8/2/2019 Kraetzer SPIE08 WLAN Stego-Final
1/17
WLAN Steganography Revisited
Christian Kraetzer (1), Jana Dittmann (1) and Ronny Merkel (1)
(1) Otto-von-Guericke University Magdeburg, Universitaetsplatz 2, D-39106 Magdeburg
Contact email: [email protected]
ABSTRACT
Two different approaches for using a sequence of packets of the IEEE 802.11 (WLAN) protocol as cover for a steganographic communication can be found in the literature: in 2003 Krzysztof Szczypiorski [1] introduced a method constructing a hidden channel using deliberately corrupted WLAN packets for communication. In 2006 Kraetzer et al. introduced a WLAN steganography approach that works without generating corrupted network packets. This latter approach, with its hidden storage channel scenario (SCI) and the timing channel based scenario (SCII), is reconsidered here.
Fixed parameter settings limiting the capabilities of SCI in the implementation (already introduced in 2006) motivated an enhancement. The new implementation of SCI increases the capacity, while at the same time improving the reliability and decreasing the detectability in comparison to the work described in 2006. The timing channel based approach SCII from 2006 is in this paper substituted by a completely new design based on the usage of WLAN Access Point addresses for the synchronisation and payload transmission. This new design now allows a comprehensive practical evaluation of the implementation and of the scheme, which was not possible with the original SCII before. The test results for both enhanced approaches are summarised and compared in terms of detectability, capacity and reliability.
Keywords: WLAN steganography
1. MOTIVATION AND INTRODUCTION
In 2006 Kraetzer et al. [2] introduced a Python based WLAN [4] steganography prototype which, using the notation of Katzenbeisser [5], employed pure steganography (i.e. a system which does not require the prior exchange of some secret information between sender and receiver). For a passive steganography approach [6] two different communication scenarios were introduced. The first communication scenario (in the following referred to as SCI) was a covert storage channel [3] using header embedding similar to the TCP/IP based schemes of Kundur et al. [7] or Murdoch et al. [8] for the construction. In this prototype the synchronisation pattern and the fields used for the embedding of the payload were fixed, which allowed functioning as pure steganography.
The second communication scenario in Kraetzer et al. [2] (in the following referred to as SCII) was aiming at the construction of a covert timing channel [3] for WLANs. Unlike other network based covert timing channels (e.g. the IP based scheme described by Cabuk et al. [9]) the WLAN approach has the problem that a packet, once sent, can by no means be dropped or manipulated. To overcome this obstacle Kraetzer et al. [2] used a WLAN protocol function which allows a sender to re-send a packet if it has to assume that the initial sending failed (e.g. by superposing). This function re-sends WLAN packets without changes except that one flag in the header (Retry) is set, allowing the intended receiver to drop the packet without further processing if the initial packet was received. A prototypical implementation of SCII was also presented by Kraetzer et al. [2], but it had to rely on a predefined (static) synchronisation between the communication partners in the steganographic channel and nevertheless showed a very low reliability. All ideas for a dynamic synchronisation in this earlier scenario failed.
In this paper the shortcomings regarding SCI and SCII as described by Kraetzer et al. [2] are addressed by a newly implemented steganography and steganalysis tool set. The new implementation, which is in C++ instead of Python, enhances SCI, redesigns SCII and allows a more detailed evaluation of the performance of the steganographic approach in regards to detectability, capacity and reliability. Therefore the primary goal of our work is the evaluation of the performance of the new scenarios in terms of detectability, capacity and reliability. The secondary goal is the determination of the performance of the implemented self-synchronisation.
Figure 1 shows the adaptation of a classic passive steganography [6] scenario to WLAN steganography. The basic principle here is to use a WLAN communication between two communication partners A and B as cover for the construction of a hidden channel between two other communication partners C and D. Furthermore the existence of an attacker/steganalyst E in the scenario is assumed.
Figure 1: Basic principle for WLAN steganography as introduced by Kraetzer et al. [2]
This paper is structured as follows: section 2 briefly introduces the improvements for the storage channel based steganographic scenario, section 3 introduces a new design for the timing channel based steganographic scenario overcoming the problems of the previous timing channel approach. In section 4 the parameters which can be modified for the implemented scenarios are introduced, before in section 5 the test scenario is specified, which aims at evaluating the impact of the chosen parameters on the detectability, capacity and reliability of the scenarios. The results of the evaluations are presented in section 6. Section 7 concludes the paper with a summary and an indication of further work.
2. THE IMPROVED STORAGE CHANNEL BASED COMMUNICATION SCENARIO
To distinguish between the old scheme for covert storage channel steganography for WLANs (SCI) presented by Kraetzer et al. [2] and the new scheme, the latter is referred to in the following as new scenario I (NSCI). Unlike SCI, where the prototype used pure steganography with fixed WLAN channel, synchronisation pattern and fields used for the embedding of the payload, in NSCI the synchronisation pattern and the fields for payload embedding are freely definable. The configuration has to be shared between C and D, which makes the scenario a secret key steganography approach. In this prototype the only key is kI = konfI, the parameterisation file for NSCI: every possible parameterisation represents one key in the key space, but since the number of reasonable parameterisations is limited, the number of practically available keys is also strongly limited; further research might be invested to improve the security of the key scheme chosen. Furthermore the WLAN channel used can either be defined by the parameterisation shared by C and D or automatically synchronised. Also the C++ implementation of NSCI allows to discard the 0.5 seconds delay between two stego packets, which had to be introduced into SCI due to the slow access time of the Python based prototype to the driver of the WLAN NIC (network interface card). Thereby the improved design of NSCI increases the maximum achievable capacity. NSCI knows the following user definable parameters: delay, synchronisation pattern, fields for embedding, scanlength, lower packet bound, upper duplicates bound, start channel, and end channel. These parameters are discussed in more detail in section 4.
2.1. SENDER IN NSCI
In NSCI C, which is the sender in the hidden channel, has to perform three consecutive operations: channel selection, packet filtering and embedding. These three operations are realised in modules as shown in Figure 2.
The first module invoked by C performs a channel selection in the WLAN. This channel selection module, which takes its parameterisation from the configuration file konfI, scans all channels Channels (maximum 13, depending on national regulations) in the range specified in the configuration file. The first channel found fulfilling the quality criteria specified in konfI (in terms of the lower bound of packets per second in the channel and the upper bound of natural occurrence of packets with a set Retry flag) is used for the hidden communication and is in the following denoted with ChanCI.
After the channel selection a packet filtering is performed on the packet stream PCI in the selected channel ChanCI. An additional parameter delay is fetched from konfI in this step and indicates the (minimum) time between two
[Figure 3 (diagram): receiver modules in NSCI: WLAN channel selection (configuration konfI; scans Channels; outputs channel ChanDI), packet filter (configuration konfI; packet stream PDI) and detector (configuration konfI; outputs message m); a reset signal leads back to the channel selection.]
Figure 3: Composition of the receiver in NSCI
3. THE REDESIGNED TIMING CHANNEL BASED COMMUNICATION SCENARIO
To distinguish between the old scheme for covert timing channel steganography for WLANs (SCII) presented by Kraetzer et al. [2] and the new scheme, the latter is referred to in the following as new scenario II (NSCII).
A complete redesign of the covert timing channel steganography approach had to be performed because the assumption for a synchronisation between C and D in SCII proved difficult in practical tests. The original idea and assumption as described by Kraetzer et al. [2] is that C and D would see the same WLAN network (in terms of communicating stations, sent packets, packet order, etc.) if close together. If they had been able to see the same (or at least very similar) actual status of the wireless networks, C and D would have been able to construct a matrix of communication instances in the WLAN and use this as a basis for synchronisation. The problem with this approach, already identified by Kraetzer et al. [2], is the strong divergence between the WLAN networks visible and accessible to C and D, even if close together and using exactly the same hardware, as observed in our tests.
Therefore the new synchronisation scheme proposed for NSCII uses a key-based dynamic synchronisation scheme for the synchronisation between C and D. In the introduced prototype the key kII in NSCII is composed of the parameterisation file konfII and a user specified 8 bit ASCII key key (in our tests we used key=1234); further research needs to be invested to improve the security of the key scheme chosen with respect to the theoretical overall key space size and the number of practically feasible keys (elimination of weak keys). This synchronisation scheme is based on the assumption that, even if C and D do not observe exactly the same behaviour of the WLAN (which was required for SCII), D nevertheless receives all the packets which are duplicated by C (since D is placed in range of C) and can therefore retrieve the used APs with the help of a shared secret (section 3.2). In this approach the first two APs found in one channel fulfilling the quality criteria specified in konfII are selected for the secret communication. One is considered the source for packets which, if re-sent (duplicated by C with set Retry bit), represent a 1 in the steganographic channel and the second one is used as a source of packets which represent the 0. NSCII knows the following user definable parameters: delay, error correction parameters, scanlength, lower packet bound, upper duplicates bound, start channel, and end channel. These parameters are discussed in more detail in section 4.
3.1. SENDER IN NSCII
In NSCII C, which is the sender in the hidden channel, has to perform four consecutive operations: channel/AP selection, message pre-processing, packet filtering and embedding. The interaction between the modules implementing these operations is shown in Figure 4.
Channel- & AP-selection: In addition to the channel selection from NSCI, here also a selection of a tuple of APs (Access Points) is performed. The configuration for the user defined parameter scanlength in the file konfII determines how long a channel in the specified range is scanned for its usefulness in NSCII. In addition to the existence of at least two active APs in the channel, the channel has to satisfy the following requirements specified in konfII: the lower bound of packets (default: 10 packets per second) for the two used APs, and the upper bound of packets sent by these two APs with a set Retry bit (depending on the intended reliability of the channel). If a channel ChanCII is found which satisfies the requirements for the lower bound of traffic and the upper bound for packets with Retry, it is used for the hidden communication and the tuple of AP addresses is sent to the pre-processing module.
[Figure 4 (diagram): sender modules in NSCII: WLAN channel- & AP-selection (configuration konfII; scans Channels; outputs channel ChanCII and APs APCII), pre-processing (configuration konfII & key; input message m; outputs address stream ADR), packet filter (configuration konfII; input packet stream PCII) and embedding module (outputs the modified packet stream PCII back into the WLAN).]
Figure 4: Composition of the sender in NSCII
Pre-processing: Prior to the transmission in NSCII the message m has to be modified to improve the reliability by adding error correction and synchronisation information; furthermore the resulting bit-stream BCII has to be transformed into an address-stream ADR.
The message m is split into blocks of 8 bit size, each representing one message byte, and a 12 bit synchronisation word is added to each block. This synchronisation word consists of two components: a 9 bit key-based hash value computed by the hash function hash1(APCII,key) from the MAC addresses of the used APs (in the evaluated prototype a XOR with the ASCII object key, which is a shared secret between C and D, is used as hash function; further research of course needs to consider improving the security by the choice of a different and cryptographically secure hash function) and a 3 bit byte switch SCII used for error correction method 1 (ecm1). The pre-processing module of NSCII therefore transforms 8 bit of payload into 20 bit of the stream BCII under the constraint that ecm1 is switched off. If the error correction method ecm1 is enabled, each byte of the message is inserted repeatedly (d times) into BCII. Thereby the size of BCII is computed as BCII = d * 20 bit * l, where d is the number of repetitions specified in konfII and l is the message length (a default value of d=5 is used in the tests performed within this work).
As a last step in pre-processing the bit stream BCII is encoded into an address stream ADR by using a second key based hash function for assigning the two selected APs to the message bits 0 and 1. This operation is performed as hash2(APCII,key), which returns as output either 0 or 1 (here also a XOR with key is used; see the description of hash1(APCII,key) above), where, similar to hash1(APCII,key), APCII represents the MAC addresses of the used APs and key is the shared secret between sender and receiver. All message bits are then substituted by the corresponding AP address.
Like in NSCI the sending station C applies in NSCII a packet filter to the packet stream (PCII) to generate a modified packet stream PCII. The rules applied in the filtering are:
1. Fetch the next packet
2. Drop the packet, if it is not sent on channel ChanCII
3. Drop the packet, if the ADDRESS2 header field is not the next address in ADR
4. Drop the packet, if it is of subtype 0 or 5
5. Forward the packet to the embedding module
6. Flush the buffer
7. Delete the first address in ADR
8. Sleep for delay microseconds
9. Goto 1.
Like in NSCI the delay is customised in the configuration file for the scenario (konfII). In addition to the filtering rules already used by NSCI, here two additional lines are added (rules 3 and 6) which filter the addresses based on ADR and modify ADR after a packet is forwarded to the embedding module.
In NSCII the embedding module has the tasks to set the Retry bit in all packets in PCII, to update the CRC in the WLAN header of each packet and to insert the resulting packet stream PCII back into the WLAN network.
3.2. RECEIVER IN NSCII
The receiver D of the steganographic message m in NSCII has to ensure WLAN channel synchronicity with C. As already introduced in section 2.1 for NSCI, two methods for channel synchronisation are foreseen: either the channel is predefined as in SCII or a dynamic synchronisation of D on the channel used by C is performed. Having done the WLAN channel synchronisation the receiver performs packet filtering and detection steps as shown in Figure 5.
[Figure 5 (diagram): receiver modules in NSCII: WLAN channel- & AP-selection (configuration konfII & key; scans Channels and APs; outputs channel ChanDII, APs APDII and byte-switch SDII), packet filter (configuration konfII & key; packet stream PDII; sends reset to the channel- & AP-selection) and detector (configuration konfII; outputs message m).]
Figure 5: Composition of the receiver in NSCII
Channel-, AP-selection and synchronisation: In the detection process in NSCII the WLAN is analysed. All channels are scanned for the time scanlength for the presence of APs and possible synchronisation words. The APs found in a WLAN channel are stored in a list and a second list contains all possible 2-tuples of AP addresses. Using hash2(konfII,key) a 0 or a 1 is assigned to each of the AP addresses per tuple.
Both lists are updated with every received WLAN packet which passes a primary filtering removing all packets which: are not involving an AP, have no Retry bit set and are of subtypes 0 and 5. For all packets which pass this primary filtering a synchronisation attempt is performed.
A synchronisation attempt takes the sender address of a packet and identifies all tuples in the tuples list which contain this address. Depending on the value assigned by hash2(konfII,key) a 0 or 1 is added to the corresponding stream. After enough (12 for a synchronisation word, see section 3.1) packets are received for one of the alternate streams, the bits of the resulting bit string are compared to the output of hash1(APDII,key), where APDII is the corresponding AP tuple and key is the shared secret between C and D. If the strings match then a positive synchronisation is performed with the APs of APDII and the status of the byte switch SDII is read from the bit-string. If no positive synchronisation could be performed the next of the alternate streams is evaluated.
The channel with the most positive synchronisations is considered by D to be the channel used in the hidden communication ChanDII. If C and D are synchronised correctly then ChanCII = ChanDII. After ChanDII is chosen the module scans it for a user definable time for further synchronisation words. If no further synchronisation words can be found the channel selection process is started again.
In the channel- and AP-selection module also a second error correction mechanism (ecm2) is implemented for NSCII with the goal to further improve the reliability of the scenario. It is based on a fuzzy search [10] and generates optimal alignments in the matching between the first 12 bit (the length of a synchronisation word in NSCII) of one of the alternate strings described above and the output of hash1(APDII,key). Each of these alignments has a distance to the result of hash1(APDII,key). If this distance is below a threshold, the algorithm still considers the strings to match. For the tests performed here the threshold and weighting of the fuzzy search are chosen to cover error bursts up to 10 errors (this value is based on observations during preliminary tests where some packets were replayed up to 10 times by their original sender using the Retry mechanism).
Packet filtering: If a channel ChanDII is selected and a synchronisation is found in this channel, the next eight packets (which contain the payload, see section 3.1) with a set Retry bit from the APs in APDII are considered to belong to the hidden channel. In contrast to the rules for the detector for NSCI, in NSCII the Retry flag has to be set (rule 3) and the considered packets can be further reduced to the addresses in APDII (rule 4). As a further step, which is not necessary in NSCI, rule 7 below resets the channel- and AP-selection module every 8 payload bit (see section 3.1). A rule which is required for NSCI and which does not exist for NSCII is the check for the set synchronisation flags prior to the forwarding to the detector. The rules are:
1. Fetch the next packet
2. Drop the packet, if it is not sent on channel ChanDII
3. Drop the packet, if RETRY is not set
4. Drop the packet, if the ADDRESS2 header field is not in APDII
5. Drop the packet, if it is of subtype 0 or 5
6. Forward the packet to the detector
7. If 8 packets have been received: send a RESET and wait for new ChanDII and APDII
   Else: Goto 1.
If the channel- and AP-selection module receives the reset command sent by the packet filter after a group of 8 packets, a new synchronisation word is searched for. If no synchronisation word could be found after a user specified time then the channel selection is restarted. The result of the packet filtering process is the packet stream PDII (which could be described as ADR without the synchronisation).
The detector maps the AP addresses in PDII to the bit values 0 and 1 by using hash2(APDII,key). The output of this mapping is the bit-stream BDII, which is represented as blocks of 8 bits with the corresponding byte switch SDII signalled by the channel- and AP-selection module.
The detector keeps the SDII from the previous block and compares it to its actual value. If they match, a copy of the previous byte is received (ecm1); if they differ, a new byte is received. In case ecm1 is enabled all received copies of one byte are compared and a majority decision is made. The received bytes are concatenated and the received message m is generated.
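The NSCII pre-processing of section 3.1 and the detector of section 3.2, modelled end to end as an added example that is not part of the paper's C++ tool set. hash1 and hash2 are assumed XOR-folding stand-ins for the paper's XOR-with-key hash functions, the AP MAC addresses and the short message in demo() are constructed, the byte switch is assumed to increment with every new message byte, and ecm2 (the fuzzy search) is not modelled.

```python
# Added example (not the paper's code): toy model of the NSCII sender
# pre-processing (section 3.1) and receiver detector (section 3.2).
# hash1/hash2 are assumed XOR-folding stand-ins for the paper's XOR-with-key
# hash functions; the AP MAC addresses are constructed sample values.
from collections import Counter

KEY = b"1234"                          # shared secret between C and D (key=1234 as in the tests)
AP_A = bytes.fromhex("001122aabbcc")   # constructed MAC address of the first selected AP
AP_B = bytes.fromhex("00deadbeef01")   # constructed MAC address of the second selected AP
D_REPS = 5                             # ecm1 repetitions d (paper default: 5)


def _fold(mac, key):
    """XOR-fold a MAC address with the key into a 16 bit value (assumed stand-in)."""
    acc = 0
    for i, b in enumerate(mac):
        acc ^= (b ^ key[i % len(key)]) << (8 * (i % 2))
    return acc


def hash1(aps, key):
    """9 bit key-based hash over both AP addresses: first part of the sync word."""
    return (_fold(aps[0], key) ^ _fold(aps[1], key)) & 0x1FF


def hash2(aps, key):
    """Assign the bit values 0/1 to the two APs. Assumption: the first AP gets the
    parity of its folded value, the second AP the complementary bit, so every
    tuple yields a usable 0/1 assignment."""
    first = bin(_fold(aps[0], key)).count("1") & 1
    return {aps[0]: first, aps[1]: 1 - first}


def preprocess(message, aps, key=KEY, d=D_REPS):
    """Section 3.1: message m -> bit stream B_CII -> address stream ADR.

    Every message byte becomes a 20 bit block: 9 bit hash1 + 3 bit byte switch
    S_CII + 8 payload bits, repeated d times for ecm1 (d=1 means ecm1 off).
    """
    sync = hash1(aps, key)
    bits = []
    for i, byte in enumerate(message):
        switch = i % 8                        # 3 bit byte switch, changes for every new byte
        block = (sync << 11) | (switch << 8) | byte
        bits += [(block >> (19 - k)) & 1 for k in range(20)] * d
    bit_to_ap = {bit: ap for ap, bit in hash2(aps, key).items()}
    return [bit_to_ap[b] for b in bits]       # len == d * 20 * len(message)


def detect(adr, aps, key=KEY, ecm1=True):
    """Section 3.2: receiver side. `adr` is the ADDRESS2 stream of Retry packets
    seen by D (packets from APs outside the tuple are dropped like filter rule 4)."""
    ap_to_bit = hash2(aps, key)
    bits = [ap_to_bit[ap] for ap in adr if ap in ap_to_bit]
    sync = hash1(aps, key)
    groups = []                               # (byte switch S_DII, received copies)
    pos = 0
    while pos + 20 <= len(bits):
        word = int("".join(map(str, bits[pos:pos + 12])), 2)
        if word >> 3 != sync:                 # no synchronisation word here: slide on
            pos += 1
            continue
        switch = word & 0x7
        byte = int("".join(map(str, bits[pos + 12:pos + 20])), 2)
        if groups and groups[-1][0] == switch:
            groups[-1][1].append(byte)        # same switch: a further copy (ecm1)
        else:
            groups.append((switch, [byte]))   # new switch: a new message byte
        pos += 20
    out = bytearray()
    for _, copies in groups:
        # ecm1: majority decision over all copies; otherwise take the first copy
        out.append(Counter(copies).most_common(1)[0][0] if ecm1 else copies[0])
    return bytes(out)


def demo():
    """Transmit a constructed message and corrupt one payload packet of the first copy."""
    aps = (AP_A, AP_B)
    adr = preprocess(b"Hi", aps)
    adr[15] = AP_B if adr[15] == AP_A else AP_A   # one wrong AP inside the first payload
    return detect(adr, aps), detect(adr, aps, ecm1=False)


if __name__ == "__main__":
    print(demo())   # majority decision repairs the byte, the ecm1-less path does not
```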
4. PARAMETERISATION OF THE SCENARIOS
Table 2 shows the user definable parameters for the implementations of NSCI and NSCII. An x in the table indicates the relevance of the parameter for the corresponding scenario.
Parameter | NSCI | NSCII
delay (range: 0s) | x | x
synchronisation pattern (range: all possible variations of IEEE 802.11 FCF fields) | x |
fields for embedding (range: all possible fields in the IEEE 802.11 header except FCF & DATA; default: DurationID) | x |
error correction parameters (range: none, ecm1 and/or ecm2 enabled; default number of repetitions for ecm2: 5) | | x
scanlength (range: 0s) | x | x
lower packet bound (default: 10 packets per second) | x | x
upper duplicates bound (range: 0) | x | x
start channel (range: 1-13; default: 1) | x | x
end channel (range: 1-13; default: 13) | x | x
Table 2: Parameters and their relevance for NSCI and NSCII
The parameter delay in Table 2 is the time the algorithm waits between two duplicated packets (this is considered the equivalent of the embedding strength in other steganography scenarios and has a direct influence on the detectability, capacity and reliability of the introduced approaches). In synchronisation pattern the synchronisation pattern for NSCI is specified. Here the flags of the IEEE 802.11 Frame Control Field (FCF) [4] (ProtocolVersion, Type, Subtype, ToDS, FromDS, MoreFrag, Retry, PowerManagement, MoreData, WEP and Order) can be identified as either necessary for synchronisation or not necessary. The parameter fields for embedding specifies which fields of the IEEE 802.11 Media Access Control (MAC) header [4] are used in NSCI for the payload embedding. These fields are: Frame Control (FCF), Duration ID, Address 1, Address 2, Address 3, Sequence Control, Address 4, Data and CRC, where Frame Control is the FCF already addressed above and reserved here for synchronisation, and Data is the actual payload of the WLAN packet and therefore has to remain unchanged under any condition. Note that not all fields in the FCF and MAC header can be used for the duplicated packets without negative impact on the reliability of the WLAN network, therefore the usage
of some fields has to be strictly avoided. Since the packet is not modified for NSCII, the parameters synchronisation pattern and fields for embedding are not required for this scenario. The parameter error correction parameters specifies the error correction type used (two different mechanisms are implemented) and is only valid in NSCII. The five other parameters scanlength, lower packet bound, upper duplicates bound, start channel and end channel are required only for the selection of the WLAN network by C and therefore for the channel synchronisation between C and D.
5. TEST SCENARIO
In this section the complete test scenario consisting of the test objectives and the test set-up is introduced.
5.1. Test Objectives
The primary goal for the tests is the evaluation of the performance of the introduced scenarios in terms of detectability, capacity and reliability. The secondary goal is the determination of the performance of the implemented self-synchronisation schemes for NSCI and NSCII. In the following subsections the measurement/computation of the characteristics non-detectability (T), capacity (Cap) and reliability (R) is described. The chosen fixed message m and the used keys for the tests are described in section 5.2.
5.1.1. Detectability/non-detectability Evaluations
For the evaluations of the relative non-detectability the occurrence of the modified FCF flags in the WLAN is measured, therefore it is computed for NSCI and NSCII the same way. For the computation the WLAN is scanned for the selected synchronisation pattern with the steganographic channel present (numPackets sync with stego). From this number the number of packets sent by C (numPackets_C) is subtracted, returning the value for numPackets sync without stego. Now the two ratios Tsync without stego and Tsync with stego are computed using the number of usable packets in the WLAN (numPackets):

$$T_{\mathrm{sync\ without\ stego}} = \frac{numPackets_{\mathrm{sync\ without\ stego}}}{numPackets} \qquad (1)$$

$$T_{\mathrm{sync\ with\ stego}} = \frac{numPackets_{\mathrm{sync\ with\ stego}}}{numPackets} \qquad (2)$$
While in NSCI different synchronisation patterns have to be considered, in NSCII only the impact of the embedding in the Retry bit has to be measured. The overall detectability T is then computed as:

$$T = 1 - \left(T_{\mathrm{sync\ with\ stego}} - T_{\mathrm{sync\ without\ stego}}\right) \qquad (3)$$

If Tsync with stego = Tsync without stego, which is the case if the WLAN without and with a steganographic channel has the same occurrence of synchronisation patterns per second, T is equal to 1, which indicates a maximum value of non-detectability. When Tsync with stego > Tsync without stego the detectability T assumes values below 1. If the natural occurrence of packets with a valid synchronisation in a WLAN (Tsync without stego) is known or measured in advance, the expected detectability Texp for NSCI and NSCII can be estimated by C in advance using delay and equations (2) and (3).
5.1.2. Capacity Evaluations
The absolute capacity Cap (in byte per second) for a channel for NSCI and NSCII is described as the product of the number of packets modified by C per second (numPackets_C) and the capacity per modified packet (Cap_P). For NSCI Cap_P can be parameterised between 2 and 32 byte. If NSCII is used without ecm1 then Cap_P is 1/20 byte, otherwise this value is divided by the number of duplicates in ecm1. The capacity for an ideal channel Cap_max can be computed for values of delay > 0 to provide a point of reference:

$$Cap = numPackets_C \cdot Cap_P \qquad (4)$$

$$Cap_{max} = \frac{Cap_P}{delay} \qquad (5)$$
5.1.3. Reliability Evaluations
While the computation of the capacity is the same for NSCI and NSCII, for the evaluation of the relative reliability two different approaches have to be defined. Both require numPackets_C, which is the number of packets sent by C. For the reliability of NSCI (R_NSCI) the ratio between numPackets_C and the number of packets with correct synchronisation received by D (numPackets_D) is measured as:
$$R_{NSCI} = \frac{numPackets_D}{numPackets_C} \qquad (6)$$

$$R_{NSCI\_exp} = \frac{numPackets_C}{numPackets_C + numSyncsNat} \qquad (7)$$

If the relative frequency of natural occurrence of packets with the synchronisation pattern (numSyncsNat) for a given channel is known or measured in advance, the expected reliability R_NSCI_exp can be computed for this channel as shown in equation (7).
In the reliability evaluations for NSCII, in addition to the ratio between correctly sent and received packets, the fact that one data byte is signalled with a fixed sequence of duplicated packets (20 if ecm1 is off) has to be taken into account. If ecm1 is used, the number of packets to be duplicated for the transmission of one byte increases by the number of repetitions. Therefore the reliability of NSCII (R_NSCII) is modelled as:

$$R_{NSCII} = \frac{numCorrectBytes_D}{numPackets_C \cdot Cap_P} \qquad (8)$$

where numCorrectBytes_D is the number of bytes correctly received by D, numPackets_C is the number of packets sent by C and Cap_P is the capacity per packet.
5.2. Test Set-up and Test Procedure
A large number of tests for the introduced scenarios are necessary to allow for any generalisation of the results. For the evaluation of the primary goal, which is the evaluation of the performance of NSCI and NSCII in terms of detectability, capacity, and reliability, 12 different WLAN networks are considered (public networks with a large number of APs in the dept. of computer science of the Otto-von-Guericke University of Magdeburg at night (low traffic) and day (high traffic) as well as small private networks).
In each network the traffic is monitored for 15 minutes without a steganographic channel present. Then 15 different tests of 20 minutes each are performed for NSCI, varying the parameters delay (0, 0.1, 1, 10, and 100s) and the synchronisation pattern (Retry, Retry&MoreData, Retry&Fragments). For NSCII 16 tests of 20 minutes each are performed for each WLAN, varying delay (0, 0.1, 1, and 10s) and the error correction method used (none, ecm1, ecm2, ecm1&2). All tests for one WLAN are performed consecutively and have an overall duration of 635 minutes. The duration of the complete monitoring in all 12 considered networks is therefore 7620 minutes (127h).
For the evaluation of the secondary goal, the determination of the performance of the implemented self-
synchronisation, additional tests are performed monitoring five different WLAN networks for a complete duration of
2.14h.
As the message m for the transmission the string UniversityOfMagdeburg is chosen and transmitted repeatedly.
For the key kI (kI=konfI) for NSCI a new configuration file konfI is generated for each of the parameterisations described above (thereby 15 different keys are used, one for each parameterisation). For the key kII (kII=konfII;key) for NSCII a new configuration file konfII is generated for each of the parameterisations, while the ASCII object key is kept fixed (key=1234; thereby 16 different keys are used, one for each parameterisation).
6. TEST RESULTS
The primary goal of this work is the evaluation of the performance of the introduced scenarios in terms of detectability, capacity, and reliability. Therefore in sections 6.1 and 6.2 the results for the measurement of these three characteristics for NSCI and NSCII are presented. Section 6.3 is then focused on the secondary evaluation goal for this work, which is the evaluation of the reliability of the channel synchronisation.
6.1. Results for manually synchronised channels - NSCI
For NSCI the impact of the user parameters on the detectability, capacity and reliability is measured here. The results presented are based on performance monitoring in 12 different WLANs for a complete duration of 60 hours (12*5h).
6.1.1. Detectability/Non-detectability NSCI
The most crucial characteristic for a steganographic channel is always its detectability or non-detectability. The measure used in this work for the non-detectability T is defined in equation (3) and describes the impact of the generated packets on the occurrence of packets with the chosen synchronisation pattern in the channel. The results for T are given in the range [0,1], where 1 indicates perfect non-detectability (the hidden channel stays below the ratio of packets with a set synchronisation pattern) and 0 indicates a very high detectability. Table 1 shows the results for the non-detectability for the five chosen values for the user definable parameter delay.
delay | Min. T | Max. T | Avg. T
0 | 0.52746182 | 0.99998858 | 0.72874826
0.1 | 0.70418456 | 0.98801615 | 0.83341484
1 | 0.9211089 | 0.99179343 | 0.96634712
10 | 0.99031742 | 1 | 0.99615636
100 | 0.9990674 | 0.99998177 | 0.99959028
Table 1: Minimum, maximum and average T for different values for delay (175 tests)
From Table 1 it can be seen that the average non-detectability increases with increasing delay between two packets. This confirms the basic trade-off in steganography that increasing the capacity (in NSCI equivalent to a short delay; see section 6.1.2) decreases the non-detectability. Figure 6 compares the values for T and Texp for 35 tests in NSCI with delay=1s and shows that the results returned from the theoretical modelling are very close to the practically achieved results.
[Figure 6: T and Texp for NSCI and for delay=1s (35 tests); x-axis: test number 1 to 35, y-axis: non-detectability in [0,1]; series: practical non-detectability and theoretical non-detectability]
[Figure 7: Relationship between packet rate and T in NSCI for delay=1s; x-axis: packet rate in packets/s (0 to 120), y-axis: non-detectability (0.9 to 1)]
When evaluating the impact of the WLAN channel activity (as packet rate) on T, as shown in Figure 7, it can be seen that with increasing channel activity the non-detectability also increases.
The evaluation of additional parameters like the number of APs in the WLAN, the chosen synchronisation pattern or the natural occurrence of packets with a set synchronisation pattern shows that these parameters have no impact on the non-detectability in NSCI.
6.1.2. Capacity NSCI
For the evaluation of the capacity of NSCI performed here only the Duration ID field of the IEEE 802.11 header is used, to keep the results comparable to the results presented by Kraetzer et al.2 in 2006.
Thereby the capacity per packet is set to 2 byte. If other header fields were also used for embedding, the capacity per packet could be expanded to 32 byte per packet. To generate the results shown in Table 2, tests for five different values for delay have been performed (35 tests per setting for delay).
delay [s]   Min. capacity [B/s]   Max. capacity [B/s]   Avg. capacity [B/s]   CapMAX [B/s]
0           19.7329888            63.6761413            35.2065953            n.d.
0.1         9.78983635            14.5391904            12.2146918            20
1           1.78294574            1.91903531            1.87503384            2
10          0.19982773            0.19982773            0.19982773            0.2
100         0.02067183            0.02067183            0.02067183            0.02
Table 2: Min, max, average capacity and CapMAX for NSCI and different values for delay (175 tests)
Figure 8 compares the capacity measured (Cap) in the tests for three different values of delay (0, 0.1 and 1s) with the theoretical capacity CapMAX as it is described by equation (5). Because the computation of CapMAX would require a division by zero, no theoretical value can be given for delay=0s; therefore Table 2 shows n.d. (not defined) in the corresponding cell. The bar chart for delay=0s shows a very strong dependency on the packet rate in the channel (in this case the packets are duplicated as soon as they arrive). The bar charts for delay=0.1s and 1s show how the impact of the packet rate diminishes with increasing delay and thereby the values for Cap and CapMAX converge, but even for delay=1s the impact of the packet rate in the channel is still visible in the difference between Cap and CapMAX. The tests performed for delay>1s do not show any difference between Cap and CapMAX anymore.
[Figure 8: Practical capacity Cap and CapMAX for delay=0s, 0.1s and 1s (35 tests each); three bar charts, x-axis: test number 1 to 35, y-axis: capacity in B/s; series: practical capacity (delay=0s) and practical versus theoretical capacity (delay=0.1s and 1s)]
reliable. In Figure 10 the average RNSCI for five different values for delay (0, 0.1, 1, 10 and 100s) and three different synchronisation patterns (Retry, Retry/MoreData and Retry/MoreFrag) is shown. The results for these tests show that the usage of Retry/MoreData for synchronisation leads to the most reliable results, while Retry/MoreFrag performs second best and Retry leads to the worst results. Especially in the case of the latter a strong decrease of RNSCI with increasing delay can be noticed.
[Figure 10: Average RNSCI for five different values for delay (0, 0.1, 1, 10, 100s) and three different synchronisation patterns (Retry, Retry/MoreData, Retry/MoreFrag); x-axis: delay in seconds, y-axis: average reliability in [0,1]]
Summarising the results of the reliability evaluation for NSCI, three different parameters have an influence on the reliability: the synchronisation pattern chosen, the ratio of natural occurrence of the chosen synchronisation pattern and the delay. While the synchronisation pattern and delay are user-defined, the natural occurrence of the chosen pattern is a direct consequence of the choice made on the pattern.
As in the case of the capacity computation for NSCI, additional tests are performed here to determine whether the number of APs or the overall number of packets per second in the WLAN have any influence on RNSCI. No relationship between these two parameters and the reliability RNSCI could be determined by the tests performed.
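The following Python example, added here and not part of the paper or its prototype, shows the NSCI storage channel described in sections 6.1.2 and 6.1.3 in code: two message bytes are carried in the Duration/ID field of each generated IEEE 802.11 frame, and the receiver selects frames by one of the three synchronisation patterns (Retry, Retry/MoreData, Retry/MoreFrag) in the Frame Control flags. The frame layout is the standard 24-byte data-frame MAC header; the addresses, the message framing (zero padding to a whole 16-bit word) and the single "naturally" retransmitted frame mixed into the channel are constructed for the example. The demo reproduces the reliability effect the paper reports: a natural retransmission (Retry set, a real Duration value) is indistinguishable from a stego frame when only Retry is the pattern, but not when the pattern also requires MoreData or MoreFrag.

```python
import struct

# IEEE 802.11 Frame Control flags (second byte of the 2-byte Frame Control field).
FLAG_MORE_FRAG = 0x04
FLAG_RETRY = 0x08
FLAG_MORE_DATA = 0x20

# The three synchronisation patterns evaluated in the paper.
PATTERNS = {
    "Retry": FLAG_RETRY,
    "Retry/MoreData": FLAG_RETRY | FLAG_MORE_DATA,
    "Retry/MoreFrag": FLAG_RETRY | FLAG_MORE_FRAG,
}

# Minimal data-frame MAC header: FC type/subtype, FC flags, Duration/ID,
# addr1, addr2, addr3, sequence control (all little-endian, 24 bytes).
HEADER_FMT = "<BBH6s6s6sH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
DATA_FRAME = 0x08  # protocol version 0, type 2 (data), subtype 0

# Constructed addresses for the example (locally administered, not from the paper).
AP_BSSID = bytes.fromhex("020000000001")
STA_ADDR = bytes.fromhex("020000000002")


def build_frame(flags, duration, body=b""):
    """Build a data frame whose only interesting fields are FC flags and Duration/ID."""
    hdr = struct.pack(HEADER_FMT, DATA_FRAME, flags, duration,
                      STA_ADDR, AP_BSSID, AP_BSSID, 0)
    return hdr + body


def parse_header(frame):
    """Return (flags, duration) from a frame's MAC header."""
    _, flags, duration, *_ = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    return flags, duration


def embed(message, pattern):
    """NSCI sender: every 2 message bytes become the Duration/ID value of one
    frame whose FC flags carry the chosen synchronisation pattern."""
    flags = PATTERNS[pattern]
    if len(message) % 2:
        message += b"\x00"  # pad an odd-length message to whole 16-bit words
    frames = []
    for i in range(0, len(message), 2):
        (word,) = struct.unpack("<H", message[i:i + 2])
        frames.append(build_frame(flags, word))
    return frames


def extract(frames, pattern):
    """NSCI receiver: keep frames whose flags contain the pattern and reassemble
    their Duration/ID words. A frame that carries the pattern by chance is
    indistinguishable from a stego frame and corrupts the stream."""
    want = PATTERNS[pattern]
    out = bytearray()
    for frame in frames:
        flags, duration = parse_header(frame)
        if flags & want == want:
            out += struct.pack("<H", duration)
    return bytes(out)


def demo(pattern):
    """Send the paper's test message through a channel that also contains one
    ordinary retransmitted data frame (Retry set, Duration 44 us, constructed).
    Returns True if the message survives for the given pattern."""
    msg = b"UniversityOfMagdeburg"
    frames = embed(msg, pattern)
    natural = build_frame(FLAG_RETRY, 44)
    channel = frames[:5] + [natural] + frames[5:]
    return extract(channel, pattern).rstrip(b"\x00") == msg


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:15s} message intact: {demo(name)}")
```

Two caveats a practitioner should keep in mind: the Duration/ID field is only a NAV duration for values below 0x8000 (bit 15 set marks the CFP or AID encodings), so embedding arbitrary payload bytes across the full 2-byte field, as in the paper's 2-byte-per-packet figure, produces values a protocol-aware monitor can flag; and the decoder above has no resynchronisation, so a single natural occurrence of the pattern shifts all following bytes, which is why the rarer combined patterns give the higher RNSCI in Figure 10.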
6.2. Results for manually synchronised channels - NSCII
For NSCII the same characteristics are evaluated as for NSCI, but in the tested parameterisations strong differences are found due to the differences in design. NSCII has no need for a synchronisation pattern since it works by simply duplicating selected packets. Instead a new parameter, the error correction type used (none, ecm1, ecm2 or ecm1&2), has to be evaluated for its impact on the characteristics. The results presented are based on performance monitoring in 12 different WLANs for a total duration of 64 hours (see section 5.2).
6.2.1. Detectability/Non-detectability NSCII
In Table 4 the test results for minimum, maximum and average non-detectability T as computed by equation (3) are shown for NSCII. With increasing delay the average and minimum T increase, while the maximum measured T remains roughly constant for all values of delay.
delay [s]   Min. T         Max. T         Avg. T
0           0.560438275    0.997431395    0.756216965
0.1         0.682775248    0.981329438    0.859775674
1           0.925531915    0.997990101    0.964565831
10          0.990926213    0.999645822    0.995928272
Table 4: Minimum, maximum and average T for different values for delay (168 tests)
The choice of the error correction mechanism has no impact on the detectability as it is measured here. Further research might be invested into a new detectability measure which takes into account that transmissions with ecm1 or ecm1&ecm2 have a much longer duration (for the same amount of payload) and should therefore be considered more detectable. Another indication that a new detectability measure would be necessary for further evaluations is the fact that NSCI and NSCII return roughly the same average T, while by design NSCII is far less invasive than NSCI. While the tests show that the probability of natural occurrence of packets with set Retry bit and the number of APs in the WLAN have no impact on the detectability in NSCII, the overall channel activity does influence T. Figure 11 shows that an increase of the overall channel activity (in packets per second) also increases the non-detectability for a given value of delay.
[Figure 11: Impact of the overall channel activity on T for NSCII (delay=10s); x-axis: packet rate in packets/s (0 to 300), y-axis: non-detectability (0.98 to 1)]
6.2.2. Capacity NSCII
The capacity Cap measured in the tests for NSCII is, due to its design, lower than the capacity in NSCI. Table 5 and Table 6 summarise the test results for the capacity tests performed for different values of delay and compare them to the theoretical capacity CapMAX computed by equation (5). The results for the tests without error correction or with ecm2 are given in Table 5. The test results for all tests including the redundant sending as error correction are summarised in Table 6. The number of times each character is redundantly sent for the tests performed with enabled ecm1 is set to 5.
delay [s]   Min. Cap [B/s]   Max. Cap [B/s]   Avg. Cap [B/s]   CapMAX [B/s]
0           0.3419466        0.78036176       0.54505558       n.d.
0.1         0.10594315       0.2997416        0.24691358       0.5
1           0.03875969       0.0456503        0.04392765       0.05
10          0.00430663       0.00430663       0.00430663       0.005
Table 5: Min, max, average capacity and CapMAX for NSCII for the case without error correction or with ecm2 and different values for delay (84 tests)

delay [s]   Min. Cap [B/s]   Max. Cap [B/s]   Avg. Cap [B/s]   CapMAX [B/s]
0           0.00430663       0.14900947       0.0880119        n.d.
0.1         0.02670112       0.05943152       0.04897256       0.1
1           0.00861326       0.00861326       0.00861326       0.01
10          0.00086133       0.00086133       0.00086133       0.001
Table 6: Min, max, average capacity and CapMAX for NSCII for the case with ecm1 or ecm1&ecm2 and different values for delay (84 tests)
As can be seen from the results in Table 5 and Table 6, the capacity in NSCII is far below the capacity in NSCI for the same value of delay (a fact easily justified by the different designs of the embedding schemes). For delay=0.1s the average capacity of NSCII is at approximately 60% of the theoretical maximum CapMAX. For larger values of delay, Cap and CapMAX converge.
The following parameters are also tested for their impact on Cap: the natural occurrence of packets with set Retry bit, the overall packet rate within the WLAN channel and the number of APs in the network. None of these three parameters shows any impact on Cap. The tests performed here for NSCII imply that the capacity of the scenario relies only on the user definable parameter delay and the user's choice of error correction mechanism (none, ecm1, ecm2 or ecm1&2).
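The following Python example, added here and not part of the paper, works through the capacity figures of sections 6.1.2 and 6.2.2. Equation (5) is not reproduced on this page; the functions cap_max_nsci and cap_max_nscii therefore use the assumed forms CapMAX = 2 B / delay for NSCI (2 bytes per generated packet) and CapMAX = 1 B / (20 * repeats * delay) for NSCII (one byte per 20 duplicated packets, repeated 5 times under ecm1), which is the only reading that reproduces the CapMAX columns of Tables 2, 5 and 6 and is undefined for delay=0. The function expected_cap_nsci and the simulation are my own model, not the authors', of why the practical Cap of NSCI stays below CapMAX for short delays: after the delay has elapsed the sender still has to wait for the next packet to arrive, so with Poisson arrivals at packet_rate packets/s the mean spacing between stego packets is delay + 1/packet_rate.

```python
import random

# Figures taken from the paper's text and tables.
NSCI_BYTES_PER_PACKET = 2.0      # Duration/ID field only (section 6.1.2)
NSCII_PACKETS_PER_BYTE = 20      # "one message byte ... 20 network packets" (6.2.3)
ECM1_REPEATS = 5                 # redundant sends per character under ecm1 (6.2.2)

# Measured average capacities from Table 2 (NSCI) and Table 5 (NSCII, no ecm1).
MEASURED_AVG_NSCI = {0.1: 12.2146918, 1: 1.87503384, 10: 0.19982773, 100: 0.02067183}
MEASURED_AVG_NSCII = {0.1: 0.24691358, 1: 0.04392765, 10: 0.00430663}


def cap_max_nsci(delay):
    """Assumed form of CapMAX for NSCI: one 2-byte packet every delay seconds.
    Returns None for delay=0 (the 'n.d.' cell of Table 2)."""
    if delay <= 0:
        return None
    return NSCI_BYTES_PER_PACKET / delay


def cap_max_nscii(delay, ecm1=False):
    """Assumed form of CapMAX for NSCII: one byte per 20 duplicated packets,
    each byte sent ECM1_REPEATS times when ecm1 is enabled."""
    if delay <= 0:
        return None
    repeats = ECM1_REPEATS if ecm1 else 1
    return 1.0 / (NSCII_PACKETS_PER_BYTE * repeats * delay)


def ratio_to_cap_max(delay, measured, ecm1=False, nsci=True):
    """Fraction of the theoretical maximum actually reached (None if undefined)."""
    cap_max = cap_max_nsci(delay) if nsci else cap_max_nscii(delay, ecm1)
    return None if cap_max is None else measured / cap_max


def expected_cap_nsci(delay, packet_rate):
    """Added model (not the paper's equation): mean spacing between stego
    packets is delay plus the mean wait 1/packet_rate for the next arrival."""
    return NSCI_BYTES_PER_PACKET / (delay + 1.0 / packet_rate)


def simulate_cap_nsci(delay, packet_rate, n_packets=5000, seed=1):
    """Event simulation of the same model with exponential inter-arrival times.
    The sender embeds into the first packet that arrives once delay seconds
    have passed since its previous stego packet."""
    rng = random.Random(seed)
    t = 0.0          # current time in seconds
    ready_at = 0.0   # earliest time the next stego packet may be generated
    sent = 0
    while sent < n_packets:
        t += rng.expovariate(packet_rate)   # next packet arrives in the channel
        if t >= ready_at:
            sent += 1
            ready_at = t + delay
    return NSCI_BYTES_PER_PACKET * sent / t


if __name__ == "__main__":
    print("NSCI: delay, CapMAX, measured avg, measured/CapMAX")
    for d, cap in sorted(MEASURED_AVG_NSCI.items()):
        print(f"  {d:>5}  {cap_max_nsci(d):8.4f}  {cap:10.6f}  {ratio_to_cap_max(d, cap):.3f}")
    print("NSCII: delay, CapMAX, measured avg, measured/CapMAX")
    for d, cap in sorted(MEASURED_AVG_NSCII.items()):
        r = ratio_to_cap_max(d, cap, nsci=False)
        print(f"  {d:>5}  {cap_max_nscii(d):8.4f}  {cap:10.6f}  {r:.3f}")
    print("NSCI model vs simulation at 10 and 30 packets/s:")
    for d in (0.0, 0.1, 1.0, 10.0):
        for rate in (10.0, 30.0):
            print(f"  delay={d:<5} rate={rate:<4} model={expected_cap_nsci(d, rate):7.3f} "
                  f"sim={simulate_cap_nsci(d, rate):7.3f}")
```

With packet rates between roughly 10 and 30 packets/s the model gives 20 to 60 B/s for delay=0, about 10 to 15 B/s for delay=0.1s and 1.8 to 1.9 B/s for delay=1s, which is the range of the min/max columns of Table 2, and it makes explicit why Cap and CapMAX only meet once delay is large against the mean inter-arrival time.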
6.2.3. Reliability NSCII
In comparison to NSCI, where a model for the expected reliability of a channel could be found, in NSCII no such model could be generated. This is due to the fact that for sending one message byte 20 network packets are duplicated. If one of the two selected APs has to retransmit a packet using the Retry mechanism, the steganographic channel is disturbed, because whether a sent byte is corrupted or not depends only on the order in which D receives the duplicated packets of the two selected APs. Therefore it is not possible to determine the reliability of the hidden channel without
knowing the probability of natural occurrences of Retry for packets of the two selected APs. The APs which are used for the sending are determined at runtime, therefore no prediction of the reliability can be given a priori.
delay [s]   Min. RNSCII   Max. RNSCII   Avg. RNSCII
0           0.01263823    1             0.83151915
0.1         0.0060423     1             0.85347466
1           0.1           1             0.88605391
10          0             1             0.64761905
Table 7: Minimum, maximum and average RNSCII for different values for delay (168 tests)
Concluding the results for the measured reliabilities RNSCII presented in Table 7, it can be stated that the highest average reliability produced in the tests is found for delay=1s. For values above 1s RNSCII drops dramatically. The tests show that a longer delay at the sender increases the chance that a natural occurrence of a packet with set Retry bit disturbs D and thereby decreases the reliability of the hidden channel. The lower reliability in Table 7 for delay=0 and 0.1s, compared to delay=1s, can be explained by strong fluctuations in the natural occurrence of packets with the synchronisation pattern.
[Figure 12: NSCII impact of the error correction mechanism on RNSCII; bar chart of minimum, maximum and average reliability in [0,1] for the four settings none, ecm1, ecm2 and ecm1&ecm2]
Figure 12 shows the impact of the error correction mechanisms for all tests performed. The average reliability of NSCII is increased by applying ecm1, but in this case the capacity is decreased as described in section 6.2.2. When ecm2 is applied in the tests performed, the average reliability is lower than the average without error correction. The assumption here is that the high degree of tolerance introduced by the fuzzy search in ecm2 results in a large number of wrong synchronisations and thereby decreases the reliability. Further research should be invested into this error correction method and possible means for improvement.
While the tests indicated an inverse proportionality between the probability of natural occurrence of packets with set Retry bit and the reliability of NSCII, no impact of the number of APs in the network or of the overall packet rate in the WLAN channel on RNSCII could be determined.
6.3. Reliability of the self synchronisation of the channel in NSCI and NSCII
For the evaluation of the secondary goal, which is the determination of the performance of the implemented self-
synchronisation schemes for NSCI and NSCII, the performance of the self-synchronisation schemes in five different
WLANs is observed for a complete duration of 2.14h.
6.3.1. NSCI
In NSCI the channel synchronisation is performed by identifying the channel with the most synchronisation patterns during a timespan specified by the user parameter scanlength. The evaluation performed on the five tests for the reliability of the channel self synchronisation in NSCI indicates an average reliability of 67.5%. The cause of the low reliability is still a subject for further research. First results indicate that packets sent by a sender in a WLAN on one of the 13 channels can also be seen on other channels. This cross-talk is also suspected to be the reason for an increasing overall WLAN activity if the communication on one channel increases.
The user definable parameter scanlength has shown in the tests to have an impact on the reliability of the channel self synchronisation: with increasing scanlength the reliability also increases. The choice of the synchronisation pattern also has an influence on the reliability of the self synchronisation. Here the strength of the impact follows the probability for the natural occurrence of the selected synchronisation pattern as shown in section 6.1.3. If a pattern is chosen which is less likely to occur naturally (e.g. the combination Retry&MoreData), the reliability of the channel self synchronisation is higher than for other, more common, patterns. In the tests performed the parameter delay showed no influence on the reliability of the channel self synchronisation. As already in the tests for NSCI, the reason for this low self synchronisation accuracy is assumed to be the cross-talk between WLAN channels. Further research should be invested into this phenomenon.
6.3.2. NSCII
The channel synchronisation for NSCII is not performed, as in NSCI, by searching for a synchronisation pattern in the packet headers. Instead the more complicated procedure described in section 3.2 has to be performed. The naive assumption here would be that, due to the complexity of the used synchronisation mechanism, a correctly performed synchronisation should automatically indicate that the correct channel was found in the channel synchronisation. The evaluations for the reliability of the channel self synchronisation show a different picture: for all WLANs where more than one AP is present a correct self synchronisation is performed in 47% of all cases. In all cases where fewer than 2 APs were present (about 33% of all tests) this is correctly detected and NSCII refuses to send data.
7. SUMMARY
The tests performed in this paper have shown that NSCI is suitable for packet rates above 10 packets per second in the used WLAN channel. At packet rates above this value and for values of delay ≥ 1s the theoretical determination of the expected values for the non-detectability, capacity and reliability also returns results very close to the practically achieved values. For values of delay