Describes Information Hiding in communication networks, and highlights its important issues, challenges, trends, and applications.
* Highlights development trends and potential future directions of Information Hiding
* Introduces a new classification and taxonomy for modern data hiding techniques
* Presents different types of network steganography mechanisms
* Introduces several example applications of information hiding in communication networks including some recent covert communication techniques in popular Internet services
Page count: 542
Year of publication: 2016
Cover
Series Page
Title Page
Copyright
Dedication
List of Figures
List of Tables
Foreword
Preface
Acknowledgments
Acronyms
Chapter 1: Introduction
1.1 Information Hiding Inspired by Nature
1.2 Information Hiding Basics
1.3 Information Hiding Throughout the History
1.4 Evolution of Modern Information Hiding
1.5 Emerging Trends in Information Hiding
1.6 Applications of Information Hiding and Recent Use Cases
1.7 Countermeasures for Information Hiding Techniques
1.8 Potential Future Trends in Information Hiding
1.9 Summary
1.10 Organization of the Book
References
Chapter 2: Background Concepts, Definitions, and Classification
2.1 Classification of Information Hiding in Communication Networks
2.2 Evolution of Information Hiding Terminology
2.3 Network Steganography: Definitions, Classification and Characteristic Features
2.4 Traffic Type Obfuscation: Definitions, Classification and Characteristic Features
2.5 Hidden Communication Model and Communication Scenarios
2.6 Information Hiding Countermeasures Models
2.7 Summary
References
Chapter 3: Network Steganography
3.1 Hiding Information in Protocol Modifications
3.2 Hiding Information in the Timing of Protocol Messages
3.3 Hybrid Methods
3.4 Summary
References
Chapter 4: Control Protocols for Reliable Network Steganography
4.1 Steganographic Control Protocols
4.2 Deep Hiding Techniques
4.3 Control Protocol Engineering
4.5 Techniques for Timing Methods
4.6 Attacks on Control Protocols
4.7 Open Research Challenges for Control Protocols
4.8 Summary
References
Chapter 5: Traffic Type Obfuscation
5.1 Preliminaries
5.2 Classification Based on the Objective
5.3 Classification Based on the Implementation Domain
5.4 Countermeasures
5.5 Summary
References
Chapter 6: Network Flow Watermarking
6.1 Principles, Definitions, and Properties
6.2 Applications of Flow Watermarks
6.3 Example Flow Watermarking Systems
6.4 Watermarking Versus Fingerprinting
6.5 Challenges of Flow Watermarking
Summary
References
Chapter 7: Examples of Information Hiding Methods for Popular Internet Services
7.1 IP Telephony: Basics and Information Hiding Concepts
7.2 Information Hiding in Popular P2P Services
7.3 Information Hiding in Modern Mobile Devices
7.4 Information Hiding in New Network Protocols
7.5 Information Hiding Concepts for Wireless Networks
7.6 Multiplayer Games and Virtual Worlds
7.7 Social Networks
7.8 Internet of Things
7.9 Summary
References
Chapter 8: Network Steganography Countermeasures
8.1 Overview of Countermeasures
8.2 Identification and Prevention During Protocol Design
8.3 Elimination of Covert Channels
8.4 Limiting the Channel Capacity
8.5 General Detection Techniques and Metrics
8.6 Detection Techniques for Covert Channels
8.7 Future Work
8.8 Summary
References
Chapter 9: Closing Remarks
Glossary
Index
End User License Agreement
IEEE Press
445 Hoes Lane
Piscataway, NJ 08854
IEEE Press Editorial Board
Tariq Samad, Editor in Chief
George W. Arnold
Xiaoou Li
Ray Perez
Giancarlo Fortino
Vladimir Lumelsky
Linda Shafer
Dmitry Goldgof
Pui-In Mak
Zidong Wang
Ekram Hossain
Jeffrey Nanzer
MengChu Zhou
Kenneth Moore, Director of IEEE Book and Information Services (BIS)
Wojciech Mazurczyk
Steffen Wendzel
Sebastian Zander
Amir Houmansadr
Krzysztof Szczypiorski
Copyright © 2016 by The Institute of Electrical and Electronics Engineers, Inc.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. All rights reserved
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data is available.
ISBN: 978-1-118-86169-1
Wojciech Mazurczyk would like to dedicate this book to his wife Magdalena and sons Bartek and Tomek.
Steffen Wendzel would like to dedicate this book to Mali.
Sebastian Zander would like to dedicate this book to Wunna, Lara, and Lukas.
Amir Houmansadr would like to dedicate this book to the memory of his grandmother Fatemeh.
Krzysztof Szczypiorski would like to dedicate this book to the memory of his father Jan Szczypiorski.
1.1
Basic mimicry system. S1 and S2 denote signal transmitters and R is the signal receiver. “+” denotes that the response of the receiver R is advantageous to S2; thus, S2 benefits from the S1/R couple. (Reproduced from [3] with permission of Wiley.)
1.2
Ancient and modern information hiding.
1.3
Evolution of hidden data carrier throughout the history. (Reproduced from [6] with permission of ACM.)
1.4
Protocol functions used for network steganography, associated with OSI RM layers. (Reproduced from [29] with permission of IEEE.)
2.1
Classification of information concealment possibilities in communication networks.
2.2
A historic classification of information hiding techniques. (Reproduced from [2] with permission of IEEE.)
2.3
Classification of modern steganography techniques and scope of network steganography.
2.4
An example of carrier and subcarriers based on VoIP connection example. (Reproduced from [13] with permission of Wiley.)
2.5
Multiple flows steganography example—sending secret data that is distributed over a number of traffic flows. (Reproduced from [13] with permission of Wiley.)
2.6
Network steganography methods classification.
2.7
Relationship between the three features of network steganography. (Reproduced from [15] with permission of ACM.)
2.8
Relationship between the features of network steganography with steganographic cost included. (Reproduced from [13] with permission of Wiley.)
2.9
Relationship between steganographic cost and undetectability. (Reproduced from [13] with permission of Wiley.)
2.10
Traffic type obfuscation techniques classification.
2.11
Model for hidden communication. (Reproduced from [15] with permission of ACM.)
2.12
Hidden communication scenarios and potential localizations of the warden. (Reproduced from [15] with permission of ACM.)
3.1
Taxonomy for storage methods as patterns shaded. (Reproduced from [1] with permission of ACM.)
3.2
Illustration of the size modulation pattern: PDUs of different size are transmitted between sender and receiver to encode symbols s_1 and s_2.
3.3
The sequence method illustrated using a simple HTTP request. Two different symbols s_1 and s_2 are encoded by the order of two selected header elements.
3.4
Illustration of the case pattern. By only using one header line, multiple symbols per request can be transferred by modulating the case of letters.
3.5
Taxonomy for network steganography timing methods.
3.6
Example of using packet rate (throughput) to encode hidden communication. The covert sender encodes a zero bit as sending with rate r_0 and a one bit as sending with rate r_1. The covert receiver decodes the hidden messages based on the observed rates.
3.7
Example of using time gaps between packets to encode hidden communication. The covert sender encodes a zero bit as small gap g_0 and a one bit as large gap g_1. The covert receiver decodes the bits based on the gaps observed.
3.8
An FTP NOOP covert channel, an example of using message sequence timing for hidden communication. The integer value of the covert bits is encoded as the number of FTP NOOP commands sent during the idle periods when no data are transferred via FTP.
3.9
An example of using artificial packet loss to encode hidden communication. The covert sender encodes a zero bit as arrived packet and a one bit as artificially lost packet. The covert receiver decodes the information using the packet's sequence numbers.
3.10
An example of (re)ordering packets to encode hidden communication. A packet in a correct position encodes a zero bit, while a packet in an incorrect position encodes a one bit.
3.11
An example of using frame jamming for hidden communication. To send a zero or one bit, the covert sender retransmits with delay d_0 or delay d_1, respectively, after a previous frame collision.
3.12
A temperature-based covert channel. The covert sender encodes information by changing the CPU load on the intermediate host through changing the service request rate. The CPU load changes affect the temperature, which in turn affects the clock skew on the intermediate host. The covert receiver measures the clock-skew change over time to reconstruct the original load pattern and thereby decode the covert bits. (Reproduced from [63] with permission of IEEE.)
3.13
The idea of LACK. (Reproduced from [34] with permission of Wiley.)
3.14
LACK as an example of a hybrid method.
3.15
Components of the LACK delay. (Reproduced from [34] with permission of Wiley.)
3.16
The impact of LACK on the total packet loss probability. (Reproduced from [57] with permission of Wiley.)
3.17
Generic retransmission mechanism based on timeouts. (Reproduced from [63] with permission of Springer.)
3.18
The concept of retransmission steganography. (Reproduced from [63] with permission of Springer.)
3.19
An example of the RTO-based RSTEG segment recovery. (Reproduced from [38] with permission of Springer.)
4.1
Control protocol terminology showing the embedding of all control protocol components into subcarriers, which are combined to form the cover area.
4.2
Optimization problem for control protocols: header size and feature spectrum are conflicting requirements.
4.3
Ping Tunnel's control protocol header. (Reproduced from [4] with permission of Springer.)
4.4
The header of the protocol presented by Ray and Mishra. (Reproduced from [4] with permission of Springer.)
4.5
Two types of PSCCs. (a) Protocol hopping covert channel using two protocols (hidden data are embedded into storage attributes). (b) Protocol channel using four protocols (hidden data are represented by the protocol itself). (Reproduced from [21] with permission of Iaria.)
4.6
The concept of status updates.
4.7
(a) A ToU occurs multiple times within one packet to reduce the overall number of packets and header bits required for a transaction. (b) The same data are transmitted using two packets, that is, the feature of allowing multiple occurrences for a ToU per packet is not used.
4.8
Control protocol engineering approach. (Reproduced from [2] with permission of Springer.)
4.9
Produced words by the exemplary grammars G_CP and G_CC.
4.10
The sender S transfers information to the receiver R via the covert channel proxies Q_1 ⋯ Q_n. (Reproduced from [3] with permission of Springer.)
5.1
Classes of traffic type obfuscation based on the objective.
5.2
Padding network packets to de-identify packet sizes.
5.3
The main architecture of SkypeMorph [21].
5.4
The main components of FreeWave [22].
5.5
The main components of FreeWave [22] client.
5.6
The main components of FreeWave [22] server.
5.7
Classes of traffic type obfuscation based on the implementation domain.
5.8
The main architecture of Obfsproxy.
5.9
The main architecture of CensorSpoofer [36].
5.10
Countermeasures to traffic type obfuscation.
5.11
Skype TCP activity with and without changes in bandwidth. (Reproduced from [37] with permission of IEEE.)
6.1
Linking network flows for the detection of stepping stone attacks. Flows numbered 2 and 5 are part of a stepping stone attack, while the other flows are benign.
6.2
General model of network flow watermarking.
6.3
Using flow watermarks to detect stepping stone attacks.
6.4
A system for anonymous communications.
6.5
A botnet traceback system [29] using flow watermarks.
6.6
Random selection and assignment of time intervals of a packet flow for watermark insertion.
6.7
Distribution of packets arrival time in an interval of size T before and after being delayed.
6.8
Model of RAINBOW network flow watermarking system.
6.9
Slot numbering in the SWIRL scheme. (Reproduced from [14] with permission of Springer.)
6.10
Delaying packets to insert a watermark by SWIRL. (Reproduced from [34] with permission of Springer.)
6.11
Targeted (a) and nontargeted (b) attacks on an anonymous network.
7.1
The VoIP stack and protocols. (Reproduced from [4] with permission of IEEE.)
7.2
A frame carrying a speech payload encoded with an overt codec (1), transcoded (2), and encoded with a covert codec (3). (Reproduced from [19] with permission of IEEE.)
7.3
The TranSteg scenario S4 (SS–Secret Sender; SR–Secret Receiver). (Reproduced from [19] with permission of IEEE.)
7.4
The distribution of packets' size during conversation and periods of silence.
7.5
StegTorrent hidden data exchange scenario (Ts_X denotes a timestamp from the corresponding μTP header's field). (Reproduced from [25] with permission of IEEE.)
7.6
iStegSiri's crafted voice stream (a); results in corresponding classes of traffic (blue—voice, red—silence), which successfully detects secret data bits at the receiving side (b). (Reproduced from [48] with permission of IEEE.)
7.7
The structure of the MAC frame. (Reproduced from [67] with permission of IEEE.)
7.8
Frame Control field. (Reproduced from [67] with permission of ACM.)
7.9
Client server message exchange in First Person Shooter games. (Reproduced from [70] with permission of Springer.)
7.10
Player character movement in FPS games. (Reproduced from [70] with permission of Springer.)
7.11
An example of user input values and server snapshot values [70].
7.12
Example of covert channel encoding. (Reproduced from [70] with permission of IEEE.)
7.13
Reliable data transport state machine. (Reproduced from [70] with permission of IEEE.)
7.14
Throughput depending on Round-Trip Time (RTT), covert bits per angle change (bpa), and number of players. (Reproduced from [70] with permission of IEEE.)
7.15
Throughput depending on packet loss rate, covert bits per angle change (bpa), and number of players. (Reproduced from [70] with permission of IEEE.)
7.16
Possible locations for eavesdropper attacks and network steganographic transmissions in building automation networks.
7.17
Data leakage over a building automation network to an external receiver.
8.1
Countermeasures that can be used to eliminate, limit, and audit the use of network steganography.
8.2
Traffic normalizers remove semantic ambiguities by modifying the content and the timing of protocol messages in order to eliminate covert channels.
8.3
The PUMP significantly reduces covert channel capacity, because it “decouples” the high-security system's ACKs from the ACKs sent to the low-security system. (Reproduced from [58] with permission of IEEE.)
8.4
Network steganography detection with supervised ML techniques.
8.5
Network steganography detection with unsupervised ML techniques.
8.6
Backpropagation neural network.
1.1
Analogies between the information hiding field and the kingdoms of living things.
1.2
Analogies between exemplary ancient and modern information hiding techniques.
5.1
Passive protocol-based countermeasures to detect imitators of the Skype protocol.
8.1
Possible scenarios to attack control protocols based on [3]
8.2
Well-known techniques to normalize IP, UDP, and TCP header fields and their possible side effects.
Steganography—the art and science of concealed communication—can be traced back to antiquity. Secret messages written in invisible ink, printed in microdots, or hidden in innocuous hand-crafted images form the history of this exciting field. Systematic research in steganography only began in the late 1990s and early 2000s. Much of this early research focused on hiding data in multimedia content such as digital images, video streams, or audio data and was driven by the quest to protect copyright. At the same time, steganography was seen as a versatile tool to mitigate governmental bans on the use of cryptography. The research performed in these decades gave us a fair understanding of the possibilities and limits of data hiding.
The new hotspot of the field is network steganography. In contrast to many previous approaches that predominantly targeted multimedia data, network steganography attempts to conceal secret messages directly in network streams. It turns out that the ever-increasing volume of Internet traffic provides a perfect cover for steganographic communication. For example, one can utilize unused bits in network protocols to send covert information or change order and timing of network packets to encode supplementary data.
Network steganography has the potential to circumvent oppressive government surveillance by providing means to communicate “under the radar” of current network monitoring tools. Steganographic techniques can also avoid censorship by concealing the ultimate goal of a communication channel. Furthermore, techniques similar to those employed in network steganography make it possible to obfuscate the type of traffic or to watermark network flows. The goal of the former is to conceal the true purpose of a communication channel, while the latter attempts to trace traffic even if it flows through several networked devices. On the downside, network steganography may be used by attackers to efficiently exfiltrate secrets from highly protected computers or by botnets to set up covert control channels; flow watermarking has the potential to break anonymization tools.
Research in network steganography and related disciplines will give us a good insight into the opportunities and risks of this novel technology, which we just started to explore in detail. We learned that simple steganographic schemes that substitute parts of an ongoing communication with secrets are usually detectable, as they introduce unnatural patterns in data streams. This created opportunities to develop specially crafted steganalytic algorithms that discriminate innocuous from steganographic communication, which in turn led to the development of better steganographic tools. This “cat-and-mouse” game between the steganographer and the steganalyst is likely to continue in the near future. The same holds for traffic obfuscation: schemes optimized to mimic a certain distribution of packets will likely be broken with higher order statistics.
I am therefore delighted to see the first comprehensive book on network steganography and related technologies, which I expect will be the standard reference on the subject. I hope that this book will inspire many researchers to explore this exciting discipline of network security—and that it boosts the “cat-and-mouse” game between steganographers and steganalysts, which is vital to move our field forward.
Stefan Katzenbeisser
Information hiding techniques have their roots in nature, and they have been utilized by humankind for ages. The methods have evolved throughout the ages, but the aims remained the same: hiding secret information to protect it from untrusted parties or to enable covert communication. The latter purpose has grown in importance with the introduction of communication networks where many new possibilities of data hiding emerged.
Information hiding can be utilized for both benign and malicious purposes. Currently, the rising trend among Black Hats is to equip malware with covert communication capabilities for increased stealthiness. On the other hand, covert channels are also becoming increasingly useful for circumventing censorship in oppressive regimes. The complexity and richness of continuously appearing new services and protocols guarantee that there will be a lot of new opportunities to hide secret data. A problematic aspect in this regard is the lack of effective and universal countermeasures that can be applied in practice against increasingly sophisticated information hiding techniques (especially when used for malicious purposes).
