Please note that the following content is extracted from our paper that can be cited as follows:

  • S. Wendzel, L. Caviglione, W. Mazurczyk, A. Mileva, J. Dittmann, C. Krätzer, K. Lamshöft, C. Vielhauer, L. Hartmann, J. Keller, T. Neubert, S. Zillien (2022): A Generic Taxonomy for Steganography Methods, pre-print, 2022.

On this page, we first summarize the generic taxonomy. Afterwards, we explain the sub-taxonomy on network steganography. All other sub-taxonomies (as well as additional details on the network steganography sub-taxonomy) can be found in the paper.

Graph

Embedding Hiding Patterns

General Domain Specific Example: Network Steganography
E1. State/Value Modulation E1n1. State/Value Modulation
 E1.1. Reserved/Unused State/Value Modulation E1.1n1. Reserved/Unused State/Value Modulation
 E1.2. Random State/Value Modulation E1.2n1. Random State/Value Modulation
 E1.3. LSB State/Value Modulation E1.3n1. LSB State/Value Modulation
 E1.4. Character State/Value Modulation E1.4n1. Character State/Value Modulation
 E1.5. Redundancy State/Value Modulation E1.5n1. Redundancy State/Value Modulation
E2. Element Occurrence E2n1. Element Occurrence
 E2.1. Element Enumeration E2.1n1. Element Enumeration
 E2.2. Element Positioning E2.2n1. Element Positioning
Domain Pattern Sub-Pattern
General EX EXn1
Network EXn1 EX.Xn1
Digital Media EXd1 EX.Xd1
Text EXt1 EX.Xt1
CPS EXc1 EX.Xc1
Filesystem EXf1 EX.Xf1

Representation Hiding Patterns

General Domain Specific Example: Network Steganography
R1. State/Value Modulation R1n1. State/Value Modulation
 R1.1. Reserved/Unused State/Value Modulation R1.1n1. Reserved/Unused State/Value Modulation
 R1.2. Random State/Value Modulation R1.2n1. Random State/Value Modulation
 R1.3. LSB State/Value Modulation R1.3n1. LSB State/Value Modulation
 R1.4. Character State/Value Modulation R1.4n1. Character State/Value Modulation
 R1.5. Redundancy State/Value Modulation R1.5n1. Redundancy State/Value Modulation
R2. Element Occurrence R2n1. Element Occurrence
 R2.1. Element Enumeration R2.1n1. Element Enumeration
 R2.2. Element Positioning R2.2n1. Element Positioning
Domain Pattern Sub-Pattern
General RX RXn1
Network RXn1 RX.Xn1
Digital Media RXd1 RX.Xd1
Text RXt1 RX.Xt1
CPS RXc1 RX.Xc1
Filesystem RXf1 RX.Xf1

Embedding Patterns for Network Steganography

E1n1. Network State/Value Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Value Modulation pattern from Wendzel et al., 2015.
Illustration The covert message is embedded by modulating the state or value of a network element, such as a frame, packet, header element, payload field etc.
Original network steganography patterns PS11. Value Modulation (including all sub-patterns) and PS31. User-data Value Modulation, and partially: PT11. Message Ordering (only the aspect of modulating sequence numbers) and PT15. Artificial Reconnections/PT16. Artificial Resets (in both cases, some header fields, such as RST flags, must be modulated). Additionally: multiple patterns to cover E1n1’s sub-patterns (see particular descriptions below).
Examples 1) changing values of the network packet header fields (e.g., target IP address of ARP Ji et al., 2010; 2) Hop Count value in IPv6 Lucena et al., 2005 or the LSB in the IPv4 TTL).
Implementation  

Pattern Collection

E1.1n1. Network Reserved/Unused State/Value Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Reserved/Unused pattern from Wendzel et al., 2015.
Illustration The covert message is embedded by modulating reserved/unused states/values of network elements.
Original network steganography patterns PS12. Reserved/Unused and, parts of PS3. Redundancy, parts of PS30. Modify Redundancy, as well as parts of PS31. User-data Value Modulation and Reserved/Unused.
Examples 1) ten examples for the original Reserved/Unused pattern are surveyed in Wendzel et al., 2015, showing that unused/reserved fields in IEEE 802.3 and 802.5 Handel et al., 1996, Wolf, 1989, Jankowski et al., 2010, IPv4 Handel et al., 1996, IP-IP, IPv6 Lucena et al., 2005, TCP Handel et al., 1996, Sadeghi et al., 2012, ICMP Stødle, 2009, daemon9, 1997, BACnet Wendzel et al., 2012, DHCP Rios et al., 2012, and IPSec Sadeghi et al., 2012 can be exploited by overwriting certain header fields, such as the IP Identifier. Moreover, additional and recent works have shown that more protocols are vulnerable due to their unused/reserved fields, such as 2) MQTT Velinov et al., 2019 and 3) SIP Mazurczyk and Szczypiorski, 2008.
Implementation  

Pattern Collection

E1.2n1. Network Random State/Value Modulation

Initial publication Wendzel et al., 2021, A Revised Taxonomy of Steganography Embedding Patterns; generalized version of the Random (Value) Modulation pattern from Wendzel et al., 2015.
Illustration A (pseudo-)random value or state of/in the network data is replaced with a secret message (that is also following a pseudo-random appearance).
Original network steganography patterns PS10. Random Value and PS33. User-data Random Value Modulation.
Examples 1) Wendzel et al., 2015 already mentions some examples, such as the utilization of the pseudo-random IP Identifier field Rowland, 1997, the TCP ISN Rowland, 1997, Rutkowska, 2004, the DHCP xid field Rios et al., 2012 and the SSH MAC field Lucena et al., 2004. Additional examples can be found in 2) cryptographic protocols that use nonces during the challenge-response process Schmidbauer et al., 2022 as well as in 3) IoT protocols with random value fields, such as MQTT Velinov et al., 2019.
Implementation  

Pattern Collection

E1.3n1. Network LSB State/Value Modulation

Initial publication  
Illustration The LSB of network elements are modulated.
Original network steganography patterns PS11.b. LSB Modulation.
Examples 1) Wendzel et al., 2015 provides several examples, such as the modulation of the LSBs in the IPv6 Hop Limit field Lucena et al., 2005, IPv4 TTL field, modulation of the IP timestamp option’s LSB Handel et al., 1996, TCP timestamp option Giffin et al., 2003, DHCP’s LSB of the secs field Rios et al., 2012, the BACnet hop count field, or the XMPP id attributes LSB Patuck and Hernandez-Castro, 2013. 2) Recent work has applied the LSB method to the Modbus protocol Bernieri et al., 2020.
Implementation  

Pattern Collection

E1.4n1. Network Character State/Value Modulation

Initial publication  
Illustration The features of characters in network elements are modulated.
Original network steganography patterns PS11.a. Case Modulation.
Examples 1) case modulation of characters in HTTP headers Dyatlov and Castro, 2005. This method can also be applied to several other textual protocols, such as SMTP, IMAP, POP3, NNTP etc.
Implementation  

Pattern Collection

E1.5n1. Network Redundancy State/Value Modulation

Initial publication  
Illustration The redundancy of a network element’s content is modulated (this is usually applied by a succeeding pattern that fills the gained space with covert data), e.g., by means of compression.
Original network steganography patterns Part of PS30. Modify Redundancy.
Examples three examples of Mazurczyk et al., 2018 can be adjusted in their formulation to reflect this pattern: 1) compression of existing payload (gained space can be used by E1.1n1. Reserved/Unused State/Value Modulation afterwards) Mazurczyk et al., 2014; 2) transformation of the VAD-enabled IP telephony voice stream into a non-VAD one and fill the gaps using artificially generated RTP packets containing secret data by applying another pattern Schmidt et al., 2017; 3) approximation of the F0 parameter of the Speex codec which carries information about the pitch of the speech signal (again, the saved space can then be used by another pattern) Jankowski et al., 2013.
Implementation  

Pattern Collection

E2n1. Network Element Occurrence

Initial publication  
Illustration The covert message is encoded in the spatial or temporal location of elements, which can also, e.g., influence the rate or overall number of packets appearing in a flow (succeeding messages occur shortly or long after previous ones).
Original network steganography patterns PT10. Artificial Loss and PT12. Retransmission as well as multiple patterns to cover E2n1’s sub-patterns (see particular descriptions below).
Examples 1) sending a specific frame or packet multiple times (retransmission) as done in case of IEEE 802.11 Kraetzer et al., 2006 or TCP Zillien and Wendzel, 2018; 2) performing a high number of frame transmissions (e.g., so that their occurrences influence the rate/throughput of a network link Li et al., 2011); 3) selecting one out of multiple possible IPv4 option headers to appear; 4) dropping TCP segments with an even sequence number (artificial loss, i.e., non-occurrence or occurrence of all other elements of a flow, except the dropped ones), 5) not acknowledging TCP packets Mazurczyk et al., 2011 (again a form of non-occurrence).
Implementation  

Pattern Collection

E2.1n1. Network Element Enumeration

Initial publication  
Illustration An attribute describing the quantity of network sub-elements is modulated. This pattern also applies if sub-elements are added to a network element to increase its overall size (e.g., by adding more sub-elements to the payload in network packets).
Original network steganography patterns PT2. Message Sequence Timing, PT12. Retransmission, PS1. Size Modulation, PS2.b. Number of Elements, PS20. Payload Field Size Modulation, as well as parts of PS3. Add Redundancy and PS32. User-data Sequence Modulation.
Examples 1) fragmenting a network packet into either n or m (n≠m) fragments Mazurczyk and Szczypiorski, 2012; 2) letting network packets or commands occur just once or multiple times (e.g., artificial TCP segment or FTP command re-transmissions) Zillien and Wendzel, 2018, Zou et al., 2005; 3) Encoding secret information through the number of IPv6 extension headers or IPv4 option headers; 4) creating additional (unused) space in network packets, such as adding an “unused” IPv6 destination option Graf, 2003 (a variant of the former PS1. Size Modulation) or integration of additional SMTP header lines Getchell, 2008; 5) modulating the number of DHCP options Rios et al., 2012.
Implementation  

Pattern Collection

E2.2n1. Network Element Positioning

Initial publication  
Illustration The covert message is embedded by inserting or changing the temporal/spatial position of a network element (this temporal/spatial position might be described through a virtual element).
Original network steganography patterns PT1. Inter-packet Times, PT3. Rate/Throughput, PT13. Frame Collisions, PS2. Sequence, PS2.a. Position, as well as parts of PT11. Message Ordering and PT15./PT16. Artificial Reconnections/Resets.
Examples 1) a specific packet sent at some certain point in time in a flow (temporal positioning); 2) modulating the position of an existing TCP segment in a TCP stream; 3) position of a specific IPv4 option in the list of options Wendzel et al., 2015 as well as the sequence of multiple IPv4 options in the list of options Wendzel et al., 2015, the order of DHCP options Rios et al., 2012 or the order of HTTP header lines Dyatlov and Castro, 2005 or FTP commands Zou et al., 2005 (each element is positioned individually, but overall, they form a sequence); 4) influencing the inter-arrival time of packets by positioning individual packets Cabuk et al., 2004, Cabuk et al., 2009, Shah et al., 2006, Gianvecchio et al., 2008, Zander et al., 2011 (this can also be done to influence the throughput of a connection, e.g., for a switch Li et al., 2011 or a serial communication port Handel et al., 1996).
Implementation  

Pattern Collection

Representation Patterns for Network Steganography

R1n1. Network State/Value Modulation

(derived from E1n1.)

Pattern Collection

R1.1n1. Network Reserved/Unused State/Value Modulation

(derived from E1.1n1.)

Pattern Collection

R1.2n1. Network Random State/Value Modulation

(derived from E1.2n1.)

Pattern Collection

R1.3n1. Network LSB State/Value Modulation

(derived from E1.3n1.)

Pattern Collection

R1.4n1. Network Character State/Value Modulation

(derived from E1.4n1.)

Pattern Collection

R1.5n1. Network Redundancy State/Value Modulation

(derived from E1.5n1.)

Pattern Collection

R2n1. Element Occurrence

(derived from E2n1.)

Pattern Collection

R2.1n1. Element Enumeration

(derived from E2.1n1.)

Pattern Collection

R2.2n1. Element Positioning

(derived from E2.2n1.)

Pattern Collection


Bibliography:

Steffen Wendzel, Sebastian Zander, Bernhard Fechner, and Christian Herdin: Pattern-based Survey and Categorization of Network Covert Channels, ACM Comp. Surv., 2015.

Liping Ji, Yu Fan, and Chuan Ma: Covert channel for local area network, 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, pages 316-319, 2010.

Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin: Covert channels in IPv6, International Workshop on Privacy Enhancing Technologies, Springer, pages 147-166. 2005.

Theodore G. Handel and Maxwell T. Sandford II, Hiding data in the OSI network model, in Proceedings of the 1st International Workshop on Information Hiding, 1996, pp. 23–38.

Manfred Wolf, Covert channels in LAN protocols, in Proc. Local Area Network Security, ser. LNCS. Springer, 1989, vol. 396, pp. 89–101.

Bartosz Jankowski, Wojciech Mazurczyk, and Krzysztof Szczypiorski, Information hiding using improper frame padding, eprint arXiv:1005.1925, 2010.

Ahmad-Reza Sadeghi, Steffen Schulz, and Vijay Varadharajan, The silence of the lans: Efficient leakage resilience for IPsec VPNs, in Computer Security – ESORICS 2012, ser. LNCS, vol. 7459. Springer Berlin Heidelberg, 2012, pp. 253–270.

Daniel Stødle, Ping tunnel – for those times when everything else is blocked, 2009.

daemon9, LOKI2 (the implementation), Phrack Magazine, vol. 7, no. 51, 1997.

Steffen Wendzel, Benjamin Kahler, and Thomas Rist, Covert channels and their prevention in building automation protocols: A prototype exemplified using BACnet, in Proc. 2012 Int. Conf. Green Computing and Communications (GreenCom). IEEE, 2012, pp. 731–736.

Ruben Rios, Jose A. Onieva, and Javier Lopez, HIDE DHCP: Covert communications through network configuration messages, in Proc. IFIP TC 11 27th International Information Security Conference. Springer, 2012.

Aleksandar Velinov, Aleksandra Mileva, Steffen Wendzel, and Wojciech Mazurczyk, Covert channels in MQTT-based internet of things, ACCESS, vol. 7, 2019, pp. 161 899–161 915.

Wojciech Mazurczyk and Krzysztof Szczypiorski, Covert Channels in SIP for VoIP signalling, Springer, 2008, pp. 65–72.

Craig H. Rowland, Covert channels in the TCP/IP protocol suite, First Monday, vol. 2, no. 5, May 1997.

Joanna Rutkowska, The implementation of passive covert channels in the Linux kernel, 2004, speech held at the 21st Chaos Communication Congress, Berlin, Germany.

Norka B. Lucena, James Pease, Payman Yadollahpour, and Steve J. Chapin, Syntax and semantics-preserving application-layer protocol steganography, in Proceedings of 6th Information Hiding Workshop, May 2004.

Tobias Schmidbauer, Steffen Wendzel, and Jörg Keller, “Challenging channels: Encrypted covert channels within challenge-response authentication,” in Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES), 2022, in press.

John Giffin, Rachel Greenstadt, Peter Litwack, and Richard Tibbetts, Covert messaging through TCP timestamps, in Proc. 2nd International Conference on Privacy Enhancing Technologies. Springer, 2003, pp. 194–208.

Reshad Patuck and Julio Hernandez-Castro, Steganography using the extensible messaging and presence protocol (XMPP), CoRR, vol. abs/1310.0524, 2013.

Giuseppe Bernieri, Stefano Cecconello, Mauro Conti, and Gianluca Lain, TAMBUS: A novel authentication method through covert channels for securing industrial networks, Computer Networks, vol. 183, 2020, p. 107583.

Alex Dyatlov and Simon Castro, “Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the HTTP protocol”, Gray-World.net, Tech. Rep., 2005.

Wojciech Mazurczyk, Steffen Wendzel, and Krzysztof Cabaj, Towards deriving insights into data hiding methods using pattern-based approach, in Proc. Second International Workshop on Criminal Use of Information Hiding (CUING 2018), part of Proc. ARES’18. ACM, 2018, pp. 10:1–10:10.

Wojciech Mazurczyk, Paweł Szaga, and Krzysztof Szczypiorski, [Using transcoding for hidden communication in IP telephony],(https://link.springer.com/article/10.1007/s11042-012-1224-8), Multimedia Tools Appl., vol. 70, no. 3, 2014, pp. 2139–2165.

Sabine S. Schmidt, Wojciech Mazurczyk, Jörg Keller, and Luca Caviglione, A new data-hiding approach for IP telephony applications with silence suppression, in Proceedings of the 12th International Conference on Availability, Reliability and Security, 2017, pp. 1–6.

Bartosz Jankowski, Wojciech Mazurczyk, and Krzysztof Szczypiorski,PadSteg: Introducing inter-protocol steganography, Telecommunication Systems, vol. 52, no. 2, 2013, pp. 1101–1111.

Christian Kraetzer, Jana Dittmann, Andreas Lang, and Tobias Kuehne, WLAN steganography: A first practical review, in Proc. 8th Workshop on Multimedia and Security (MMSEC’06), 2006, pp. 17–22.

Sebastian Zillien and Steffen Wendzel, Detection of covert channels in TCP retransmissions, in Secure IT Systems, N. Gruschka, Ed. Cham: Springer International Publishing, 2018, pp. 203–218.

X. Li, Y. Zhang, F. Chong, and B. Zhao, “A covert channel analysis of a real switch,” Dep. of Computer Science, University of California, Santa Barbara, Tech. Rep., 2011.

Wojciech Mazurczyk, Milosz Smolarczyk, and Krzysztof Szczypiorski, Retransmission steganography and its detection, Soft Computing, vol. 15, no. 3, 2011, pp. 505–515.

Wojciech Mazurczyk and Krzysztof Szczypiorski, Evaluation of steganographic methods for oversized IP packets, Telecommunication Systems, vol. 49, no. 2, 2012, pp. 207–217.

Xin-guang Zou, Qiong Li, Sheng-He Sun, and Xiamu Niu, [The research on information hiding based on command sequence of FTP protocol],(https://link.springer.com/chapter/10.1007/11553939_151), in Proc. 9th Int. Conf. on Knowledge-Based Intelligent Information and Engineering Systems (KES 2005), Part III, ser. LNCS, vol. 3683. Springer Berlin Heidelberg, 2005, pp. 1079–1085.

Abe Getchell, Re: For those interested in covert channels, 2008, a posting on the securityfocus penetration testing mailinglist.

Thomas Graf, “Messaging over IPv6 destination options,” 2003, swiss Unix User Group.

Serdar Cabuk, Carla E. Brodley, and Clay Shields, IP covert timing channels: design and detection, in Proceedings of the 11th ACM conference on Computer and communications security, ser. CCS ’04. New York, NY, USA: ACM, 2004, pp. 178–187.

Serdar Cabuk, Carla E. Brodley, and Clay Shields, IP covert channel detection, ACM Transactions on Information and System Security (TISSEC), vol. 12, no. 4, April 2009, pp. 22:1–22:29.

Gaurav Shah, Andres Molina, and Matt Blaze, Keyboards and covert channels, in Proc. 15th USENIX Security Symposium. USENIX Association, 2006, pp. 59–75.

Steven Gianvecchio, Haining Wang, Duminda Wijesekera, and Sushil Jajodia, Model-based covert timing channels: Automated modeling and evasion, in Proceedings of Recent Advances in Intrusion Detection (RAID) Symposium, September 2008.

Sebastian Zander, Grenville J. Armitage, and Philip Branch, Stealthier inter-packet timing covert channels, in IFIP Networking. Springer Berlin Heidelberg, May 2011, pp. 458–470.