**2. The combined method using modification of the fields IP and TCP**

As mentioned earlier, the methods for modifying the IP and TCP header fields have certain features that make them stand out from the rest of the methods:


Despite the many advantages of both methods, there are some flaws, and the main one, to which attention is immediately drawn, is the obviousness of data transfer, i.e., any statistical analysis allows us to calculate both the hidden communication channel itself and the information transmitted in it.

The method proposed by Rowland [3] is as follows: to generate a value in the "Sequence Number" field, the plaintext character is encoded in accordance with the ASCII table, and the resulting value is multiplied by a certain number multiple of two. The resulting value is entered in the "Sequence Number" field and sent to the recipient. The recipient, knowing the key (divider), should check all incoming TCP packets for the subject of the steganogram, dividing the value of the "Sequence number" field by the key.

On the one hand, this method allows you to create a data channel through which you can transmit secret data in front of a passive observer. But the existence of a single key is a disadvantage, since, based on a dozen of such packages, it can be concluded that the sequence numbers of all packages have a common factor, which is the key. Thus, the proposed method is easy to detect.

Based on the source data and analysis of the disadvantages of network steganography methods with modification of the IP and TCP packet header fields, we can propose a modified method that will be based on the simultaneous use of the IP and TCP protocol header fields. The key needed to decrypt the transmitted message will also be transmitted as a steganogram, only in encrypted form in the "Identifier" field of the IP header, while the encrypted steganogram will be transmitted in the "Sequence number" field of the TCP header.

The implementation of this method is divided into two parts:


The first block consists of the following steps:

• Generation of the key k, which will be used in the future. The key can be any number that is a multiple of two. To generate a key, take two numbers x and y and raise the first to the power of the second.

**75**

of the TCP header.

*Analysis of Network Protocols: The Ability of Concealing the Information*

be conducted on the automatic formation of x, y.

key and steganogram into the TCP and IP header fields.

• The conversion of secret data—a character or number that must be transferred to the corresponding code in the ASCII table. The coded number is denoted

• Getting the media C as the product of the key value by the value of a secret

C = S\*k10

• Checking the number C—it must meet the requirement 228 < C < 233. This condition is necessary so that the value of the "Sequence number" field does not look suspicious. If the value of C does not meet the requirements, the numbers x and y need to be changed to others, and repeat steps 1–2. Further studies will

• The value of the numbers x and y is written together into the number z and is flipped so that the previous values can only be read from right to left.

Then the data is converted from decimal to hexadecimal. Thus, we get a three-

Then, at the second stage, you need to put the obtained values of the encrypted

We briefly describe the network steganography method with a modification of the fields in the TCP header, since in it we will transmit the secret message itself. For the purpose of steganography, the header of this protocol usually uses some fields that can be changed without losing the functionality of the package. For the purpose of our research, we will focus on the "Sequence Number" field (SN, SequenceNumber). This field performs two tasks. The first is the following: if the SYN flag is set, then this initial value of the sequence number is ISN (InitialSequenceNumber), and the first byte of data that will be transmitted in the next packet will have a sequence number equal to ISN + 1. Otherwise, if SYN is not set, the first byte of data transmitted in this packet has this sequence number. For our case it is important to know that this value will not change during the path of

The "Sequence Number" field allows you to create a 32-bit length sequence. According to the Rowland method, the transmitted message is encoded in accordance with the ASCII table and multiplied by a certain number (the key), a multiple of two to reduce the detection probability, then entered into the generated TCP packet in the "Sequence number" field, and the packet is sent. When the packet reaches the destination address, the recipient must save all incoming TCP packets, from which he must remove the value in the "Sequence number" field and then divide by the key he knows in advance. But, as it was said before, this method is extremely easy to detect based on the analysis of a number of TCP packets due to a permanent key. In the proposed modification of the method, this key will be transmitted simultaneously with the TCP packet, in the IP header. This will increase

The next step is to add the value of the C media in the "Sequence Number" field

Next, you must enter the value of the encrypted key (inv (z)) 16 in the IP header field. To organize such an operation, you should return to the network steganography method with modification of the IP header fields. During the packet path, only the "Identifier" field remains unchanged; its length is 16 bits and 1 bit in the "Flags" field, which is responsible for the DF flag. Changing these fields does not carry

*DOI: http://dx.doi.org/10.5772/intechopen.88098*

by S, since it is our steganogram.

digit hexadecimal number inv. (z) 16.

the packet from the sender to the recipient.

the difficulty of detecting the steganogram.

character.

*Analysis of Network Protocols: The Ability of Concealing the Information DOI: http://dx.doi.org/10.5772/intechopen.88098*

*Computer and Network Security*

methods:

**2. The combined method using modification of the fields IP and TCP**

• Total gives bandwidth of 49 bits per 1 packet.

nication channel itself and the information transmitted in it.

is the key. Thus, the proposed method is easy to detect.

The implementation of this method is divided into two parts:

• Entering data into the corresponding TCP and IP header fields.

"Sequence number" field of the TCP header.

The first block consists of the following steps:

and raise the first to the power of the second.

long adjustments and preparations.

will not be fragmented.

number" field by the key.

steganogram.

As mentioned earlier, the methods for modifying the IP and TCP header fields have certain features that make them stand out from the rest of the

• The most common and standard protocols are used as carriers of the steganogram.

• Implemented on any operating system, the implementation does not require

• Changes in the package will not affect its behavior on the network, in case it

Despite the many advantages of both methods, there are some flaws, and the main one, to which attention is immediately drawn, is the obviousness of data transfer, i.e., any statistical analysis allows us to calculate both the hidden commu-

The method proposed by Rowland [3] is as follows: to generate a value in the "Sequence Number" field, the plaintext character is encoded in accordance with the ASCII table, and the resulting value is multiplied by a certain number multiple of two. The resulting value is entered in the "Sequence Number" field and sent to the recipient. The recipient, knowing the key (divider), should check all incoming TCP packets for the subject of the steganogram, dividing the value of the "Sequence

On the one hand, this method allows you to create a data channel through which you can transmit secret data in front of a passive observer. But the existence of a single key is a disadvantage, since, based on a dozen of such packages, it can be concluded that the sequence numbers of all packages have a common factor, which

Based on the source data and analysis of the disadvantages of network steganography methods with modification of the IP and TCP packet header fields, we can propose a modified method that will be based on the simultaneous use of the IP and TCP protocol header fields. The key needed to decrypt the transmitted message will also be transmitted as a steganogram, only in encrypted form in the "Identifier" field of the IP header, while the encrypted steganogram will be transmitted in the

• Preparing data for the transfer, which includes generating the key k, converting the transmitted secret symbol or number into its corresponding code in the ASCII table, and calculating the value of the carrier C, which is an encrypted

• Generation of the key k, which will be used in the future. The key can be any number that is a multiple of two. To generate a key, take two numbers x and y

**74**


$$\mathbf{C} = \mathbf{S}^\star \mathbf{k}\_{10}$$


Then the data is converted from decimal to hexadecimal. Thus, we get a threedigit hexadecimal number inv. (z) 16.

Then, at the second stage, you need to put the obtained values of the encrypted key and steganogram into the TCP and IP header fields.

We briefly describe the network steganography method with a modification of the fields in the TCP header, since in it we will transmit the secret message itself. For the purpose of steganography, the header of this protocol usually uses some fields that can be changed without losing the functionality of the package. For the purpose of our research, we will focus on the "Sequence Number" field (SN, SequenceNumber). This field performs two tasks. The first is the following: if the SYN flag is set, then this initial value of the sequence number is ISN (InitialSequenceNumber), and the first byte of data that will be transmitted in the next packet will have a sequence number equal to ISN + 1. Otherwise, if SYN is not set, the first byte of data transmitted in this packet has this sequence number. For our case it is important to know that this value will not change during the path of the packet from the sender to the recipient.

The "Sequence Number" field allows you to create a 32-bit length sequence. According to the Rowland method, the transmitted message is encoded in accordance with the ASCII table and multiplied by a certain number (the key), a multiple of two to reduce the detection probability, then entered into the generated TCP packet in the "Sequence number" field, and the packet is sent. When the packet reaches the destination address, the recipient must save all incoming TCP packets, from which he must remove the value in the "Sequence number" field and then divide by the key he knows in advance. But, as it was said before, this method is extremely easy to detect based on the analysis of a number of TCP packets due to a permanent key. In the proposed modification of the method, this key will be transmitted simultaneously with the TCP packet, in the IP header. This will increase the difficulty of detecting the steganogram.

The next step is to add the value of the C media in the "Sequence Number" field of the TCP header.

Next, you must enter the value of the encrypted key (inv (z)) 16 in the IP header field. To organize such an operation, you should return to the network steganography method with modification of the IP header fields. During the packet path, only the "Identifier" field remains unchanged; its length is 16 bits and 1 bit in the "Flags" field, which is responsible for the DF flag. Changing these fields does not carry

changes in the package, in case the package is not fragmented, but it should not be, since by condition we need to know the minimum MTU value and not exceed it when creating and sending the package.

At the "Identifier" field, 16 bits is available to us for adding a steganogram; the information in it is displayed in the form of four numbers in hexadecimal number system. Thus, we have 65,535 possible values that can be used both for transmitting the steganogram and for the key, which in turn is also a steganogram. In order not to transmit the key in such an explicit form, it is proposed to use only three numbers out of four, while reading them from right to left. In this case, the number can be odd with its standard reading from left to right. The fourth unused number can take any value. Thus, we can use only 16 of the 17 bits available in a packet. It is proposed to use the second bit in the "Flags" field—DF—as a specific label, the presence of which allows you to expand the key extraction algorithm: whether you need to read the value from the first or from the second number in the "Identifier" field to extract the key.

Thus, the next step is to enter (inv (z)) 16 in the "Identifier" field of the IP header. At the same time, we must set the value of "1" to the second bit in the "Flags" field if we enter the key in the first 12 bytes of the "Identifier" field or 0 if we fill the first 4 bytes of the field with random values and in the remaining 12 bytes our key.

Next, we send a packet with modified fields to the recipient, where he must carry out the procedure inversely described in the framework of this algorithm [8].

We calculate the bandwidth of the proposed method.

Since the "Identifier" field in the IP header can contain 16 bits of information, 1 bit is available in the "Flags" field, and in the "Sequence number" field, a 32-bit information is available in the TCP header; we can conclude that the total throughput of steganography is 49 bits. But it should be noted that in this method we use the "Identifier" field to transmit the encrypted key in the steganogram, which is used to extract secret information from the "Sequence number" field, and the bit in the "Flags" field is used as a label. Thus, to transfer the encrypted key, we allocate 12 bits of information available in the "Identifier" field, and in the remaining 4 bits, we enter a random number from 0 to 16 in the hexadecimal number system (from 1 to F) and use 1 bit as a label, necessary for more organization more flexible operation of the algorithm. Based on this, we can conclude that for transmitting specific information, we have 32 bits left in the "Sequence number" field, and 3 bits of secret information can be transmitted, which is encrypted in 32 bits of information hiding the secret.

#### **2.1 Intercomputer exchange**

The exchange of computer networks is based on the Open System Interconnection (OSI) reference model.

Studying hidden information flows with computer interaction on networks of interest will include information about the services that are added to the network traffic data. As part of the protocol, headings are assessed at two levels: network and transport. We will address network protocols (IPv4 and IPv6) and transport protocols (TCP and UDP).

Further, we are considering the reports and the possibility of more detailed manipulation.

#### **2.2 IPv4**

IPv4 is the most popular protocol of network level; see more information in RFC791.

**77**

**Figure 1.** *Header of IPv4.*

*Analysis of Network Protocols: The Ability of Concealing the Information*

The format of IPv4 header is presented in **Figure 1**. IPv4 header field analysis shows the following results:

other value is possible injection information.

could be used to pass hidden information.

add data to the next two "Options" and "Padding" fields.

Bits from 0 to 2 are set for priority and 6 to 7 set to reserved.

The header size of IPv4 is 20 bytes; using specialized field in header—"Options"

field—can increase it. When the amount of the header is less than 20 bytes, it is

1. "Internet Header Length" field. Ability to increase the size of the Internet Header Length field to extend the original header. This change allows you to

The value "111" should not appear on the networks of provider; it could be appearing only for local networks, which leads to the point that the capture of this value in the network provider is a mark of malicious information injection.

By default, these bits are reserved and must be set to 0; the result is that the

You can change the value of the identification field. The point is that the field is used to build correctly after fragmentation, but there is a DF flag that rejects fragment packets, so if the flag is set to "1" this ID is not required, and this field

As the standard requires, the first bit is reserved and should be set to "0";

if the result is different, it is mark of injection information.

*DOI: http://dx.doi.org/10.5772/intechopen.88098*

likely damaged and has to be discarded.

2. "Type of Service" field

3. "Identification" field

4. "Flags" field

**2.3 Header of IPv4**



The header size of IPv4 is 20 bytes; using specialized field in header—"Options" field—can increase it. When the amount of the header is less than 20 bytes, it is likely damaged and has to be discarded.
