International Journal of Computer Applications (0975 – 8887)
Volume 118 – No. 21, May 2015

An Overview of Advanced Network Steganography

Maitrik K Shah, Assistant Professor, Indus University, Rancharda, Gujarat, India
Ankitkumar M. Virparia, Assistant Professor, Indus University, Rancharda, Gujarat, India
Kamal Sharma, Assistant Professor, Indus University, Rancharda, Gujarat, India

ABSTRACT

Steganography is the art and science of hiding information in a carrier object. The main objective of steganography is to hide the existence of the data. Many advances have been made in the choice of carrier medium, starting from image, sound and video and extending to network packets and protocols. Hiding information inside image, audio and video is often called digital steganography, whereas if network packets and/or protocols are used it is called network steganography. Using this technique, a small amount of information can be sent confidentially. In this paper, various approaches to network steganography and the current status of research in this field are discussed.

Keywords

Steganography, Network Steganography, Network Protocols, Covert communication, covert channels, information hiding.

1. INTRODUCTION

Cryptography aims to make information so complex, by encrypting it, that an unauthorized user can't understand what is being sent. However, it is still possible for an attacker to learn of the existence of the secure channel and to decrypt the information. Steganography, in contrast, hides the existence of the message. The message is hidden in a carrier medium, which can be anything such as an image, audio, video or network protocols. Network steganography uses network protocols as the carrier medium. Network steganography can be classified into 3 main ways:

1. Modify the structure of network protocols' header and payload
2. Modify the structure/sequence of packet streams
3. Hybrid schemes

The first way uses the structure of network protocols' headers.
These headers contain a number of fields that are required for the correct delivery of the packet from source to receiver. Many of these fields are unused in normal transmission or are used only under specific network conditions, so they can serve as a carrier for hidden information. The very first approach to using a protocol header was suggested by Craig H. Rowland [1], who used the identification field of the IP header for covert communication in 1997. He also suggested using the ISN (Initial Sequence Number) field of the TCP header for hiding data. Other methods of network steganography that use network protocols are suggested in [2], where the author uses 2 bits of the type of service field of the IP header and 6 unused bits of the TCP header. In [3] the author uses the etherleak problem. To maintain the minimum frame length, padding bits are added to the Ethernet frame. These padding bits are a sequence of 0s, but some NICs improperly append random bits, which is considered a special case. The author uses this vulnerability to send hidden data in the padding bits, with ARP and TCP as the protocols that hide the data. In [4] the author uses the options field of the IP header to hide the data.

The second way makes use of the sequence and structure of packet streams. In [5] the author uses oversized data packets to send hidden data. If a packet is very big, it will be fragmented. If the number of fragments is even the packet carries a hidden 1, and if the number of fragments is odd it carries a 0, so only 1 bit per packet can be transmitted covertly. In another method the author uses the fragmentation offset field of the IP header: if its value is even the hidden bit is 1, otherwise 0. The fragmentation offset of the first fragment of a packet is always 0, so it does not carry any hidden bit, but the rest of the fragments do. The number of bits per packet that can be sent in a hidden manner is therefore n_f - 1, where n_f is the number of fragments of that packet.

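
For traffic analysis, the two fragmentation encodings described above can be read straight out of captured IPv4 headers. The following is an added example, not code from the paper or from the cited works: it groups fragments per datagram, reports the bit the fragment-count scheme and the n_f - 1 bits the offset scheme would assign, and applies one assumed heuristic (non-final fragments of an honestly fragmented datagram have equal size). The function names and the sample headers are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_fragment(hdr: bytes):
    """Pull the reassembly key and fragmentation fields out of a raw IPv4 header."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    payload_len = total_len - (ver_ihl & 0x0F) * 4
    more = bool(flags_off & 0x2000)            # MF (more fragments) flag
    return (src, dst, proto, ident), flags_off & 0x1FFF, payload_len, more

def analyse(headers):
    """Per fragmented datagram: bits each scheme would carry, plus a layout check."""
    groups = defaultdict(list)
    for h in headers:
        key, off, plen, more = parse_fragment(h)
        groups[key].append((off, plen, more))
    report = {}
    for key, frags in groups.items():
        frags.sort()
        if len(frags) == 1 and not frags[0][2] and frags[0][0] == 0:
            continue                           # not fragmented at all
        n_f = len(frags)
        sizes = {plen for _, plen, more in frags if more}
        report[key[3]] = {
            "n_f": n_f,
            "count_bit": 1 if n_f % 2 == 0 else 0,   # even fragment count -> 1
            "offset_bits": [1 if off % 2 == 0 else 0 for off, _, _ in frags[1:]],
            # Heuristic (assumption): a sender fragmenting for one MTU emits
            # equal-sized non-final fragments; mixed sizes deserve a closer look.
            "uneven_sizes": len(sizes) > 1,
        }
    return report

def make_hdr(ident, off_units, payload_len, more):
    """Constructed test header: 192.0.2.1 -> 192.0.2.2, UDP, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       (0x2000 if more else 0) | off_units, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed sample: 0x1111 is split evenly for a 1500-byte MTU, 0x2222 is not.
SAMPLE = [make_hdr(0x1111, 0, 1480, True), make_hdr(0x1111, 185, 1480, True),
          make_hdr(0x1111, 370, 1480, True), make_hdr(0x1111, 555, 560, False),
          make_hdr(0x2222, 0, 800, True), make_hdr(0x2222, 100, 808, True),
          make_hdr(0x2222, 201, 200, False)]

if __name__ == "__main__":
    for ident, row in analyse(SAMPLE).items():
        print(hex(ident), row)
```

With ordinary 1480-byte fragments the offsets advance by 185 units, so the offset bits simply alternate; a datagram whose offset parities break that pattern, or whose non-final fragments differ in size, stands out in the report.
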
In [6] the author uses the payload of the packet. Here, based on the number of 1s and 0s in the packet payload, the size of the packet is modified to deliver a '0' or '1' of the secret message.

The third way combines the previous two approaches. In the following sections we describe a few more advanced approaches to network steganography.

2. APPROACHES TO NETWORK STEGANOGRAPHY

2.1 PADSTEG (Padding based Steganography)

PadSteg is the first interprotocol steganography, which uses more than one protocol from the TCP/IP stack. It uses the ARP and TCP protocols together with the etherleak vulnerability to implement secret communication. A few protocols in the protocol stack place restrictions on the size of a frame/packet. To maintain the frame size, padding bits are appended to the original frame. Generally these padding bits are a sequence of 0s and are added by the NIC or by software. A few NICs sometimes add a bit sequence other than 0s as padding to maintain the minimum size of the frame. The author makes use of this vulnerability to send hidden data as padding bits, and because of the etherleak problem this will be considered a normal scenario. This means the presence of hidden bits will not be revealed.

PadSteg works in 2 phases. In the first phase nodes advertise themselves as hidden nodes. In the second phase the actual hidden data transfer occurs. In the first phase a random number is inserted in the Ethernet frame padding and a hash value is calculated based on the source MAC to announce the node's existence as a hidden node. In the second phase, during connection establishment, improper frame padding is inserted in the TCP ACK segment as shown in the figure.
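
Because PadSteg relies on non-zero padding looking like ordinary etherleak behaviour, a monitor can only treat such padding as an indicator to baseline per interface, not as proof. The following is an added example, not code from the paper or from the PadSteg authors: it extracts the Ethernet padding of ARP and IPv4 frames and counts, per source MAC, how many padded frames carry non-zero bytes. It assumes untagged Ethernet II frames with the FCS already stripped; the function names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ETH_HDR = 14
ARP_LEN = 28          # ARP body for Ethernet/IPv4

def padding_of(frame: bytes):
    """Return the bytes after the ARP/IPv4 payload of a frame, or None."""
    if len(frame) < ETH_HDR:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:                                   # ARP
        end = ETH_HDR + ARP_LEN
    elif ethertype == 0x0800 and len(frame) >= ETH_HDR + 20:  # IPv4
        end = ETH_HDR + struct.unpack("!H", frame[16:18])[0]  # IP total length
    else:
        return None
    return frame[end:] if end <= len(frame) else None         # None if truncated

def audit(frames):
    """Per source MAC: padded frames seen, and how many had non-zero padding."""
    stats = {}
    for f in frames:
        pad = padding_of(f)
        if not pad:
            continue                                          # no padding present
        counts = stats.setdefault(f[6:12].hex(":"), Counter())
        counts["padded"] += 1
        if any(pad):
            counts["nonzero"] += 1
    return stats

def make_arp(src, pad):
    """Constructed 60-byte broadcast ARP frame; the ARP body is left as zeros."""
    return b"\xff" * 6 + src + b"\x08\x06" + bytes(ARP_LEN) + pad

def make_ack(src, pad):
    """Constructed 60-byte frame holding a bare TCP ACK (40-byte IP datagram)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x10, 1024, 0, 0)
    return bytes(6) + src + b"\x08\x00" + ip + tcp + pad

MAC_A = bytes.fromhex("02000000000a")   # constructed host that zero-pads
MAC_B = bytes.fromhex("02000000000b")   # constructed host with non-zero padding
SAMPLE = [make_arp(MAC_A, bytes(18)),
          make_arp(MAC_B, bytes(range(1, 19))),
          make_ack(MAC_B, b"\x5a\x01\x02\x03\x04\x05")]

if __name__ == "__main__":
    for mac, counts in audit(SAMPLE).items():
        print(mac, dict(counts))
```

A host whose interface has always zero-padded and then starts emitting non-zero padding in ARP frames and TCP ACKs is the change worth investigating.
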