**1.1 Network steganography methods**

The baseline data for classifying the methods and means of network steganography come from the materials of Polish scientists Mazurczyk and Szczypiorski and reports on the experiments of Canadian scientists Ahsan and Kundur, scientists Cauich and Gomez of the University of California at Irvine, and researchers Handel and Sandford at the national laboratory at Los Alamos. All materials are freely available. Network steganography methods can be divided into three groups [1]:

• Steganography methods whose essence is changing data in the fields of the network protocol headers and in the packet payload fields.

• Steganography methods in which the structure of packet transmission changes, for example, the sequence of packet transmission or the intentional introduction of packet loss during transmission.

• Mixed (hybrid) methods of steganography: when they are used, the contents of the packets, the delivery times of the packets, and the order of their transfer change.

Each of these methods is divided into several groups; for example, packet modification methods include three different methods:

• Methods for changing data in protocol header fields: they are based on modifying the IP, Transmission Control Protocol (TCP), SCTP header fields, and so on.

• Packet payload modification methods; in this case, various watermark algorithms, speech codecs, and other steganographic techniques for hiding data are used.

• Methods of mixed techniques.

Methods for modifying the structure of packet transmission include three directions:

• Methods in which the order of the sequence of packets is changed.

• Methods that change the delay between packets.

• Methods, the essence of which is to introduce intentional packet loss by skipping sequence numbers at the sender.

Mixed (hybrid) methods of steganography use two approaches: methods of audio packet loss (LACK) [2] and packet retransmission (RSTEG) [1].

The main idea of methods for modifying header fields is to use some header fields to carry the steganogram [3, 4]. This is possible because of some redundancy in these fields, that is, there are certain conditions under which the values in these fields are not used in the transmission of packets. The most commonly used header fields are those of the IP and TCP protocols.

Consider an example of such a method, based on modifying unused IP protocol fields to create a hidden channel [4].

The value of the "Identification" field of the IP packet is generated on the sender side. It contains a random number that is generated when a packet is created. The "Identification" field is used only when fragmentation is used. Therefore, to use this method, you need to know the MTU value of the network being traversed and not exceed it, so that the packet is not fragmented during transmission. When packet fragmentation is not needed, a certain redundancy occurs in the "Flags" field, in the second bit, which is responsible for setting the Don't Fragment (DF) flag. This flag can be set to signal the sender's unwillingness to have the packet fragmented. If the packet carrying the steganogram is not fragmented due to its size, you can hide the information in the "DoNotFragmentBit" flag field. This method provides a bandwidth of 1 bit.

The advantage of this method is the transmission of unchanged information from the sender to the recipient, but it also limits the amount of information sent. Steganography based on this method is easily implemented; has a good bandwidth, since you can send a lot of IP packets with the changes; and is low cost, because it uses fields that do not violate the functionality of the packet. Among the shortcomings, it should be noted that the transmitted data is carried in the open and can be easily read by an observer (although it is possible to strengthen the protection using additional cryptography).
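
A defender-side check for the DF-flag channel described above, as an added example (not code from the chapter): it parses raw IPv4 headers and flags flows whose unfragmented packets keep flipping the DF bit, which ordinary stacks normally set consistently within a flow. The sample headers, the addresses, and both thresholds are constructed assumptions.

```python
import socket
import struct
from collections import defaultdict

# Bit layout of the 16-bit "Flags + Fragment Offset" word of an IPv4 header.
DF_MASK, MF_MASK, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF


def parse_ipv4(header: bytes) -> dict:
    """Decode the fixed 20-byte part of an IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "ident": ident, "total_len": total_len,
        "df": bool(flags_frag & DF_MASK),
        "mf": bool(flags_frag & MF_MASK),
        "frag_offset": flags_frag & OFFSET_MASK,
    }


def df_flow_report(headers, min_packets=16, max_flip_ratio=0.05):
    """Per-flow DF statistics over unfragmented packets.

    A flow is marked suspicious when it has enough packets and the DF bit
    changes between consecutive packets more often than max_flip_ratio.
    Both thresholds are assumptions of this example and need tuning.
    """
    flows = defaultdict(list)
    for raw in headers:
        pkt = parse_ipv4(raw)
        if pkt["mf"] or pkt["frag_offset"]:
            continue  # real fragments: the channel requires unfragmented packets
        flows[(pkt["src"], pkt["dst"], pkt["proto"])].append(int(pkt["df"]))
    report = {}
    for key, bits in flows.items():
        flips = sum(a != b for a, b in zip(bits, bits[1:]))
        ratio = flips / (len(bits) - 1) if len(bits) > 1 else 0.0
        report[key] = {
            "packets": len(bits), "df_set": sum(bits), "flips": flips,
            "suspicious": len(bits) >= min_packets and ratio > max_flip_ratio,
        }
    return report


def sample_header(src, dst, df, ident):
    """Build a constructed 20-byte IPv4/TCP header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, ident,
                       DF_MASK if df else 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# Constructed sample input: one flow with DF always set, and one flow whose
# DF bit follows the bits of a 4-byte string, one bit per packet.
PATTERN_BITS = [(byte >> (7 - i)) & 1 for byte in b"test" for i in range(8)]
SAMPLE_HEADERS = (
    [sample_header("192.0.2.10", "198.51.100.1", True, i) for i in range(32)]
    + [sample_header("192.0.2.20", "198.51.100.1", bit, 100 + i)
       for i, bit in enumerate(PATTERN_BITS)]
)

if __name__ == "__main__":
    for flow, stats in df_flow_report(SAMPLE_HEADERS).items():
        print(flow, stats)
```
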

Another method of modifying network packets, one that alters the payload of a VoIP packet, can be widely used in practice given the popularity of programs that provide voice and video communications over the Internet. The network steganography method designed to hide messages in VoIP is called Transcoding Steganography (TranSteg); it compresses the payload of a network packet by transcoding. TranSteg can also be used in other applications or services (e.g., streaming video) where compression (with or without losses) of the open data is possible. In TranSteg, data compression is used to make room for the steganogram: voice data is transcoded (lossy compression) from a high bitrate to a lower bitrate with minimal loss of voice quality, and after compression, data is added to the freed space in the packet payload [5]. In general, the method achieves a fairly good steganographic bandwidth of 32 kb/s with the smallest difference in packet delay. Experiments of Polish scientists have shown that the delay in transmitting a VoIP packet using TranSteg increases by 1 ms compared with a packet without a steganogram. The complexity of detection depends directly on the choice of scenario and on the conditions of the outside observer (e.g., its location). Among the shortcomings, it is worth mentioning that this method is difficult to implement. It is necessary to find out which codecs the program uses for voice communication and to choose codecs with the smallest difference in speech quality that still give more space for embedding steganograms. During compression, the quality of the transmitted speech is reduced.

Also interesting is the direction that uses the mechanisms of the SCTP protocol. The Stream Control Transmission Protocol (SCTP) [6] is a packet-based, new-generation transport protocol that will replace TCP and User Datagram Protocol (UDP) in future networks. Today, this protocol is implemented in operating systems such as BSD, Linux, HP-UX, and Sun Solaris, is supported by network devices running the Cisco IOS operating system, and can be used in Windows. SCTP steganography uses new features of this protocol, such as multi-streaming and the use of multiple interfaces (multi-homing).

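The methods of SCTP steganography can be divided into three groups [7]:

• Methods in which the contents of SCTP packets change.

• Methods in which the sequence of transmission of SCTP packets is changed.

• Methods that affect both the content of packets and their order during transfer (hybrid method).
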
Methods for changing the contents of SCTP packets are based on the fact that each SCTP packet is made up of parts and each of these parts can contain variable parameters. Regardless of the implementation, a statistical analysis of the addresses of the network cards used for the forwarded blocks can help in detecting hidden connections. The possibility of applying this steganography method can be eliminated by changing the source and destination addresses in a randomly selected packet that contains a re-sent block.

The essence of the hybrid method based on the SCTP protocol is to use certain protocol mechanisms that make it possible to intentionally skip packets in a stream without resending them. Later, a steganogram is added to such a packet, and it is resent [7]. Packet modification using a hybrid method can be illustrated by the Hidden Communication System for Corrupted Networks (HICCUPS), which uses the imperfections of data transmission in a network environment, such as interference and noise in the communication medium, as well as the usual susceptibility of data to distortion. HICCUPS is a steganographic system with bandwidth allocation in a public network environment. Wireless networks are more susceptible to data corruption than wired ones, so using interference and noise in the communication medium during system operation looks very tempting. "Listening" to all the frames with transmitted data in the medium and the ability to send damaged frames with incorrect correction code values are two important network features necessary for the implementation of HICCUPS. In particular, wireless networks use an air connection with a variable bit error rate (BER), which makes it possible to introduce artificially damaged frames. This method has low bandwidth (network dependent), cumbersome implementation, low steganographic cost, and high detection complexity. However, analysis of frames with incorrect checksums may lead to the discovery of the use of this method.

The RSTEG method is based on the packet retransmission mechanism, the essence of which is as follows: when the sender sends a packet, the recipient does not respond with an acknowledgment; the retransmission mechanism is therefore triggered, and the packet is sent again with the steganogram inside, but again no acknowledgment comes. The next time this mechanism is triggered, the original packet is sent without hidden content, and this time it is answered with an acknowledgment of successful receipt.

The performance of RSTEG depends on many factors, such as the details of the communication procedures (in particular, the size of the packet payload, the frequency with which segments are generated, and so on).

The investigated method of steganography using packet retransmission, RSTEG, is a hybrid. Therefore, its steganographic bandwidth is approximately equal to the bandwidth of the methods with packet modification and at the same time higher than that of the methods that change the order of packet transmission. The complexity of detection and the throughput are directly related to the mechanism used to implement the method. RSTEG based on retransmission timeouts (RTO) is characterized by high detection complexity and low bandwidth, while RSTEG based on selective acknowledgment (SACK) has the maximum bandwidth for RSTEG but is also more easily detected. Using RSTEG with the TCP protocol is a good choice for IP networks. Among the shortcomings, it should be noted that this method is difficult to implement, especially its scenarios that are based on interception and correction of packets transmitted by ordinary users. A dramatically increased frequency of retransmitted packets, or unusual delays during the transmission of steganograms, may make a casual observer suspicious.
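
The retransmission behaviour described above can be monitored per TCP flow. The following is an added example, not code from the chapter: it counts how often a flow resends a segment and, as an additional check this example introduces, compares the bytes of each resent segment with the bytes first seen at that sequence number. The `Segment` record, the sample traffic, and the 5% threshold are constructed assumptions; sequence-number wraparound is not handled.

```python
import hashlib
from collections import defaultdict, namedtuple

# An already-parsed TCP data segment; the field names are this example's own.
Segment = namedtuple("Segment", "src sport dst dport seq payload")


def rsteg_report(segments, max_retx_ratio=0.05):
    """Summarise retransmissions per flow.

    A flow is suspicious if any resent segment differs from the bytes first
    seen at the same sequence number and length, or if the share of
    retransmissions exceeds max_retx_ratio (an assumed threshold).
    """
    first_digest = {}
    stats = defaultdict(lambda: {"segments": 0, "retransmissions": 0,
                                 "mismatched_seqs": []})
    for seg in segments:
        if not seg.payload:
            continue  # pure ACKs carry no data to compare
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        st = stats[flow]
        st["segments"] += 1
        # Only same-length resends are compared, because a legitimate stack
        # may repacketise data when it retransmits.
        key = (flow, seg.seq, len(seg.payload))
        digest = hashlib.sha256(seg.payload).digest()
        if key not in first_digest:
            first_digest[key] = digest
            continue
        st["retransmissions"] += 1
        if digest != first_digest[key]:
            st["mismatched_seqs"].append(seg.seq)
    report = {}
    for flow, st in stats.items():
        ratio = st["retransmissions"] / st["segments"]
        report[flow] = dict(
            st, retx_ratio=ratio,
            suspicious=bool(st["mismatched_seqs"]) or ratio > max_retx_ratio)
    return report


def build_sample():
    """Constructed traffic: flow_a has one genuine retransmission; flow_b
    resends one segment twice, the first time with different bytes."""
    flow_a = ("192.0.2.10", 40000, "198.51.100.1", 80)
    flow_b = ("192.0.2.20", 40001, "198.51.100.1", 80)
    segs = [Segment(*flow_a, 1000 + 100 * i, bytes([i]) * 100) for i in range(40)]
    segs.append(Segment(*flow_a, 1500, bytes([5]) * 100))   # identical resend
    segs += [Segment(*flow_b, 5000 + 100 * i, bytes([i]) * 100) for i in range(10)]
    segs.append(Segment(*flow_b, 5300, b"\xaa" * 100))      # resend, altered bytes
    segs.append(Segment(*flow_b, 5300, bytes([3]) * 100))   # resend, original bytes
    return segs, flow_a, flow_b


if __name__ == "__main__":
    sample, _, _ = build_sample()
    for flow, stats in rsteg_report(sample).items():
        print(flow, stats)
```
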

Lost audio packets steganography (LACK) is steganography based on the deliberate delay of audio packets [2]. This is another method implemented via VoIP. Communication over IP telephony consists of two parts: signaling (dialing) and conversational. Both parts of the traffic are transmitted in both directions. The protocols used are SIP for signaling and RTP (with RTCP acting as the control protocol) for the conversation. This means that during the signaling phase of the call, the SIP endpoints (called SIP user agents) exchange some SIP messages. Usually SIP messages pass through SIP servers, proxy or redirect, which allows users to search for and find each other. After this stage, the conversation phase begins, where the audio (RTP) stream flows in both directions between the caller and the callee. This method has certain advantages. The bandwidth is not less, and sometimes higher, than that of the other algorithms that use audio packets. But if you intentionally cause losses, the quality of the connection deteriorates, which can become suspicious for both ordinary users and listeners. Based on the presented LACK steganalysis methods, it can be concluded that the method has an average detection complexity. The implementation of the method is complex and may not be possible within certain operating systems.

**Table 1** shows a comparison of the methods by their main characteristics and implementation. The position of each method in this table shows how much its characteristics are superior or inferior to the others. The higher a method appears in the table, the higher the value of the corresponding characteristic. In the "Implementation" column, the simplicity of organizing the method is considered. The less time and effort the implementation of a method requires, the higher its position in this column. Based on the data from **Table 1**, it can be concluded that the main characteristics are directly dependent on each other.

| No. | Steganographic throughput | Detection complexity | Steganographic cost | Implementation |
|---|---|---|---|---|
| 1 | TranSteg | HICCUPS | HICCUPS | Modification of fields in TCP and IP headers |
| 2 | LACK | TranSteg | LACK | Modification of data blocks in SCTP |
| 3 | HICCUPS | LACK | RSTEG | TranSteg |
| 4 | RSTEG | RSTEG | TranSteg | Using SCTP multi-homing |
| 5 | Modification of fields in TCP and IP headers | … | … | … |
| 6 | Modification of data blocks in SCTP | … | … | … |
| 7 | Using SCTP protocol (hybrid) | … | … | … |
| 8 | Using SCTP multi-homing | … | … | … |

#### **Table 1.**

*Comparison of network steganography methods.*

*Analysis of Network Protocols: The Ability of Concealing the Information*

*DOI: http://dx.doi.org/10.5772/intechopen.88098*

*Computer and Network Security*
