al., 2011); 3) selecting one out of multiple possible IPv4 option headers to appear; 4) dropping TCP segments with an even sequence number (artificial loss, i.e., non-occurrence or occurrence of all other elements of a flow, except the dropped ones); 5) not acknowledging TCP packets Mazurczyk et al., 2011 (again a form of non-occurrence).|
E2.1n1. Network Element Enumeration
|Illustration||An attribute describing the quantity of network sub-elements is modulated. This pattern also applies if sub-elements are added to a network element to increase its overall size (e.g., by adding more sub-elements to the payload in network packets).|
|Original network steganography patterns||PT2. Message Sequence Timing, PT12. Retransmission, PS1. Size Modulation, PS2.b. Number of Elements, PS20. Payload Field Size Modulation, as well as parts of PS3. Add Redundancy and PS32. User-data Sequence Modulation.|
|Examples||1) fragmenting a network packet into either n or m (n≠m) fragments Mazurczyk and Szczypiorski, 2012; 2) letting network packets or commands occur just once or multiple times (e.g., artificial TCP segment or FTP command re-transmissions) Zillien and Wendzel, 2018, Zou et al., 2005; 3) encoding secret information through the number of IPv6 extension headers or IPv4 option headers; 4) creating additional (unused) space in network packets, such as adding an “unused” IPv6 destination option Graf, 2003 (a variant of the former PS1. Size Modulation) or integration of additional SMTP header lines Getchell, 2008; 5) modulating the number of DHCP options Rios et al., 2012.|
E2.2n1. Network Element Positioning
|Illustration||The covert message is embedded by inserting or changing the temporal/spatial position of a network element (this temporal/spatial position might be described through a virtual element).|
|Original network steganography patterns||PT1. Inter-packet Times, PT3. Rate/Throughput, PT13. Frame Collisions, PS2. Sequence, PS2.a. Position, as well as parts of PT11. Message Ordering and PT15./PT16. Artificial Reconnections/Resets.|
|Examples||1) a specific packet sent at some certain point in time in a flow (temporal positioning); 2) modulating the position of an existing TCP segment in a TCP stream; 3) position of a specific IPv4 option in the list of options Wendzel et al., 2015 as well as the sequence of multiple IPv4 options in the list of options Wendzel et al., 2015, the order of DHCP options Rios et al., 2012 or the order of HTTP header lines Dyatlov and Castro, 2005 or FTP commands Zou et al., 2005 (each element is positioned individually, but overall, they form a sequence); 4) influencing the inter-arrival time of packets by positioning individual packets Cabuk et al., 2004, Cabuk et al., 2009, Shah et al., 2006, Gianvecchio et al., 2008, Zander et al., 2011 (this can also be done to influence the throughput of a connection, e.g., for a switch Li et al., 2011 or a serial communication port Handel et al., 1996).|
Representation Patterns for Network Steganography
R1n1. Network State/Value Modulation
(derived from E1n1.)
R1.1n1. Network Reserved/Unused State/Value Modulation
(derived from E1.1n1.)
R1.2n1. Network Random State/Value Modulation
(derived from E1.2n1.)
R1.3n1. Network LSB State/Value Modulation
(derived from E1.3n1.)
R1.4n1. Network Character State/Value Modulation
(derived from E1.4n1.)
R1.5n1. Network Redundancy State/Value Modulation
(derived from E1.5n1.)
R2n1. Element Occurrence
(derived from E2n1.)
R2.1n1. Element Enumeration
(derived from E2.1n1.)
R2.2n1. Element Positioning
(derived from E2.2n1.)
Steffen Wendzel, Sebastian Zander, Bernhard Fechner, and Christian Herdin, Pattern-based Survey and Categorization of Network Covert Channels, ACM Comp. Surv., 2015.
Liping Ji, Yu Fan, and Chuan Ma, Covert channel for local area network, in 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, 2010, pp. 316–319.
Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin, Covert channels in IPv6, in International Workshop on Privacy Enhancing Technologies. Springer, 2005, pp. 147–166.
Theodore G. Handel and Maxwell T. Sandford II, Hiding data in the OSI network model, in Proceedings of the 1st International Workshop on Information Hiding, 1996, pp. 23–38.
Manfred Wolf, Covert channels in LAN protocols, in Proc. Local Area Network Security, ser. LNCS. Springer, 1989, vol. 396, pp. 89–101.
Bartosz Jankowski, Wojciech Mazurczyk, and Krzysztof Szczypiorski, Information hiding using improper frame padding, eprint arXiv:1005.1925, 2010.
Ahmad-Reza Sadeghi, Steffen Schulz, and Vijay Varadharajan, The silence of the lans: Efficient leakage resilience for IPsec VPNs, in Computer Security – ESORICS 2012, ser. LNCS, vol. 7459. Springer Berlin Heidelberg, 2012, pp. 253–270.
Daniel Stødle, Ping tunnel – for those times when everything else is blocked, 2009.
daemon9, LOKI2 (the implementation), Phrack Magazine, vol. 7, no. 51, 1997.
Steffen Wendzel, Benjamin Kahler, and Thomas Rist, Covert channels and their prevention in building automation protocols: A prototype exemplified using BACnet, in Proc. 2012 Int. Conf. Green Computing and Communications (GreenCom). IEEE, 2012, pp. 731–736.
Ruben Rios, Jose A. Onieva, and Javier Lopez, HIDE DHCP: Covert communications through network configuration messages, in Proc. IFIP TC 11 27th International Information Security Conference. Springer, 2012.
Aleksandar Velinov, Aleksandra Mileva, Steffen Wendzel, and Wojciech Mazurczyk, Covert channels in MQTT-based internet of things, ACCESS, vol. 7, 2019, pp. 161 899–161 915.
Wojciech Mazurczyk and Krzysztof Szczypiorski, Covert Channels in SIP for VoIP signalling, Springer, 2008, pp. 65–72.
Craig H. Rowland, Covert channels in the TCP/IP protocol suite, First Monday, vol. 2, no. 5, May 1997.
Joanna Rutkowska, The implementation of passive covert channels in the Linux kernel, 2004, speech held at the 21st Chaos Communication Congress, Berlin, Germany.
Norka B. Lucena, James Pease, Payman Yadollahpour, and Steve J. Chapin, Syntax and semantics-preserving application-layer protocol steganography, in Proceedings of 6th Information Hiding Workshop, May 2004.
Tobias Schmidbauer, Steffen Wendzel, and Jörg Keller, Challenging channels: Encrypted covert channels within challenge-response authentication, in Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES), 2022, in press.
John Giffin, Rachel Greenstadt, Peter Litwack, and Richard Tibbetts, Covert messaging through TCP timestamps, in Proc. 2nd International Conference on Privacy Enhancing Technologies. Springer, 2003, pp. 194–208.
Reshad Patuck and Julio Hernandez-Castro, Steganography using the extensible messaging and presence protocol (XMPP), CoRR, vol. abs/1310.0524, 2013.
Giuseppe Bernieri, Stefano Cecconello, Mauro Conti, and Gianluca Lain, TAMBUS: A novel authentication method through covert channels for securing industrial networks, Computer Networks, vol. 183, 2020, p. 107583.
Alex Dyatlov and Simon Castro, Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the HTTP protocol, Gray-World.net, Tech. Rep., 2005.
Wojciech Mazurczyk, Steffen Wendzel, and Krzysztof Cabaj, Towards deriving insights into data hiding methods using pattern-based approach, in Proc. Second International Workshop on Criminal Use of Information Hiding (CUING 2018), part of Proc. ARES’18. ACM, 2018, pp. 10:1–10:10.
Wojciech Mazurczyk, Paweł Szaga, and Krzysztof Szczypiorski, [Using transcoding for hidden communication in IP telephony](https://link.springer.com/article/10.1007/s11042-012-1224-8), Multimedia Tools Appl., vol. 70, no. 3, 2014, pp. 2139–2165.
Sabine S. Schmidt, Wojciech Mazurczyk, Jörg Keller, and Luca Caviglione, A new data-hiding approach for IP telephony applications with silence suppression, in Proceedings of the 12th International Conference on Availability, Reliability and Security, 2017, pp. 1–6.
Bartosz Jankowski, Wojciech Mazurczyk, and Krzysztof Szczypiorski, PadSteg: Introducing inter-protocol steganography, Telecommunication Systems, vol. 52, no. 2, 2013, pp. 1101–1111.
Christian Kraetzer, Jana Dittmann, Andreas Lang, and Tobias Kuehne, WLAN steganography: A first practical review, in Proc. 8th Workshop on Multimedia and Security (MMSEC’06), 2006, pp. 17–22.
Sebastian Zillien and Steffen Wendzel, Detection of covert channels in TCP retransmissions, in Secure IT Systems, N. Gruschka, Ed. Cham: Springer International Publishing, 2018, pp. 203–218.
Wojciech Mazurczyk, Milosz Smolarczyk, and Krzysztof Szczypiorski, Retransmission steganography and its detection, Soft Computing, vol. 15, no. 3, 2011, pp. 505–515.
Wojciech Mazurczyk and Krzysztof Szczypiorski, Evaluation of steganographic methods for oversized IP packets, Telecommunication Systems, vol. 49, no. 2, 2012, pp. 207–217.
Xin-guang Zou, Qiong Li, Sheng-He Sun, and Xiamu Niu, [The research on information hiding based on command sequence of FTP protocol](https://link.springer.com/chapter/10.1007/11553939_151), in Proc. 9th Int. Conf. on Knowledge-Based Intelligent Information and Engineering Systems (KES 2005), Part III, ser. LNCS, vol. 3683. Springer Berlin Heidelberg, 2005, pp. 1079–1085.
Abe Getchell, Re: For those interested in covert channels, 2008, a posting on the securityfocus penetration testing mailinglist.
Serdar Cabuk, Carla E. Brodley, and Clay Shields, IP covert timing channels: design and detection, in Proceedings of the 11th ACM conference on Computer and communications security, ser. CCS ’04. New York, NY, USA: ACM, 2004, pp. 178–187.
Serdar Cabuk, Carla E. Brodley, and Clay Shields, IP covert channel detection, ACM Transactions on Information and System Security (TISSEC), vol. 12, no. 4, April 2009, pp. 22:1–22:29.
Gaurav Shah, Andres Molina, and Matt Blaze, Keyboards and covert channels, in Proc. 15th USENIX Security Symposium. USENIX Association, 2006, pp. 59–75.
Steven Gianvecchio, Haining Wang, Duminda Wijesekera, and Sushil Jajodia, Model-based covert timing channels: Automated modeling and evasion, in Proceedings of Recent Advances in Intrusion Detection (RAID) Symposium, September 2008.
Sebastian Zander, Grenville J. Armitage, and Philip Branch, Stealthier inter-packet timing covert channels, in IFIP Networking. Springer Berlin Heidelberg, May 2011, pp. 458–470.