Deep Hiding Techniques In Network Steganography


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Steganography is the technique of hiding confidential information within any media. It is an essential technique in networking, because much of the data transferred over a network needs to be kept hidden to protect it from undesired use. A significant amount of research has been carried out on hiding data in communication, but more intensive research was required to make the data even more hidden, so that it is undetectable to a third party who is not part of the communication.

This paper presents Deep Hiding Techniques, general techniques that can be applied to any available network steganography method, such as LACK (Lost Audio Packets Steganography), PadSteg (Padding Steganography) or RSTEG (Retransmission Steganography), to reduce its detectability and make it harder to extract the steganogram from the data carrier. Five groups of deep hiding techniques make the steganogram harder to detect and extract. Steganogram Scattering (SGS) and Steganogram Hopping (SGH) affect the steganogram, while Carrier Modification Camouflage (CMC), Inter-Protocol Steganography (IPS) and Multi-Level Steganography (MLS) affect the carrier. These techniques are systematic approaches that make the steganogram in steganographic communication more hidden and its extraction harder.

Deep Hiding Technique in Network Steganography

As the exchange of important information in the communication world becomes more complex and extensive, the problem of hiding or protecting data from risk or undesired use becomes more and more complex. The information hiding techniques that are used to exchange hidden data in telecommunication networks are called network steganography; they use different network protocols to insert hidden data into a chosen carrier. To perform steganographic communication, a proper carrier and network protocol, and the relationship between them, are used to transfer steganograms. For every network steganography method, significant importance is given to steganographic bandwidth, which is how much data can be sent using a particular method while still remaining unnoticed. Sending too much hidden data and using the maximum bandwidth raises the risk of detection, so the user must leave some portion of the bandwidth unused in order to achieve efficient steganographic communication.

In this paper, deep hiding techniques are introduced, defined as techniques that make normal network steganography communication even more hidden.

Fig 1: Deep Hiding Technique Classification

There are 5 different types of deep hiding techniques that affect either the steganogram or the carrier.

Steganogram Scattering (SGS): divides the steganogram into fragments and uses different techniques to distribute the sending of those fragments.

Steganogram Hopping (SGH): periodically changes the steganographic method used during a single hidden communication, thus changing the location of the steganogram.

Carrier Modification Camouflage (CMC): responsible for the addition of the steganogram into the hidden data carrier.

Inter-Protocol Steganography (IPS): more than one protocol is used when the hidden communication takes place. Inter-protocol steganography uses the relationship between these protocols to enable hidden communication, making steganograms harder to detect.

Multi-Level Steganography (MLS): a sub-level, known as the lower-level method, is created from the upper-level method. The lower-level method depends completely on the upper-level method.

Methods

This section discusses the methods shown in the classification of DHT.

Steganogram Scattering (SGS): The idea of splitting packets into fragments that are sent over the network to their destination is old and widely practiced. Steganogram scattering uses the same idea: the steganogram is split into pieces and each piece is sent as a separate message. Importantly, each piece can be sent using a different steganographic method, which makes it even more difficult for an intruder or third-party observer to detect all of the steganogram pieces.

One known hidden communication method, Collage (S. Burnett, N. Feamster & S. Vempala, 2010), hides steganogram pieces in user-generated data on the internet. To the author's knowledge, steganogram scattering has not yet been considered as a general technique that can be used with all known hidden communication methods in network steganography. SGS can be further classified as follows:

Fig 2: Classification of SGS

Flow-based Scattering: Flow-based scattering sets up more than one flow, or as many as needed, between the two hosts involved in the communication. The steganogram is split into pieces and each piece is sent on a different unoccupied flow. A flow here means an available communication link between two hosts; flows are not bound only to connection-oriented protocols like TCP but can also use connectionless protocols like UDP. The idea of using many flows was first introduced in network steganography by the Cloak method (Xiapu Luo, Edmond W. W. Chan, and Rocky K. C. Chang, 2007), but it was limited to connection-oriented protocols. The working of flow-based scattering can be explained using an example.

Fig 3: Flow-based Scattering between two hosts

In the example, User X wants to send hidden data to User Y. The steganogram is split into 3 pieces and the sender decides to send them on 3 flows, two connection-oriented and one connectionless, using TCP and UDP respectively. Each piece of secret data is sent using not only a different flow but also a different steganographic method. User Y, the receiver, receives the 3 separate pieces and combines them to obtain the original steganogram. The assembly process itself is not considered here, but the order in which the received fragments are merged must be known. There are different ways to determine it. One is to add information about the position of each piece to the steganogram. Another is to use the time of sending. Consider the three fragments in our example: the first bit of fragment 3 is sent at 00:00:00, the first bit of fragment 2 at 00:00:01 and the first bit of fragment 1 at 00:00:02, so on the receiving side the first piece of the original steganogram is fragment 3, the second is fragment 2 and the last is fragment 1. If the fragments are assembled in that order on the receiving end, the receiver has the original steganogram message. However, this requires synchronization between both hosts to make sure the fragments are sent properly and without disruption, because this is secret data on a hidden communication. A further way is to number each flow, assign each piece to a particular flow, and tell the receiver which flow carries which piece of the steganogram.

Host-based Scattering: In host-based scattering, either host, i.e. the receiver or the sender, must control one or more physical hosts or other networking devices that will be used in the communication. Fragments of the scattered steganogram are hidden in different host-based authorized communication paths between the two parties. Two such overt channels (E. Stewart Lee, 1999, p. 11) are different if they have different senders, different receivers, or both. Host-based scattering can be explained using the following example.

Fig 4: Host-based Scattering in SGS

In the figure above, User X can have n hosts and wants to send hidden data or a message to User Y, who can have m hosts. On the sender side, User X splits the steganogram into k parts, as shown in figure 4, and sends them using the available steganographic methods in different overt channels. On the receiver side, User Y receives all k pieces of the steganogram and merges them using one of the methods discussed for flow-based scattering. In general, the maximum number of parts into which the steganogram can be split equals the number of different overt channels in host-based scattering, i.e. n*m. There may also be cases where the user is not willing to use some of the hosts for the hidden communication. The sender or receiver of the steganogram pieces need not have physical access to the other hosts in the communication; either can use a single machine to manage the other hosts.

Flow- and host-based Scattering: Both flow-based and host-based scattering are useful for hidden communication, and the hybrid SGS technique uses both. In other words, there can be one or more flows between each pair of sender and receiver hosts. This helps to increase the number of flows available for sending pieces of the steganogram. It is also not necessary to use every available flow between the hosts for steganographic communication. Some parts of the steganogram can be duplicated and sent over different flows. This increases flexibility and the chance of successful steganogram reception at the receiver, even if some parts are removed or lost in transmission.

The SGS technique applies to communication between two users who want to exchange secret data or messages. Many available methods can be used with it. For example, a VoIP conversation can serve as the overt channel with the LACK method, or one user can download a file from the other and use a few TCP methods. LACK (Lost Audio PaCKets Steganography) is intended for a broad class of multimedia, real-time applications, but its main foreseen application is IP telephony. In LACK communication, the stream of voice packets is generated at the transmitter. Suppose the packets are numbered N1-N4. Voice packet N4 is chosen, its payload is replaced with the steganogram, and it is intentionally delayed. After the delay time expires, the delayed voice packet is sent to the receiver. A usual receiver treats a packet that arrives this late as excessively delayed, considers it lost and drops it, whereas a LACK-aware receiver extracts the steganogram from the delayed voice packet.

A user may also have more than one internet connection, established through different ISPs, e.g. one over a public wireless network and another over a cable modem. The steganogram can therefore be divided into fragments that are scattered over different devices or steganographic methods.

Steganogram Hopping:

The Steganogram Hopping technique periodically changes the steganographic method during a single hidden communication. This changes the location of the steganograms, which makes it harder for an intruder or third party to detect them. Steganogram Hopping uses a single connection and transfers a single steganogram fragment at a given time, whereas Steganogram Scattering has no such constraints.

In Steganogram Hopping, SCTP is used as the data carrier. Stream Control Transmission Protocol (SCTP) is a transport layer protocol, serving in a similar role to the popular protocols Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). It provides some of the same service features of both: it is message-oriented like UDP and ensures reliable, in-sequence transport of messages with congestion control like TCP. Three methods can be used for steganogram transfer (W. Frączek, W. Mazurczyk, K. Szczypiorski, 2010).

The multi-homing based method assigns some steganogram bits to each IP address of the sender and receiver. To transfer hidden data, the following retransmitted SCTP chunks are sent to the receiver's IP address.

The multi-streaming based method assigns a sequence of steganogram bits to each SCTP stream. To transfer hidden data, the following SCTP chunks are sent on the proper SCTP streams.

A method that uses the number of SCTP chunks in an SCTP packet as the hidden data carrier.

Fig 5: Steganogram Hopping

Detecting the steganogram in such hidden communication requires detailed statistical analysis of the features of the SCTP connection. If different methods are used, a separate analysis is needed for each method. For the three methods discussed above, the analysis focuses on the distribution of the communication across different IP addresses, across the SCTP streams, or on the number of chunks in SCTP packets. Using the SGH technique with these three methods over a single overt SCTP connection makes detection of the hidden communication harder and also makes steganogram extraction more difficult. Proper analysis could help with steganogram extraction.
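The per-feature analysis described above can be expressed as a comparison of distributions. The following Python example is added here for illustration and is not part of the original essay or of the cited work; the record fields, the constructed sample data, the use of Jensen-Shannon divergence and the 0.1 threshold are all assumptions.

```python
from collections import Counter
from math import log2

# The three SCTP features the text names: destination IP address (multi-homing),
# stream identifier (multi-streaming) and number of chunks per packet.
FEATURES = ("dst_ip", "stream", "chunks")


def distribution(records, feature):
    """Relative frequency of each value of one feature over all packets."""
    counts = Counter(r[feature] for r in records)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 for identical, 1 for disjoint distributions."""
    keys = set(p) | set(q)
    m = {k: (p.get(k, 0.0) + q.get(k, 0.0)) / 2 for k in keys}

    def kl(a):
        return sum(a[k] * log2(a[k] / m[k]) for k in a if a[k] > 0)

    return (kl(p) + kl(q)) / 2


def compare(baseline, observed, threshold=0.1):
    """Analyse each feature separately, as a separate analysis is needed per method."""
    report = {}
    for feature in FEATURES:
        d = js_divergence(distribution(baseline, feature),
                          distribution(observed, feature))
        report[feature] = (round(d, 3), d > threshold)
    return report


# Constructed sample data (not a capture). Baseline: traffic mostly on the primary
# path, one or two chunks per packet. Observed: both paths used equally and chunk
# counts spread evenly over 1..4, while stream usage is unchanged.
BASELINE = [{"dst_ip": "10.0.0.1" if i % 20 else "10.0.1.1",
             "stream": i % 4,
             "chunks": 2 if i % 5 == 0 else 1} for i in range(200)]
OBSERVED = [{"dst_ip": "10.0.0.1" if i % 2 else "10.0.1.1",
             "stream": i % 4,
             "chunks": 1 + i % 4} for i in range(200)]

if __name__ == "__main__":
    for feature, (score, flagged) in compare(BASELINE, OBSERVED).items():
        print(f"{feature:7s} divergence={score:.3f} flagged={flagged}")
```

A flagged feature only says that the association deviates from the baseline for that feature; the baseline has to come from SCTP traffic of the same application for the comparison to be meaningful.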

Carrier Modification Camouflage (CMC):

The main task of Carrier Modification Camouflage (CMC) is to mask the existence of the steganogram in the hidden data carrier. Several actions can be performed to achieve this aim:

Intentional reduction of the steganographic bandwidth: Steganographic bandwidth is defined as the amount of steganogram data transmitted on the data carrier during 1 s (Bps). With this action, steganograms are inserted into the carrier less frequently, so less secret communication is carried out and the chance of detection decreases. It can be used with every available steganographic method and is considered the simplest form of camouflage.

Changing the way the steganographic method works during steganogram transfer: some methods are able to change their behavior while transferring steganograms to reduce the risk of disclosure. In the Cloak method, parameters such as the number of packets and TCP flows can be changed while the communication is taking place, which makes detection harder.

Changing steganographic method behavior to match typical user/service traffic patterns:

Traffic generated by hidden communication should fit into the traffic patterns that are already present in the network and generated by users or services. The sending of steganograms can be restricted to a specific time of day or a particular frequency of traffic generation. For example, the LACK method uses IP telephone calls to send steganograms. This technique takes into account the length, frequency and time of day of the calls performed in the specific network.

Utilization of traffic features to camouflage hidden communication: Several features of traffic can be used, such as anomalies or parameters like the number of lost packets. For example, Retransmission Steganography (RSTEG) establishes hidden communication by intentionally not acknowledging a received packet so that the sender retransmits it. The payload field of the retransmitted packet is replaced with the steganogram.

Inter-Protocol Steganography

According to Jankowski, Mazurczyk and Szczypiorski, inter-protocol steganography is defined as the usage of relationships between two or more different protocols to enable secret communication. Inter-protocol steganography uses protocols that belong to the same layer of the TCP/IP stack or to different layers. Using more than one protocol for hidden communication provides a strong measure against detection and disclosure. Inter-protocol steganography was implemented in the PadSteg (Padding Steganography) method (Bartosz Jankowski, Wojciech Mazurczyk, Krzysztof Szczypiorski). PadSteg uses the relationship between Ethernet, ARP, TCP and other protocols. PadSteg replaces the padding bits of short Ethernet frames with steganograms, exploiting what is known as Etherleak; this vulnerability makes PadSteg non-trivial to detect. PadSteg uses ARP to identify all PadSteg-capable hidden nodes and also to perform so-called carrier-protocol hopping during the hidden exchange. Carrier-protocol hopping is the ability to negotiate the carrier protocol of the steganogram during hidden communication. PadSteg exchanges the hidden data in short frames of protocols such as TCP, UDP and ICMP. To minimize the chance of disclosure, PadSteg can change the carrier protocol for the steganograms, e.g. from TCP to UDP.

Fig 6: Inter-Protocol Steganography in Padsteg
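Because the carrier described above is the padding of short Ethernet frames, a monitoring point can inspect that padding directly. The following Python example is added here for illustration and is not code from the original essay or from the PadSteg authors; it parses only IPv4 and ARP frames, and the helper names, MAC addresses and sample frames are constructed for the example.

```python
import struct

ETH_HDR = 14          # destination MAC + source MAC + EtherType
MIN_FRAME = 60        # minimum Ethernet frame length without the FCS


def padding_of(frame: bytes) -> bytes:
    """Return the bytes that follow the real IPv4/ARP payload (the frame padding)."""
    if len(frame) < ETH_HDR + 8:
        return b""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:                      # IPv4: Total Length marks the payload end
        end = ETH_HDR + struct.unpack("!H", frame[16:18])[0]
    elif ethertype == 0x0806:                    # ARP: 8 fixed bytes + 2 * (hlen + plen)
        end = ETH_HDR + 8 + 2 * (frame[18] + frame[19])
    else:
        return b""                               # other EtherTypes are not parsed here
    return frame[end:] if ETH_HDR < end <= len(frame) else b""


def suspicious_padding(frames):
    """List (index, source MAC, padding length, non-zero bytes) for non-zero padding."""
    hits = []
    for i, frame in enumerate(frames):
        pad = padding_of(frame)
        nonzero = sum(1 for b in pad if b)
        if nonzero:
            hits.append((i, frame[6:12].hex(":"), len(pad), nonzero))
    return hits


def build_frame(src: bytes, ethertype: int, payload: bytes, pad_fill: bytes = b"") -> bytes:
    """Build a constructed test frame, padded to MIN_FRAME with pad_fill, then zeros."""
    frame = b"\xff" * 6 + src + struct.pack("!H", ethertype) + payload
    missing = max(0, MIN_FRAME - len(frame))
    return frame + (pad_fill + bytes(missing))[:missing]


# Constructed sample traffic (not a capture).
ARP = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes(20)   # 28-byte ARP request
TCP_ACK = struct.pack("!BBH", 0x45, 0, 40) + bytes(36)        # 40-byte IPv4 + TCP
BULK = struct.pack("!BBH", 0x45, 0, 100) + bytes(96)          # 100-byte IPv4 packet
HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(HOST_A, 0x0806, ARP),                    # 18 bytes of zero padding
    build_frame(HOST_B, 0x0806, ARP, b"\x13\x37\xbe"),   # non-zero padding
    build_frame(HOST_B, 0x0800, TCP_ACK, b"\xaa\xbb"),   # non-zero padding
    build_frame(HOST_A, 0x0800, BULK),                   # long frame, no padding
]

if __name__ == "__main__":
    for hit in suspicious_padding(SAMPLE_FRAMES):
        print("frame %d from %s: %d padding bytes, %d non-zero" % hit)
```

Non-zero padding is an indicator rather than proof, since a driver affected by Etherleak produces it without any hidden communication. A forwarding device that rewrites frame padding with zeros removes this carrier.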

Multi-Level Steganography (MLS)

Multi-level steganography is an important technique in network steganography, as it is very successful at making steganograms undetectable. According to Frączek, Mazurczyk and Szczypiorski, multi-level steganography uses an available steganographic method, the upper-level method, to create a new level, the lower-level method.

Fig 7: Steganographic bandwidth relationship between overt traffic and upper-level and lower-level method in MLS

MLS requires at least two steganographic methods. The first is the upper-level method, which uses overt traffic as its hidden data carrier. The second is the lower-level method, which uses the way the upper-level method operates as its carrier. The upper-level method is thus the direct carrier for the lower-level method, and the packets from the overt communication are its indirect carrier.

One important point is that the lower-level method uses a small portion of the upper-level bandwidth. Another is that lower-level methods are harder to detect, because they depend completely on the upper-level method: a third party who wants to find the data must detect the upper-level method before the secret data in the lower level can be detected. All available steganographic methods can be used as the upper-level method. The only issue is finding an appropriate lower-level method that can cooperate with the upper-level method. For example, if LACK is chosen as the upper-level method, the lower-level method can hide bits in the numbers of packets carrying upper-level steganograms, which are sent in different time sessions.

Experiment and Results

The experiment setup is shown in the figure. The experiment uses the LACK method and MLS (Multi-Level Steganography). A LAN was set up so that no packets were lost or delayed unless this was done intentionally, which makes it possible to evaluate the impact of LACK and MLS on voice quality.

Fig: LACK and MLS experiment setup

The conversation was recorded beforehand and encoded with G.711; each Real-time Transport Protocol (RTP) packet carries 20 ms of voice in 160 bytes, and the packet rate is 50 packets per second. The communication lasts for 9 minutes, taken as the average call time in IP telephony. The input .wav file was split into pieces that were inserted into the payloads of RTP packets. In the next step, the RTP stream was modified using one of the following steganographic methods:

MLS that transfers 1 bit of the lower-level method steganogram in a single LACK packet (MLS-1).

MLS that transfers 2 bits of the lower-level method steganogram in a single LACK packet (MLS-2).

MLS that transfers 3 bits of the lower-level method steganogram in a single LACK packet (MLS-3).

In the next step, the streams were sent to the receiver, which merged the packets and saved them into an output .wav file. Pieces of the original input file (30 seconds in length) were then compared with the degraded output file using the PESQ method (ITU-T Recommendation P.862, 2001), and the MOS-LQO (Mean Opinion Score - Listening Quality Objective) value was obtained. The experiment was repeated 10 times and the average result was taken. The steganographic bandwidth of the upper-level and lower-level methods was measured, and the cost was also calculated using the MOS scale.

Table 1: Experiment Result

Fig 8: Steganographic bandwidth of upper- (left) and lower-level (right) methods

Fig 9: Experimental voice quality results (MOS-LQO)

The upper-level method used in this experiment is LACK. Adding a lower-level steganographic method has no or negligible impact on voice quality, and no impact was observed on the upper-level bandwidth cost, i.e. Csu = 0. High values of bandwidth cost can occur when LACK introduces around 3% of packet loss. When a high number of packet losses is introduced, voice quality is affected. Therefore, to keep LACK from being detected, the packet loss it introduces must stay within a reasonable range.
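LACK, as described earlier, shows up at the receiver as RTP packets that do arrive but arrive too late to be played, which distinguishes it from packets that are lost in the network and never arrive. The following Python example is added here for illustration and is not part of the original essay or experiment; it uses the G.711 parameters given above (20 ms and 160 timestamp ticks per packet), while the 60 ms playout buffer, the 3% alert level and the constructed flows are assumptions.

```python
CLOCK_HZ = 8000            # G.711 RTP timestamp clock: 160 ticks per 20 ms packet
PLAYOUT_BUFFER_S = 0.06    # assumed depth of the receiver's jitter buffer
ALERT_RATIO = 0.03         # assumed alert level, based on the ~3% figure in the text


def analyse_rtp(packets, buffer_s=PLAYOUT_BUFFER_S, alert=ALERT_RATIO):
    """packets: (arrival_s, seq, rtp_timestamp) tuples of one RTP flow, in arrival order."""
    t0, seq0, ts0 = packets[0]                 # the first packet is assumed to be on time
    seen, late = set(), []
    for arrival, seq, ts in packets:
        idx = (seq - seq0) & 0xFFFF            # position in the stream, safe across seq wrap
        media_s = ((ts - ts0) & 0xFFFFFFFF) / CLOCK_HZ
        if (arrival - t0) - media_s > buffer_s:
            late.append(seq)                   # arrived, but too late to be played
        seen.add(idx)
    expected = max(seen) + 1
    late_ratio = len(late) / expected
    return {
        "expected": expected,
        "missing": expected - len(seen),       # never arrived at all
        "late": len(late),
        "late_seq": late,
        "late_ratio": late_ratio,
        "alert": late_ratio >= alert,
    }


def sample_flow(n, delayed_every=0, delay_s=0.4):
    """Constructed flow: 50 packets/s, small jitter, optionally every k-th packet held back."""
    packets = []
    for i in range(n):
        arrival = 100.0 + i * 0.02 + 0.003 * (i % 3)
        if delayed_every and i % delayed_every == delayed_every - 1:
            arrival += delay_s
        packets.append((arrival, (65500 + i) & 0xFFFF, 1000 + 160 * i))
    return sorted(packets)                     # tuples sort by arrival time first


# Constructed sample flows (not captures), 10 seconds each.
CLEAN_FLOW = sample_flow(500)
LOSSY_FLOW = [p for k, p in enumerate(CLEAN_FLOW) if k % 50 != 10]   # 10 packets lost
DELAYED_FLOW = sample_flow(500, delayed_every=25)                    # 20 packets held back

if __name__ == "__main__":
    for name, flow in (("clean", CLEAN_FLOW), ("lossy", LOSSY_FLOW),
                       ("delayed", DELAYED_FLOW)):
        r = analyse_rtp(flow)
        print(f"{name:8s} missing={r['missing']:3d} late={r['late']:3d} alert={r['alert']}")
```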

Conclusion

In this paper, deep hiding techniques are defined as general techniques that can be applied to steganographic methods such as LACK, Retransmission Steganography and PadSteg to improve their hiding strength and make it harder for a third party to extract the steganogram from the hidden data carrier. A detailed analysis of the methods is required before any extraction can be carried out. These techniques are systematic solutions that make steganographic communication harder to detect and steganogram extraction harder.

Experiments were performed in an IP telephony environment, with LACK as the upper-level method and the selection of even/odd RTP sequence numbers of LACK packets as the lower-level method. The experimental results show that the lower-level method's bandwidth is suitable for providing reliability to the upper-level method, or for carrying encrypted secret data, making it harder to extract upper-level steganograms.


