Tutorials

History and Evolution of Steganography

Steganographic techniques have been used for ages and date back to ancient Greece. The aim of steganographic communication, then and now in modern applications, is the same: to hide secret data (a steganogram) in an innocent-looking cover and send it to the proper recipient, who is aware of the information hiding procedure. In an ideal situation the existence of hidden communication cannot be detected by third parties.

What distinguishes historical steganographic methods from modern ones is, in fact, only the form of the cover (carrier) for secret data. Historical methods relied on physical steganography – the employed media were human skin, game, etc. Further advances in hiding communication were based on the use of more complex covers, e.g. ordinary objects whose orientation was assigned meaning. This is how semagrams were introduced. The popularisation of the written word and increasing literacy brought about methods which utilised text as a carrier. The World Wars accelerated the development of steganography by introducing a new carrier – electromagnetic waves. Presently, the most popular carriers include digital images, audio and video files and communication protocols. The latter may be network protocols as well as any other communication protocol (e.g. cryptographic).

The way that people communicate evolved over ages and so did steganographic methods. At the same time, the general principles remained unchanged.

See our view on the evolution of steganography:

For a detailed review of historical steganographic methods see the Links section.

 

Network Steganography

The relations between individuals, social groups and institutions which constitute societies have to be protected from all sorts of abuse because, as George Orwell once amusingly wrote, “On the whole human beings want to be good, but not too good, and not quite all the time”. Exchange of information is involved in many kinds of societal relations which require protection, hence it is not surprising that cryptography and steganography techniques emerged a long time ago, when societal relations were much less complex, diversified, technology-mediated and information-intensive.

While cryptography protects messages from being captured by unauthorized parties, steganography techniques enable concealment of the fact that a message is being sent and, if not detected, make the sender and the receiver “invisible”. Thus steganography potentially provides not only security, but also anonymity and privacy, which become understandable desires in modern societies that force us to take part in increasingly intensive and complex social relations (a somewhat special case is that of societies in states which criminalize the usage of encryption).

Obviously, the anonymity potential of steganography, while it can be considered beneficial in the context of protecting privacy, adds a new type of threat to individuals, societies and states. The tradeoff between the benefits and threats involves many complex ethical, legal and technological issues. Here we consider the latter in the context of communication networks.

Generally speaking, when considering any communication network three basic functionalities may be distinguished: services/applications, transport of information and control of the flow of information. In the traditional PSTN/ISDN, i.e. circuit-switched networks, the services/applications are provided by the network, transport takes place through transparent channels and the control and transport functions are virtually separated: once the end-to-end connection and transport channel are established, the information (voice or data) from the sender to the receiver is transported through the network without interference. The user of the network has practically no influence on the service delivered by the network and on the flow of information. The Internet, i.e. a packet-switched network, has substantially changed the traditional circuit-switched network paradigm: services/applications are created by the network users rather than the network itself, and the transport and control functions are not separated and can be influenced by the user. This change of paradigm was one of the main sources of the tremendous success of the Internet, but at the same time it introduced the well-known problems with quality of service and with protecting the network and its users from harmful/undesired interference. It is thus not surprising that the Internet opened many new possibilities for covert communication.

The new possibilities are a consequence of the fact that network users can influence and/or use the control of data flow – the communication protocols – together with the service/application functionality of terminals to establish covert communication. Secret messages can be hidden not only (1) within ordinary non-covert (overt) messages, as in traditional steganography and circuit-switched networks, but also (2) in a communication protocol’s control elements and (3) in the effects of manipulating the protocol’s logic. The recently proposed network steganographic methods use options (2) and (3), and their combinations.

All of the information hiding methods that may be used to exchange steganograms in telecommunication networks are described by the term network steganography, which was originally introduced by Krzysztof Szczypiorski in 2003. Network steganography is currently seen as a rising threat to network security. Contrary to typical steganographic methods, which utilize digital media (pictures, audio and video files) as a cover for hidden data (steganogram) and are sometimes called steganography 1.0, network steganography utilizes communication protocols’ control elements and their basic intrinsic functionality. As a result, such methods are harder to detect and eliminate. Network steganography is also sometimes called steganography 2.0.

A typical network steganography method uses modification of a single network protocol. The protocol modification may be applied to the PDU (Protocol Data Unit), to the time relations between exchanged PDUs, or to both (hybrid methods). Moreover, the relation between two or more different network protocols can be used to enable secret communication; this is so-called inter-protocol steganography. Classification of network steganography may be found below:

Steganography as a network threat was marginalized for a few years, but now not only security staff but even business and consulting firms are becoming increasingly aware of the potential danger and possibilities it creates.

In order to minimize the potential threat to public security, identification of such methods is important as is the development of effective detection (steganalysis) methods. This requires both an in-depth understanding of the functionality of network protocols and the ways in which it can be used for steganography.

Our Network Steganography Concepts - Brief Overview

MLS (Multi-Level Steganography)

MLS is based on combining two or more steganographic methods in such a way that one method (the upper-level) is a carrier for the other method (the lower-level). Such a binding of information hiding solutions brings some interesting benefits, among others:

  • Increased undetectability of upper-level methods,
  • Increased total steganographic bandwidth,
  • Ability to verify the steganogram's integrity after its reception,
  • Limiting the chance of successful steganogram extracting and reading.

MLS was originally proposed by Al-Najjar for picture steganography in:

Al-Najjar AJ.: The Decoy: Multi-Level Digital Multimedia Steganography Model, In Proc. of 12th WSEAS International Conference on COMMUNICATIONS, Heraklion, Greece, July 23-25, 2008

We extend this concept to network steganography and redefine it to make it more general. We also present a few useful MLS applications that can improve hidden communication in telecommunication networks. This was described in the paper:

W. Frączek, W. Mazurczyk, K. Szczypiorski, Multi-Level Steganography: Improving Hidden Communication in Networks - In: Computing Research Repository (CoRR), abs/1111.1250, arXiv.org E-print Archive, Cornell University, Ithaca, NY (USA), published on 25 January 2011 [.pdf]

HICCUPS (Hidden Communication System for Corrupted Networks)

HICCUPS is an intra-protocol steganographic system which modifies protocol-specific fields of frames and their content. It is especially suitable for WLANs (Wireless Local Area Networks). The main innovation of the system is the usage of frames with intentionally wrong checksums to establish covert communication. HICCUPS was recognized as the first steganographic system for WLANs.

HICCUPS was originally proposed in:

K. Szczypiorski, HICCUPS: Hidden Communication System for Corrupted Networks, In Proc. of: The Tenth International Multi-Conference on Advanced Computer Systems ACS'2003, pp. 31-40, October 22-24, 2003 - Międzyzdroje, Poland [.pdf]

LACK (Lost Audio Packets Steganography)

LACK is a hybrid intra-protocol steganographic method which modifies voice packets' time relations and their content.

At the transmitter, some selected audio packets are intentionally delayed before transmitting. If the delay of such packets at the receiver is considered excessive, the packets are discarded by a receiver which is not aware of the steganographic procedure. The payload of the intentionally delayed packets is used to transmit secret information to receivers aware of the procedure, so no extra packets are generated. For unaware receivers the hidden data is “invisible”.

LACK was originally proposed in:

W. Mazurczyk and K. Szczypiorski, Steganography of VoIP Streams, In: Robert Meersman and Zahir Tari (Eds.): OTM 2008, Part II - Lecture Notes in Computer Science (LNCS) 5332, Springer-Verlag Berlin Heidelberg, Proc. of OnTheMove Federated Conferences and Workshops: The 3rd International Symposium on Information Security (IS'08), Monterrey, Mexico, November 9-14, 2008, pp. 1001-1018 [.pdf]

PadSteg (Padding Steganography)

PadSteg is an inter-protocol steganographic system which utilizes relations between two or more protocols from the TCP/IP stack to enable hidden communication, namely Ethernet with ARP, TCP, UDP and/or ICMP protocols. It is designed for LANs and takes advantage of the Etherleak vulnerability, which causes padding in Ethernet frames to be not always set to zeros. To limit the chance of detection PadSteg has a so-called carrier-protocol hopping mechanism, i.e. it switches between different protocols that cause the frame to be padded.

PadSteg was originally proposed in:

B. Jankowski, W. Mazurczyk, K. Szczypiorski, Information Hiding Using Improper Frame Padding - 14th International Telecommunications Network Strategy and Planning Symposium (Networks 2010), 27-30.09.2010, Warsaw, Poland [.pdf]

and extended in: B. Jankowski, W. Mazurczyk, K. Szczypiorski - PadSteg: Introducing Inter-Protocol Steganography - In: Telecommunication Systems: Modelling, Analysis, Design and Management, Volume 58: 1-2 January/February 2015, ISSN: 1018-4864 (print version), ISSN: 1572-9451 (electronic version), Springer US, Journal no. 11235 [.pdf]
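Because PadSteg lives in Ethernet padding and hops between ARP, TCP, UDP and ICMP carriers, a monitor can check the padding of every short frame and group the hits by sender instead of by protocol. The following Python is an added example, not code from the original page or from the PadSteg authors; it assumes untagged Ethernet II frames captured without the FCS, and the sample frames, MAC addresses and IP addresses are constructed.

```python
import struct
from collections import Counter

ETH_HDR, ETH_MIN, ARP_LEN = 14, 60, 28   # bytes; ETH_MIN excludes the 4-byte FCS
CARRIERS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def split_padding(frame):
    """Return (carrier, padding) for an untagged ARP/IPv4 frame, else None."""
    if len(frame) < ETH_HDR + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        carrier, l3_len = "ARP", ARP_LEN
    elif ethertype == 0x0800:
        l3_len = struct.unpack("!H", frame[16:18])[0]   # IPv4 Total Length
        carrier = CARRIERS.get(frame[23], "IP/%d" % frame[23])
    else:
        return None
    end = ETH_HDR + l3_len
    if end > len(frame):
        return None                                     # truncated capture
    return carrier, frame[end:]

def suspicious_senders(frames):
    """Map source MAC -> Counter of carriers seen with non-zero padding."""
    hits = {}
    for frame in frames:
        parsed = split_padding(frame)
        if parsed and any(parsed[1]):
            hits.setdefault(frame[6:12].hex(":"), Counter())[parsed[0]] += 1
    return hits

# Constructed sample frames (not real captures); MACs and IPs are made up.
def _frame(src, ethertype, l3, pad_byte):
    body = bytes(6) + src + struct.pack("!H", ethertype) + l3
    return body + bytes([pad_byte]) * max(0, ETH_MIN - len(body))
def _ipv4(proto, l4):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4
HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [
    _frame(HOST_A, 0x0806, bytes(ARP_LEN), 0x00),        # ARP, zero padding
    _frame(HOST_B, 0x0806, bytes(ARP_LEN), 0x5A),        # ARP, non-zero padding
    _frame(HOST_B, 0x0800, _ipv4(6, bytes(20)), 0x5A),   # bare TCP segment
    _frame(HOST_B, 0x0800, _ipv4(1, bytes(8)), 0x5A),    # ICMP
    _frame(HOST_A, 0x0800, _ipv4(17, bytes(8)), 0x00),   # UDP, zero padding
]
if __name__ == "__main__":
    print({mac: dict(c) for mac, c in suspicious_senders(SAMPLE).items()})
```

A host with an unpatched Etherleak driver also emits non-zero padding, so a hit is a lead to investigate rather than proof of PadSteg. Frames captured on the sending host itself may not yet carry the padding added by the network interface.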

RSTEG (Retransmission Steganography)

RSTEG is an intra-protocol hybrid network steganography method. It is intended for a broad class of protocols that utilise retransmission mechanisms. The main innovation of RSTEG is to not acknowledge a successfully received packet in order to intentionally invoke retransmission. The retransmitted packet carries a steganogram instead of user data in the payload field.

RSTEG was originally proposed in:

W. Mazurczyk, M. Smolarczyk, K. Szczypiorski, RSTEG: Retransmission Steganography and Its Detection, In: Soft Computing in 2010, ISSN: 1432-7643 (print version) ISSN: 1433-7479 (electronic version), Journal no. 500 Springer [.pdf]
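Since the RSTEG retransmission carries a steganogram instead of the user data, a passive monitor that saw the first copy can compare every resent byte against it. The following Python is an added example, not code from the original page or from the RSTEG authors; it assumes TCP as the carrier and segment records already reduced to (flow, seq, payload), and the trace is constructed.

```python
from collections import defaultdict

SEQ_MOD = 2 ** 32   # TCP sequence numbers wrap at 32 bits

def rewritten_retransmissions(segments):
    """Flag segments that resend already-seen sequence space with other bytes.

    segments: iterable of (flow, seq, payload) in capture order.
    Returns a list of (flow, first_differing_seq, differing_byte_count).
    """
    first_copy = defaultdict(dict)        # flow -> {sequence number: byte}
    alerts = []
    for flow, seq, payload in segments:
        stream = first_copy[flow]
        positions = [(seq + i) % SEQ_MOD for i in range(len(payload))]
        changed = [p for p, b in zip(positions, payload)
                   if p in stream and stream[p] != b]
        if changed:
            alerts.append((flow, changed[0], len(changed)))
            continue                      # keep the first copy as reference
        for p, b in zip(positions, payload):
            stream.setdefault(p, b)
    return alerts

# Constructed sample trace (not a real capture); flows and payloads are made up.
FLOW_A = ("10.0.0.5", 40000, "10.0.0.9", 80)
FLOW_B = ("10.0.0.7", 40001, "10.0.0.9", 80)
TRACE = [
    (FLOW_A, 1000, b"GET /index"),
    (FLOW_A, 1010, b".html HTTP/1.1\r\n"),
    (FLOW_A, 1000, b"GET /index"),        # ordinary retransmission, same bytes
    (FLOW_A, 1005, b"index.html"),        # re-segmented resend, same bytes
    (FLOW_B, SEQ_MOD - 2, b"abcd"),       # spans the sequence-number wrap
    (FLOW_B, SEQ_MOD - 2, b"abcd"),       # identical resend across the wrap
    (FLOW_B, 2, b"overt-user-data!"),
    (FLOW_B, 10, b"er-XXXX!"),            # resend of seq 10..17, 4 bytes changed
]

if __name__ == "__main__":
    for flow, seq, count in rewritten_retransmissions(TRACE):
        print("payload changed on resend:", flow, "first seq", seq, "bytes", count)
```

The byte map grows with the stream; a deployed monitor would discard entries below the acknowledged sequence number.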

SCTP Steganography: Multistreaming-based method

The SCTP multistreaming-based method is an intra-protocol network steganography method. The main idea of this method is that subsequent chunks are transmitted within streams determined by bits of the steganogram.

Multistreaming-based steganographic method was originally proposed in:

W. Fraczek, W. Mazurczyk, K. Szczypiorski, Stream Control Transmission Protocol Steganography, Second International Workshop on Network Steganography (IWNS 2010) co-located with The 2010 International Conference on Multimedia Information Networking and Security (MINES 2010), Nanjing, China, November 4-6, 2010 [.pdf]

StegSuggest

Google Suggest is a service incorporated within Google Web Search which was created to help the user find the right search phrase by proposing popular auto-completed phrases while typing. To enable hidden communication StegSuggest utilizes traffic generated by Google Suggest. Its main innovation is to insert new words into suggestions sent to the Google Suggest client. The inserted words carry bits of the steganogram.

StegSuggest steganographic method was originally proposed in:

P. Białczak, W. Mazurczyk, K. Szczypiorski, Sending Hidden Data via Google Suggest, In Proc. of: Third International Workshop on Network Steganography (IWNS 2011) co-located with The 2011 International Conference on Telecommunication Systems, Modeling and Analysis (ICTSM2011), Prague, Czech Republic, 26-28.05.2011 [.pdf]

TranSteg (Transcoding Steganography)

TranSteg is a new IP telephony steganographic method. Typically, in steganographic communication it is advised for covert data to be compressed in order to limit its size. In TranSteg it is the overt data that is compressed to make space for the steganogram. The main innovation of TranSteg is to find, for a chosen voice stream, a codec that will result in a similar voice quality but a smaller voice payload size than the originally selected one. Then, the voice stream is transcoded. At this step the original voice payload size is intentionally unaltered and the change of the codec is not indicated. Instead, after placing the transcoded voice payload, the remaining free space is filled with hidden data.

TranSteg steganographic method was originally proposed in:

W. Mazurczyk, P. Szaga, K. Szczypiorski, Using Transcoding for Hidden Communication in IP Telephony - In: Computing Research Repository (CoRR), abs/1111.1250, arXiv.org E-print Archive, Cornell University, Ithaca, NY (USA), published on 4 November 2011 [.pdf]