This article surveys network steganography methods that can be used to build hidden message transmission channels in IP networks, as well as methods for identifying such hidden channels. It introduces the concept of a stegocontainer and provides a classification of network steganography methods. The following methods of organizing hidden channels are discussed: changing the contents of network packet headers, Transcoding Steganography (TranSteg), delay modulation, Lost Audio Packet Steganography (LACK), and Retransmission Steganography (RSTEG). For the header modification method, the article considers how values in some service fields of IP (Internet Protocol) and TCP (Transmission Control Protocol) packet headers can be changed without causing data transmission to fail. For TranSteg, it considers the principle of transcoding the contents of network packets that deliver real-time traffic in order to free up space in the packet, which is then used to transmit hidden information. For delay modulation, it considers the principles of encoding a hidden message by changing the delay with which packets are sent into the network. For LACK, it considers the mechanism of deliberately holding back RTP packets that carry an embedded steganographic message. For RSTEG, it considers the principle of TCP segment exchange that makes it possible to transmit a steganogram. A number of parameters are given from which the presence of a hidden channel in the network can be inferred. The applicability of statistical methods and classifier-based methods for detecting hidden channels in IP networks is considered.
The expediency of implementing statistical and classifier-based methods in integration with systems for capturing and analyzing network traffic is indicated.
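As an added illustration (not code from the article), the following sketch shows one statistical indicator for the delay modulation case: it measures how much of a flow's inter-packet delay variance is explained by splitting the delays into two groups, which is high when delays sit at two discrete levels. The two-level assumption, the 0.9 threshold, the function names and both sample flows are constructed assumptions; the abstract does not list the article's own detection parameters.

```python
import random

def inter_packet_delays(timestamps):
    """Delays between consecutive packet capture times (seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def two_cluster_score(delays):
    """Fraction of delay variance explained by the best split of the
    sorted delays into two groups (exact 1-D two-means)."""
    xs = sorted(delays)
    n = len(xs)
    if n < 4:
        raise ValueError("need at least 4 delays")
    total = sum(xs)
    mean = total / n
    tss = sum((x - mean) ** 2 for x in xs)
    if tss == 0:
        return 0.0  # constant spacing: no two-level structure to measure
    best, left = 0.0, 0.0
    for k in range(1, n):  # k = size of the low-delay group
        left += xs[k - 1]
        m_lo, m_hi = left / k, (total - left) / (n - k)
        between = k * (m_lo - mean) ** 2 + (n - k) * (m_hi - mean) ** 2
        best = max(best, between)
    return best / tss

def flag_flow(timestamps, threshold=0.9):
    """True when the flow's delays look two-level (threshold is an assumption)."""
    return two_cluster_score(inter_packet_delays(timestamps)) >= threshold

def to_timestamps(delays):
    """Turn a list of delays into cumulative capture times starting at 0."""
    t, out = 0.0, [0.0]
    for d in delays:
        t += d
        out.append(t)
    return out

rng = random.Random(7)
# Constructed sample: delays at one of two levels plus small jitter.
MODULATED = to_timestamps(
    [(0.02, 0.08)[rng.getrandbits(1)] + rng.gauss(0, 0.002) for _ in range(400)])
# Constructed sample: ordinary flow with exponentially distributed delays.
ORDINARY = to_timestamps([rng.expovariate(1 / 0.05) for _ in range(400)])

if __name__ == "__main__":
    for name, flow in (("modulated", MODULATED), ("ordinary", ORDINARY)):
        score = two_cluster_score(inter_packet_delays(flow))
        print(f"{name}: score={score:.3f} flagged={flag_flow(flow)}")
```

Legitimate traffic can also be bimodal (for example, bursts separated by idle gaps), so a score like this is best used as one feature for a classifier or as a trigger for closer inspection of the captured flow, not as a verdict.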