Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol...
Transcript of Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol...
![Page 1: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/1.jpg)
Inter-protocol Steganography forReal-time Services and Its Detection
Using Traffic Coloring
Florian Lehner1, Wojciech Mazurczyk1,2,Jorg Keller1, Steffen Wendzel3,4
1 University of Hagen, Germany2 Warsaw University of Technology, Poland
3 Worms University of Applied Sciences, Germany4 Fraunhofer FKIE, Germany
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 1
![Page 2: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/2.jpg)
Goals
Steganography (hiding secret data) for streaming protocols isalready known. For this paper, we had the following goals:
Showing that inter-protocol steganography for streamingprotocols is feasible, i.e. hiding secret data using therelationships between at least two protocols.
Determining potential hiding methods.
Evaluating these hiding methods.
Performing first analysis on the detectability of the proposedmethods.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 2
![Page 3: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/3.jpg)
Introduction
Why utilize IP telephony or video streaming for informationhiding?
Popularity of real-time services: usage will not raise suspicions(such traffic will not be considered an anomaly).
Use of a variety of cooperating protocols: provides severalopportunities for data hiding in different network layers.
High steganographic bandwidth: e.g., during an G.711-basedIP telephony call the RTP stream rate is 50 packets persecond. Thus, even hiding only 1 bit in every RTP packetresults in a bandwidth of 50 bit/s.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 3
![Page 4: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/4.jpg)
Introduction
Why utilize IP telephony or video streaming for informationhiding?
Popularity of real-time services: usage will not raise suspicions(such traffic will not be considered an anomaly).
Use of a variety of cooperating protocols: provides severalopportunities for data hiding in different network layers.
High steganographic bandwidth: e.g., during an G.711-basedIP telephony call the RTP stream rate is 50 packets persecond. Thus, even hiding only 1 bit in every RTP packetresults in a bandwidth of 50 bit/s.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 4
![Page 5: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/5.jpg)
Introduction
Why utilize IP telephony or video streaming for informationhiding?
Popularity of real-time services: usage will not raise suspicions(such traffic will not be considered an anomaly).
Use of a variety of cooperating protocols: provides severalopportunities for data hiding in different network layers.
High steganographic bandwidth: e.g., during an G.711-basedIP telephony call the RTP stream rate is 50 packets persecond. Thus, even hiding only 1 bit in every RTP packetresults in a bandwidth of 50 bit/s.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 5
![Page 6: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/6.jpg)
Introduction
Typical real-time service connection consists of two phases:
Signaling phase: messages are exchanged to set up andnegotiate the connection parameters.
Conversation phase: one or more real-time data streams aresent between the parties (e.g. for IP telephony there are twoaudio streams).
A popular protocol in this context is RTP (Real-time TransportProtocol). RTP is accompanied by RTCP (Real-time ControlProtocol).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 6
![Page 7: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/7.jpg)
Introduction
Typical real-time service connection consists of two phases:
Signaling phase: messages are exchanged to set up andnegotiate the connection parameters.
Conversation phase: one or more real-time data streams aresent between the parties (e.g. for IP telephony there are twoaudio streams).
A popular protocol in this context is RTP (Real-time TransportProtocol). RTP is accompanied by RTCP (Real-time ControlProtocol).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 7
![Page 8: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/8.jpg)
Introduction
Inter- and Intra-protocol Steganography:
Intra-protocol Steganography: utilizes covert channels insideone protocol, e.g. embedded into DNS, but no other protocol.
Inter-protocol Steganography: utilizes relationships betweenmultiple protocols.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 8
![Page 9: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/9.jpg)
Introduction
Inter-protocol Steganography Examples:
PadSteg embeds secret data into the Ethernet frame paddingif certain types of higher-level protocol are embedded.
StegSuggest utilizes suggestions presented during usage ofGoogle Web search. Modifications of TCP (window size,timestamp options) influence modifications of HTTP (byadding suggestions which contain secret data).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 9
![Page 10: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/10.jpg)
Introduction
Similar Approaches:1
Protocol Hopping Covert Channels utilize several protocolswithin the same network packet and can change the utilizedprotocol for every new packet. Secret data can also be spreadover multiple layers.
Protocol Switching Covert Channels represent hiddeninformation through the order of network protocols used in aflow.
1see: S. Wendzel & S. Zander: Detecting Protocol Switching Covert Channels, LCN 2012, IEEE, 2012.
and: W. Mazurczyk et al.: Information Hiding in Communication Networks, Wiley-IEEE, 2016.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 10
![Page 11: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/11.jpg)
Fundamentals
RTP provides end-to-end communication transmitting real-timedata such as audio or video, via multicast or unicast.
Usually encapsulated in UDP
Packet frequency and size depends on negotiated multimediacodec.
RTCP provides monitoring, controlling and identification ofRTP streams (approx. 5% of the RTP session bandwidth).
RTCP knows five message types, of which Sender Report(SR, for transmission and reception statistics from activesenders) and Receiver Report (RR, like SR but for non-activesenders) are the most frequently used.
We tried to find unique RTP/RTCP relationships that can beutilized for steganographic purposes.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 11
![Page 12: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/12.jpg)
Fundamentals
RTP provides end-to-end communication transmitting real-timedata such as audio or video, via multicast or unicast.
Usually encapsulated in UDP
Packet frequency and size depends on negotiated multimediacodec.
RTCP provides monitoring, controlling and identification ofRTP streams (approx. 5% of the RTP session bandwidth).
RTCP knows five message types, of which Sender Report(SR, for transmission and reception statistics from activesenders) and Receiver Report (RR, like SR but for non-activesenders) are the most frequently used.
We tried to find unique RTP/RTCP relationships that can beutilized for steganographic purposes.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 12
![Page 13: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/13.jpg)
Analysis of RTP/RTCP Related Fields
Several fields of the RTCP header cannot be used for a covertchannel, e.g.:
Synchronization source identifier (SSRC) remains staticthroughout the RTP session.
RTP timestamp, Extended highest sequence number received,Cumulative number of packets lost, Interarrival jitter andSender’s counts: modifications would be conspicuous andeasily detectable.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 13
![Page 14: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/14.jpg)
Analysis of RTP/RTCP Related Fields
Suitable Candidates:
NTP Timestamp (RTCP): 64-bit value; includes time whenSR/RR was sent. Receiver can then calculate, by subtractionof the timestamp when this report was received, how long ittakes to transmit packets. Value varies from packet to packet.
Fraction Lost (RTCP): number of lost RTP packets sinceprevious SR/RR; reset each time an SR/RR is received.Besides real lost RTP packets, a modified sequence number orholdup of RTP packets will also have an effect on this field.
Delay since last SR (RTCP): is part of SR/RR and should berather constant with small variations (e.g. due to lostSRs/RRs; kept in units of 1/65536s).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 14
![Page 15: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/15.jpg)
Analysis of RTP/RTCP Related Fields
Suitable Candidates:
NTP Timestamp (RTCP): 64-bit value; includes time whenSR/RR was sent. Receiver can then calculate, by subtractionof the timestamp when this report was received, how long ittakes to transmit packets. Value varies from packet to packet.
Fraction Lost (RTCP): number of lost RTP packets sinceprevious SR/RR; reset each time an SR/RR is received.Besides real lost RTP packets, a modified sequence number orholdup of RTP packets will also have an effect on this field.
Delay since last SR (RTCP): is part of SR/RR and should berather constant with small variations (e.g. due to lostSRs/RRs; kept in units of 1/65536s).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 15
![Page 16: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/16.jpg)
Analysis of RTP/RTCP Related Fields
Suitable Candidates:
NTP Timestamp (RTCP): 64-bit value; includes time whenSR/RR was sent. Receiver can then calculate, by subtractionof the timestamp when this report was received, how long ittakes to transmit packets. Value varies from packet to packet.
Fraction Lost (RTCP): number of lost RTP packets sinceprevious SR/RR; reset each time an SR/RR is received.Besides real lost RTP packets, a modified sequence number orholdup of RTP packets will also have an effect on this field.
Delay since last SR (RTCP): is part of SR/RR and should berather constant with small variations (e.g. due to lostSRs/RRs; kept in units of 1/65536s).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 16
![Page 17: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/17.jpg)
Pre-evaluation of Delay Effect
Started with analyzing the impact when RTP packets are subjectedto delays using Opus codec and speech payload for 20ms. Addeddelay on top of the network’s delay; VoIP clients using 60ms jitterbuffer.
Testbed using Debian 8 (Linux 3.16.7) and Linphone (an opensource VoIP client) with accounts from sip.linphone.org toestablish VoIP sessions. Communication between two clients wasrouted through the Internet.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 17
![Page 18: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/18.jpg)
Pre-evaluation of Delay Effect
Impact of the delay on ’Delay since last SR/RR’ values; time between twoRTCP messages converged to a certain level after approx. 20 received RTCPmessages, regardless RTP/RTCP delays.
0 50 100
0
1
2
3·105
The number of the received RTCP message
Tim
ein
1/
65
53
6se
con
ds
Unmodified
Delayed by 100 ms
Delayed by 50 ms
Delayed by 10 ms
Result: modifying RTP delay after RTCP packet 20 has an recognizableimpact on RTCP messages that should allow covert signaling.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 18
![Page 19: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/19.jpg)
Proposed Hiding Methods
Module 1: The Fraction Lost field is used in combination with theRound Trip Time (RTT) of the RTCP messages (influenced bydropped RTP packets).2
Module 2: The Fraction Lost field is only used for signalingpurposes (to inform the covert receiver about the number oftransmitted secret bits).The hidden data relies on the timestamp of the last received RTPpacket in combination with the value of the last RTP timestampwithin a RTCP message. Both values are then compared. Equalvalues are interpreted as 0, otherwise 1.
2The RTT is calculated as the time of arrival of the RTCP messagesubtracted by the Delay since last SR/RR and timestamp of the last SR/RR.These two elements have been selected to form the additional payload, as theyare not relying on each other.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 19
![Page 20: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/20.jpg)
Proposed Hiding Methods
Module 1: The Fraction Lost field is used in combination with theRound Trip Time (RTT) of the RTCP messages (influenced bydropped RTP packets).2
Module 2: The Fraction Lost field is only used for signalingpurposes (to inform the covert receiver about the number oftransmitted secret bits).The hidden data relies on the timestamp of the last received RTPpacket in combination with the value of the last RTP timestampwithin a RTCP message. Both values are then compared. Equalvalues are interpreted as 0, otherwise 1.
2The RTT is calculated as the time of arrival of the RTCP messagesubtracted by the Delay since last SR/RR and timestamp of the last SR/RR.These two elements have been selected to form the additional payload, as theyare not relying on each other.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 20
![Page 21: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/21.jpg)
Three-phase Approach
Initial/Measurement Phase: To achieve a reliable data transfer,the covert communication does not start before the 20th RTCPmessage was received.
Data from the last ten received RTCP messages is collectedto calculate average values for Fraction Lost and RTT(continues till end of VoIP session).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 21
![Page 22: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/22.jpg)
Three-phase Approach
Signaling Phase: informs the peer about the number of hiddenbits to be transferred – basically a simple control protocol:3
Is performed for both modules using the Fraction Lost field.Therefore, the sending side drops selected RTP packets.Afterwards, the receiving side will be informed about thenumber of hidden bits to be sent:
Module 1: encoded within the Fraction Lost fieldModule 2: encoded in the difference between the timestamp ofthe last received RTP packet and the RTP timestamp within areceived RTCP message
3see: S. Wendzel & J. Keller: Hidden and Under Control: A Survey and Outlook on Covert Channel-internal
Control Protocols, in: Annals of Telecommunications (ANTE), Springer, 2014.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 22
![Page 23: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/23.jpg)
Three-phase Approach
Covert Communication Phase: transfers the hidden information.
Module 1: signals secret data by influencing the Fraction Lostfield and calculated RTT values (caused by dropped RTPpackets).Hidden data will be signaled alternating between FractionLost values (in our case: 2 bits) and RTT (1 bit).
Module 2: same as in signaling phase (RTP/RTCP timestampdifferences).
Implemented both modules as LKMs for Linux; they workindependently of the used VoIP clients.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 23
![Page 24: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/24.jpg)
Three-phase Approach
Covert Communication Phase: transfers the hidden information.
Module 1: signals secret data by influencing the Fraction Lostfield and calculated RTT values (caused by dropped RTPpackets).Hidden data will be signaled alternating between FractionLost values (in our case: 2 bits) and RTT (1 bit).
Module 2: same as in signaling phase (RTP/RTCP timestampdifferences).
Implemented both modules as LKMs for Linux; they workindependently of the used VoIP clients.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 24
![Page 25: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/25.jpg)
Evaluation: Impact of M1+M2 on ‘Fraction Lost’ Field
0 20 40 60 80 100 120
0
5
10
15
The number of the received RTCP message
RT
Pp
acke
tlo
sses
Unmodified
Module 1
Module 2
Signaling: Pkts. 23-28/31; Transmission: M1: 23-86 (identifiable; 5:55min for175 bits), M2: not identifiable in Fig.; Coding scheme: identifiable forM1(+M2) (1,3,7,10,13).LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 25
![Page 26: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/26.jpg)
Evaluation: Impact on ‘Delay since last SR/RR’ Field
0 20 40 60 80 100 120
0
0.5
1
1.5
2
2.5
·105
The number of the received RTCP message
in1/
6553
6se
con
ds
Unmodified
Module 1
Module 2
Transmission cannot be too easily identified for M1, however, some clearerdifferences for M2 after signaling phase.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 26
![Page 27: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/27.jpg)
Evaluation: Impact of M1+M2 on the Round Trip Time
0 20 40 60 80 100 120
0.2
0.4
0.6
0.8
1
1.2
The number of the received RTCP message
RT
T[s
]
Unmodified
Module 1
Module 2
Although M2 does not signal using the RTT, its influence on the RTT is higherthan in case of M1.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 27
![Page 28: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/28.jpg)
Traffic Coloring Approach
UDP-Payload
0x80 0x7C 0x00
0x80 0x7C 0x00
0x80 0x7C 0x00
0x80 0x7C 0x00
0x05 0x00 0x00
0x06 0x00 0x00
0x07 0x00 0x00
0x08 0x00 0x00
0x1F 0xE0 0x2D
0x23 0xA0 0x2D
0x27 0x60 0x2D
0x2B 0x20 0x2D
0x78 0xCD 0xFF
0x78 0xCD 0xFF
0x78 0xCD 0xFF
0x78 0xCD 0xFF
...
...
...
...
Fig.: Coloring of network traffic.
Focusing on VoIP, i.e. lower-level headers (UDP, IP) not included.Incoming and outgoing traffic is colored separately.
Time-based steganography reflects on different intervals between network
packets, whereas storage-based steganography changes the regular color
structures.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 28
![Page 29: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/29.jpg)
Traffic Coloring Approach
UDP-Payload
0x80 0x7C 0x00
0x80 0x7C 0x00
0x80 0x7C 0x00
0x80 0x7C 0x00
0x05 0x00 0x00
0x06 0x00 0x00
0x07 0x00 0x00
0x08 0x00 0x00
0x1F 0xE0 0x2D
0x23 0xA0 0x2D
0x27 0x60 0x2D
0x2B 0x20 0x2D
0x78 0xCD 0xFF
0x78 0xCD 0xFF
0x78 0xCD 0xFF
0x78 0xCD 0xFF
...
...
...
...
Fig.: Coloring of network traffic.
Used a script to extract relevant meta-data to generate images (e.g. 1image/5s).Data kept in SVG format (XML) to be machine-readable and ease image(meta data) processing.
Visual representation aids human analyst (visual analytics).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 29
![Page 30: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/30.jpg)
Traffic Coloring Approach
2©
4©
3©
5©
1©
(1) RTCP packet, (2 & 3) re-occurring data – repeating color patterns,(4) packet header, (5) different packet lengths.LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 30
![Page 31: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/31.jpg)
M1: Visual Comparison of Altered and Unaltered Traffic
(a) Unmodified VoIP traffic
1©
2©
3©
4©
5©6©7©
(b) Resulting VoIP traffic of M1
Images are stored in SVG format to allow easy application of image processing
algorithms. / (1-7): unusual vertical spaces
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 31
![Page 32: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/32.jpg)
M2: Colored received RTCP messages
(a) Received RTCP messages fromModule 2, no irregularity visibledue to minimized delay
(b) Selected RTCP messages fromModule 2: same situation despitehigher resolution
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 32
![Page 33: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/33.jpg)
Colored pixels between two received RTCP messages
0 20 40 60 80 100 120
5,000
5,500
6,000
The number of the received RTCP message
Th
eav
erag
en
um
ber
ofp
ixel
s UnmodifiedModule 1Module 2
5,000px represent 1ms of traffic differences visible. Difference of M2between 30-70th message considered detectable (larger than STDEV).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 33
![Page 34: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/34.jpg)
Colored pixels between two received RTP messages
2,200 2,400 2,600 2,800
0
20
40
The number of the received RTP packet
Th
eav
erag
en
um
ber
ofp
ixel
s
Unmodified
Module 1
Module 2
Influence of Inter-protocol Steganography visible.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 34
![Page 35: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/35.jpg)
Initial Detection Approach
1 In each image: count number of colored RTP packetsbetween two consecutive colored RTCP messages.
Colored RTP packets can be distinguished from colored RTCPmessages by the length of the pixel row.
2 Identify start of potential steganographic transmission (basedon above values).
3 Colored RTP packets and RTCP messages are evaluatedseparately:
For each generated image: determine time between twoconsecutive RTP packets.This is done for RTCP messages accordingly.
4 A resulting value is classified as ‘steganographic’ if it variesfrom the expected one by more than the calculated standarddeviation (built from the average of ten unmodified VoIPsessions).
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 35
![Page 36: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/36.jpg)
Initial Detection Results
RTCP messages RTP packetsModule 1 Module 2 Module 1 Module 2
TP175(14.58%)
278(23.17%)
90123(32.82%)
51847(18.87%)
FP645(53.75%)
162(13.50%)
106677(38.85%)
53763(19.58%)
TN269(22.42%)
595(49.58%)
45972(16.74%)
103281(37.61%)
FN 111 (9.25%)165(13.75%)
31838(11.59%)
65749(23.94%)
Sensitivity 61% 63% 74% 44%Specificity 29% 79% 30% 66%
FPR 71% 21% 70% 34%FNR 39% 37% 26% 56%
A high sensitivity corresponds to a high probability of detection and a high specificity corresponds to a highprobability of absence of modifications.However, both approaches need further investigation to provide convincing results.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 36
![Page 37: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/37.jpg)
Summary
Summarizing Characteristics of M1 & M2:
Steganographic bandwidth: M1: 3 bits/RTCP message (whichshould not exeed 5% of the messages), M2: 1 bit/RTCP message.In our tests: 0.6 bit/s (M1) and 0.2 bit/s (M2).
Robustness: M1 & M2 are not suitable for networks where delaysand packet losses vary widely.Detectability: VoIP sessions only slightly modified, which aidscovertness. However, detectability not excessively tested and, asusual for such methods, depends on the extend steganography isembedded.Effect on VoIP session: Minimal: M1 Fraction Lost manipulationcan have an effect on VoIP quality, thus was chosen so small thatit is not noticeable. M2 has no impact on the mouth-to-ear delay,as only RTCP messages are delayed.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 37
![Page 38: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/38.jpg)
Summary
Summarizing Characteristics of M1 & M2:
Steganographic bandwidth: M1: 3 bits/RTCP message (whichshould not exeed 5% of the messages), M2: 1 bit/RTCP message.In our tests: 0.6 bit/s (M1) and 0.2 bit/s (M2).Robustness: M1 & M2 are not suitable for networks where delaysand packet losses vary widely.
Detectability: VoIP sessions only slightly modified, which aidscovertness. However, detectability not excessively tested and, asusual for such methods, depends on the extend steganography isembedded.Effect on VoIP session: Minimal: M1 Fraction Lost manipulationcan have an effect on VoIP quality, thus was chosen so small thatit is not noticeable. M2 has no impact on the mouth-to-ear delay,as only RTCP messages are delayed.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 38
![Page 39: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/39.jpg)
Summary
Summarizing Characteristics of M1 & M2:
Steganographic bandwidth: M1: 3 bits/RTCP message (whichshould not exeed 5% of the messages), M2: 1 bit/RTCP message.In our tests: 0.6 bit/s (M1) and 0.2 bit/s (M2).Robustness: M1 & M2 are not suitable for networks where delaysand packet losses vary widely.Detectability: VoIP sessions only slightly modified, which aidscovertness. However, detectability not excessively tested and, asusual for such methods, depends on the extend steganography isembedded.
Effect on VoIP session: Minimal: M1 Fraction Lost manipulationcan have an effect on VoIP quality, thus was chosen so small thatit is not noticeable. M2 has no impact on the mouth-to-ear delay,as only RTCP messages are delayed.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 39
![Page 40: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/40.jpg)
Summary
Summarizing Characteristics of M1 & M2:
Steganographic bandwidth: M1: 3 bits/RTCP message (whichshould not exeed 5% of the messages), M2: 1 bit/RTCP message.In our tests: 0.6 bit/s (M1) and 0.2 bit/s (M2).Robustness: M1 & M2 are not suitable for networks where delaysand packet losses vary widely.Detectability: VoIP sessions only slightly modified, which aidscovertness. However, detectability not excessively tested and, asusual for such methods, depends on the extend steganography isembedded.Effect on VoIP session: Minimal: M1 Fraction Lost manipulationcan have an effect on VoIP quality, thus was chosen so small thatit is not noticeable. M2 has no impact on the mouth-to-ear delay,as only RTCP messages are delayed.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 40
![Page 41: Inter-protocol Steganography for Real-time Services and Its … · 2017-10-10 · Inter-protocol Steganography for Real-time Services and Its Detection Using Tra c Coloring Florian](https://reader034.fdocuments.in/reader034/viewer/2022042115/5e92f8f2aae9c7652564ec6b/html5/thumbnails/41.jpg)
Future Work
Experiment with other codecs than Opus.
Improve detection method to achieve better detection results.
Continue development of Traffic Coloring, i.e. extend the visualanalytics component (e.g. fine-grained scrolling and zooming toallow inter-action with the detection algorithm) and perform a userstudy.
LCN’17, Singapore Lehner/Mazurczyk/Keller/Wendzel: Inter-protocol Steganography for Real-time Services 41