IEEE TRANSACTIONS ON EDUCATION, VOL. XX, NO. XX, DATE XXX

A Network Steganography Lab on Detecting TCP/IP Covert Channels

Tanja Zseby, Member, IEEE, Félix Iglesias Vázquez, Member, IEEE, Valentin Bernhardt, Davor Frkat and Robert Annessi

Abstract—This paper presents a network security laboratory to teach data analysis for detecting TCP/IP covert channels. The laboratory is mainly designed for students of electrical engineering but is open to students of other technical disciplines with similar background. Covert channels provide a method for leaking data from protected systems, which is a major concern for big enterprises and governments. The inclusion of covert channels in the curricula of network security students and network data analysts is therefore considered a valuable extension. In the lab exercises presented, students learn how covert channels in TCP/IP network traffic can be hidden and detected. Since the detection of covert channels requires an in-depth understanding of protocol standards and typical behavior of TCP/IP flows, the lab also provides a “playground” in which students can deepen their communication networks knowledge. Students learn how to use and interpret statistical analysis to discover abnormal patterns and footprints in network data. They are also trained to deal with noisy scenarios which increase ambiguity and uncertainty. The laboratory was first implemented during the winter semester 2014 with a class of 18 students at TU Wien, Austria. This experience showed that students consolidated the targeted skills as well as increased their interest in the topics explored. All exercises and datasets for the introduced “Network Security Advanced” lab are made publicly available.

Index Terms—Communication system security, data analysis, engineering education, security

I. INTRODUCTION

Covert channels make use of communication networks in ways not intended in the original design of the communication protocols.
Covert channels utilize control fields (e.g., TCP/IP headers) or manipulate time-related properties (covert timing channels, Fig. 1) to hide information. The transmitted message is disguised as control data or as random communication peculiarities, and travels through the network undetected by anyone other than the sender and the receiver of the covert communication. Hence, the goal of a covert channel is not only to prevent a hidden message from being read by third parties, but also to conceal evidence that such communication has taken place at all. Although covert channels can be used for ethically acceptable applications (e.g., to bypass censorship in non-democratic regimes), they are particularly suited for criminal activities, such as illegal transfer of sensitive information, data leakage and data theft, or hidden malware command and control structures. They are hard to detect with standard attack detection methods and should be included in today’s network security education.

T. Zseby, F. Iglesias, V. Bernhardt, D. Frkat, and R. Annessi are with the Institute of Telecommunications, TU Wien, Gusshausstrasse 25/E389, 1040 Vienna, Austria. T. Zseby and F. Iglesias contributed equally to this work. Manuscript received xxx.

Fig. 1. Example of a covert timing channel. Clandestine information is conveyed by using the delay between consecutive packets.

The lab introduced here is intended as an advanced hands-on exercise for students already familiar with concepts and methodologies related to network security and data analysis techniques. It is designed as an advanced lab that students could take having completed the lab presented in [1].
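The statistical angle the lab takes on the Fig. 1 pattern can be illustrated with a small detector. The following Python block is an added example and is not code from the paper, the lab, or TU Wien; it assumes (as a detection heuristic, not the paper's method) that a timing channel leaves inter-packet delays clustered on a few discrete values while ordinary traffic spreads them more widely, and it scores a flow by the Shannon entropy of its binned inter-arrival times. The 5 ms bin width, the 1.5-bit threshold, the function names and both sample flows are constructed for this example.

```python
"""Entropy-based scoring of inter-packet delays (added illustration).

Assumption: a covert timing channel of the kind shown in Fig. 1 produces
delays drawn from a small set of values, so the histogram of binned
inter-arrival times has low entropy compared with ordinary traffic.
Bin width, threshold and sample flows below are constructed, not measured.
"""
from collections import Counter
import math
import random

BIN_MS = 5               # histogram resolution in milliseconds (assumption)
ENTROPY_THRESHOLD = 1.5  # bits; flows below this are flagged (assumption)


def inter_arrival_times(timestamps):
    """Return the delays between consecutive packet timestamps (seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def bin_index(delay_s, bin_ms=BIN_MS):
    """Quantise a delay in seconds to a bin_ms-wide histogram bin.

    round() rather than floor keeps accumulated floating-point error from
    splitting one nominal delay value across two neighbouring bins.
    """
    return round(delay_s * 1000.0 / bin_ms)


def binned_entropy(delays, bin_ms=BIN_MS):
    """Shannon entropy in bits of the binned delay distribution."""
    if not delays:
        return 0.0
    counts = Counter(bin_index(d, bin_ms) for d in delays)
    n = len(delays)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_flow(timestamps, threshold=ENTROPY_THRESHOLD):
    """Score one flow; returns (entropy_bits, distinct_bins, suspicious).

    A flow is flagged when its delay histogram is concentrated on few bins,
    i.e. when the entropy falls below the threshold. Real traffic with
    constant-rate streams also scores low, so this is a triage signal that
    still needs protocol context, as the lab's exercises emphasise.
    """
    delays = inter_arrival_times(timestamps)
    entropy = binned_entropy(delays)
    distinct = len({bin_index(d) for d in delays})
    return entropy, distinct, entropy < threshold


def constructed_flows(seed=1, packets=200):
    """Two constructed flows of packet timestamps for demonstration only.

    'normal'  : delays spread uniformly between 10 ms and 200 ms.
    'regular' : delays that only ever take one of two values, the
                footprint a timing channel like Fig. 1 leaves behind.
    """
    rng = random.Random(seed)
    t, normal = 0.0, [0.0]
    for _ in range(packets):
        t += rng.uniform(0.01, 0.20)
        normal.append(t)
    t, regular = 0.0, [0.0]
    for _ in range(packets):
        t += rng.choice([0.05, 0.15])
        regular.append(t)
    return normal, regular


if __name__ == "__main__":
    for name, flow in zip(("normal", "regular"), constructed_flows()):
        h, bins, flagged = score_flow(flow)
        print(f"{name:8s} entropy={h:.2f} bits bins={bins:3d} flagged={flagged}")
```

On the constructed input the jittered flow spreads over dozens of bins and scores around five bits, while the two-valued flow collapses to two bins and at most one bit. Lowering the bin width makes the test more sensitive to jitter added by the sender; raising it hides small timing differences, which is exactly the noise-versus-ambiguity trade-off the abstract describes.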
The educational goals can be summarized as follows: a) to teach students how covert channels in communication networks are created and how they can be detected; b) to increase students’ data analysis skills using statistical methods; c) to deepen students’ knowledge about the TCP/IP protocol and properties of normal TCP/IP traffic; and d) to train students’ skills to solve complex problems that have no clear path to a solution, by employing conjectural reasoning, drawing upon diverse analysis, testing multiple hypotheses and working patiently until a solution is reached.

Network security classes are often supplemented by practical exercises that help students to comprehend and deepen theoretical knowledge while acquiring the skills required for scientific work in that area. Several authors have published guidelines for, and their practical experience with, installing network security labs, e.g., [1]–[8]. Comprehensive overviews on covert channels are offered in [9] and [10], with TCP/IP being specifically treated in [11]. Methods to conceal information in different types of signals are summarized in [12]. In [13] a practical exercise investigating bouncing covert channels is proposed for research and educational purposes.

This paper presents a lab with several exercises for teaching covert channel detection methods. The TU Wien, Austria, first implemented the laboratory in an advanced Network Security course (NetSec Advanced) during the winter semester of 2014, with a class of 18 students. The class consists of a theory part with lectures and a lab part. All exercises and datasets for the lab are publicly available in order to encourage adoption of the introduced class by other instructors of network security in electrical engineering and computer science [14].

II. EDUCATIONAL AIMS

The educational aims pursued by the Network Security Advanced Lab are that students should:

This is the author's version of an article that has been published in this journal. Changes were made to this version by the publisher prior to publication. The final version of record is available at http://dx.doi.org/10.1109/TE.2016.2520400
Copyright (c) 2016 IEEE. Personal use is permitted. For any other purposes, permission must be obtained from the IEEE by emailing pubs-permissions@ieee.org.