IEEE Press
445 Hoes Lane
Piscataway, NJ 08854
IEEE Press Editorial Board
Tariq Samad, Editor in Chief
George W. Arnold | Xiaoou Li | Ray Perez |
Giancarlo Fortino | Vladimir Lumelsky | Linda Shafer |
Dmitry Goldgof | Pui-In Mak | Zidong Wang |
Ekram Hossain | Jeffrey Nanzer | MengChu Zhou |
Kenneth Moore, Director of IEEE Book and Information Services (BIS)
Copyright © 2016 by The Institute of Electrical and Electronics Engineers, Inc.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. All rights reserved
Published simultaneously in Canada.
Library of Congress Cataloging-in-Publication Data is available.
ISBN: 978-1-118-86169-1
Wojciech Mazurczyk would like to dedicate this book to his wife Magdalena and sons Bartek and Tomek.
Steffen Wendzel would like to dedicate this book to Mali.
Sebastian Zander would like to dedicate this book to Wunna, Lara, and Lukas.
Amir Houmansadr would like to dedicate this book to the memory of his grandmother Fatemeh.
Krzysztof Szczypiorski would like to dedicate this book to the memory of his father Jan Szczypiorski.
Steganography—the art and science of concealed communication—can be traced back to antiquity. Secret messages written in invisible ink, printed in microdots, or hidden in innocuous hand-crafted images form the history of this exciting field. Systematic research in steganography only began in the late 1990s and early 2000s. Much of this early research focused on hiding data in multimedia content such as digital images, video streams, or audio data and was driven by the quest to protect copyright. At the same time, steganography was seen as a versatile tool to mitigate governmental bans on the use of cryptography. The research performed in these decades gave us a fair understanding of the possibilities and limits of data hiding.
The new hotspot of the field is network steganography. In contrast to many previous approaches that predominantly targeted multimedia data, network steganography attempts to conceal secret messages directly in network streams. It turns out that the ever-increasing volume of Internet traffic provides a perfect cover for steganographic communication. For example, one can utilize unused bits in network protocols to send covert information or change order and timing of network packets to encode supplementary data.
Network steganography has the potential to circumvent oppressive government surveillance by providing means to communicate “under the radar” of current network monitoring tools. Steganographic techniques can also avoid censorship by concealing the ultimate goal of a communication channel. Furthermore, techniques similar to those employed in network steganography make it possible to obfuscate the type of traffic or to watermark network flows. The goal of the former is to conceal the true purpose of a communication channel, while the latter attempts to trace traffic even if it flows through several networked devices. On the downside, network steganography may be used by attackers to efficiently exfiltrate secrets from highly protected computers or by botnets to set up covert control channels; flow watermarking has the potential to break anonymization tools.
Research in network steganography and related disciplines will give us a good insight into the opportunities and risks of this novel technology, which we just started to explore in detail. We learned that simple steganographic schemes that substitute parts of an ongoing communication with secrets are usually detectable, as they introduce unnatural patterns in data streams. This created opportunities to develop specially crafted steganalytic algorithms that discriminate innocuous from steganographic communication, which in turn led to the development of better steganographic tools. This “cat-and-mouse” game between the steganographer and the steganalyst is likely to continue in the near future. The same holds for traffic obfuscation: schemes optimized to mimic a certain distribution of packets will likely be broken with higher order statistics.
I am therefore delighted to see the first comprehensive book on network steganography and related technologies, which I expect will be the standard reference on the subject. I hope that this book will inspire many researchers to explore this exciting discipline of network security—and that it boosts the “cat-and-mouse” game between steganographers and steganalysts, which is vital to move our field forward.
Stefan Katzenbeisser
Information hiding techniques have their roots in nature, and they have been utilized by humankind for ages. The methods have evolved throughout the ages, but the aims remained the same: hiding secret information to protect it from untrusted parties or to enable covert communication. The latter purpose has grown in importance with the introduction of communication networks where many new possibilities of data hiding emerged.
Information hiding can be utilized for both benign and malicious purposes. Currently, the rising trend among Black Hats is to equip malware with covert communication capabilities for increased stealthiness. On the other hand, covert channels are also becoming increasingly useful for circumventing censorship in oppressive regimes. The complexity and richness of continuously appearing new services and protocols guarantee that there will be a lot of new opportunities to hide secret data. A problematic aspect in this regard is the lack of effective and universal countermeasures that can be applied in practice against increasingly sophisticated information hiding techniques (especially when used for malicious purposes).
Security, censorship, and blocking are on the rise in the Internet. Hence, where covert communication techniques seemed like overkill some time ago, they may become very attractive in the future. Therefore, we expect that in the future, information hiding methods for communication networks will see more widespread use than today, and they will continue to become more sophisticated and harder to detect. It must be emphasized that the threat posed by information hiding techniques can potentially affect every Internet user, since even innocent users' network traffic can be utilized for covert communication purposes (without their explicit knowledge). This will raise legal and ethical issues similar to those we are currently experiencing with botnets.
We decided to write this book because there was no reference book available that covers all aspects of information hiding for communication networks, from the history, through the hiding techniques, to the countermeasures. We formed a team of authors, each with significant expertise in certain areas of the overall topic, who contributed equally to the book. As a group, we were able to put together a comprehensive description of the current state of the art of information hiding in communication networks, including the important issues, challenges, emerging trends, and applications.
This book is intended to be utilized mainly as a reference book to teach courses like information hiding, or as a part of network security or other security-related courses. The target audience of the book is graduate students, academics, professionals, and researchers working in the fields of security, networking, and communications. However, the first few chapters of this book are written so that non-expert readers will be able to easily grasp some of the fundamental concepts in this area.
The book is divided into eight chapters that cover the most important aspects of information hiding techniques for communication networks. The last chapter concludes this book.
Chapter 1 is written mostly in a tutorial style so that even a general reader will be able to easily grasp the basic concepts of information hiding, their evolution throughout history, and their importance especially when utilized in networking environments. It also contains many examples of applications of modern information hiding for criminal and legitimate purposes, and it highlights current development trends and potential future directions.
Chapter 2 discusses the existing terminology and its evolution in the information hiding field. It introduces a new classification of data hiding techniques; however, our new classification builds on existing concepts. The chapter then introduces the two main subfields: network steganography and traffic type obfuscation methods. The chapter concludes with a description of the model for hidden communication and related communication scenarios. It also highlights potential countermeasures.
Chapter 3 describes in detail different flavors of network steganography. Three main types of techniques are distinguished and then characterized: hiding information in protocol modifications, in the timing of network protocols, and hybrid methods.
Chapter 4 introduces techniques that improve the resiliency and undetectability of network steganography methods. These techniques are usually implemented by so-called control protocols. The chapter discusses their features, highlights the design of known control protocols, and discusses control protocol-specific engineering methods.
Chapter 5 concentrates on traffic type obfuscation techniques that make it possible to hide the type of the network traffic exchanged between two (or multiple) network entities, that is, the underlying network protocol. Typical applications of these methods are twofold: blocking resistance or privacy protection. The chapter presents a classification of traffic type obfuscation techniques and covers the most important of these techniques in detail.
Chapter 6 focuses on network flow watermarking. Network flow watermarking manipulates the traffic patterns of a network flow, for example, the packet timings or packet sizes, in order to inject an artificial signal into that network flow—a watermark. This watermark is primarily used for linking network flows in application scenarios where packet contents are stripped of all linking information.
Chapter 7 presents the most recent examples and applications of information hiding in communication networks with a focus on current covert communication methods for popular Internet services. This includes hiding information in virtual worlds (e.g., multiplayer online games), IP telephony, wireless networks and modern mobile devices, and P2P networks and their global services like BitTorrent and Skype. Additionally, we discuss potential steganographic methods for social networks and the Internet of Things (e.g., building automation systems).
Chapter 8 discusses potential countermeasures against network steganography. The chapter describes different types of techniques that lead to the detection, prevention, and limitation of hidden communication.
Chapter 9 concludes the book.
Wojciech Mazurczyk
Steffen Wendzel
Sebastian Zander
Amir Houmansadr
Krzysztof Szczypiorski
Wojciech Mazurczyk would like to thank his family for their love, encouragement, and continuous support. He is also grateful to all colleagues and co-workers with whom it was an honor to collaborate and who have contributed to the research presented in this book.
Steffen Wendzel would like to thank all his co-authors of the last years and Jaspreet Kaur for her contribution of aspects on countermeasures against steganographic control protocols.
Sebastian Zander would like to thank Grenville Armitage, Philip Branch, and Steven Murdoch for the fruitful collaborations and their contributions to some of the research presented in this book. Sebastian would also like to thank his family for their constant encouragement and support.
Amir Houmansadr would like to thank his wife, Saloumeh, for her immense support, his son, Ilya, for bringing joy to their lives, and the rest of his family for their love. He would also like to thank all of his collaborators who have contributed to the research presented in this book, including Nikita Borisov, Negar Kiyavash, and Vitaly Shmatikov.
Krzysztof Szczypiorski would like to thank Wojciech Mazurczyk, Józef Lubacz, Piotr Białczak, Krzysztof Cabaj, Roman Dygnarowicz, Wojciech Frączek, Iwona Grabska, Szymon Grabski, Marcin Gregorczyk, Bartosz Jankowski, Artur Janicki, Maciej Karaś, Bartosz Lipiński, Piotr Kopiczko, Paweł Radziszewski, Elżbieta Rzeszutko, Miłosz Smolarczyk, Paweł Szaga, and Piotr Szafran for fruitful cooperation in the area of network steganography in the last 12 years.
AAL | Ambient Assisted Living |
AH | Authentication Header |
AODV | Ad Hoc On-Demand Distance Vector |
API | Application Programming Interface |
APT | Advanced Persistent Threat |
ARQ | Automatic Repeat Request |
BACnet | Building Automation and Control Networking Protocol |
BYOD | Bring Your Own Device |
C&C | Command and Control |
CCE | Corrected Conditional Entropy |
CCN | Content-Centric Networks |
CE | Conditional Entropy |
CFG | Context-Free Grammar |
CFT | Covert Flow Tree |
CFTP | Covert File Transfer Protocol |
CRC | Cyclic Redundancy Check |
CSLIP | Compressed Serial Line Interface Protocol |
CSMA/CD | Carrier Sense Multiple Access/Collision Detection |
CT | Covert Transmission |
CTS | Clear to Send |
DCT | Discrete Cosine Transform |
DDC | Direct Digital Control |
DF | Don't Fragment |
DHCP | Dynamic Host Configuration Protocol |
DHT | Deep Hiding Techniques |
DHT | Distributed Hash Table |
DLP | Data Leakage Protection |
DNS | Domain Name System |
DoD | Department of Defense |
DPI | Deep-Packet Inspection |
DRM | Digital Rights Management |
DSP | Digital Signal Processor |
DSSS | Direct Sequence Spread Spectrum |
DTS | Direct Target Sampling |
DWT | Discrete Wavelet Transform |
ECG | Electrocardiogram |
ESP | Encapsulated Security Payload |
FCFS | First Come First Serve |
FCS | Frame Check Sequence |
FPE | Format-Preserving Encryption |
FPGA | Field-Programmable Gate Array |
FPSCC | FPS Covert Channel |
FPS | First Person Shooter |
FR/R | Fast Retransmit and Recovery |
FTE | Format Transforming Encryption |
FTP | File Transfer Protocol |
GMM | Gaussian Mixture Models |
GPS | Global Positioning System |
GUI | Graphical User Interfaces |
HTML | HyperText Markup Language |
ICMP | Internet Control Message Protocol |
ICS | Industrial Control System |
IH | Information Hiding |
IoT | Internet of Things |
IP | Internet Protocol, version 4 (also IPv4) |
IPD | Interpacket Delay |
IPS | Inter Protocol Steganography or Intrusion Prevention System |
IPSec | IP Security |
IPv6 | Internet Protocol, version 6 |
IRC | Internet Relay Chat |
ISN | Initial Sequence Number |
ISO | International Organization for Standardization |
ISP | Internet Service Provider |
JPEG | Joint Photographic Experts Group |
LACK | Lost Audio Steganography |
LAN | Local Area Network |
LSB | Least Significant Bit |
LTE | Long-Term Evolution |
MAC | Medium Access Control |
MFCC | Mel-Frequency Cepstral Coefficients |
MITM | Man-in-the-Middle |
ML | Machine Learning |
MLS | Multilevel Security |
MOS | Mean Opinion Score |
MPEG | Motion Picture Experts Group |
MSE | Mean Squared Error |
MS/TP | Master–Slave/Token Passing |
MTU | Maximum Transmission Unit |
NAAW | Network-Aware Active Warden |
NAT | Network Address Translation |
NEL | Network Environment Learning |
NOOP | No Operation |
NTP | Network Time Protocol |
OFDM | Orthogonal Frequency-Division Multiplexing |
OLSR | Optimized Link-State Routing |
ON | Ordinary Nodes |
OS | Operating System |
OSI | Open Systems Interconnection |
OSN | Online Social Network |
OT | Overt Transmission |
P2P | Peer to Peer |
PC | Protocol Channel |
PCAW | Protocol Channel-Aware Active Warden |
PDF | Portable Document Format |
PDU | Protocol Data Unit |
PEX | Peer Exchange |
PHCC | Protocol Hopping Covert Channel |
PLC | Packet Loss Concealment |
PLL | Phase Lock Loop |
PLPMTUD | Packetization Layer Path MTU Discovery |
PMTUD | Path MTU Discovery |
PSCC | Protocol Switching Covert Channel |
PSDU | Physical Layer Service Data Unit |
PSNR | Peak Signal-to-Noise Ratio |
PT | Payload Type |
QoC | Quality of Covertness |
QoS | Quality of Service |
RFC | Request for Comments |
RSTEG | Retransmission Steganography |
RTCP | Real-Time Transport Control Protocol |
RTO | Retransmission Timeouts |
RTP | Real-Time Transport Protocol |
RTS | Request to Send |
RTT | Round-Trip Time |
SACK | Selective Acknowledgment |
SAFP | Store and Forward Protocol |
SBC | Session Border Controller |
SCCT | Smart Covert Channel Tool |
SCTP | Stream Control Transmission Protocol |
SDP | Session Description Protocol |
SGH | Steganogram Hopping |
SIP | Session Initiation Protocol |
SkyDe | Skype Hide |
SN | Super Nodes |
SOHO | Small Office Home Office |
SoM | Start of Message |
SR | Secret Receiver |
SRM | Shared Resource Matrix |
SS | Secret Sender |
SSH | Secure Shell |
SVM | Support Vector Machine |
TCP | Transmission Control Protocol |
TLS | Transport Layer Protocol |
ToS | Type of Service |
ToU | Type of Update |
TranSteg | Transcoding Steganography |
TrustMAS | Trusted Multiagent System |
TTL | Time to Live |
TTO | Traffic Type Obfuscation |
UDP | User Datagram Protocol |
UGS | Unsolicited Grant Service |
UMTS | Universal Mobile Telecommunications System |
USB | Universal Serial Bus |
VoIP | Voice over IP |
VPN | Virtual Private Network |
VSC | Virtual Sound Card |
WEP | Wired Equivalent Privacy |
WiMAX | Worldwide Interoperability for Microwave Access |
WiPad | Wireless Padding |
WLAN | Wireless Local Area Network |