Research Article

A Multimode Network Steganography for Covert Wireless Communication Based on BitTorrent

Mingqian Wang, Weijie Gu, and Changshen Ma

School of Information Engineering, Changzhou Vocational Institute of Mechatronic Technology, Changzhou 213164, China

Correspondence should be addressed to Mingqian Wang; [email protected]

Received 11 March 2020; Revised 15 June 2020; Accepted 20 June 2020; Published 5 July 2020

Academic Editor: Zhaoqing Pan

Hindawi, Security and Communication Networks, Volume 2020, Article ID 8848315, 14 pages, https://doi.org/10.1155/2020/8848315

Copyright © 2020 Mingqian Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Network steganography is a hidden communication technique, which utilizes the legitimate traffic as the vehicle to transfer the secret information covertly over the untrusted network. BitTorrent (BT) is one of the most prevalent P2P services for transmitting video files over wireless networks. An enormous amount of video data is transmitted over BitTorrent traffic continuously, which makes it potentially available for confidential information transfer. Hence, in this paper, the BitTorrent file-sharing service of P2P is chosen as the host for information hiding, and a multimode steganographic method based on the Bitfield message is proposed. Taking advantage of BitTorrent cooperative transmission and the non-content-authentication mechanism of the Bitfield message, the secret information is delivered during the exchange process of BitMapInfo between two peers. The steganographic mode is dynamically selected in view of the secret size, achieving adaptive bandwidth. The experimental results show that our scheme can resist statistical-based detection effectively and outperform the existing method by obtaining a lower detection rate under machine learning-based steganalysis.

1. Introduction

Data transmission security, such as information hiding, is an important field that has been discussed by many works [1, 2]. As a subfield of data transmission security, network steganography exploits the normal traffic as the carrier to transmit information stealthily via untrusted networks. Compared with static multimedia steganography, such as image steganography [3], it is difficult for the monitor to locate and extract the covert data in tremendous network flow. Hence, network steganography is an effective means of transporting confidential information in networks. In recent years, it has become a hot research topic in the field of information security due to the fine properties of network traffic.

There are two broad types of network covert channels: the covert storage channel and the covert timing channel. The covert storage channel embeds the secret information into the redundancies of network protocols [4–7]. Although it is simple and easy to implement, it can be easily detected by the existing methods. The covert timing channel delivers the secret information by exploiting time-relevant events of network packets, and it has better stealthiness than the covert storage one. Generally, it can be divided into three subclasses: On-Off covert channel [8], interpacket delay- (IPD-) based covert channel [9–12], packet sorting [13, 14], and combination-based ones [15, 16]. Synchronization is always a difficult problem to solve since the covert timing channel is susceptible to unstable network conditions, such as jitter and delay. To guarantee reliability, Archibald and Ghosal [17] designed a mechanism that uses TCP ACKs to synchronize the covert channel. Houmansadr [18] and Archibald [19] used the Error Correction Code to encode the secret information to increase accuracy, which sacrificed the bandwidth of the covert channel and increased the transmission overhead. Countering the above deficiencies, network steganography tends to mimic the normal traffic by shape-fitting. The feature model is considered in the modulation process of the secret information to resist statistical detection tools. Predominantly, appropriate and

feasible network services with more popularity, reliability, and security are sought as a steganographic carrier.

The 2017 network traffic report reveals that P2P traffic accounts for 79.25%, 83.46%, 63.94%, and 67.19% of the total flow in Germany, Eastern Europe, the Middle East, and Australia, respectively, which wins the top ranking. Among them, the BitTorrent (BT) file-sharing service occupies more than 50% to 70% of P2P traffic. Additionally, the result of traffic monitoring between the boundary route of Jiangsu Education Network and the national trunk route indicates that BitTorrent traffic accounts for 60% of all traffic, making it the most prevalent P2P protocol.

As we know, an ideal steganographic carrier should possess two properties, popularity and complexity, since the massive communication traffic and complex pattern of such a carrier can improve the undetectability of steganography. Nowadays, the wireless network has become a predominant means of data transmission, dynamically evolving the network steganography subfield. Against this background, recent network steganography solutions exploit popular P2P services such as file-sharing systems like BitTorrent, search features like Google Suggest, and multimedia and Voice-over-IP services like Skype and WeChat [20–24]. The continuous and large amount of video data transmission during BitTorrent wireless communication provides chances of launching steganography.

Kopiczko et al. [25] proposed a BitTorrent-based network steganographic method called StegTorrent. It was based on modifying the order of data packets in the peer-to-peer data exchange protocol, which can provide steganographic bandwidth of up to 270 b/s. However, the perturbation of inherent network noise, such as jitter or packet loss, may affect the order of certain packets on the receiver side. Meanwhile, ordering packets with distinct IPs inevitably altered the interpacket delays, which could be easily differentiated from the normal distribution of BitTorrent IPDs by the adversary. To overcome the drawbacks of the existing method, the steganographic procedure should retain the normal communication mode of the network service. In order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. Therefore, in this paper, BitTorrent is selected as the steganographic carrier, of which the system structure, communication mode, and protocols are analyzed comprehensively. On this basis, the protocol redundancy in which the secret information can be embedded is deeply tapped. The main contributions of this paper are as follows:

(1) Taking advantage of the non-content-authentication mechanism of the Bitfield message, the secret information is transferred during the exchange process of BitMapInfo (BitMap Information) between two legitimate BT peers (clients) and is embedded into the content of <bitfield> according to the given format. Thus, the covert traffic of our scheme preserves normal behavior and properties so as to resist detection.

(2) The multimode steganographic method is proposed, which exploits the cooperative transmission of BT peers. The steganographic mode (Single-Link Steg or Multi-Link Steg) is dynamically selected in view of the secret size, achieving adaptive bandwidth. In Multi-Link Steg, multiple peers participate in the transmission of secret information concurrently to accomplish collaborative steganography. Meanwhile, such a method is noise-tolerant due to the reliable transmission mechanism of TCP, making the proposed scheme more robust.

(3) Multidimensional steganalysis is employed to comprehensively verify the undetectability of the proposed scheme. Statistical properties-based detection methods, such as the Entropy test (EN-test), are used to measure the traffic regularity. A nonparametric statistical method, such as the Kolmogorov–Smirnov test (K-S test), is exploited to measure the distance between two distributions. Machine learning-based steganalysis, such as SVM, Random Forest, and Deep Neural Networks, is used to classify the tested traffic as covert or normal.

The remainder of this paper is organized as follows. In Section 2, related works are reviewed. The basics of the BitTorrent system are described in Section 3. In Section 4, the proposed scheme is introduced in detail. In Section 5, experimental results are presented and analyzed. Finally, the whole paper is concluded in Section 6.

2. Related Work

Kopiczko et al. [25] proposed a BitTorrent-based network steganographic method called StegTorrent, which is illustrated in Figure 1. It is assumed that both the secret data sending and receiving sides are in control of a certain number of BitTorrent clients and, as mentioned above, their IP addresses are known to each other. In Figure 1, for the sake of clarity, only single-direction steganographic transmission is presented, but end-to-end bidirectional communication is of course possible, and the other direction is analogous. No knowledge of the network's topology is necessary. The hidden data sender uses the modified BitTorrent client (the StegTorrent client) to share a resource that is downloaded by the second StegTorrent client, which consists of a group of controlled BitTorrent clients.

For the sake of the proposed method's description and analysis, the term data package is defined as a set of IP addresses that are sent within the IP packets in a predetermined order, and the term data package size as the total number of elements in this set. For example, assume that the data package size is 2. In this case, two packets with two different IP addresses (e.g., IP1 and IP2) are used to send bits of hidden data. In this simple scenario, if the order of the packets is modified for steganographic purposes and the BitTorrent client receives a packet that was sent from IP1 and then from IP2, it will be interpreted as binary "0", and in other cases as binary "1". It is assumed that the data package and its size are a shared secret between the transmitting and receiving StegTorrent clients.

It must be noted that this method's performance depends on the size of the data package, while the latter relies on the number of available receiving IP addresses (receiving BitTorrent clients under control). However, the perturbation of inherent network noise, such as jitter or packet loss, may affect the order of certain packets on the receiver side. Meanwhile, ordering packets with distinct IPs inevitably altered the interpacket delays, which could be easily differentiated from the normal distribution of BitTorrent IPDs by the adversary.

3. BitTorrent Analysis

BitTorrent is a P2P file-sharing system that allows its users to distribute large files over networks. BitTorrent is distinguished from other similar file transfer applications in that, instead of downloading a resource from a single central server, users download fragmented files from other users simultaneously. As a result, the file transfer time is considerably decreased because the group of users that share the same resource, or part of it, may consist of several to thousands of hosts. Such a group of users interested in the same resource, known as "peers", combine together with a central component known as a "tracker". In BitTorrent, this combination of peers and trackers is called a "swarm". Trackers are responsible for controlling the resource transfer between peers. Peers that hold a particular resource or part of a resource are required to share the resource and to perform the transfer.

There are two types of BitTorrent peers, based on the stage at which they are involved in downloading or sharing a given resource:

(1) Seeders: peers that possess the complete resource and are only sharing it.

(2) Leechers: peers that do not possess the complete resource but are interested in obtaining it. They also share the fragments they have already downloaded. When a leecher obtains all the remaining fragments of the resource, it automatically becomes a seed.

In order to preserve the communication mode and properties of normal BT traffic during the steganographic process, it is essential to analyze the operation mode and protocols in the BT system. The concrete communication procedure of BT file sharing is shown in Figure 2.

(1) A seed file (torrent) is produced by the seeder and then released to the Tracker, which is combined with the web service.

(2) Peer1 (Leecher) queries and downloads the seed file of the required resource from the Tracker.

(3) Peer1 (Leecher) requests from the Tracker the list of peers which possess the shared resource.

(4) The Tracker returns the corresponding peers-list to Peer1 (Leecher).

(5) Peer1 (Leecher) conducts the TCP "three-way handshake" with the other peer, and then the connection between them is established.

(6) Once Peer1 (Leecher) is connected with Peer2 successfully, they immediately send and reply to the Handshake messages in order to confirm their identities.

(7) Peer1 (Leecher) exchanges the Bitfield message with Peer2, informing each other of the indexes of the file fragments which they already own.

(8) Peer1 (Leecher) exchanges a series of negotiation messages with Peer2, such as choke, unchoke, interested, and not interested.

(9) Peer1 (Leecher) sends the Request message to Peer2, asking for the specific file fragments.

(10) Peer2 replies with the Piece message to Peer1 (Leecher), containing the corresponding file fragments.

Among them, the Bitfield message is used to indicate the bitmap information of the file fragments which have already been obtained by the current peer. In the BT client, a file is generally divided into several fragments whose size is 256 kB. Then the fragments are indexed from 0 in sequence. Since the number of fragments is distinct for each file, the length of the Bitfield message is variable.

[Figure 1: The system model of StegTorrent.]

The format of the Bitfield message is shown in Figure 3, where len refers to the length of the Bitfield message, which occupies 4 Bytes, and id is the identifier of the Bitfield message, whose value is set to 5 and which occupies 1 Byte. The <bitfield> of X Bytes indicates the possession of specific file fragments, as depicted in Figure 4. The fragment with index 0 corresponds to the highest bit of the first byte, and so on. If the bit in a position is "1", the corresponding fragment is possessed, while a bit "0" means that the fragment is not possessed by the peer.

It can be observed that the Bitfield message is only sent immediately after completing a "handshake". Since there is no content-authentication mechanism for the Bitfield message in the BT client, the modification of <bitfield> may not appear abnormal. In other words, the altered <bitfield> will be taken by default as the original content. Although the Bitfield message is only exchanged once during the single interaction of two peers, the size of the delivered data is considerable. Therefore, the Bitfield message is employed as the steganographic carrier in this paper.

4. The Proposed Scheme

4.1. System Model

The proposed steganographic system model is presented in Figure 5. The steganographic peers include the steganographic sender and receiver, which disguise themselves as legitimate BT clients. The open-source code of the BT client is modified according to the proposed scheme, which is implemented as follows:

(1) Steg-preparing: first, the steganographic mode (Single-Link Steg or Multi-Link Steg) is selected by the sender-peer in accordance with the secret size, and a suitable video file is chosen as the shared resource. Second, the critical information of the shared video file, such as file name and format, is delivered to the receiver-peer via e-mail, instant messaging, and so on.

(2) Normal BitTorrent communication before-steg: the steganographic peers request the common file resource from the Tracker and establish a TCP link with each other.

(3) Steg-synchronization: the steganographic peers exchange the Handshake message to authenticate their identities in covert communication.

(4) Steg-implementation: the sender-peer embeds the secret information into the Bitfield message according to the selected steganographic mode. Then the altered Bitfield message is sent to the receiver-peer, from which the secret information can be extracted.

(5) Normal BitTorrent communication after-steg: after accomplishing the transmission of secret information, the steganographic peers still exchange the negotiation messages and transfer the required video file fragments like the other normal BT peers.

4.2. Multimode Steganography

In BT communication, two peers only exchange the Bitfield message once during the entire process of video file transfer, in order to share their concrete bitmap information. As mentioned above, the bitmap information is used to inform the other peer which file fragments are possessed by one peer and is sent immediately after completing the "handshake". Hence, the secret data that can be transferred during the single interaction of two peers is limited. If more secret data is required to be delivered, multiple peers might be employed in sharing the common resource. Multiple peers participate in the transmission of secret information concurrently to accomplish cooperative steganography. Accordingly, there are two proposed steganographic modes based on the data size of the secret information: Single-Link Steg and Multi-Link Steg. The main notations and symbols of our scheme are presented in Table 1.

[Figure 2: The communication sequence diagram of BT file sharing (Seeder, Tracker, Peer1, Peer2).]

[Figure 3: The format of the Bitfield message: len = 0001 + X (X: bitfield length) | id = 5 | <bitfield>.]

[Figure 5: The proposed steganographic system model (Steg-preparing, Steg-synchronization, Steg-implementation, and normal BT communication between sender peer and receiver peer).]

[Figure 4: The possession of specific file fragments indicated in <bitfield> (the shared video file is split into 256 kB fragments indexed from 0; each bit marks a fragment as possessed or not possessed).]

Table 1: The main notations and symbols.

Notation | Description
Single-Link Steg | Single-link steganography mode
Multi-Link Steg | Multi-link steganography mode
Mode | Steganography mode
S_len | The length of secret information
Secret_info | The content of secret information
Padding | The remainder of Bitfield field
File | The shared video file
sizeof | Function of calculating the shared file size
Index | The index of secret data block
S_block (i) | The i-th secret data block

4.2.1. Single-Link Steg

The Single-Link Steg mode is suitable for transmitting less secret information, such as a key or a parameter. In this scenario, there are only two peers participating in covert communication. As mentioned above, the steganographic sender must be a seeder. The Single-Link Steg is implemented as follows:

Step 1. Bitmap Info <bitfield> is partitioned into four steganographic fields, as shown in Figure 6. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "0", it denotes that our steganography is working in the Single-Link state.
(ii) S_len refers to the length of secret information, which occupies 1 Byte. It is defined as L Bytes.
(iii) Secret_info refers to the content of secret information, whose size is L Bytes.
(iv) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X-L-2) Bytes. It should be satisfied that L + 2 ≤ X.

Step 2. The original <bitfield> is substituted with the secret information according to the aforementioned steganographic format. In addition, the shared video file between steganographic peers must be appropriately selected in accordance with the secret size L. In particular, the size of the video file should satisfy the requirement denoted in

$$\mathrm{sizeof}(\mathrm{File}) \ge \frac{(L + 2) \times 8 \times 256}{10^{6}}\ \mathrm{GB}, \tag{1}$$

where sizeof represents the function of calculating the file size. The video file is generally divided into several fragments whose size is 256 kB.

4.2.2. Multi-Link Steg

In order not to disrupt the legitimate BT communication of file sharing when it is necessary to transfer a larger amount of secret data, the steganographic peers are not allowed to send the Bitfield message several times. Thus, the Multi-Link Steg mode is exploited in case more secret information is required to be delivered. Cooperative steganography can be realized by the collaborative transfer of multiple BT peers. In this scenario, the steganographic peers disguise themselves as legitimate BT clients intending to download the common video resource. They collaborate to transfer the secret segments in accordance with prior careful planning. The Multi-Link Steg, which is shown in Figure 7, is implemented as follows:

Step 1. Bitmap Info <bitfield> is partitioned into five steganographic fields, as shown in Figure 8. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "1", it denotes that our steganography is working in the Multi-Link state.
(ii) S_len refers to the length of the secret block, which occupies 1 Byte. It is defined as L Bytes.
(iii) Index refers to the index of the secret block, which starts from 1.
(iv) S_block refers to the content of the secret block, whose size is L Bytes.
(v) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X-L-3) Bytes. It should be satisfied that L + 3 ≤ X.

Step 2. The secret information is divided into n blocks whose size is L. S_block (i) refers to the i-th secret data block, where i = 1, 2, ..., n.

Step 3. n peers (legitimate BT clients) are controlled by the steganographic sender to transfer the secret blocks collaboratively.

Step 4. The sender-peers then connect with the steganographic receiver, respectively, establishing n covert links.

Step 5. For each sender-peer, the original <bitfield> is substituted with the secret block according to the aforementioned steganographic format.

Step 6. The steganographic receiver extracts the secret blocks according to the agreed format. Then the blocks are reordered to retrieve the complete secret information, which is denoted as secret_info as follows:

$$\mathrm{secret\_info} = \sum_{i=1}^{n} \mathrm{s\_block}(i). \tag{2}$$
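From the monitoring side, the two layouts above give a defender concrete things to check in a captured Bitfield message. The following is an added example, not code from the paper or from any BT client: it parses the len | id | <bitfield> frame, checks <bitfield> against the fragment count of the shared file, and reports whether the leading bytes fit the Single-Link or Multi-Link layout. The function names, the `serves_whole_file` flag, the 1024-byte reading of "kB", and the sample messages are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

BITFIELD_ID = 5              # id of the Bitfield message, as given on the page
PIECE_SIZE = 256 * 1024      # 256 kB fragments (kB read as 1024 bytes: assumption)


def piece_count(file_size: int) -> int:
    return -(-file_size // PIECE_SIZE)              # ceiling division


def expected_bitfield_len(file_size: int) -> int:
    """X in the page's notation: one bit per fragment, rounded up to bytes."""
    return -(-piece_count(file_size) // 8)


def build_message(bitfield: bytes) -> bytes:
    """Frame <bitfield> as len (4 B, value 1 + X) | id (1 B) | <bitfield>."""
    return struct.pack(">IB", 1 + len(bitfield), BITFIELD_ID) + bitfield


def parse_message(raw: bytes) -> bytes:
    """Return the <bitfield> bytes of one captured Bitfield message."""
    if len(raw) < 5:
        raise ValueError("truncated message")
    (msg_len,) = struct.unpack(">I", raw[:4])
    if raw[4] != BITFIELD_ID:
        raise ValueError("not a Bitfield message")
    if msg_len != len(raw) - 4:
        raise ValueError("length prefix does not match payload")
    return raw[5:]


def match_page_layout(bitfield: bytes) -> Optional[dict]:
    """Read the leading bytes under the Figure 6 / Figure 8 layouts.
    A fit is only a triage hint: ordinary bitfields can start with 0x00 or 0x01."""
    x = len(bitfield)
    if x < 3:
        return None
    mode, s_len = bitfield[0], bitfield[1]
    if mode == 0 and 1 <= s_len and s_len + 2 <= x:
        return {"mode": "Single-Link", "s_len": s_len, "padding": x - s_len - 2}
    if mode == 1 and 1 <= s_len and bitfield[2] >= 1 and s_len + 3 <= x:
        return {"mode": "Multi-Link", "s_len": s_len,
                "index": bitfield[2], "padding": x - s_len - 3}
    return None


@dataclass
class Report:
    findings: list = field(default_factory=list)
    layout: Optional[dict] = None


def inspect(raw: bytes, file_size: int, serves_whole_file: bool = False) -> Report:
    """serves_whole_file: the monitor has seen this peer act as a seeder."""
    bitfield = parse_message(raw)
    report = Report()
    pieces = piece_count(file_size)
    if len(bitfield) != expected_bitfield_len(file_size):
        report.findings.append("length does not match the fragment count")
    else:
        spare = len(bitfield) * 8 - pieces
        if spare and bitfield[-1] & ((1 << spare) - 1):
            report.findings.append("spare bits after the last fragment are set")
        have = sum(bin(b).count("1") for b in bitfield)
        if serves_whole_file and have != pieces:
            report.findings.append("peer seeds the file but advertises gaps")
    report.layout = match_page_layout(bitfield)
    if report.layout:
        report.findings.append("leading bytes fit the %s layout" % report.layout["mode"])
    return report


# Constructed samples: a 100-fragment file, so X = 13 Bytes with 4 spare bits.
FILE_SIZE = 100 * PIECE_SIZE
NORMAL_SEEDER = build_message(b"\xff" * 12 + b"\xf0")
SUSPECT = build_message(bytes([0, 4]) + b"\xde\xad\xbe\xef" + b"\xff" * 6 + b"\xf0")
```

A layout fit on its own is weak evidence; the seeder check is the stronger signal, because a peer that serves every fragment has no ordinary reason to advertise missing ones.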

5. Experiment Results and Analysis

5.1. Data Set and Implementation

Single-Link Steg and Multi-Link Steg are realized in the experiment, respectively. The open-source BT clients are modified to implement the proposed scheme, delivering the secret information covertly. Under the Single-Link Steg mode, the steganographic receiver disguises itself as the BT seeder. The data size of secret information is 255 bytes, and the shared video file is selected whose size is 104MB. The communication packets between the steganographic peers are captured by Wireshark, as shown in Figure 9. It can be seen that the secret data is transferred successfully by substituting the partial content of the Bitfield message according to the format. Besides, it is verified that the legitimate BT communication has not been affected by the revision of the Bitfield message. The negotiation messages, such as Interested and Unchoke, are exchanged subsequently, and so are the file fragment transmission messages, such as Request and Piece. Hence, it can be concluded that the proposed steganography retains normal communication without introducing any additional anomaly.

Under the Multi-Link Steg mode, the data size of secret information is 1 kB, and the shared video file is selected whose size is 90MB. In this scenario, there are three steganographic peers involved in the covert communication, in which peer1 and peer2 are both controlled by the steganographic sender in order to cooperatively transfer the secret data. Peer3 is the steganographic sender, which acts as the BT seeder. Figure 10 presents the Bitfield messages of steganographic peer1 and peer2, which contain the secret block, respectively.

Further experiments are performed to evaluate the main performance metrics of the proposed scheme, which comprise the undetectability, robustness, and capacity analysis. As the undetectability and robustness will not be affected by the number of steganographic peers, only the Single-Link Steg mode is considered in the corresponding experiment.

[Figure 6: The steganographic format of <bitfield> in Single-Link Steg: len = 0001 + X (4 B) | id = 5 (1 B) | <bitfield> (X B), where <bitfield> = Mode = 0 (1 B) | S_len = L (1 B) | Secret_info (L B) | Padding ((X-L-2) B).]

[Figure 7: The cooperative steganography of peers in Multi-Link Steg (BT Client 1 to BT Client n send s_block(1) to s_block(n) over the P2P network to the secret receiver, BT Client n + 1).]

[Figure 8: The steganographic format of <bitfield> in Multi-Link Steg: len = 0001 + X (4 B) | id = 5 (1 B) | <bitfield> (X B), where <bitfield> = Mode = 1 (1 B) | S_len = L (1 B) | Index (1 B) | S_block (L B) | Padding ((X-L-3) B).]

[Figure 9: Bitfield message under Single-Link Steg mode (Mode, S_len, and Secret_info marked in the capture).]

5.2. Undetectability

As the core property, undetectability means that the covert traffic cannot be differentiated from the normal one, which depends entirely on the similarity between the two. Therefore, in order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. In the experiment, normal traffic of downloading general video files in BT clients (BitTorrent, μTorrent, and Vuze) is captured by Wireshark. Then the lengths of <bitfield> in Bitfield messages are extracted to form the normal samples. The number of normal and steganography samples is 20000. In the following, statistical and machine learning-based steganalysis are utilized to detect our proposed scheme, respectively.

5.2.1. Statistical-Based Steganalysis

Statistical-based steganalysis is the most common and popular method to detect potential covert traffic, in which statistical properties such as traffic regularity or the distribution function are exploited to distinguish normal and covert traffic. As we know, the histogram is a significant property that can reveal the statistical distribution feature of traffic. Therefore, the histograms of normal traffic and the covert traffic of our scheme are compared in Figure 11, where the x-axis shows the field length of <bitfield>, ranging from 0 to 2500 Bytes, and the y-axis indicates the number of lengths that occurred within each bin (the x-axis is divided into eight bins). As shown in the figure, the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, with a peak value of 1000 Bytes. It is obvious that the histogram of our scheme matches the normal one quite well. The calculated file size corresponding to the maximum <bitfield> length of 2500 Bytes is approximately 4.9 GB.

Meanwhile, two notable detection methods, the Entropy test [26] and the Kolmogorov–Smirnov test [27], are employed to quantitatively assess the detection resistance of our scheme compared with StegTorrent [25]. Normal and covert samples are both divided into 20 consecutive windows whose size is 1000. A certain statistical feature of each window is calculated and used during the detection process, as depicted in Figure 12.

(1) Entropy Test. Entropy can describe the degree of chaos in a process. In the Entropy test (EN-test), it is utilized to measure the regularity of data traffic [26]. If the traffic is less regular, the Entropy value will be larger, and vice versa. Since less regularity indicates more randomness, a greater amount of information is contained in the traffic. The Entropy value is obtained by calculating the statistical average of all possible self-information, which is denoted in

$$H(X) = E\left[I(x_i)\right] = -\sum_{i=1}^{n} p(x_i)\log p(x_i), \qquad (3)$$

where $X$ represents a one-dimensional discrete random variable whose set of values is $\Omega = \{x_i \mid i = 1, 2, \ldots, n\}$. The

Figure 10: Bitfield message under Multi-Link Steg mode. (Panels: (a) <Steganographic Peer1>, (b) <Steganographic Peer2>; fields shown: Mode, S_len, Index, Secret_info.)

Figure 11: The comparison of histograms between normal and steganographic <bitfield> lengths of our scheme. (x-axis: Length (Bytes), 0 to 2500; y-axis: Number; series: Normal traffic, Our scheme.)


self-information of $x_i$ is $I(x_i)$, and the probability of $x_i$ is denoted as $p(x_i) = P\{X = x_i\}$. The Entropy values of 20 windows for normal and covert samples are compared in Figure 13. From the result, it can be found that most Entropy values of normal samples range approximately from 0.5 to 1.3, whereas those of the covert samples generated by StegTorrent are from 0.8 to 1.5. But the values of our scheme mix with those of the normal samples, which can hardly be differentiated.

Then, 20 windows of normal and covert samples are tested using the Entropy test, respectively, when the window size is 1000. The results are presented in Table 2, where the detection threshold is denoted as THD. It is observed that the false-negative rate of normal samples declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. And we can see the detection rate of StegTorrent ranges from 91% to 98%, while that of our scheme is only below 7%. Hence, the Entropy test fails to distinguish the covert samples of our scheme from the normal one.

(2) Kolmogorov–Smirnov Test. K-S test [27] measures the maximum distance between two distributions. A small value indicates that two distributions are close to each other. Conversely, a large value means that one distribution does not fit the other one. The Kolmogorov-Smirnov test value (KS-test value) is attained by taking the supremum of the absolute difference between two empirical distribution functions for all x, which can be defined in

$$\mathrm{KSTEST} = \sup_{x}\left|S_1(x) - S_2(x)\right|, \qquad (4)$$

where $S_1(x)$ and $S_2(x)$ refer to the empirical distribution functions of two samples. The comparison of KS-test values between the normal and covert samples is shown in Figure 14. Likewise, 20 windows of normal and covert samples are tested in the experiment. The x-axis is the window number, and the y-axis shows the corresponding KS-test value. It is observed that the KS-test values of our scheme are under 0.15, confused with those of the normal traffic. Thus, the distribution of our scheme is close to that of the normal one. Nevertheless, the corresponding values of StegTorrent occur from 0.15 to 0.25, which deviates from the normal case.

Then, the covert traffic is detected using the K-S test, and the detection results are shown in Table 3, where the detection threshold is denoted by THD. It is observed that the false negative (FN) rate of the normal traffic declines when the threshold increases. FN refers to the normal sample which is misclassified as the covert one. Hence, the detection threshold is set appropriately from 0.13 to 0.15 in order to guarantee that the false-negative rate remains under 1%. Meanwhile, the true positive (TP) rates of covert samples are presented in the table. In this paper, the detection rate is represented by TP. From the results, it is easily seen that the detection rate of StegTorrent is more than 92% when tested with different thresholds. But in our case, it is located under 3%, indicating that the Kolmogorov–Smirnov test cannot effectively detect the covert traffic generated by our scheme.
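The two window-based tests described above can be run over a stream of <bitfield> lengths as follows. This is an added example, not the authors' code: the samples are constructed (a clipped Gaussian around 1000 bytes as reference and normal traffic, and a uniform spread of lengths as an anomalous stream, which is not the paper's scheme). Assumptions: the 8-bin entropy estimate, the natural logarithm and the entropy threshold calibrated from reference windows; the K-S threshold 0.15 is taken from the range used in Table 3.

```python
import math
import random
from collections import Counter

WINDOW = 1000    # window size used in the paper's statistical tests
MAX_LEN = 2500   # largest <bitfield> length reported on the page (bytes)
BINS = 8         # assumption: number of bins for the entropy estimate


def windows(samples, size=WINDOW):
    """Consecutive, non-overlapping, full windows of a sample sequence."""
    return [samples[i:i + size] for i in range(0, len(samples) - size + 1, size)]


def entropy(window):
    """H(X) = -sum p(x_i) log p(x_i), where x_i is the bin a length falls into."""
    counts = Counter(min(BINS - 1, v * BINS // MAX_LEN) for v in window)
    n = len(window)
    return -sum(c / n * math.log(c / n) for c in counts.values())


def ks_statistic(a, b):
    """sup_x |S1(x) - S2(x)| over the two empirical distribution functions."""
    a, b = sorted(a), sorted(b)
    i = j = 0
    d = 0.0
    while i < len(a) and j < len(b):
        x = min(a[i], b[j])
        while i < len(a) and a[i] == x:   # step both ECDFs past x (handles ties)
            i += 1
        while j < len(b) and b[j] == x:
            j += 1
        d = max(d, abs(i / len(a) - j / len(b)))
    return d


def detection_rate(values, thd):
    """Fraction of windows whose statistic exceeds the threshold THD."""
    return sum(v > thd for v in values) / len(values)


def constructed_samples(seed=7, n=20000):
    """Constructed data: two draws of 'normal' lengths and one anomalous stream."""
    rng = random.Random(seed)

    def clip(v):
        return max(1, min(MAX_LEN, int(v)))

    reference = [clip(rng.gauss(1000, 300)) for _ in range(n)]
    normal = [clip(rng.gauss(1000, 300)) for _ in range(n)]
    anomalous = [rng.randint(1, MAX_LEN) for _ in range(n)]
    return reference, normal, anomalous


def evaluate(reference, normal, anomalous, ks_thd=0.15):
    """Per-stream share of flagged windows for the EN-test and the K-S test."""
    # Assumption: the entropy threshold is the largest value seen on reference windows.
    en_thd = max(entropy(w) for w in windows(reference))
    rates = {}
    for name, sample in (("normal", normal), ("anomalous", anomalous)):
        wins = windows(sample)
        rates[name] = {
            "en": detection_rate([entropy(w) for w in wins], en_thd),
            "ks": detection_rate([ks_statistic(w, reference) for w in wins], ks_thd),
        }
    return rates


if __name__ == "__main__":
    for name, rates in evaluate(*constructed_samples()).items():
        print(name, rates)
```

Both statistics only see the length distribution, so a stream whose lengths follow the reference distribution passes them regardless of what the field carries.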

Figure 12: Block diagram of the statistical-based detection process. (Blocks: Normal traffic, Covert traffic; Data Preprocessing: <Bitfield> lengths extract, Window size filter; Statistical feature calculating; Detection threshold setting; Detection result: 1 = steg, 0 = normal.)

Figure 13: The comparison of Entropy values between normal and covert samples. (x-axis: Window number, 0 to 20; y-axis: Entropy value; series: Normal traffic, Our scheme, StegTorrent.)

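Table 2: The detection result of the Entropy test under different thresholds.

| Detection result | THD = 0.95, TP (%) | THD = 0.95, FN (%) | THD = 0.98, TP (%) | THD = 0.98, FN (%) | THD = 1.03, TP (%) | THD = 1.03, FN (%) |
| --- | --- | --- | --- | --- | --- | --- |
| Our scheme | 0.07 | 0.09 | 0.04 | 0.07 | 0.02 | 0.04 |
| StegTorrent | 0.98 | 0.09 | 0.92 | 0.07 | 0.91 | 0.04 |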


5.2.2. Machine Learning-Based Steganalysis. Recently, the machine learning technique performs quite well in resolving complex problems in various domains. In particular, it has progressively become a novel and effective means of detecting covert channels. In machine learning-based steganalysis, various statistical metrics (features) of normal and covert samples are utilized by classifier models, which are eventually trained to distinguish covert traffic. The classifiers used in machine learning-based detection mainly include SVM, Neural Network, Logistic Regression, Naive Bayes, Random Forest, and Deep Neural Network [28–30]. In this paper, Deep Neural Network (DNN) is principally employed to further estimate the undetectability of our scheme compared with StegTorrent.

(1) Detection Process. The proposed scheme is detected using DNN by the following steps, as depicted in Figure 15.

Step 1. Network traffic of downloading general video files in BT clients is captured by Wireshark. Then, the lengths of <bitfield> are extracted to form the normal or covert samples, whose size is 5000000, respectively. The samples are divided into 10000 subsamples, each containing 500 lengths.

Step 2. For each subsample, values of five statistical features, including mean, median, entropy, standard deviation, and root of average mean error, are calculated as described in Table 4. The data set of statistical features contains two types of samples, which are the normal and covert ones. It will be then used for training or testing in the classifier.

Step 3. The data set is divided into two parts, 70% of which is used for training in the DNN classifier model and 30% of which is used for testing. The normal traffic is labeled "0", and the covert one is labeled "1". After training the DNN classifier, it can be exploited to detect the covert traffic online.

The structure of DNN is shown in Figure 16. In the input layers, 5 statistical features are fed to DNN as the input variables. In the hidden layers, each layer consists of a number of neurons involved in the prediction phase. Each neuron adjusts its weight based on the learning process and participates in calculating the coefficients of the final equations, which will be used to determine the class label (normal or covert) of tested samples. The output layer is responsible for determining the predicted value of the class label.
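Steps 1 to 3 can be followed end to end with the sketch below, an added example that is not the authors' code. It computes the five Table 4 features per 500-length subsample, labels and splits the data 70/30, and, so that it runs with the standard library only, replaces the DNN with a nearest-centroid classifier as a stand-in. Assumptions: the samples are constructed (the "1" class is a uniform spread of lengths, not the paper's scheme), and the median of an even-sized subsample is the average of its two middle values.

```python
import math
import random
import statistics
from collections import Counter

SUBSAMPLE = 500  # lengths per subsample, as in Step 1


def features(lengths):
    """x1..x5 of Table 4 for one subsample of <bitfield> lengths."""
    n = len(lengths)
    mu = sum(lengths) / n
    probs = [c / n for c in Counter(lengths).values()]
    return [
        mu,                                                      # x1: mean
        statistics.median(lengths),                              # x2: median
        -sum(p * math.log(p) for p in probs),                    # x3: entropy
        math.sqrt(max(0.0, sum(v * v for v in lengths) / n - mu * mu)),  # x4
        math.sqrt(sum(abs(v - mu) for v in lengths) / n),        # x5: RAME
    ]


def build_dataset(normal, covert, size=SUBSAMPLE):
    """Label normal subsamples 0 and covert subsamples 1 (Steps 1 and 2)."""
    rows = []
    for label, sample in ((0, normal), (1, covert)):
        for i in range(0, len(sample) - size + 1, size):
            rows.append((features(sample[i:i + size]), label))
    return rows


def split(rows, seed=1):
    """Shuffle, then use 70% for training and 30% for testing (Step 3)."""
    rows = rows[:]
    random.Random(seed).shuffle(rows)
    cut = len(rows) * 7 // 10
    return rows[:cut], rows[cut:]


def train_centroids(train):
    """Stand-in classifier: z-score each feature, keep one centroid per label."""
    cols = list(zip(*(f for f, _ in train)))
    mean = [statistics.fmean(c) for c in cols]
    std = [statistics.pstdev(c) or 1.0 for c in cols]

    def scale(f):
        return [(v - m) / s for v, m, s in zip(f, mean, std)]

    centroids = {}
    for label in (0, 1):
        pts = [scale(f) for f, y in train if y == label]
        centroids[label] = [statistics.fmean(c) for c in zip(*pts)]
    return scale, centroids


def predict(model, f):
    scale, centroids = model
    z = scale(f)
    return min(centroids, key=lambda y: math.dist(z, centroids[y]))


def accuracy(model, rows):
    return sum(predict(model, f) == y for f, y in rows) / len(rows)


def demo(seed=11, n=20000):
    """Constructed samples -> features -> 70/30 split -> test accuracy."""
    rng = random.Random(seed)

    def clip(v):
        return max(1, min(2500, int(v)))

    normal = [clip(rng.gauss(1000, 300)) for _ in range(n)]
    other = [rng.randint(1, 2500) for _ in range(n)]   # constructed class "1"
    train, test = split(build_dataset(normal, other))
    return len(train), len(test), accuracy(train_centroids(train), test)


if __name__ == "__main__":
    print(demo())
```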

(2) Detection Result. Figure 17 depicts the effect on the detection rate of covert samples when increasing the number of neurons inside the DNN hidden layers. It can be noted that the detection rate improves as the number of neurons increases until it reaches 13, where the highest rate of 37% is achieved in detecting our proposed scheme. Nevertheless, at most 96% of StegTorrent is differentiated successfully by the DNN classifier.

Subsequently, the effect on the detection rate of increasing the number of hidden layers in DNN is shown in Figure 18. It is observed that the detection rate also increases with the increment of hidden layers until reaching a certain level. And the rate declines after the peak value since the classifier model is overfitted. It is easily found that 43% of covert samples of our scheme are detected when the number of hidden layers is 5, while the detection rate of StegTorrent reaches above 97% under the same circumstances.

Finally, the proposed scheme is tested by other machine learning-based detection methods, such as SVM, Logistic Regression, Naive Bayes, and Random Forest. And the detection rates of our scheme and StegTorrent are compared in Figure 19. It is observed that 24% to 43% of our scheme is detected by different classifiers, while the detection rates of StegTorrent appear from 92% to 98%. It is clearly noticeable that the proposed scheme has outperformed StegTorrent by obtaining a lower degree of detection rate. Therefore, it can be concluded that our scheme possesses better undetectability than the existing method.

5.3. Robustness. Robustness requires the covert channel to keep working with relatively high accuracy and low bit error rate (BER), resisting the perturbation of network noise such as network jitter and packet disorder and loss. In the experiment, the robustness of our proposed scheme is measured considering packet loss (pl) and packet disorder (pd). The BERs of the proposed scheme are compared with those of StegTorrent in terms of different rates of packet disorder/

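Table 3: The detection result of the Kolmogorov-Smirnov test under different thresholds.

| Detection result | THD = 0.13, TP (%) | THD = 0.13, FN (%) | THD = 0.14, TP (%) | THD = 0.14, FN (%) | THD = 0.15, TP (%) | THD = 0.15, FN (%) |
| --- | --- | --- | --- | --- | --- | --- |
| Our scheme | 0.03 | 0.01 | 0.01 | 0.00 | 0.00 | 0.00 |
| StegTorrent | 0.99 | 0.01 | 0.95 | 0.00 | 0.92 | 0.00 |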

Figure 14: The comparison of KS-test values between normal and covert samples. (x-axis: Window number, 0 to 20; y-axis: KS-test value; series: Normal traffic, Our scheme, StegTorrent.)


loss, as given in Figure 20. It is obvious that the secret information of our scheme can be accurately obtained under different rates of packet loss or disorder. However, the BER of StegTorrent increases with the increment of packet loss/disorder rate. The BER of StegTorrent reaches up to 11% when 20% of packets are lost, which will degrade the reliability of covert communication in StegTorrent.

On the one hand, the good performance in resisting packet loss and disorder of our scheme is due to the TCP reliable transmission mechanism of normal BT traffic, which serves as the carrier of our steganography. Therefore, the proposed method is noise-tolerant. On the other hand, packet loss or disorder alters the packet-arriving order in StegTorrent, which will lead to the misrecovery of secret data on the receiver side. Hence, we can conclude that our scheme is superior to StegTorrent with respect to robustness.

5.4. Capacity. Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or packet. In other words, capacity refers to the transfer rate of secret information. It is closely related to the bandwidth of the normal carrier and the steganographic modulation algorithms. As revealed in Figure 21, the field length of <bitfield> ranges from 0 to 2500 Bytes in normal BT communication,

Figure 15: Detection process of DNN. (Blocks: Sample acquisition: Network traffic; Data Preprocessing: Feature extraction; Machine learning: <DNN> classifier, training/testing; output: "1" covert, "0" normal.)

Table 4: Definitions of the statistical features.

| Input variable | Feature | Formula | Explanation |
| --- | --- | --- | --- |
| $x_1$ | Mean | $\mu = (1/n) \times \sum_{i=1}^{n} l_i$ | $l_i$ is the length of <bitfield>; $n$ is the subsample size |
| $x_2$ | Median | $l_{(n+1)/2}$ | Where the lengths are sorted in ascending order |
| $x_3$ | Entropy | $-\sum_{i=1}^{n} p(l_i)\log p(l_i)$ | $p(l_i)$ is the probability of length $l_i$ |
| $x_4$ | Standard deviation | $\sigma = \sqrt{\sum_{i=1}^{n} (1/n) \times (l_i^2 - \mu^2)}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |
| $x_5$ | Root of average mean error | $\mathrm{RAME} = \sqrt{\sum_{i=1}^{n} \lvert l_i - \mu \rvert / n}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |

Figure 16: The structure of DNN. (Input layer: x1 to x5; hidden layers: H1, H2, ..., Hk; output layer: y, with 1 = Covert and 0 = Normal.)

Figure 17: The effect on the detection rate of increasing the number of neurons inside the DNN 3-hidden layers. (x-axis: Number of neurons; y-axis: Detection rate; series: Our scheme, StegTorrent.)

Figure 18: The effect on the detection rate of increasing the number of hidden layers in DNN. (x-axis: Number of hidden layers; y-axis: Detection rate; series: Our scheme, StegTorrent.)


which means that the maximum capacity of Single-Link Steg is 2500 B/P. Meanwhile, in Multi-Link Steg, the capacity will increase linearly with the number of steganographic peers, which is shown in Figure 21. Since the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, as mentioned above, the secret data of a certain size (L) is transmitted by each peer engaged in the steganography. It is found that when 64 peers transfer the secret information concurrently, the capacity reaches up to 76800 B/P.

However, more peers might increase the overhead of system resources and the complexity of the steganographic control mechanism, which will make the scheme more difficult to implement. Thus, the tradeoff between the number of steganographic peers and system overhead will be taken into consideration in future research. And then the capacity of Multi-Link Steg mode can be analyzed under the optimal number of steganographic peers.

6. Conclusions

BitTorrent file sharing, the protocol of P2P, is a steganographic carrier with high covertness, which has massive network traffic and a complex communication mechanism. The steganographic peers are confused with numerous legitimate BT peers owing to the cooperative transmission in the P2P network. Thus, it is extremely difficult to locate steganographic peers in the tremendous BT traffic. The steganographic peers disguise as the legitimate BT clients who are interested in possessing the common video file. They participate in downloading the same resource, following the normal BT communication mode without introducing any

Figure 19: The comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysis methods. (Classifiers: Deep neural network, Naive Bayes, Logistic regression, Random forest, Support vector machine; y-axis: Detection rate; bar labels as printed: StegTorrent 98, 97, 95, 93, 92; Our scheme 43, 39, 30, 27, 24.)

Figure 20: The comparison of BERs between our scheme and StegTorrent under different rates of packet loss/disorder. (x-axis: Packet disorder/loss rate (%); y-axis: BER; series: Our scheme-pl, StegTorrent-pl, StegTorrent-pd, Our scheme-pd.)

Figure 21: Capacity of the proposed scheme under different numbers of steganographic peers. (x-axis: Number of peers, 1 to 64; y-axis: Capacity (B/P), ×10^3; series: L = 100, L = 400, L = 800, L = 1200.)


extra traffic. Taking advantage of the non-content-authentication mechanism of Bitfield message, the secret information is embedded into the content of <bitfield> according to the given format. The altered Bitfield message can bypass the security censorship of the BT system and network monitor device. Hence, our scheme has proved better undetectability and robustness than the current methods. In the future work, another BitTorrent-based steganographic algorithm will be designed and researched, in which the tradeoff between the numbers of steganographic peers and system overhead will be taken into consideration. And then the optimal steganographic mode can be analyzed and selected.

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, "Verifiable computation over large database with incremental updates," IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, "Faster-RCNN based robust coverless information hiding system in cloud environment," IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, "Coverless image steganography using partial-duplicate image retrieval," Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, "Survey on covert storage channel in computer network protocols: detection and mitigation techniques," International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, "An improved method in deep packet inspection based on regular expression," The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, "Evaluation of steganographic methods for oversized IP packets," Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, "A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU," The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, "IP covert timing channels: design and detection," in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, "Implementing a passive network covert timing channel," Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, "Minority oversampling for imbalanced ordinal regression," Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, "Model based covert timing channels: automated modeling and evasion," Lecture Notes in Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, "Network covert timing channel with distribution matching," Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, "Building covert timing channels by packet rearrangement over mobile networks," Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, "A packet-reordering covert channel over VoLTE voice and video traffics," Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, "Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC," IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, "Robust network covert communications based on TCP and enumerative combinatorics," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, "Design and performance evaluation of a covert timing channel," Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, "CoCo: coding-based covert timing channels for network flows," in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, "A covert timing channel based on fountain codes," in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, "Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding," IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, "Research on the hidden anonymous communication system based on P2P," M.S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, "SkyDe: a skype-based steganographic method," International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, "Fast mode decision using inter-view and inter-component correlations for multiview depth video coding," IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.


[24] J. Lv, C. Zhu, S. Tang, and C. Yang, "Deepflow: hiding anonymous communication traffic in P2P streaming networks," Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, "StegTorrent: a steganographic method for the P2P file sharing service," IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, "An entropy-based approach to detecting covert timing channels," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, "Cyberspace security for future Internet," Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, "A novel online incremental and decremental learning algorithm based on variable support vector machine," Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, "The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier," Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, "Using hierarchical statistical analysis and deep neural networks to detect covert timing channels," Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.


Page 2: A Multimode Network Steganography for Covert Wireless ...downloads.hindawi.com/journals/scn/2020/8848315.pdf · steganography subfield. Under this background, recent network steganography

feasible network services with more popularity, reliability, and security are sought as a steganographic carrier.

It is revealed in the 2017 network traffic report that the P2P traffic accounts for 79.25%, 83.46%, 63.94%, and 67.19% of the total flow in Germany, Eastern Europe, Middle East, and Australia, respectively, which wins the top ranking. Among them, the BitTorrent (BT) file sharing service occupies more than 50% to 70% of P2P traffic. Additionally, the result of traffic monitor between the boundary route of Jiangsu Education Network and the national trunk route indicates that the BitTorrent traffic accounts for 60% of all, which has become the most prevailing P2P protocol.

As we know, an ideal steganographic carrier should possess two properties, popularity and complexity, since the massive communication traffic and complex pattern of such a carrier can improve the undetectability of steganography. Nowadays, wireless network has become a predominant means of data transmission, dynamically evolving the network steganography subfield. Under this background, recent network steganography solutions exploit popular P2P services like file-sharing systems like BitTorrent, search features like Google Suggest, and multimedia and Voice-over-IP services like Skype and WeChat [20–24]. The continuous and large amount of video data transmission during BitTorrent wireless communication provides chances of launching steganography.

Kopiczko et al. [25] proposed a BitTorrent-based network steganographic method called StegTorrent. It was based on modifying the order of data packets in the peer-peer data exchange protocol, which can provide steganographic bandwidth of up to 270 b/s. However, the perturbation of inherent network noise, such as jitter or packet loss, may affect the order of certain packets on the receiver side. Meanwhile, ordering of packets with distinct IP inevitably altered the interpacket delays, which could be easily differentiated from the normal distribution of BitTorrent IPDs by the adversary. To overcome the drawbacks of the existing method, the steganographic procedure should retain a normal communication mode of network service. In order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. Therefore, in this paper, BitTorrent is selected as the steganographic carrier, of which the system structure, communication mode, and protocols are analyzed comprehensively. On this basis, the protocol redundancy is deeply tapped, in which the secret information can be embedded. The main contribution of this paper is as follows:

(1) Taking advantage of the non-content-authentication mechanism of Bitfield message, the secret information is transferred during the exchange process of BitMapInfo (BitMap Information) between two legitimate BT peers (Clients) and is embedded into the content of <bitfield> according to the given format. Thus, the covert traffic of our scheme preserves normal behavior and property so as to resist detection.

(2) The multimode steganographic method is proposed, which exploits the cooperative transmission of BT peers. The steganographic mode (Single-Link Steg or Multi-Link Steg) is dynamically selected in view of the secret size, achieving adaptive bandwidth. In Multi-Link Steg, multiple peers participate in the transmission of secret information concurrently to accomplish collaborative steganography. Meanwhile, such method is noise-tolerant due to the reliable transmission mechanism of TCP, making the proposed scheme more robust.

(3) Multidimensional steganalysis is employed to comprehensively verify the undetectability of the proposed scheme. Statistical properties-based detection methods are used to measure the traffic regularity, such as Entropy test (EN-test). The nonparametric statistical method is exploited to measure the distance between two distributions, such as the Kolmogorov–Smirnov test (K-S test). Machine learning-based steganalysis is used to classify the tested traffic into covert or normal, such as SVM, Random Forest, and Deep Neural Networks.

The remainder of this paper is organized as follows. In Section 2, related works are reviewed. The basics of the BitTorrent system are described in Section 3. In Section 4, the proposed scheme is introduced in detail. In Section 5, experimental results are presented and analyzed. Finally, the whole paper is concluded in Section 6.

2. Related Work

Kopiczko et al. [25] proposed a BitTorrent-based network steganographic method called StegTorrent, which is illustrated in Figure 1. It is assumed that both the secret data sending and receiving sides are in control of a certain number of BitTorrent clients and, as mentioned above, their IP addresses are known to each other. In Figure 1, for the sake of clarity, only single direction steganographic transmission is presented, but of course, end-to-end bidirectional communication is possible, and the other direction is analogous. No knowledge of the network's topology is necessary. The hidden data sender uses the modified BitTorrent client (the StegTorrent client) to share a resource that is downloaded by the second StegTorrent client that consists of a group of controlled BitTorrent clients.

For the sake of the proposed method's description and analysis, the term data package is defined as a set of IP addresses that are sent within the IP packets in a predetermined order and the term data package size as the total number of elements in this set. For example, it is assumed that the data package size is 2. In this case, two packets with two different IP addresses (e.g., IP1 and IP2) are used to send bits of hidden data. In this simple scenario, if the order of the packets is modified for steganographic purposes and the BitTorrent client receives a packet that was sent from IP1 and then from IP2, then it will be interpreted as binary "0" and in other cases as binary "1". It is assumed that the data package and its size are a shared secret between transmitting and receiving StegTorrent clients.


It must be noted that this methodrsquos performance de-pends on the size of the data package while the latter relies onthe number of available receiving IP addresses (receivingBitTorrent clients under control) However the perturbationof inherent network noise such as jitter or packet loss mayaffect the order of certain packet on the receiver sideMeanwhile ordering of packets with distinct IP inevitablyaltered the interpacket delays which could be easily dif-ferentiated from the normal distribution of BitTorrent IPDsby the adversary

3 BitTorrent Analysis

BitTorrent is a P2P file-sharing system that allows its users todistribute large files over networks BitTorrent is distin-guished from other similar file transfer applications in thatinstead of downloading a resource from a single centralserver users download fragmented files from other userssimultaneously As a result the file transfer time is con-siderably decreased because the group of users that share thesame resource or part of it may consist of several tothousands of hosts Such a group of users interested in thesame resource known as ldquopeersrdquo combine together with acentral component known as a ldquotrackerrdquo in BitTorrent iscombination of peers and trackers is called a ldquoswarmrdquoTrackers are responsible for controlling the resource transferbetween peers Peers that hold onto a particular resource orpart of a resource are required to share the resource and toperform the transfer

ere are two types of BitTorrent peers based on thestage at which they are involved in downloading or sharing agiven resource

(1) Seeders peers that possess the complete resource andare only sharing it

(2) Leechers peers that do not possess the completeresource but they are interested in doing so ey alsoshare the fragments they have already downloadedWhen a leecher obtains all the remaining fragments ofthe resource it automatically becomes a seed

In order to preserve the communication mode andproperties of normal BT traffic during the steganographicprocess it is essential to analyze the operation mode andprotocols in the BT system e concrete communicationprocedure of BT file sharing is shown in Figure 2

(1) A seed file (torrent) is produced by the seeder andthen released to the Tracker which is combinedwith the web service

(2) Peer1 (Leecher) queries and downloads the seed fileof the required resource from the Tracker

(3) Peer1 (Leecher) requests the list of peers whichpossess the shared resource from the Tracker

(4) e Tracker returns the corresponding peers-list toPeer1 (Leecher)

(5) Peer1 (Leecher) conducts ldquothree-way handshakerdquo ofTCP with the other peer and then the connectionbetween them is established

(6) Once Peer1 (Leecher) is connected with Peer2successfully they will immediately send and replythe Handshake messages in order to confirm theiridentities

(7) Peer1 (Leecher) exchanges the Bitfield message withPeer2 informing each other of the indexes of filefragments which are already owned by themselves

(8) Peer1 (Leecher) exchanges a series of negotiationmessages with Peer2 such as choke unchoke in-terested and not interested

(9) Peer1 (Leecher) sends the Request message toPeer2 asking for the specific file fragments

(10) Peer2 replies the Piece message to Peer1 (Leecher)containing the corresponding file fragments

Among them, the Bitfield message is used to indicate the bitmap information of the file fragments which have already been obtained by the current peer. In the BT client, a file is generally divided into several fragments whose size is 256 kB. Then, the fragments are indexed from 0 in sequence. Since the number of fragments is distinct for each file, the length of the Bitfield message is variable.

Figure 1: The system model of StegTorrent.

The format of the Bitfield message is shown in Figure 3, where len refers to the length of the Bitfield message, which occupies 4 Bytes, and id is the identifier of the Bitfield message, of which the value is set to 5, occupying 1 Byte. The <bitfield> of X Bytes indicates the possession of specific file fragments, as depicted in Figure 4. The fragment with index 0 corresponds to the highest bit of the first byte, and so on. If the bit in a position is "1," the corresponding fragment is possessed, while a bit "0" means that the fragment is not possessed by the peer.

It can be observed that the Bitfield message is only sent immediately after completing a "handshake." Since there is no content-authentication mechanism for the Bitfield message in the BT client, a modification of <bitfield> may not appear abnormal. In other words, the altered <bitfield> will be accepted by default as the original content. Although the Bitfield message is exchanged only once during a single interaction of two peers, the size of the delivered data is considerable. Therefore, the Bitfield message is employed as the steganographic carrier in this paper.
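Because the <bitfield> content is not authenticated, a client or monitor can only check it for consistency. The following is an added example (not code from the paper): it parses the frame layout described above, applies the structural checks that are possible when the piece count is known, and compares the advertised bitmap with the peer's later behaviour. The function names, the sample frame and the two audit heuristics are assumptions made for illustration.

```python
import struct

BITFIELD_ID = 5  # Bitfield message id, as stated in the text

# Constructed sample: the 7-fragment file of Figure 4, fragments 0-2 possessed.
FIG4_FRAME = struct.pack(">IB", 2, BITFIELD_ID) + bytes([0b11100000])


def parse_bitfield(frame, num_pieces):
    """Return the set of fragment indexes advertised in one Bitfield frame.

    frame      -- <len (4 B, big-endian)><id (1 B)><bitfield (X B)>
    num_pieces -- fragment count of the shared file (assumed known to the
                  checker from the torrent metadata); X = ceil(num_pieces / 8)
    Raises ValueError with the reason when the frame is malformed.
    """
    if len(frame) < 5:
        raise ValueError("frame shorter than the len + id header")
    length, msg_id = struct.unpack(">IB", frame[:5])
    payload = frame[5:]
    if msg_id != BITFIELD_ID:
        raise ValueError("message id is not Bitfield")
    if length != 1 + len(payload):  # len = 1 + X
        raise ValueError("len field disagrees with the frame size")
    expected = (num_pieces + 7) // 8
    if len(payload) != expected:
        raise ValueError("bitfield length does not match the fragment count")
    spare = expected * 8 - num_pieces  # unused low bits of the last byte
    if spare and payload[-1] & ((1 << spare) - 1):
        raise ValueError("spare bits after the last piece are set")
    # Index 0 is the highest bit of the first byte.
    return {i for i in range(num_pieces) if payload[i >> 3] & (0x80 >> (i & 7))}


def validate(frame, num_pieces):
    """Return None if the frame passes the structural checks, else the reason."""
    try:
        parse_bitfield(frame, num_pieces)
    except ValueError as err:
        return str(err)
    return None


def audit_peer(advertised, later_have, requested, served):
    """Compare a peer's advertised bitmap with what it did afterwards.

    advertised -- indexes from its Bitfield message
    later_have -- indexes it announced afterwards with Have messages
    requested  -- indexes it asked other peers for
    served     -- indexes it delivered in Piece messages
    Both findings are heuristics (assumption): they show that the bitmap did
    not describe the peer's real holdings, not why.
    """
    findings = []
    owned = set(advertised) | set(later_have)
    for idx in sorted(set(served) - owned):
        findings.append(f"served piece {idx} without advertising it")
    for idx in sorted(set(requested) & set(advertised)):
        findings.append(f"requested piece {idx} it advertised as owned")
    return findings


if __name__ == "__main__":
    print(sorted(parse_bitfield(FIG4_FRAME, 7)))
    print(audit_peer({0, 1, 2}, {3}, requested={1, 5}, served={0, 3, 6}))
```

The structural checks alone do not cover a <bitfield> whose length is kept and whose content is replaced, which is why the audit step looks at behaviour instead.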

4. The Proposed Scheme

4.1. System Model. The proposed steganographic system model is presented in Figure 5. The steganographic peers include the steganographic sender and receiver, which disguise themselves as legitimate BT clients. The open-source code of the BT client is modified according to the proposed scheme, which is implemented as follows:

(1) Steg-preparing: first, the steganographic mode (Single-Link Steg or Multi-Link Steg) is selected by the sender-peer in accordance with the secret size, and a suitable video file is chosen as the shared resource. Second, the critical information of the shared video file, such as file name and format, is delivered to the receiver-peer via e-mail, instant messaging, and so on.

(2) Normal BitTorrent communication/before-steg: the steganographic peers request the common file resource from the Tracker and establish a TCP link with each other.

(3) Steg-synchronization: the steganographic peers exchange the Handshake message to authenticate their identities in covert communication.

(4) Steg-implementation: the sender-peer embeds the secret information into the Bitfield message according to the selected steganographic mode. Then, the altered Bitfield message is sent to the receiver-peer, from which the secret information can be extracted.

(5) Normal BitTorrent communication/after-steg: after accomplishing the transmission of secret information, the steganographic peers still exchange the negotiation messages and transfer the required video file fragments as the other normal BT peers do.

4.2. Multimode Steganography. In BT communication, two peers exchange the Bitfield message only once during the entire process of video file transfer, in order to share their concrete bitmap information. As mentioned above, the bitmap information is used to inform the other peer which file fragments are possessed by a peer and is sent immediately after completing the "handshake." Hence, the secret data that can be transferred during a single interaction of two peers is limited. If more secret data is required to be delivered, multiple peers might be employed in sharing the common resource. Multiple peers participate in the transmission of secret information concurrently to accomplish cooperative steganography. Accordingly, there are two proposed steganographic modes based on the data size of the secret information: Single-Link Steg and Multi-Link Steg. The main notations and symbols of our scheme are presented in Table 1.

Figure 2: The communication sequence diagram of BT file sharing (participants: Seeder, Tracker, Peer1, Peer2).

len = 0001 + X (X: bitfield length) | id = 5 | <bitfield>

Figure 3: The format of the Bitfield message.

Figure 5: The proposed steganographic system model.

Figure 4: The possession of specific file fragments indicated in <bitfield> (a shared video file of seven 256 kB fragments indexed 0 to 6, with <bitfield> bits 1 1 1 0 0 0 0; "1": the fragment is possessed, "0": the fragment is not possessed).

Table 1: The main notations and symbols.

| Notation | Description |
| --- | --- |
| Single-Link Steg | Single-link steganography mode |
| Multi-Link Steg | Multi-link steganography mode |
| Mode | Steganography mode |
| S_len | The length of secret information |
| Secret_info | The content of secret information |
| Padding | The remainder of Bitfield field |
| File | The shared video file |
| sizeof | Function of calculating the shared file size |
| Index | The index of secret data block |
| S_block (i) | The i-th secret data block |

4.2.1. Single-Link Steg. The Single-Link Steg mode is suitable for transmitting a small amount of secret information, such as a key or parameter. In this scenario, there are only two peers participating in covert communication. As mentioned above, the steganographic sender must be a seeder. The Single-Link Steg is implemented as follows:

Step 1. Bitmap Info <bitfield> is partitioned into four steganographic fields, as shown in Figure 6. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "0," it denotes that our steganography is working in the Single-Link state.
(ii) S_len refers to the length of secret information, which occupies 1 Byte. It is defined as L Bytes.
(iii) Secret_info refers to the content of secret information, whose size is L Bytes.
(iv) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X − L − 2) Bytes. It should be satisfied that L + 2 ≤ X.

Step 2. The original <bitfield> is substituted with the secret information according to the aforementioned steganographic format. In addition, the shared video file between steganographic peers must be appropriately selected in accordance with the secret size L. In particular, the size of the video file should satisfy the requirement denoted in

$$\mathrm{sizeof}(\mathrm{File}) \ge \frac{(L + 2) \ast 8 \ast 256}{10^{6}}\ \mathrm{GB}, \tag{1}$$

where sizeof represents the function of calculating the file size. The video file is generally divided into several fragments whose size is 256 kB.

4.2.2. Multi-Link Steg. In order not to disrupt the legitimate BT communication of file sharing when it is necessary to transfer a larger amount of secret data, the steganographic peers are not allowed to send the Bitfield message several times. Thus, the Multi-Link Steg mode is exploited in case more secret information needs to be delivered. Cooperative steganography can be realized by the collaborative transfer of multiple BT peers. In this scenario, the steganographic peers disguise themselves as legitimate BT clients intending to download the common video resource. They collaborate to transfer the secret segments in accordance with prior careful planning. The Multi-Link Steg is implemented as follows, which is shown in Figure 7.

Step 1. Bitmap Info <bitfield> is partitioned into five steganographic fields, as shown in Figure 8. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "1," it denotes that our steganography is working in the Multi-Link state.
(ii) S_len refers to the length of the secret block, which occupies 1 Byte. It is defined as L Bytes.
(iii) Index refers to the index of the secret block, which starts from 1.
(iv) S_block refers to the content of the secret block, whose size is L Bytes.
(v) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X − L − 3) Bytes. It should be satisfied that L + 3 ≤ X.

Step 2. The secret information is divided into n blocks whose size is L. S_block (i) refers to the i-th secret data block, where i = 1, 2, ..., n.
Step 3. n peers (legitimate BT clients) are controlled by the steganographic sender to transfer the secret blocks collaboratively.
Step 4. The sender-peers are then connected with the steganographic receiver, respectively, establishing n covert links.
Step 5. For each sender-peer, the original <bitfield> is substituted with the secret block according to the aforementioned steganographic format.
Step 6. The steganographic receiver extracts the secret blocks according to the agreed format. Then, the blocks are reordered to retrieve the complete secret information, which is denoted as secret_info as follows:

$$\mathrm{secret\_info} = \sum_{i=1}^{n} \mathrm{s\_block}(i). \tag{2}$$

5. Experiment Results and Analysis

5.1. Data Set and Implementation. Single-Link Steg and Multi-Link Steg are each realized in the experiment. The open-source BT clients are modified to implement the proposed scheme, delivering the secret information covertly. Under the Single-Link Steg mode, the steganographic receiver disguises itself as the BT seeder. The data size of secret information is 255 bytes, and the shared video file is selected whose size is 104 MB. The communication packets between the steganographic peers are captured by Wireshark, as shown in Figure 9. It can be seen that the secret data is transferred successfully by substituting part of the content of the Bitfield message according to the format. Besides, it is verified that the legitimate BT communication has not been affected by the revision of the Bitfield message. The negotiation messages, such as Interested and Unchoke, are exchanged subsequently, and so are the file fragment transmission messages, such as Request and Piece. It can therefore be concluded that the proposed steganography retains normal communication without introducing any additional anomaly.

Under the Multi-Link Steg mode, the data size of secret information is 1 kB, and the shared video file is selected whose size is 90 MB. In this scenario, there are three steganographic peers involved in the covert communication, in which peer1 and peer2 are both controlled by the steganographic sender in order to cooperatively transfer the secret data. Peer3 is the steganographic sender which acts as the BT seeder. Figure 10 presents the Bitfield messages of steganographic peer1 and peer2, each of which contains a secret block.

Further experiments are performed to evaluate the main performance metrics of the proposed scheme, which comprise undetectability, robustness, and capacity analysis. As the undetectability and robustness will not be affected by the number of steganographic peers, only the Single-Link Steg mode is considered in the corresponding experiment.

len = 0001 + X (4 B) | id = 5 (1 B) | <bitfield> (X B), where <bitfield> = Mode = 0 (1 B) | S_len = L (1 B) | Secret_info (L B) | Padding ((X − L − 2) B)

Figure 6: The steganographic format of <bitfield> in Single-Link Steg.

Figure 7: The cooperative steganography of peers in Multi-Link Steg (secret senders BT Client 1 to BT Client n carry s_block(1) to s_block(n) over the P2P network to the secret receiver, BT Client n + 1).

len = 0001 + X (4 B) | id = 5 (1 B) | <bitfield> (X B), where <bitfield> = Mode = 1 (1 B) | S_len = L (1 B) | Index (1 B) | S_block (L B) | Padding ((X − L − 3) B)

Figure 8: The steganographic format of <bitfield> in Multi-Link Steg.

Figure 9: Bitfield message under Single-Link Steg mode (captured packet with the Mode, S_len, and Secret_info fields marked).

5.2. Undetectability. As the core property, undetectability means that the covert traffic cannot be differentiated from the normal one, which depends entirely on the similarity between the two. Therefore, in order to improve undetectability, the modulation of secret information must not generate abnormal traffic or properties. In the experiment, normal traffic of downloading general video files in BT clients (BitTorrent, μTorrent, and Vuze) is captured by Wireshark. Then, the lengths of <bitfield> in Bitfield messages are extracted to form the normal samples. The number of normal and steganography samples is 20000. In the following, statistical and machine learning-based steganalysis are each utilized to detect our proposed scheme.

5.2.1. Statistical-Based Steganalysis. Statistical-based steganalysis is the most common and popular method to detect potential covert traffic, in which statistical properties such as traffic regularity or distribution function are exploited to distinguish the normal and covert traffic. As we know, the histogram is a significant property that can reveal the statistical distribution feature of traffic. Therefore, the histograms of normal and covert traffic of our scheme are compared in Figure 11, where the x-axis shows the field length of <bitfield>, ranging from 0 to 2500 Bytes, and the y-axis indicates the number of lengths that occurred within each bin (the x-axis is divided into eight bins). As shown in the figure, the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, with a peak value of 1000 Bytes. It is obvious that the histogram of our scheme matches the normal one quite well. The file size, which is calculated, is approximately 4.9 GB, corresponding to the maximum <bitfield> length of 2500 Bytes.

Meanwhile, two notable detection methods are employed to quantitatively assess the detection resistance of our scheme compared with StegTorrent [25], which are the Entropy test [26] and the Kolmogorov–Smirnov test [27]. Normal and covert samples are both divided into 20 consecutive windows whose size is 1000. A certain statistical feature of each window is calculated and used during the detection process, as depicted in Figure 12.

(1) Entropy Test. Entropy can describe the degree of chaos in a process. In the Entropy test (EN-test), it is utilized to measure the regularity of data traffic [26]. If the traffic is less regular, the Entropy value will be larger, and vice versa. Since less regularity indicates more randomness, a greater amount of information is contained in the traffic. The Entropy value is obtained by calculating the statistical average of all possible self-information, which is denoted in

$$H(X) = E[I(x_i)] = -\sum_{i=1}^{n} p(x_i) \log p(x_i), \tag{3}$$

where X represents a one-dimensional discrete random variable whose set of values is $\Omega = \{x_i \mid i = 1, 2, \ldots, n\}$. The self-information of $x_i$ is $I(x_i)$, and the probability of $x_i$ is denoted as $p(x_i) = P\{X = x_i\}$. The Entropy values of 20 windows for normal and covert samples are compared in Figure 13. From the result, it can be found that most Entropy values of normal samples range approximately from 0.5 to 1.3, whereas those of the covert samples generated by StegTorrent are from 0.8 to 1.5. But the values of our scheme mix with those of the normal samples and can hardly be differentiated.

Figure 10: Bitfield message under Multi-Link Steg mode: (a) steganographic Peer1; (b) steganographic Peer2 (captured packets with the Mode, S_len, Index, and Secret_info fields marked).

Figure 11: The comparison of histograms between normal and steganographic <bitfield> lengths of our scheme (x-axis: length in Bytes; y-axis: number).

Then, 20 windows of normal and covert samples are each tested using the Entropy test, when the window size is 1000. The results are presented in Table 2, where the detection threshold is denoted as THD. It is observed that the false-negative rate of normal samples declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. We can see that the detection rate of StegTorrent ranges from 91% to 98%, while that of our scheme is below 7%. Hence, the Entropy test fails to distinguish the covert samples of our scheme from the normal ones.

(2) Kolmogorov–Smirnov Test. The K-S test [27] measures the maximum distance between two distributions. A small value indicates that two distributions are close to each other. Conversely, a large value means that one distribution does not fit the other one. The Kolmogorov–Smirnov test value (KS-test value) is attained by taking the supremum of the absolute difference between two empirical distribution functions for all x, which can be defined in

$$\mathrm{KSTEST} = \sup \left| S_1(x) - S_2(x) \right|, \tag{4}$$

where $S_1(x)$ and $S_2(x)$ refer to the empirical distribution functions of two samples. The comparison of KS-test values between the normal and covert samples is shown in Figure 14. Likewise, 20 windows of normal and covert samples are tested in the experiment. The x-axis is the window number, and the y-axis shows the corresponding KS-test value. It is observed that the KS-test values of our scheme are under 0.15, intermixed with those of the normal traffic. Thus, the distribution of our scheme is close to that of the normal one. Nevertheless, the corresponding values of StegTorrent range from 0.15 to 0.25, which deviates from the normal case.

Then, the covert traffic is detected using the K-S test, and the detection results are shown in Table 3, where the detection threshold is denoted by THD. It is observed that the false negative (FN) rate of the normal traffic declines when the threshold increases. FN refers to the normal sample which is misclassified as the covert one. Hence, the detection threshold is set appropriately from 0.13 to 0.15 in order to guarantee that the false-negative rate remains under 1%. Meanwhile, the true positive (TP) rates of covert samples are presented in the table. In this paper, the detection rate is represented by TP. From the results, it is easily seen that the detection rate of StegTorrent is more than 92% when tested with different thresholds. But in our case, it is located under 3%, indicating that the Kolmogorov–Smirnov test cannot effectively detect the covert traffic generated by our scheme.
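The two window tests described above (the Entropy test of equation (3) and the K-S test of equation (4)) can be run over a capture of <bitfield> lengths as follows. This is an added example, not the authors' code: the bin width, the natural logarithm, the rule that a window is flagged when its statistic exceeds the threshold, the thresholds passed in, and the sample data are all assumptions or constructed for illustration.

```python
import math
import random
from bisect import bisect_right
from collections import Counter

WINDOW = 1000     # window size used in the text
BIN_WIDTH = 100   # assumption: histogram bin width in Bytes for the EN-test


def split_windows(samples, size=WINDOW):
    """Consecutive, non-overlapping windows; an incomplete tail is dropped."""
    return [samples[i:i + size] for i in range(0, len(samples) - size + 1, size)]


def entropy(window, bin_width=BIN_WIDTH):
    """Equation (3) over binned lengths, natural logarithm (assumption)."""
    counts = Counter(length // bin_width for length in window)
    n = len(window)
    return -sum((c / n) * math.log(c / n) for c in counts.values())


def ks_statistic(sample_a, sample_b):
    """Equation (4): largest gap between the two empirical distributions."""
    a, b = sorted(sample_a), sorted(sample_b)
    # The supremum is reached at one of the observed values.
    return max(
        abs(bisect_right(a, x) / len(a) - bisect_right(b, x) / len(b))
        for x in set(a) | set(b)
    )


def detect(reference, observed, en_thd, ks_thd, size=WINDOW):
    """Score each window of `observed` against the normal `reference` sample.

    A window is flagged when its statistic exceeds the threshold (assumption).
    """
    results = []
    for number, window in enumerate(split_windows(observed, size), start=1):
        en = entropy(window)
        ks = ks_statistic(window, reference)
        results.append({"window": number, "entropy": en, "ks": ks,
                        "en_flag": en > en_thd, "ks_flag": ks > ks_thd})
    return results


def constructed_samples(seed=7, count=5000):
    """Constructed data, not measurements: lengths in Bytes, 1..2500."""
    rng = random.Random(seed)

    def clip(value):
        return max(1, min(2500, int(value)))

    normal = [clip(rng.gauss(1000, 150)) for _ in range(count)]   # reference
    same = [clip(rng.gauss(1000, 150)) for _ in range(count)]     # same shape
    shifted = [rng.randint(1, 2500) for _ in range(count)]        # different shape
    return normal, same, shifted


if __name__ == "__main__":
    normal, same, shifted = constructed_samples()
    for name, sample in (("same", same), ("shifted", shifted)):
        for row in detect(normal, sample, en_thd=2.5, ks_thd=0.1):
            print(name, row["window"], round(row["entropy"], 3),
                  round(row["ks"], 3), row["en_flag"], row["ks_flag"])
```

Thresholds have to be calibrated on the normal traffic of the monitored network, since the entropy value depends on the chosen binning.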

Figure 12: Block diagram of the statistical-based detection process (normal and covert traffic; data preprocessing: <bitfield> length extraction and window-size filter; statistical feature calculation; detection threshold setting; detection result: 1 = steg, 0 = normal).

Figure 13: The comparison of Entropy values between normal and covert samples (x-axis: window number; y-axis: Entropy value; series: normal traffic, our scheme, StegTorrent).

Table 2: The detection result of the Entropy test under different thresholds.

| Detection threshold | THD = 0.95 | THD = 0.95 | THD = 0.98 | THD = 0.98 | THD = 1.03 | THD = 1.03 |
| --- | --- | --- | --- | --- | --- | --- |
| Detection result | TP (%) | FN (%) | TP (%) | FN (%) | TP (%) | FN (%) |
| Our scheme | 0.07 | 0.09 | 0.04 | 0.07 | 0.02 | 0.04 |
| StegTorrent | 0.98 | 0.09 | 0.92 | 0.07 | 0.91 | 0.04 |

5.2.2. Machine Learning-Based Steganalysis. Recently, machine learning techniques have performed quite well in resolving complex problems in various domains. In particular, machine learning has progressively become a novel and effective means of detecting covert channels. In machine learning-based steganalysis, various statistical metrics (features) of normal and covert samples are utilized by classifier models, which are eventually trained to distinguish covert traffic. The classifiers used in machine learning-based detection mainly include SVM, Neural Network, Logistic Regression, Naive Bayes, Random Forest, and Deep Neural Network [28–30]. In this paper, the Deep Neural Network (DNN) is principally employed to further estimate the undetectability of our scheme compared with StegTorrent.

(1) Detection Process. The proposed scheme is detected using DNN by the following steps, as depicted in Figure 15.

Step 1. Network traffic of downloading general video files in BT clients is captured by Wireshark. Then, the lengths of <bitfield> are extracted to form the normal or covert samples, whose size is 5000000, respectively. The samples are divided into 10000 subsamples, each containing 500 lengths.
Step 2. For each subsample, the values of five statistical features, including mean, median, entropy, standard deviation, and root of average mean error, are calculated as described in Table 4. The data set of statistical features contains two types of samples, which are the normal and covert ones. It will then be used for training or testing in the classifier.
Step 3. The data set is divided into two parts, 70% of which is used for training in the DNN classifier model and 30% of which is used for testing. The normal traffic is labeled "0," and the covert one is labeled "1." After the DNN classifier has been trained, it can be exploited to detect the covert traffic online.
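The data preparation of Steps 1 to 3, with the five features of Table 4, can be written as follows. This is an added example, not the authors' code: it covers subsampling, feature extraction, labelling and the 70/30 split that feed the classifier. The averaging of the two middle values for an even subsample size, the seeded shuffle, and the scaling step that uses training statistics only are assumptions, and the sample lengths are constructed.

```python
import math
import random
from collections import Counter

SUBSAMPLE = 500  # lengths per subsample (Step 1)


def features(lengths):
    """Table 4 feature vector [x1..x5] for one subsample of <bitfield> lengths."""
    n = len(lengths)
    ordered = sorted(lengths)
    mu = sum(ordered) / n
    # Table 4 gives l_((n+1)/2); for even n the two middle values are
    # averaged here (assumption).
    mid = n // 2
    median = ordered[mid] if n % 2 else (ordered[mid - 1] + ordered[mid]) / 2
    entropy = -sum((c / n) * math.log(c / n) for c in Counter(ordered).values())
    # sum_i (1/n)(l_i^2 - mu^2) equals mean(l^2) - mu^2; clamp rounding noise.
    sigma = math.sqrt(max(0.0, sum(v * v for v in ordered) / n - mu * mu))
    rame = math.sqrt(sum(abs(v - mu) for v in ordered) / n)
    return [mu, median, entropy, sigma, rame]


def build_dataset(normal, covert, size=SUBSAMPLE):
    """Rows of (features, label); label 0 = normal, 1 = covert (Step 3)."""
    rows = []
    for label, lengths in ((0, normal), (1, covert)):
        for start in range(0, len(lengths) - size + 1, size):
            rows.append((features(lengths[start:start + size]), label))
    return rows


def split(rows, train_share=0.7, seed=1):
    """Shuffle with a fixed seed and cut 70% training / 30% testing."""
    shuffled = rows[:]
    random.Random(seed).shuffle(shuffled)
    cut = round(len(shuffled) * train_share)
    return shuffled[:cut], shuffled[cut:]


def standardise(train, test):
    """Scale each feature with mean and deviation of the training part only,
    so that nothing about the test rows leaks into the model input."""
    columns = list(zip(*(f for f, _ in train)))
    means = [sum(c) / len(c) for c in columns]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(columns, means)]

    def scale(rows):
        return [([(v - m) / s for v, m, s in zip(f, means, stds)], y)
                for f, y in rows]

    return scale(train), scale(test)


if __name__ == "__main__":
    rng = random.Random(3)  # constructed lengths, not captured traffic
    normal = [max(1, min(2500, int(rng.gauss(1000, 150)))) for _ in range(5000)]
    covert = [rng.randint(1, 2500) for _ in range(5000)]
    train, test = standardise(*split(build_dataset(normal, covert)))
    print(len(train), len(test), train[0])
```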

The structure of DNN is shown in Figure 16. In the input layer, 5 statistical features are fed to the DNN as the input variables. In the hidden layers, each layer consists of a number of neurons involved in the prediction phase. Each neuron adjusts its weight based on the learning process and participates in calculating the coefficients of the final equations, which will be used to determine the class label (normal or covert) of tested samples. The output layer is responsible for determining the predicted value of the class label.

(2) Detection Result. Figure 17 depicts the effect on the detection rate of covert samples when increasing the number of neurons inside the DNN hidden layers. It can be noted that the detection rate improves as the number of neurons increases until it reaches 13, where the highest rate of 37% is achieved in detecting our proposed scheme. Nevertheless, at most 96% of StegTorrent is differentiated successfully by the DNN classifier.

Subsequently, the effect on the detection rate of increasing the number of hidden layers in DNN is shown in Figure 18. It is observed that the detection rate also increases with the number of hidden layers until reaching a certain level. The rate declines after the peak value since the classifier model is overfitted. It is easily found that 43% of covert samples of our scheme are detected when the number of hidden layers is 5, while the detection rate of StegTorrent reaches above 97% under the same circumstances.

Finally, the proposed scheme is tested by other machine learning-based detection methods, such as SVM, Logistic Regression, Naive Bayes, and Random Forest. The detection rates of our scheme and StegTorrent are compared in Figure 19. It is observed that 24% to 43% of our scheme is detected by different classifiers, while the detection rates of StegTorrent range from 92% to 98%. It is clearly noticeable that the proposed scheme has outperformed StegTorrent by obtaining a lower detection rate. Therefore, it can be concluded that our scheme possesses better undetectability than the existing method.

5.3. Robustness. Robustness requires the covert channel to keep working with relatively high accuracy and low bit error rate (BER), resisting the perturbation of network noise such as network jitter and packet disorder and loss. In the experiment, the robustness of our proposed scheme is measured considering packet loss (pl) and packet disorder (pd). The BERs of the proposed scheme are compared with those of StegTorrent in terms of different rates of packet disorder/loss, as given in Figure 20. It is obvious that the secret information of our scheme can be accurately obtained under different rates of packet loss or disorder. However, the BER of StegTorrent increases with the packet loss/disorder rate. The BER of StegTorrent reaches up to 11% when 20% of packets are lost, which will degrade the reliability of covert communication in StegTorrent.

On the one hand, the good performance of our scheme in resisting packet loss and disorder is due to the reliable TCP transmission mechanism of normal BT traffic, which serves as the carrier of our steganography. Therefore, the proposed method is noise-tolerant. On the other hand, packet loss or disorder alters the packet-arriving order in StegTorrent, which will lead to the misrecovery of secret data on the receiver side. Hence, we can conclude that our scheme is superior to StegTorrent with respect to robustness.

Table 3: The detection result of the Kolmogorov–Smirnov test under different thresholds.

| Detection threshold | THD = 0.13 | THD = 0.13 | THD = 0.14 | THD = 0.14 | THD = 0.15 | THD = 0.15 |
| --- | --- | --- | --- | --- | --- | --- |
| Detection result | TP (%) | FN (%) | TP (%) | FN (%) | TP (%) | FN (%) |
| Our scheme | 0.03 | 0.01 | 0.01 | 0.00 | 0.00 | 0.00 |
| StegTorrent | 0.99 | 0.01 | 0.95 | 0.00 | 0.92 | 0.00 |

Figure 14: The comparison of KS-test values between normal and covert samples (x-axis: window number; y-axis: KS-test value; series: normal traffic, our scheme, StegTorrent).

5.4. Capacity. Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or packet. In other words, capacity refers to the transfer rate of secret information. It is closely related to the bandwidth of the normal carrier and the steganographic modulation algorithms. As revealed in Figure 21, the field length of <bitfield> ranges from 0 to 2500 Bytes in normal BT communication, which means that the maximum capacity of Single-Link Steg is 2500 B/P. Meanwhile, in Multi-Link Steg, the capacity will increase linearly with the number of steganographic peers, which is shown in Figure 21. Since the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, as mentioned above, the secret data of a certain size (L) is transmitted by each peer engaged in the steganography. It is found that when 64 peers transfer the secret information concurrently, the capacity reaches up to 76800 B/P.

However, more peers might increase the overhead of system resources and the complexity of the steganographic control mechanism, which will make the scheme more difficult to implement. Thus, the tradeoff between the number of steganographic peers and system overhead will be taken into consideration in future research. Then, the capacity of the Multi-Link Steg mode can be analyzed under the optimal number of steganographic peers.

Figure 15: Detection process of DNN (network traffic; data preprocessing: sample acquisition and feature extraction; machine learning: DNN classifier training/testing; output: "1" covert, "0" normal).

Table 4: Definitions of the statistical features.

| Input variable | Feature | Formula | Explanation |
| --- | --- | --- | --- |
| x1 | Mean | $\mu = (1/n) \times \sum_{i=1}^{n} l_i$ | $l_i$ is the length of <bitfield>; n is the subsample size |
| x2 | Median | $l_{(n+1)/2}$ | Where the lengths are sorted in ascending order |
| x3 | Entropy | $-\sum_{i=1}^{n} p(l_i) \log p(l_i)$ | $p(l_i)$ is the probability of length $l_i$ |
| x4 | Standard deviation | $\sigma = \sqrt{\sum_{i=1}^{n} (1/n) \times (l_i^2 - \mu^2)}$ | $l_i$ is the length of <bitfield>; μ is the mean of the lengths |
| x5 | Root of average mean error | $\mathrm{RAME} = \sqrt{\sum_{i=1}^{n} \lvert l_i - \mu \rvert / n}$ | $l_i$ is the length of <bitfield>; μ is the mean of the lengths |

Figure 16: The structure of DNN (input layer x1 to x5; hidden layers H1, H2, ..., Hk; output layer y: 1 = covert, 0 = normal).

Figure 17: The effect on the detection rate of increasing the number of neurons inside the DNN 3-hidden layers (x-axis: number of neurons; y-axis: detection rate; series: our scheme, StegTorrent).

Figure 18: The effect on the detection rate of increasing the number of hidden layers in DNN (x-axis: number of hidden layers; y-axis: detection rate; series: our scheme, StegTorrent).

6. Conclusions

BitTorrent file sharing, the protocol of P2P, is a steganographic carrier with high covertness, which has massive network traffic and a complex communication mechanism. The steganographic peers are confused with numerous legitimate BT peers owing to the cooperative transmission in the P2P network. Thus, it is extremely difficult to locate steganographic peers in the tremendous BT traffic. The steganographic peers disguise themselves as legitimate BT clients who are interested in possessing the common video file. They participate in downloading the same resource following the normal BT communication mode without introducing any extra traffic. Taking advantage of the non-content-authentication mechanism of the Bitfield message, the secret information is embedded into the content of <bitfield> according to the given format. The altered Bitfield message can bypass the security censorship of the BT system and network monitor device. Hence, our scheme has proved to have better undetectability and robustness than the current methods. In future work, another BitTorrent-based steganographic algorithm will be designed and researched, in which the tradeoff between the number of steganographic peers and system overhead will be taken into consideration. Then, the optimal steganographic mode can be analyzed and selected.

Figure 19: The comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysis methods (Deep Neural Network, Naive Bayes, Logistic Regression, Random Forest, Support Vector Machine).

Figure 20: The comparison of BERs between our scheme and StegTorrent under different rates of packet loss/disorder (x-axis: packet disorder/loss rate in %; y-axis: BER; series: our scheme-pl, our scheme-pd, StegTorrent-pl, StegTorrent-pd).

Figure 21: Capacity of the proposed scheme under different numbers of steganographic peers (x-axis: number of peers; y-axis: capacity in B/P, ×10^3; series: L = 100, L = 400, L = 800, L = 1200).

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, the Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, the Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, “Verifiable computation over large database with incremental updates,” IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, “Faster-RCNN based robust coverless information hiding system in cloud environment,” IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, “Coverless image steganography using partial-duplicate image retrieval,” Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, “Survey on covert storage channel in computer network protocols: detection and mitigation techniques,” International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, “An improved method in deep packet inspection based on regular expression,” The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, “Evaluation of steganographic methods for oversized IP packets,” Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, “A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU,” The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, “IP covert timing channels: design and detection,” in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, “Implementing a passive network covert timing channel,” Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, “Minority oversampling for imbalanced ordinal regression,” Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, “Model based covert timing channels: automated modeling and evasion,” Lecture Notes in Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, “Network covert timing channel with distribution matching,” Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, “Building covert timing channels by packet rearrangement over mobile networks,” Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, “A packet-reordering covert channel over VoLTE voice and video traffics,” Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, “Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC,” IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, “Robust network covert communications based on TCP and enumerative combinatorics,” IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, “Design and performance evaluation of a covert timing channel,” Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, “CoCo: coding-based covert timing channels for network flows,” in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, “A covert timing channel based on fountain codes,” in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, “Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding,” IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, “Research on the hidden anonymous communication system based on P2P,” M.S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, “SkyDe: a skype-based steganographic method,” International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, “Fast mode decision using inter-view and inter-component correlations for multiview depth video coding,” IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.


[24] J. Lv, C. Zhu, S. Tang, and C. Yang, “Deepflow: hiding anonymous communication traffic in P2P streaming networks,” Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, “StegTorrent: a steganographic method for the P2P file sharing service,” IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, “An entropy-based approach to detecting covert timing channels,” IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, “Cyberspace security for future Internet,” Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, “A novel online incremental and decremental learning algorithm based on variable support vector machine,” Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, “The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier,” Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, “Using hierarchical statistical analysis and deep neural networks to detect covert timing channels,” Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.


It must be noted that this method’s performance depends on the size of the data package, while the latter relies on the number of available receiving IP addresses (receiving BitTorrent clients under control). However, the perturbation of inherent network noise, such as jitter or packet loss, may affect the order of certain packets on the receiver side. Meanwhile, ordering of packets with distinct IPs inevitably alters the interpacket delays, which could be easily differentiated from the normal distribution of BitTorrent IPDs by the adversary.

3. BitTorrent Analysis

BitTorrent is a P2P file-sharing system that allows its users to distribute large files over networks. BitTorrent is distinguished from other similar file transfer applications in that, instead of downloading a resource from a single central server, users download fragmented files from other users simultaneously. As a result, the file transfer time is considerably decreased because the group of users that share the same resource, or part of it, may consist of several to thousands of hosts. Such a group of users interested in the same resource, known as “peers,” combine together with a central component known as a “tracker” in BitTorrent. This combination of peers and trackers is called a “swarm.” Trackers are responsible for controlling the resource transfer between peers. Peers that hold onto a particular resource, or part of a resource, are required to share the resource and to perform the transfer.

There are two types of BitTorrent peers, based on the stage at which they are involved in downloading or sharing a given resource:

(1) Seeders: peers that possess the complete resource and are only sharing it.

(2) Leechers: peers that do not possess the complete resource but are interested in doing so. They also share the fragments they have already downloaded. When a leecher obtains all the remaining fragments of the resource, it automatically becomes a seed.

In order to preserve the communication mode and properties of normal BT traffic during the steganographic process, it is essential to analyze the operation mode and protocols in the BT system. The concrete communication procedure of BT file sharing is shown in Figure 2.

(1) A seed file (torrent) is produced by the seeder and then released to the Tracker, which is combined with the web service.

(2) Peer1 (Leecher) queries and downloads the seed file of the required resource from the Tracker.

(3) Peer1 (Leecher) requests the list of peers which possess the shared resource from the Tracker.

(4) The Tracker returns the corresponding peers-list to Peer1 (Leecher).

(5) Peer1 (Leecher) conducts the “three-way handshake” of TCP with the other peer, and then the connection between them is established.

(6) Once Peer1 (Leecher) is connected with Peer2 successfully, they will immediately send and reply to the Handshake messages in order to confirm their identities.

(7) Peer1 (Leecher) exchanges the Bitfield message with Peer2, informing each other of the indexes of file fragments which are already owned by themselves.

(8) Peer1 (Leecher) exchanges a series of negotiation messages with Peer2, such as choke, unchoke, interested, and not interested.

(9) Peer1 (Leecher) sends the Request message to Peer2, asking for the specific file fragments.

(10) Peer2 replies with the Piece message to Peer1 (Leecher), containing the corresponding file fragments.

Among them, the Bitfield message is used to indicate the bitmap information of certain file fragments which have already been obtained by the current peer. In the BT client, a file is generally divided into several fragments whose size is 256 kB. Then, the fragments are indexed from 0 in sequence. Since the number of fragments is distinct for each file, the length of the Bitfield message is variable.

Figure 1: The system model of StegTorrent.

The format of the Bitfield message is shown in Figure 3, where len refers to the length of the Bitfield message, which occupies 4 Bytes, and id is the identifier of the Bitfield message, of which the value is set to 5, occupying 1 Byte. The <bitfield> of X Bytes indicates the possession of specific file fragments, as depicted in Figure 4. The fragment with index 0 corresponds to the highest bit of the first byte, and so on. If the bit in a position is “1,” the corresponding fragment is possessed, while a bit “0” means that the fragment is not possessed by the peer.

It can be observed that the Bitfield message is only sent immediately after completing a “handshake.” Since there is no content-authentication mechanism for the Bitfield message in the BT client, the modification of <bitfield> may not give rise to any abnormality. In other words, the altered <bitfield> will be accepted by default as the original content. Although the Bitfield message is only exchanged once during the single interaction of two peers, the size of the delivered data is considerable. Therefore, the Bitfield message is employed as the steganographic carrier in this paper.

4. The Proposed Scheme

4.1. System Model. The proposed steganographic system model is presented in Figure 5. The steganographic peers include the steganographic sender and receiver, which disguise as legitimate BT clients. The open-source code of the BT client is modified according to the proposed scheme, which is implemented as follows:

(1) Steg-preparing: first, the steganographic mode (Single-Link Steg or Multi-Link Steg) is selected by the sender-peer in accordance with the secret size, and a suitable video file is chosen as a shared resource. Second, the critical information of the shared video file, such as file name and format, is delivered to the receiver-peer via e-mail, instant messaging, and so on.

(2) Normal BitTorrent communication (before-steg): the steganographic peers request the common file resource from the Tracker and establish a TCP link with each other.

(3) Steg-synchronization: the steganographic peers exchange the Handshake message to authenticate their identities in covert communication.

(4) Steg-implementation: the sender-peer embeds the secret information into the Bitfield message according to the selected steganographic mode. Then, the altered Bitfield message is sent to the receiver-peer, from which the secret information can be extracted.

(5) Normal BitTorrent communication (after-steg): after accomplishing the transmission of secret information, the steganographic peers still exchange the negotiation messages and transfer the required video file fragments as the other normal BT peers do.

4.2. Multimode Steganography. In BT communication, two peers only exchange the Bitfield message once during the entire process of video file transfer, in order to share their concrete bitmap information. As mentioned above, the bitmap information is used to inform the other peer which file fragments have been possessed by one peer and is sent immediately after completing the “handshake.” Hence, the secret data that can be transferred is limited during the single interaction of two peers. If more secret data is required to be delivered, multiple peers might be employed in sharing the common resource. Multiple peers participate in the transmission of secret information concurrently to accomplish cooperative steganography. Accordingly, there are two proposed steganographic modes based on the data size of secret information: Single-Link Steg and Multi-Link Steg. The main notations and symbols of our scheme are presented in Table 1.

Figure 2: The communication sequence diagram of BT file sharing (participants: Seeder, Tracker, Peer1, Peer2).

Figure 3: The format of the Bitfield message: len = 0001 + X (X: bitfield length) | id = 5 | <bitfield>.

Figure 5: The proposed steganographic system model.

Figure 4: The possession of specific file fragments indicated in <bitfield>.

Table 1: The main notations and symbols.

Notation | Description
Single-Link Steg | Single-link steganography mode
Multi-Link Steg | Multi-link steganography mode
Mode | Steganography mode
S_len | The length of secret information
Secret_info | The content of secret information
Padding | The remainder of Bitfield field
File | The shared video file
sizeof | Function of calculating the shared file size
Index | The index of secret data block
S_block (i) | The i-th secret data block

4.2.1. Single-Link Steg. The Single-Link Steg mode is suitable for transmitting less secret information, such as key and parameter. In this scenario, there are only two peers participating in covert communication. As mentioned above, the steganographic sender must be a seeder. The Single-Link Steg is implemented as follows:

Step 1: Bitmap Info <bitfield> is partitioned into four steganographic fields, as shown in Figure 6. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to “0,” it denotes that our steganography is working in the Single-Link state.
(ii) S_len refers to the length of secret information, which occupies 1 Byte. It is defined as L Bytes.
(iii) Secret_info refers to the content of secret information, whose size is L Bytes.
(iv) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X − L − 2) Bytes. It should be satisfied that L + 2 ≤ X.

Step 2: The original <bitfield> is substituted with the secret information according to the aforementioned steganographic format. In addition, the shared video file between steganographic peers must be appropriately selected in accordance with the secret size L. In particular, the size of the video file should satisfy the requirement denoted in

$$\operatorname{sizeof}(\mathrm{File}) \ge \frac{(L + 2) \times 8 \times 256}{10^{6}}\ \mathrm{GB}, \tag{1}$$

where sizeof represents the function of calculating the file size. The video file is generally divided into several fragments whose size is 256 kB.

4.2.2. Multi-Link Steg. In order not to disrupt the legitimate BT communication of file sharing when it is necessary to transfer a larger amount of secret data, the steganographic peers are not allowed to send the Bitfield message several times. Thus, the Multi-Link Steg mode is exploited in case more secret information is required to be delivered. Cooperative steganography can be realized by the collaborative transfer of multiple BT peers. In this scenario, the steganographic peers disguise as the legitimate BT clients intended to download the common video resource. They collaborate to transfer the secret segments in accordance with prior careful planning. The Multi-Link Steg is implemented as follows, as shown in Figure 7:

Step 1: Bitmap Info <bitfield> is partitioned into five steganographic fields, as shown in Figure 8. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to “1,” it denotes that our steganography is working in the Multi-Link state.
(ii) S_len refers to the length of the secret block, which occupies 1 Byte. It is defined as L Bytes.
(iii) Index refers to the index of the secret block, which initiates from 1.
(iv) S_block refers to the content of the secret block, whose size is L Bytes.
(v) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X − L − 3) Bytes. It should be satisfied that L + 3 ≤ X.

Step 2: The secret information is divided into n blocks whose size is L. S_block (i) refers to the i-th secret data block, where i = 1, 2, …, n.

Step 3: n peers (legitimate BT clients) are controlled by the steganographic sender to transfer the secret blocks collaboratively.

Step 4: The sender-peers are then connected with the steganographic receiver, respectively, establishing n covert links.

Step 5: For each sender-peer, the original <bitfield> is substituted with the secret block according to the aforementioned steganographic format.

Step 6: The steganographic receiver extracts the secret blocks according to the agreed format. Then, the blocks are reordered to retrieve the complete secret information, which is denoted as secret_info as follows:

$$\mathrm{secret\_info} = \sum_{i=1}^{n} \mathrm{s\_block}(i). \tag{2}$$
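The wire format from Section 3 and the two <bitfield> layouts above can also be read from the monitoring side. The following is an added example, not code from the paper or its authors: it parses a Bitfield message, applies the structural checks a client can make (length and spare bits), and flags a payload from a peer known to hold the complete file whose prefix fits the Mode/S_len(/Index) layout. The big-endian length prefix and zeroed spare bits follow the BitTorrent protocol specification; the function names, the 100-fragment torrent, the knowledge that the peer is a seeder, and both sample payloads are assumptions constructed for the illustration.

```python
import struct

BITFIELD_ID = 5  # id of the Bitfield message, as given on the page


def parse_bitfield_message(frame: bytes) -> bytes:
    """Split one wire message  len (4 B) | id (1 B) | <bitfield> (X B)  and return <bitfield>."""
    if len(frame) < 5:
        raise ValueError("truncated message")
    (length,) = struct.unpack(">I", frame[:4])  # len = 1 + X, big-endian
    if len(frame) != 4 + length:
        raise ValueError("length prefix does not match frame size")
    if frame[4] != BITFIELD_ID:
        raise ValueError("not a Bitfield message")
    return frame[5:]


def complete_bitfield(num_pieces: int) -> bytes:
    """Bitfield of a peer holding every fragment: all ones, spare low bits of the last byte zero."""
    size = (num_pieces + 7) // 8
    spare = size * 8 - num_pieces
    body = bytearray(b"\xff" * size)
    if spare:
        body[-1] = (0xFF << spare) & 0xFF
    return bytes(body)


def structural_errors(payload: bytes, num_pieces: int) -> list:
    """Checks that need no knowledge of the peer: payload length and spare bits."""
    expected = (num_pieces + 7) // 8
    if len(payload) != expected:
        return [f"length {len(payload)} B, expected {expected} B"]
    spare = expected * 8 - num_pieces
    if spare and payload[-1] & ((1 << spare) - 1):
        return ["spare bits set"]
    return []


def steg_layout_match(payload: bytes, num_pieces: int):
    """Heuristic: does the prefix fit Mode | S_len | [Index] | data, followed by a seeder's
    untouched all-ones padding?  Returns the decoded header fields or None."""
    x = len(payload)
    if x < 3 or payload[0] not in (0, 1):
        return None
    mode, s_len = payload[0], payload[1]
    header = 2 if mode == 0 else 3            # Mode, S_len (+ Index in Multi-Link)
    index = payload[2] if mode == 1 else None
    if s_len == 0 or s_len + header > x:      # page: L + 2 <= X or L + 3 <= X
        return None
    if mode == 1 and index < 1:               # page: Index starts from 1
        return None
    body_end = header + s_len
    # Padding keeps the original content; for a seeder that is all ones.
    # An empty padding (body_end == x) matches trivially, so the hit is weaker there.
    if payload[body_end:] != complete_bitfield(num_pieces)[body_end:]:
        return None
    return {"mode": mode, "s_len": s_len, "index": index}


def inspect(frame: bytes, num_pieces: int, peer_is_seeder: bool) -> list:
    """Findings for one Bitfield message; an empty list means nothing unusual."""
    payload = parse_bitfield_message(frame)
    findings = structural_errors(payload, num_pieces)
    if peer_is_seeder and not findings and payload != complete_bitfield(num_pieces):
        findings.append("seeder advertises missing fragments")
        hit = steg_layout_match(payload, num_pieces)
        if hit:
            findings.append(f"prefix fits Mode={hit['mode']} S_len={hit['s_len']} layout")
    return findings


def build_frame(payload: bytes) -> bytes:
    """Wrap a payload in the len | id framing (used only to build the samples below)."""
    return struct.pack(">IB", 1 + len(payload), BITFIELD_ID) + payload


# Constructed samples: a 100-fragment torrent gives X = 13 B with 4 spare bits.
NUM_PIECES = 100
SEEDER = complete_bitfield(NUM_PIECES)
# Constructed altered payload: Mode = 0, S_len = 3, three placeholder bytes, original padding.
ALTERED = bytes([0, 3]) + b"\x41\x42\x43" + SEEDER[5:]

if __name__ == "__main__":
    for name, sample in (("seeder", SEEDER), ("altered", ALTERED)):
        print(name, inspect(build_frame(sample), NUM_PIECES, peer_is_seeder=True))
```

The altered payload passes both structural checks, which is the absence of content authentication the paper relies on; only the comparison against what a seeder should advertise exposes it.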

5. Experiment Results and Analysis

5.1. Data Set and Implementation. Single-Link Steg and Multi-Link Steg are realized in the experiment, respectively. The open-source BT clients are modified to implement the proposed scheme, delivering the secret information covertly. Under the Single-Link Steg mode, the steganographic receiver disguises as the BT seeder. The data size of secret information is 255 bytes, and the shared video file is selected whose size is 104 MB. The communication packets between the steganographic peers are captured by Wireshark, as shown in Figure 9. It can be seen that the secret data is transferred successfully by format-substituting the partial content of the Bitfield message. Besides, it is verified that the legitimate BT communication has not been affected by the revision of the Bitfield message. The negotiation messages, such as Interested and Unchoke, are exchanged subsequently, and so are the file fragment transmission messages, such as Request and Piece. Thus, it can be concluded that the proposed steganography retains normal communication without introducing any additional anomaly.

Under the Multi-Link Steg mode, the data size of secret information is 1 kB, and the shared video file is selected whose size is 90 MB. In this scenario, there are three steganographic peers involved in the covert communication, in which peer1 and peer2 are both controlled by the steganographic sender in order to cooperatively transfer the secret data. Peer3 is the steganographic sender, which acts as the BT seeder. Figure 10 presents the Bitfield messages of steganographic peer1 and peer2, which contain the secret block, respectively.

Further experiments are performed to evaluate the main performance metrics of the proposed scheme, which contain the undetectability, robustness, and capacity analysis. As the undetectability and robustness will not be affected by the number of steganographic peers, only the mode of Single-Link Steg is considered in the corresponding experiment.

Figure 7: The cooperative steganography of peers in Multi-Link Steg (secret senders BT Client 1 to BT Client n carry s_block(1) to s_block(n) over the P2P network to the secret receiver, BT Client n + 1).

Figure 8: The steganographic format of <bitfield> in Multi-Link Steg: len = 0001 + X (4 B) | id = 5 (1 B) | <bitfield> (X B), where <bitfield> = Mode = 1 (1 B) | S_len = L (1 B) | Index (1 B) | S_block (L B) | Padding ((X − L − 3) B).

Figure 9: Bitfield message under Single-Link Steg mode.

Figure 6: The steganographic format of <bitfield> in Single-Link Steg: len = 0001 + X (4 B) | id = 5 (1 B) | <bitfield> (X B), where <bitfield> = Mode = 0 (1 B) | S_len = L (1 B) | Secret_info (L B) | Padding ((X − L − 2) B).

5.2. Undetectability. As the core property, undetectability means that the covert traffic cannot be differentiated from the normal one, which depends entirely on the similarity between the two. Therefore, in order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. In the experiment, normal traffic of downloading general video files in BT clients (BitTorrent, μTorrent, and Vuze) is captured by Wireshark. Then, the lengths of <bitfield> in Bitfield messages are extracted to form the normal samples. The number of normal and steganography samples is 20000. In the following, statistical and machine learning-based steganalysis are utilized to detect our proposed scheme, respectively.

5.2.1. Statistical-Based Steganalysis. Statistical-based steganalysis is the most common and popular method to detect the potential covert traffic, in which statistical properties, such as traffic regularity or distribution function, are exploited to distinguish the normal and covert traffic. As we know, the histogram is a significant property that can reveal the statistical distribution feature of traffic. Therefore, the histograms of normal and covert traffic of our scheme are compared in Figure 11, where the x-axis shows the field length of <bitfield>, ranging from 0 to 2500 Bytes, and the y-axis indicates the number of lengths that occurred within each bin (the x-axis is divided into eight bins). As shown in the figure, the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, with a peak value of 1000 Bytes. It is obvious that the histogram of our scheme matches the normal one quite well. The file size which is calculated is approximately 4.9 GB, corresponding to the maximum <bitfield> length of 2500 Bytes.

Meanwhile, two notable detection methods are employed to reckon the detection resistance of our scheme compared with StegTorrent [25] quantitatively, which are the Entropy test [26] and the Kolmogorov–Smirnov test [27]. Normal and covert samples are both divided into 20 consecutive windows whose size is 1000. A certain statistical feature of each window is calculated and used during the detection process, as depicted in Figure 12.

(1) Entropy Test. Entropy can describe the degree of chaos in a process. In the Entropy test (EN-test), it is utilized to measure the regularity of data traffic [26]. If the traffic is less regular, the Entropy value will be larger, and vice versa. Since less regularity indicates more randomness, a greater amount of information is contained in the traffic. The Entropy value is obtained by calculating the statistical average of all possible self-information, which is denoted in

$$H(X) = E[I(x_i)] = -\sum_{i=1}^{n} p(x_i) \log p(x_i), \tag{3}$$

where $X$ represents a one-dimensional discrete random variable whose set of values is $\Omega = \{x_i \mid i = 1, 2, \ldots, n\}$. The self-information of $x_i$ is $I(x_i)$, and the probability of $x_i$ is denoted as $p(x_i) = P\{X = x_i\}$. The Entropy values of 20 windows for normal and covert samples are compared in Figure 13. From the result, it can be found that most Entropy values of normal samples range approximately from 0.5 to 1.3, whereas those of the covert samples generated by StegTorrent are from 0.8 to 1.5. But the values of our scheme mix with those of the normal samples, which can hardly be differentiated.

Figure 10: Bitfield message under Multi-Link Steg mode: (a) steganographic peer1; (b) steganographic peer2.

Figure 11: The comparison of histograms between normal and steganographic <bitfield> lengths of our scheme (x-axis: length (Bytes); y-axis: number).

Then, 20 windows of normal and covert samples are tested using the Entropy test, respectively, when the window size is 1000. The results are presented in Table 2, where the detection threshold is denoted as THD. It is observed that the false-negative rate of normal samples declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. We can see that the detection rate of StegTorrent ranges from 91% to 98%, while that of our scheme is only below 7%. Hence, the Entropy test fails to distinguish the covert samples of our scheme from the normal ones.

(2) Kolmogorov–Smirnov Test. The K-S test [27] measures the maximum distance between two distributions. A small value indicates that two distributions are close to each other. Conversely, a large value means that one distribution does not fit the other one. The Kolmogorov–Smirnov test value (KS-test value) is attained by taking the supremum of the absolute difference between two empirical distribution functions for all x, which can be defined in

$$\mathrm{KSTEST} = \sup_{x} \left| S_1(x) - S_2(x) \right|, \tag{4}$$

where $S_1(x)$ and $S_2(x)$ refer to the empirical distribution functions of two samples. The comparison of KS-test values between the normal and covert samples is shown in Figure 14. Likewise, 20 windows of normal and covert samples are tested in the experiment. The x-axis is the window number, and the y-axis shows the corresponding KS-test value. It is observed that the KS-test values of our scheme are under 0.15, confused with those of the normal traffic. Thus, the distribution of our scheme is close to that of the normal one. Nevertheless, the corresponding values of StegTorrent occur from 0.15 to 0.25, which deviates from the normal case.

Then, the covert traffic is detected using the K-S test, and the detection results are shown in Table 3, where the detection threshold is denoted by THD. It is observed that the false negative (FN) rate of the normal traffic declines when the threshold increases. FN refers to the normal sample which is misclassified as the covert one. Hence, the detection threshold is set appropriately from 0.13 to 0.15 in order to guarantee that the false-negative rate remains under 1%. Meanwhile, the true positive (TP) rates of covert samples are presented in the table. In this paper, the detection rate is represented by TP. From the results, it is easily seen that the detection rate of StegTorrent is more than 92% when tested with different thresholds. But in our case, it is located under 3%, indicating that the Kolmogorov–Smirnov test cannot effectively detect the covert traffic generated by our scheme.
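The windowed EN-test and K-S test described above can be run as follows. This is an added example, not the authors' code: it implements equations (3) and (4) over windows of <bitfield> lengths and flags a window when its statistic exceeds THD, using the thresholds 0.98 and 0.14 from Tables 2 and 3 as defaults. The eight-bin histogram over 0 to 2500 Bytes comes from the page; the natural logarithm, the function names, and all three length series are assumptions constructed for the illustration, so the entropy values are not on the same scale as the paper's figures.

```python
import math
from bisect import bisect_right
from collections import Counter

N_BINS = 8       # the page's histogram splits the x-axis into eight bins
MAX_LEN = 2500   # largest <bitfield> length (Bytes) on the page's x-axis


def entropy(lengths):
    """Equation (3) over binned lengths (binning and natural log are assumptions)."""
    if not lengths:
        raise ValueError("empty window")
    bins = Counter(min(int(v * N_BINS / MAX_LEN), N_BINS - 1) for v in lengths)
    total = len(lengths)
    return -sum((c / total) * math.log(c / total) for c in bins.values())


def ks_statistic(sample_a, sample_b):
    """Equation (4): largest gap between the two empirical distribution functions."""
    if not sample_a or not sample_b:
        raise ValueError("empty sample")
    a, b = sorted(sample_a), sorted(sample_b)
    points = sorted(set(a) | set(b))
    return max(abs(bisect_right(a, x) / len(a) - bisect_right(b, x) / len(b))
               for x in points)


def split_windows(samples, size):
    """Consecutive, non-overlapping windows; a short tail is dropped."""
    return [samples[i:i + size] for i in range(0, len(samples) - size + 1, size)]


def classify(samples, baseline, size, en_thd=0.98, ks_thd=0.14):
    """Per-window statistics and verdicts; a flag is raised when the statistic exceeds THD."""
    verdicts = []
    for window in split_windows(samples, size):
        h = entropy(window)
        d = ks_statistic(window, baseline)
        verdicts.append({"entropy": h, "ks": d,
                         "en_flag": h > en_thd, "ks_flag": d > ks_thd})
    return verdicts


# Constructed length series (Bytes), not captured traffic:
BASELINE = [800 + i for i in range(400)]                        # reference normal lengths
NORMAL_WINDOW = [800 + 2 * i for i in range(200)]               # same 800..1200 B range
DEVIATING_WINDOW = [(i * MAX_LEN) // 200 for i in range(200)]   # spread over 0..2500 B

if __name__ == "__main__":
    series = NORMAL_WINDOW + DEVIATING_WINDOW
    for n, v in enumerate(classify(series, BASELINE, size=200), start=1):
        print(f"window {n}: entropy={v['entropy']:.3f} ks={v['ks']:.4f} "
              f"EN-test={'covert' if v['en_flag'] else 'normal'} "
              f"K-S test={'covert' if v['ks_flag'] else 'normal'}")
```

A scheme that only substitutes the content of <bitfield> and keeps its length leaves both statistics unchanged, which is why the paper's length-based tests do not separate it from normal traffic.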

Figure 12: Block diagram of the statistical-based detection process (normal and covert traffic; data preprocessing: <bitfield> length extraction and window size filter; statistical feature calculation; detection threshold setting; detection result: 1 = steg, 0 = normal).

Figure 13: The comparison of Entropy values between normal and covert samples (x-axis: window number; y-axis: Entropy value; series: normal traffic, our scheme, StegTorrent).

Table 2: The detection result of the Entropy test under different thresholds.

Detection threshold | THD = 0.95 | THD = 0.95 | THD = 0.98 | THD = 0.98 | THD = 1.03 | THD = 1.03
Detection result | TP (%) | FN (%) | TP (%) | FN (%) | TP (%) | FN (%)
Our scheme | 0.07 | 0.09 | 0.04 | 0.07 | 0.02 | 0.04
StegTorrent | 0.98 | 0.09 | 0.92 | 0.07 | 0.91 | 0.04

5.2.2. Machine Learning-Based Steganalysis. Recently, the machine learning technique performs quite well in resolving complex problems in various domains. In particular, it has progressively become a novel and effective means of detecting covert channels. In machine learning-based steganalysis, various statistical metrics (features) of normal and covert samples are utilized by classifier models, which are eventually trained to distinguish covert traffic. The classifiers used in machine learning-based detection mainly include SVM, Neural Network, Logistic Regression, Naive Bayes, Random Forest, and Deep Neural Network [28–30]. In this paper, Deep Neural Network (DNN) is principally employed to further estimate the undetectability of our scheme compared with StegTorrent.

(1) Detection Process. The proposed scheme is detected using DNN by the following steps, as depicted in Figure 15:

Step 1: Network traffic of downloading general video files in BT clients is captured by Wireshark. Then, the lengths of <bitfield> are extracted to form the normal or covert samples, whose size is 5000000, respectively. The samples are divided into 10000 subsamples, each containing 500 lengths.

Step 2: For each subsample, values of five statistical features, including mean, median, entropy, standard deviation, and root of average mean error, are calculated as described in Table 4. The data set of statistical features contains two types of samples, which are the normal and covert ones. It will then be used for training or testing in the classifier.

Step 3: The data set is divided into two parts, 70% of which is used for training in the DNN classifier model and 30% of which is used for testing. The normal traffic is labeled “0,” and the covert one is labeled “1.” After training the DNN classifier, it can be exploited to detect the covert traffic online.

The structure of DNN is shown in Figure 16. In the input layers, 5 statistical features are fed to DNN as the input variables. In the hidden layers, each layer consists of a number of neurons involved in the prediction phase. Each neuron adjusts its weight based on the learning process and participates in calculating the coefficients of the final equations, which will be used to determine the class label (normal or covert) of tested samples. The output layer is responsible for determining the predicted value of the class label.

(2) Detection Result. Figure 17 depicts the effect on the detection rate of covert samples when increasing the number of neurons inside the DNN hidden layers. It can be noted that the detection rate improves as the number of neurons increases until it reaches 13, where the highest rate of 37% is achieved in detecting our proposed scheme. Nevertheless, at most 96% of StegTorrent is differentiated successfully by the DNN classifier.

Subsequently, the effect on the detection rate of increasing the number of hidden layers in DNN is shown in Figure 18. It is observed that the detection rate also increases with the increment of hidden layers until reaching a certain level. The rate declines after the peak value since the classifier model is overfitted. It is easily found that 43% of covert samples of our scheme are detected when the number of hidden layers is 5, while the detection rate of StegTorrent reaches above 97% under the same circumstances.

Finally, the proposed scheme is tested by other machine learning-based detection methods, such as SVM, Logistic Regression, Naive Bayes, and Random Forest. The detection rates of our scheme and StegTorrent are compared in Figure 19. It is observed that 24% to 43% of our scheme is detected by different classifiers, while the detection rates of StegTorrent appear from 92% to 98%. It is clearly noticeable that the proposed scheme has outperformed StegTorrent by obtaining a lower degree of detection rate. Therefore, it can be concluded that our scheme possesses better undetectability than the existing method.

53 Robustness Robustness requires the covert channel tokeep working with relatively high accuracy and low bit errorrate (BER) resisting the perturbation of network noise suchas network jitter and packet disorder and loss In the ex-periment the robustness of our proposed scheme is mea-sured considering packet loss (pl) and packet disorder (pd)e BERs of the proposed scheme are compared with thoseof StegTorrent in terms of different rates of packet disorder

Table 3: The detection result of the Kolmogorov-Smirnov test under different thresholds.

| Detection result | TP (THD = 0.13) | FN (THD = 0.13) | TP (THD = 0.14) | FN (THD = 0.14) | TP (THD = 0.15) | FN (THD = 0.15) |
|---|---|---|---|---|---|---|
| Our scheme | 0.03 | 0.01 | 0.01 | 0.00 | 0.00 | 0.00 |
| StegTorrent | 0.99 | 0.01 | 0.95 | 0.00 | 0.92 | 0.00 |

Figure 14: The comparison of KS-test values between normal and covert samples (x-axis: window number; y-axis: KS-test value; series: normal traffic, our scheme, StegTorrent).

loss, as given in Figure 20. It is obvious that the secret information of our scheme can be accurately obtained under different rates of packet loss or disorder. However, the BER of StegTorrent increases with the packet loss/disorder rate. The BER of StegTorrent reaches up to 11% when 20% of packets are lost, which will degrade the reliability of covert communication in StegTorrent.

On the one hand, the good performance of our scheme in resisting packet loss and disorder is due to the TCP reliable transmission mechanism of normal BT traffic, which serves as the carrier of our steganography. Therefore, the proposed method is noise-tolerant. On the other hand, packet loss or disorder alters the packet-arriving order in StegTorrent, which will lead to the misrecovery of secret data on the receiver side. Hence, we can conclude that our scheme is superior to StegTorrent with respect to robustness.

5.4. Capacity. Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or packet. In other words, capacity refers to the transfer rate of secret information. It is closely related to the bandwidth of the normal carrier and the steganographic modulation algorithms. As revealed in Figure 21, the field length of <bitfield> ranges from 0 to 2500 Bytes in normal BT communication,

Figure 15: Detection process of DNN (stages: sample acquisition from network traffic, data preprocessing, feature extraction, machine learning with DNN classifier training/testing; output: "1" covert, "0" normal).

Table 4: Definitions of the statistical features.

| Input variable | Feature | Formula | Explanation |
|---|---|---|---|
| x1 | Mean | $\mu = (1/n) \times \sum_{i=1}^{n} l_i$ | $l_i$ is the length of <bitfield>; $n$ is the subsample size |
| x2 | Median | $l_{(n+1)/2}$ | Where the lengths are sorted in ascending order |
| x3 | Entropy | $-\sum_{i=1}^{n} p(l_i) \log p(l_i)$ | $p(l_i)$ is the probability of length $l_i$ |
| x4 | Standard deviation | $\sigma = \sqrt{\sum_{i=1}^{n} (1/n) \times (l_i^2 - \mu^2)}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |
| x5 | Root of average mean error | $\mathrm{RAME} = \sqrt{\sum_{i=1}^{n} \lvert l_i - \mu \rvert / n}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |

Figure 16: The structure of DNN (input layer: x1 to x5; hidden layers: H1, H2, ..., Hk; output layer: y, with 1 for covert and 0 for normal).

Figure 17: The effect on the detection rate of increasing the number of neurons inside the DNN 3-hidden layers (x-axis: number of neurons; y-axis: detection rate; series: our scheme, StegTorrent).

Figure 18: The effect on the detection rate of increasing the number of hidden layers in DNN (x-axis: number of hidden layers; y-axis: detection rate; series: our scheme, StegTorrent).

which means that the maximum capacity of Single-Link Steg is 2500 B/P. Meanwhile, in Multi-Link Steg, the capacity will increase linearly with the number of steganographic peers, which is shown in Figure 21. Since the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, as mentioned above, the secret data of a certain size (L) is transmitted by each peer engaged in the steganography. It is found that when 64 peers transfer the secret information concurrently, the capacity reaches up to 76800 B/P.

However, more peers might increase the overhead of system resources and the complexity of the steganographic control mechanism, which will make the scheme more difficult to implement. Thus, the tradeoff between the number of steganographic peers and system overhead will be taken into consideration in future research. Then the capacity of Multi-Link Steg mode can be analyzed under the optimal number of steganographic peers.

6. Conclusions

BitTorrent file sharing, the protocol of P2P, is a steganographic carrier with high covertness, which has massive network traffic and a complex communication mechanism. The steganographic peers are confused with numerous legitimate BT peers owing to the cooperative transmission in the P2P network. Thus, it is extremely difficult to locate steganographic peers in the tremendous BT traffic. The steganographic peers disguise as the legitimate BT clients who are interested in possessing the common video file. They participate in downloading the same resource following the normal BT communication mode without introducing any

Figure 19: The comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysis methods (classifiers: deep neural network, naive Bayes, logistic regression, random forest, support vector machine; bar labels: StegTorrent 98, 97, 95, 93, 92; our scheme 43, 39, 30, 27, 24).

Figure 20: The comparison of BERs between our scheme and StegTorrent under different rates of packet loss/disorder (x-axis: packet disorder/loss rate (%); y-axis: BER; series: our scheme-pl, our scheme-pd, StegTorrent-pl, StegTorrent-pd).

Figure 21: Capacity of the proposed scheme under different numbers of steganographic peers (x-axis: number of peers, 1 to 64; y-axis: capacity (B/P), ×10^3; series: L = 100, L = 400, L = 800, L = 1200).

extra traffic. Taking advantage of the non-content-authentication mechanism of the Bitfield message, the secret information is embedded into the content of <bitfield> according to the given format. The altered Bitfield message can bypass the security censorship of the BT system and network monitor device. Hence, our scheme has proved better undetectability and robustness than the current methods. In future work, another BitTorrent-based steganographic algorithm will be designed and researched, in which the tradeoff between the number of steganographic peers and system overhead will be taken into consideration. Then the optimal steganographic mode can be analyzed and selected.

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, "Verifiable computation over large database with incremental updates," IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, "Faster-RCNN based robust coverless information hiding system in cloud environment," IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, "Coverless image steganography using partial-duplicate image retrieval," Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, "Survey on covert storage channel in computer network protocols: detection and mitigation techniques," International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, "An improved method in deep packet inspection based on regular expression," The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, "Evaluation of steganographic methods for oversized IP packets," Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, "A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU," The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, "IP covert timing channels: design and detection," in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, "Implementing a passive network covert timing channel," Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, "Minority oversampling for imbalanced ordinal regression," Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, "Model based covert timing channels: automated modeling and evasion," Lecture Notes in Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, "Network covert timing channel with distribution matching," Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, "Building covert timing channels by packet rearrangement over mobile networks," Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, "A packet-reordering covert channel over VoLTE voice and video traffics," Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, "Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC," IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, "Robust network covert communications based on TCP and enumerative combinatorics," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, "Design and performance evaluation of a covert timing channel," Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, "CoCo: coding-based covert timing channels for network flows," in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, "A covert timing channel based on fountain codes," in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, "Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding," IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, "Research on the hidden anonymous communication system based on P2P," M.S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, "SkyDe: a skype-based steganographic method," International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, "Fast mode decision using inter-view and inter-component correlations for multiview depth video coding," IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.

[24] J. Lv, C. Zhu, S. Tang, and C. Yang, "Deepflow: hiding anonymous communication traffic in P2P streaming networks," Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, "StegTorrent: a steganographic method for the P2P file sharing service," IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, "An entropy-based approach to detecting covert timing channels," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, "Cyberspace security for future Internet," Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, "A novel online incremental and decremental learning algorithm based on variable support vector machine," Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, "The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier," Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, "Using hierarchical statistical analysis and deep neural networks to detect covert timing channels," Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.


distinct for each file, the length of the Bitfield message is variable.

The format of the Bitfield message is shown in Figure 3, where len refers to the length of the Bitfield message, which occupies 4 Bytes, and id is the identifier of the Bitfield message, whose value is set to 5, occupying 1 Byte. The <bitfield> of X Bytes indicates the possession of specific file fragments, as depicted in Figure 4. The fragment with index 0 corresponds to the highest bit of the first byte, and so on. If the bit in a position is "1," the corresponding fragment is possessed, while a bit "0" means that the fragment is not possessed by the peer.

It can be observed that the Bitfield message is only sent immediately after completing a "handshake." Since there is no content-authentication mechanism for the Bitfield message in the BT client, the modification of <bitfield> may not raise any anomaly. In other words, the altered <bitfield> will be treated by default as the original content. Although the Bitfield message is only exchanged once during the single interaction of two peers, the size of the delivered data is considerable. Therefore, the Bitfield message is employed as the steganographic carrier in this paper.

4. The Proposed Scheme

4.1. System Model. The proposed steganographic system model is presented in Figure 5. The steganographic peers include the steganographic sender and receiver, which disguise as the legitimate BT clients. The open-source code of the BT client is modified according to the proposed scheme, which is implemented as follows:

(1) Steg-preparing: first, the steganographic mode (Single-Link Steg or Multi-Link Steg) is selected by the sender-peer in accordance with the secret size, and a suitable video file is chosen as a shared resource. Second, the critical information of the shared video file, such as file name and format, is delivered to the receiver-peer via e-mail, instant messaging, and so on.

(2) Normal BitTorrent communication/before-steg: the steganographic peers request the common file resource from the Tracker and establish a TCP link with each other.

(3) Steg-synchronization: the steganographic peers exchange the Handshake message to authenticate their identities in covert communication.

(4) Steg-implementation: the sender-peer embeds the secret information into the Bitfield message according to the selected steganographic mode. Then the altered Bitfield message is sent to the receiver-peer, from which the secret information can be extracted.

(5) Normal BitTorrent communication/after-steg: after accomplishing the transmission of secret information, the steganographic peers still exchange the negotiation messages and transfer the required video file fragments as the other normal BT peers.

4.2. Multimode Steganography. In BT communication, two peers only exchange the Bitfield message once during the entire process of video file transfer in order to share the concrete bitmap information of themselves. As mentioned above, the bitmap information is used to inform the other

Figure 2: The communication sequence diagram of BT file sharing (participants: Seeder, Tracker, Peer1, Peer2; labels: upload seed file, download seed file, request for list of resource possessor, return the list, "three-way handshake," send handshake message, reply handshake message, exchange Bitfield message, exchange negotiation message, fragments transmission).

Figure 3: The format of the Bitfield message: len = 0001 + X (X: bitfield length) | id = 5 | <bitfield>.

peer which file fragments have been possessed by one peer and is sent immediately after completing the "handshake." Hence, the secret data that can be transferred is limited during the single interaction of two peers. If more secret data is required to be delivered, multiple peers might be employed in sharing the common resource. Multiple peers participate in the transmission of secret information concurrently to accomplish cooperative steganography. Accordingly, there are two proposed steganographic modes based on the data size of secret information: Single-Link Steg and Multi-Link Steg. The main notations and symbols of our scheme are presented in Table 1.

Figure 5: The proposed steganographic system model (sender peer and receiver peer; steg-preparing: select steganographic mode (Single-link or Multi-link) by data size, select shared video file, overt channel transfer of the shared video file name; normal BT communication: request resources, construct TCP link, exchange negotiation message and data fragment; steg-synchronization: exchange handshake message, identity authentication; steg-implementation: embedding of secret information, exchange Bitfield message).

Figure 4: The possession of specific file fragments indicated in <bitfield> (the shared video file is split into 256 kB fragments with indexes 0 to 6; each bit of the X-Byte <bitfield> marks a fragment as possessed or not possessed).

Table 1: The main notations and symbols.

| Notation | Description |
|---|---|
| Single-Link Steg | Single-link steganography mode |
| Multi-Link Steg | Multi-link steganography mode |
| Mode | Steganography mode |
| S_len | The length of secret information |
| Secret_info | The content of secret information |
| Padding | The remainder of Bitfield field |
| File | The shared video file |
| sizeof | Function of calculating the shared file size |
| Index | The index of secret data block |
| S_block (i) | The i-th secret data block |

4.2.1. Single-Link Steg. The Single-Link Steg mode is suitable for transmitting less secret information, such as a key and parameter. In this scenario, there are only two peers participating in covert communication. As mentioned above, the steganographic sender must be a seeder. The Single-Link Steg is implemented as follows:

Step 1. Bitmap Info <bitfield> is partitioned into four steganographic fields, as shown in Figure 6. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "0," it denotes that our steganography is working in the Single-Link state.
(ii) S_len refers to the length of secret information, which occupies 1 Byte. It is defined as L Bytes.
(iii) Secret_info refers to the content of secret information, whose size is L Bytes.
(iv) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X − L − 2) Bytes. It should be satisfied that L + 2 ≤ X.

Step 2. The original <bitfield> is substituted with the secret information according to the aforementioned steganographic format. In addition, the shared video file between steganographic peers must be appropriately selected in accordance with the secret size L. In particular, the size of the video file should satisfy the requirement denoted in

$$\mathrm{sizeof}(\mathrm{File}) \ge \frac{(L + 2) \ast 8 \ast 256}{10^{6}}\ \mathrm{GB}, \tag{1}$$

where sizeof represents the function of calculating the file size. The video file is generally divided into several fragments whose size is 256 kB.

4.2.2. Multi-Link Steg. In order not to disrupt the legitimate BT communication of file sharing when it is necessary to transfer a larger amount of secret data, the steganographic peers are not allowed to send the Bitfield message several times. Thus, the Multi-Link Steg mode is exploited in case more secret information is required to be delivered. Cooperative steganography can be realized by the collaborative transfer of multiple BT peers. In this scenario, the steganographic peers disguise as the legitimate BT clients intending to download the common video resource. They collaborate to transfer the secret segments in accordance with prior careful planning. The Multi-Link Steg is implemented as follows, which is shown in Figure 7:

Step 1. Bitmap Info <bitfield> is partitioned into five steganographic fields, as shown in Figure 8. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "1," it denotes that our steganography is working in the Multi-Link state.
(ii) S_len refers to the length of the secret block, which occupies 1 Byte. It is defined as L Bytes.
(iii) Index refers to the index of the secret block, which initiates from 1.
(iv) S_block refers to the content of the secret block, whose size is L Bytes.
(v) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X − L − 3) Bytes. It should be satisfied that L + 3 ≤ X.

Step 2. The secret information is divided into n blocks whose size is L. S_block (i) refers to the i-th secret data block, where i = 1, 2, ..., n.
Step 3. n peers (legitimate BT clients) are controlled by the steganographic sender to transfer the secret blocks collaboratively.
Step 4. The sender-peers are then connected with the steganographic receiver, respectively, establishing n covert links.
Step 5. For each sender-peer, the original <bitfield> is substituted with the secret block according to the aforementioned steganographic format.
Step 6. The steganographic receiver extracts the secret blocks according to the agreed format. Then the blocks are reordered to retrieve the complete secret information, which is denoted as secret_info as follows:

$$\mathrm{secret\_info} = \sum_{i=1}^{n} \mathrm{s\_block}(i). \tag{2}$$
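The Bitfield message format and the two <bitfield> layouts of Sections 4.2.1 and 4.2.2, seen from the monitoring side (an added example, not code from the paper or from any BT client). The function names, the 20-piece torrent, and the sample messages are constructed; the length and spare-bit rule is the usual client-side Bitfield check, and a layout match is only a necessary condition, because a benign bitmap can begin with the same bytes.

```python
import struct
from math import ceil

BITFIELD_ID = 5  # identifier of the Bitfield message, as given on the page


def parse_bitfield_message(raw: bytes) -> bytes:
    """Split <len: 4 B><id: 1 B><bitfield: X B> and return the bitfield."""
    if len(raw) < 5:
        raise ValueError("truncated message")
    (length,) = struct.unpack(">I", raw[:4])  # len = 1 + X, big-endian
    if raw[4] != BITFIELD_ID:
        raise ValueError("not a Bitfield message")
    if length != len(raw) - 4:
        raise ValueError("len field does not match payload size")
    return raw[5:]


def structural_errors(bitfield: bytes, num_pieces: int) -> list:
    """Checks that need no knowledge of the peer's real bitmap."""
    expected = ceil(num_pieces / 8)
    if len(bitfield) != expected:
        return ["length %d != expected %d" % (len(bitfield), expected)]
    spare = expected * 8 - num_pieces  # unused low bits of the last byte
    if spare and bitfield[-1] & ((1 << spare) - 1):
        return ["spare bits set"]
    return []


def possessed(bitfield: bytes, num_pieces: int) -> list:
    """Fragment index 0 is the highest bit of the first byte."""
    usable = min(num_pieces, len(bitfield) * 8)
    return [i for i in range(usable) if bitfield[i // 8] & (0x80 >> (i % 8))]


def layout_matches(bitfield: bytes) -> list:
    """Report which of the page's layouts the payload is consistent with.

    Only the header constraints are tested (Mode value, S_len bound, Index
    starting from 1); the payload bytes themselves are not interpreted.
    """
    x = len(bitfield)
    hits = []
    if x >= 2 and bitfield[0] == 0 and 1 <= bitfield[1] and bitfield[1] + 2 <= x:
        hits.append({"mode": "Single-Link", "s_len": bitfield[1]})
    if (x >= 3 and bitfield[0] == 1 and 1 <= bitfield[1]
            and bitfield[1] + 3 <= x and bitfield[2] >= 1):
        hits.append({"mode": "Multi-Link", "s_len": bitfield[1],
                     "index": bitfield[2]})
    return hits


def triage(raw: bytes, num_pieces: int) -> dict:
    """Run all checks on one captured Bitfield message."""
    bitfield = parse_bitfield_message(raw)
    errors = structural_errors(bitfield, num_pieces)
    return {
        "structural_errors": errors,
        "pieces_claimed": None if errors else len(possessed(bitfield, num_pieces)),
        "layout_matches": layout_matches(bitfield),
    }


# Constructed sample messages for a torrent with 20 fragments (X = 3 Bytes).
SEEDER_MSG = bytes.fromhex("0000000405fffff0")     # all 20 fragments possessed
CANDIDATE_MSG = bytes.fromhex("0000000405000140")  # Mode = 0, S_len = 1

if __name__ == "__main__":
    for name, msg in (("seeder", SEEDER_MSG), ("candidate", CANDIDATE_MSG)):
        print(name, triage(msg, 20))
```

Both sample messages pass the structural checks, which is the absence of content authentication the page relies on; only the header heuristic separates them.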

5. Experiment Results and Analysis

5.1. Data Set and Implementation. Single-Link Steg and Multi-Link Steg are realized in the experiment, respectively. The open-source BT clients are modified to implement the proposed scheme, delivering the secret information covertly. Under the Single-Link Steg mode, the steganographic receiver disguises as the BT seeder. The data size of secret information is 255 bytes, and the shared video file is selected whose size is 104 MB. The communication packets between the steganographic peers are captured by Wireshark, as shown in Figure 9. It can be seen that the secret data is transferred successfully by format, substituting the partial content of the Bitfield message. Besides, it is verified that the legitimate BT communication has not been affected by the revision of the Bitfield message. The negotiation messages, such as Interested and Unchoke, are exchanged subsequently, and so are the file fragment transmission messages, such as Request and Piece. Thus, it can be concluded that the proposed steganography retains normal communication without introducing any additional anomaly.

Under the Multi-Link Steg mode, the data size of secret information is 1 kB, and the shared video file is selected whose size is 90 MB. In this scenario, there are three steganographic peers involved in the covert communication, in which peer1 and peer2 are all controlled by the steganographic sender in order to cooperatively transfer the secret data. Peer3 is the steganographic sender, which acts as the BT seeder. Figure 10 presents the Bitfield messages of steganographic peer1 and peer2, which contain the secret block, respectively.

Further experiments are performed to evaluate the main performance metrics of the proposed scheme, which contain the undetectability, robustness, and capacity analysis. As the

Figure 7: The cooperative steganography of peers in Multi-Link Steg (secret senders BT Client 1 to BT Client n carry s_block(1) to s_block(n) of the secret information across the P2P network to the secret receiver, BT Client n + 1).

Figure 8: The steganographic format of <bitfield> in Multi-Link Steg.
Bitfield message: len = 0001 + X (4 B) | id = 5 (1 B) | <bitfield> (X B)
<bitfield>: Mode = 1 (1 B) | S_len = L (1 B) | Index (1 B) | S_block (L B) | Padding ((X-L-3) B)

Figure 9: Bitfield message under Single-Link Steg mode (packet capture with the Mode, S_len, and Secret_info fields marked).

Figure 6: The steganographic format of <bitfield> in Single-Link Steg.
Bitfield message: len = 0001 + X (4 B) | id = 5 (1 B) | <bitfield> (X B)
<bitfield>: Mode = 0 (1 B) | S_len = L (1 B) | Secret_info (L B) | Padding ((X-L-2) B)

undetectability and robustness will not be affected by the number of steganographic peers, only the mode of Single-Link Steg is considered in the corresponding experiment.

5.2. Undetectability. As the core property, undetectability means that the covert traffic cannot be differentiated from the normal one, which depends entirely on the similarity between the two. Therefore, in order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. In the experiment, normal traffic of downloading general video files in BT clients (BitTorrent, μTorrent, and Vuze) is captured by Wireshark. Then the lengths of <bitfield> in Bitfield messages are extracted to form the normal samples. The number of normal and steganography samples is 20000. In the following, statistical and machine learning-based steganalysis is utilized to detect our proposed scheme, respectively.

5.2.1. Statistical-Based Steganalysis. Statistical-based steganalysis is the most common and popular method to detect the potential covert traffic, in which statistical properties, such as traffic regularity or distribution function, are exploited to distinguish the normal and covert traffic. As we know, the histogram is a significant property that can reveal the statistical distribution feature of traffic. Therefore, the histograms of normal and covert traffic of our scheme are compared in Figure 11, where the x-axis shows the field length of <bitfield>, ranging from 0 to 2500 Bytes, and the y-axis indicates the number of lengths that occurred within each bin (the x-axis is divided into eight bins). As shown in the figure, the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, with a peak value of 1000 Bytes. It is obvious that the histogram of our scheme matches the normal one quite well. The file size, which is calculated, is approximately 4.9 GB, corresponding to the maximum <bitfield> length of 2500 Bytes.

Meanwhile, two notable detection methods are employed to quantitatively reckon the detection resistance of our scheme compared with StegTorrent [25], which are the Entropy test [26] and the Kolmogorov–Smirnov test [27]. The normal and covert samples are both divided into 20 consecutive windows whose size is 1000. A certain statistical feature of each window is calculated and used during the detection process, as depicted in Figure 12.

(1) Entropy Test. Entropy can describe the degree of chaos in a process. In the Entropy test (EN-test), it is utilized to measure the regularity of data traffic [26]. If the traffic is less regular, the Entropy value will be larger, and vice versa. Since less regularity indicates more randomness, a greater amount of information is contained in the traffic. The Entropy value is obtained by calculating the statistical average of all possible self-information, which is denoted in

$$H(X) = E[I(x_i)] = -\sum_{i=1}^{n} p(x_i) \log p(x_i), \tag{3}$$

where X represents a one-dimensional discrete random variable whose set of values is $\Omega = \{x_i \mid i = 1, 2, \ldots, n\}$. The

Figure 10: Bitfield message under Multi-Link Steg mode: (a) steganographic Peer1; (b) steganographic Peer2 (packet captures with the Mode, S_len, Index, and Secret_info fields marked).

Figure 11: The comparison of histograms between normal and steganographic <bitfield> lengths of our scheme (x-axis: length in Bytes, 0 to 2500; y-axis: number; series: normal traffic, our scheme).

self-information of $x_i$ is $I(x_i)$, and the probability of $x_i$ is denoted as $p(x_i) = P\{X = x_i\}$. The Entropy values of 20 windows for normal and covert samples are compared in Figure 13. From the result, it can be found that most Entropy values of normal samples range approximately from 0.5 to 1.3, whereas those of the covert samples generated by StegTorrent are from 0.8 to 1.5. But the values of our scheme mix with those of the normal samples, which can hardly be differentiated.

Then 20 windows of normal and covert samples are tested using the Entropy test, respectively, when the window size is 1000. The results are presented in Table 2, where the detection threshold is denoted as THD. It is observed that the false-negative rate of normal samples declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. We can see that the detection rate of StegTorrent ranges from 91% to 98%, while that of our scheme is only below 7%. Hence, the Entropy test fails to distinguish the covert samples of our scheme from the normal ones.

(2) Kolmogorov–Smirnov Test. The K-S test [27] measures the maximum distance between two distributions. A small value indicates that two distributions are close to each other. Conversely, a large value means that one distribution does not fit the other one. The Kolmogorov-Smirnov test value (KS-test value) is attained by taking the supremum of the absolute difference between two empirical distribution functions for all x, which can be defined in

$$\mathrm{KSTEST} = \sup \lvert S_1(x) - S_2(x) \rvert, \tag{4}$$

where $S_1(x)$ and $S_2(x)$ refer to the empirical distribution functions of two samples. The comparison of KS-test values between the normal and covert samples is shown in Figure 14. Likewise, 20 windows of normal and covert samples are tested in the experiment. The x-axis is the window number, and the y-axis shows the corresponding KS-test value. It is observed that the KS-test values of our scheme are under 0.15, confused with those of the normal traffic. Thus, the distribution of our scheme is close to that of the normal one. Nevertheless, the corresponding values of StegTorrent occur from 0.15 to 0.25, which deviates from the normal case.

Then the covert traffic is detected using the K-S test, and the detection results are shown in Table 3, where the detection threshold is denoted by THD. It is observed that the false negative (FN) rate of the normal traffic declines when the threshold increases. FN refers to the normal sample which is misclassified as the covert one. Hence, the detection threshold is set appropriately from 0.13 to 0.15 in order to guarantee that the false-negative rate remains under 1%. Meanwhile, the true positive (TP) rates of covert samples are presented in the table. In this paper, the detection rate is represented by TP. From the results, it is easily seen that the detection rate of StegTorrent is more than 92% when tested with different thresholds. But in our case, it is located under 3%, indicating that the Kolmogorov–Smirnov test cannot effectively detect the covert traffic generated by our scheme.

Figure 12: Block diagram of the statistical-based detection process (normal and covert traffic; data preprocessing: <bitfield> lengths extraction and window size filter; statistical feature calculating; detection threshold setting; detection result: 1 steg, 0 normal).

Figure 13: The comparison of Entropy values between normal and covert samples (x-axis: window number; y-axis: Entropy value; series: normal traffic, our scheme, StegTorrent).

Table 2: The detection result of the Entropy test under different thresholds.

| Detection result | TP (THD = 0.95) | FN (THD = 0.95) | TP (THD = 0.98) | FN (THD = 0.98) | TP (THD = 1.03) | FN (THD = 1.03) |
|---|---|---|---|---|---|---|
| Our scheme | 0.07 | 0.09 | 0.04 | 0.07 | 0.02 | 0.04 |
| StegTorrent | 0.98 | 0.09 | 0.92 | 0.07 | 0.91 | 0.04 |

5.2.2. Machine Learning-Based Steganalysis. Recently, the machine learning technique performs quite well in resolving complex problems in various domains. In particular, it has progressively become a novel and effective means of detecting covert channels. In machine learning-based steganalysis, various statistical metrics (features) of normal and covert samples are utilized by classifier models, which are eventually trained to distinguish covert traffic. The classifiers used in machine learning-based detection mainly include SVM, Neural Network, Logistic Regression, Naive Bayes, Random Forest, and Deep Neural Network [28–30]. In this paper, Deep Neural Network (DNN) is principally employed to further estimate the undetectability of our scheme compared with StegTorrent.

(1) Detection Process. The proposed scheme is detected using DNN by the following steps, as depicted in Figure 15:

Step 1. Network traffic of downloading general video files in BT clients is captured by Wireshark. Then, the lengths of <bitfield> are extracted to form the normal or covert samples, whose size is 5000000, respectively. The samples are divided into 10000 subsamples, each containing 500 lengths.

Step 2. For each subsample, values of five statistical features, including mean, median, entropy, standard deviation, and root of average mean error, are calculated as described in Table 4. The data set of statistical features contains two types of samples, which are the normal and covert ones. It will then be used for training or testing in the classifier.

Step 3. The data set is divided into two parts, 70% of which is used for training in the DNN classifier model and 30% of which is used for testing. The normal traffic is labeled "0" and the covert one is labeled "1". After training the DNN classifier, it can be exploited to detect the covert traffic online.
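Steps 1 to 3 as an added Python example (not the authors' code): it cuts <bitfield> length samples into 500-length subsamples, computes the five Table 4 features for each, labels them 0 or 1, and makes the 70/30 split. The function names, the shuffle before splitting, the standard median for even n, and the constructed sample lengths are assumptions.

```python
import math
import random
import statistics
from collections import Counter

SUBSAMPLE = 500  # lengths per subsample, as in Step 1


def table4_features(lengths):
    """Return [x1, x2, x3, x4, x5] for one subsample, following Table 4."""
    n = len(lengths)
    mu = sum(lengths) / n                          # x1: mean
    # x2: middle of the sorted lengths; for even n (e.g. 500) the index
    # (n + 1) / 2 is not an integer, so the usual two-value average is used.
    median = statistics.median(lengths)
    counts = Counter(lengths)                      # p(l_i) as relative frequency
    entropy = -sum((c / n) * math.log(c / n) for c in counts.values())  # x3
    variance = sum(l * l - mu * mu for l in lengths) / n
    sigma = math.sqrt(max(variance, 0.0))          # x4; clamp float round-off
    rame = math.sqrt(sum(abs(l - mu) for l in lengths) / n)             # x5
    return [mu, median, entropy, sigma, rame]


def build_dataset(normal_lengths, covert_lengths, size=SUBSAMPLE):
    """Step 2: one (features, label) row per full subsample; 0 normal, 1 covert."""
    rows = []
    for label, lengths in ((0, normal_lengths), (1, covert_lengths)):
        for i in range(0, len(lengths) - size + 1, size):
            rows.append((table4_features(lengths[i:i + size]), label))
    return rows


def split_70_30(rows, seed=0):
    """Step 3: 70% training, 30% testing (shuffling first is an assumption)."""
    shuffled = rows[:]
    random.Random(seed).shuffle(shuffled)
    cut = len(shuffled) * 7 // 10
    return shuffled[:cut], shuffled[cut:]


if __name__ == "__main__":
    # Constructed lengths in the 0..2500 byte range, for illustration only.
    rng = random.Random(1)
    normal = [max(0, min(2500, int(rng.gauss(1000, 150)))) for _ in range(5000)]
    other = [rng.randint(0, 2500) for _ in range(5000)]
    train, test = split_70_30(build_dataset(normal, other))
    print(len(train), len(test), train[0])
```

The resulting rows are what a classifier such as the DNN described here would take as its five input variables.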

The structure of DNN is shown in Figure 16. In the input layers, 5 statistical features are fed to DNN as the input variables. In the hidden layers, each layer consists of a number of neurons involved in the prediction phase. Each neuron adjusts its weight based on the learning process and participates in calculating the coefficients of the final equations, which will be used to determine the class label (normal or covert) of tested samples. The output layer is responsible for determining the predicted value of the class label.

(2) Detection Result. Figure 17 depicts the effect on the detection rate of covert samples when increasing the number of neurons inside the DNN hidden layers. It can be noted that the detection rate improves as the number of neurons increases until it reaches 13, where the highest rate of 37% is achieved in detecting our proposed scheme. Nevertheless, at most 96% of StegTorrent is differentiated successfully by the DNN classifier.

Subsequently, the effect on the detection rate of increasing the number of hidden layers in DNN is shown in Figure 18. It is observed that the detection rate also increases with the number of hidden layers until reaching a certain level. The rate declines after the peak value since the classifier model is overfitted. It is easily found that 43% of covert samples of our scheme are detected when the number of hidden layers is 5, while the detection rate of StegTorrent reaches above 97% under the same circumstances.

Finally, the proposed scheme is tested by other machine learning-based detection methods, such as SVM, Logistic Regression, Naive Bayes, and Random Forest. The detection rates of our scheme and StegTorrent are compared in Figure 19. It is observed that 24% to 43% of our scheme is detected by different classifiers, while the detection rates of StegTorrent appear from 92% to 98%. It is clearly noticeable that the proposed scheme has outperformed StegTorrent by obtaining a lower degree of detection rate. Therefore, it can be concluded that our scheme possesses better undetectability than the existing method.

Table 3: The detection result of the Kolmogorov-Smirnov test under different thresholds.

| Detection result | THD = 0.13, TP (%) | THD = 0.13, FN (%) | THD = 0.14, TP (%) | THD = 0.14, FN (%) | THD = 0.15, TP (%) | THD = 0.15, FN (%) |
|---|---|---|---|---|---|---|
| Our scheme | 0.03 | 0.01 | 0.01 | 0.00 | 0.00 | 0.00 |
| StegTorrent | 0.99 | 0.01 | 0.95 | 0.00 | 0.92 | 0.00 |

Figure 14: The comparison of KS-test values between normal and covert samples. (x-axis: window number; y-axis: KS-test value; series: normal traffic, our scheme, StegTorrent.)

5.3. Robustness. Robustness requires the covert channel to keep working with relatively high accuracy and low bit error rate (BER), resisting the perturbation of network noise, such as network jitter and packet disorder and loss. In the experiment, the robustness of our proposed scheme is measured considering packet loss (pl) and packet disorder (pd). The BERs of the proposed scheme are compared with those of StegTorrent in terms of different rates of packet disorder/loss, as given in Figure 20. It is obvious that the secret information about our scheme can be accurately obtained under different rates of packet loss or disorder. However, the BER of StegTorrent increases with the increment of packet loss/disorder rate. The BER of StegTorrent reaches up to 11% when 20% of packets are lost, which will degrade the reliability of covert communication in StegTorrent.

On the one hand, the good performance in resisting packet loss and disorder of our scheme is due to the TCP reliable transmission mechanism of normal BT traffic, which serves as the carrier of our steganography. Therefore, the proposed method is noise-tolerant. On the other hand, packet loss or disorder alters the packet-arriving order in StegTorrent, which will lead to the misrecovery of secret data on the receiver side. Hence, we can conclude that our scheme is superior to StegTorrent in respect to robustness.

Figure 15: Detection process of DNN. (Stages: sample acquisition from network traffic, data preprocessing, feature extraction, and machine learning with DNN classifier training/testing; outputs "1": covert, "0": normal.)

Table 4: Definitions of the statistical features.

| Input variable | Feature | Formula | Explanation |
|---|---|---|---|
| x1 | Mean | $\mu = (1/n) \times \sum_{i=1}^{n} l_i$ | $l_i$ is the length of <bitfield>; $n$ is the subsample size |
| x2 | Median | $l_{(n+1)/2}$ | Where the lengths are sorted in ascending order |
| x3 | Entropy | $-\sum_{i=1}^{n} p(l_i)\log p(l_i)$ | $p(l_i)$ is the probability of length $l_i$ |
| x4 | Standard deviation | $\sigma = \sqrt{\sum_{i=1}^{n} (1/n) \times (l_i^2 - \mu^2)}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |
| x5 | Root of average mean error | $\mathrm{RAME} = \sqrt{\sum_{i=1}^{n} \lvert l_i - \mu \rvert / n}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |

Figure 16: The structure of DNN. (Input layer: x1 to x5; hidden layers: H1, H2, ..., Hk; output layer: y, with 1 for covert and 0 for normal.)

Figure 17: The effect on the detection rate of increasing the number of neurons inside the DNN 3-hidden layers. (x-axis: number of neurons; y-axis: detection rate; series: our scheme, StegTorrent.)

Figure 18: The effect on the detection rate of increasing the number of hidden layers in DNN. (x-axis: number of hidden layers; y-axis: detection rate; series: our scheme, StegTorrent.)

5.4. Capacity. Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or packet. In other words, capacity refers to the transfer rate of secret information. It is closely related to the bandwidth of normal carrier and the steganographic modulation algorithms. As revealed in Figure 21, the field length of <bitfield> ranges from 0 to 2500 Bytes in normal BT communication, which means that the maximum capacity of Single-Link Steg is 2500 B/P. Meanwhile, in Multi-Link Steg, the capacity will increase linearly with the number of steganographic peers, which is shown in Figure 21. Since the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, as mentioned above, the secret data of a certain size (L) is transmitted by each peer engaged in the steganography. It is found that when 64 peers transfer the secret information concurrently, the capacity reaches up to 76800 B/P.

However, more peers might increase the overhead of system resources and the complexity of the steganographic control mechanism, which will make the scheme more difficult to implement. Thus, the tradeoff between the number of steganographic peers and system overhead will be taken into consideration in future research. And then the capacity of Multi-Link Steg mode can be analyzed under the optimal number of steganographic peers.

Figure 19: The comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysis methods. (Classifiers: Deep neural network, Naive Bayes, Logistic regression, Random forest, Support vector machine; y-axis: detection rate; bar labels as printed: StegTorrent 98, 97, 95, 93, 92; our scheme 43, 39, 30, 27, 24.)

Figure 20: The comparison of BERs between our scheme and StegTorrent under different rates of packet loss/disorder. (x-axis: packet disorder/loss rate (%); y-axis: BER; series: Our scheme-pl, StegTorrent-pl, StegTorrent-pd, Our scheme-pd.)

Figure 21: Capacity of the proposed scheme under different numbers of steganographic peers. (x-axis: number of peers, 1 to 64; y-axis: capacity (B/P), ×10³; series: L = 100, L = 400, L = 800, L = 1200.)

6. Conclusions

BitTorrent file sharing, the protocol of P2P, is a steganographic carrier with high covertness, which has massive network traffic and complex communication mechanism. The steganographic peers are confused with numerous legitimate BT peers owing to the cooperative transmission in the P2P network. Thus, it is extremely difficult to locate steganographic peers in the tremendous BT traffic. The steganographic peers disguise as the legitimate BT clients who are interested in possessing the common video file. They participate in downloading the same resource following the normal BT communication mode without introducing any extra traffic. Taking advantage of the non-content-authentication mechanism of Bitfield message, the secret information is embedded into the content of <bitfield> according to the given format. The altered Bitfield message can bypass the security censorship of the BT system and network monitor device. Hence, our scheme has proved better undetectability and robustness than the current methods. In the future work, another BitTorrent-based steganographic algorithm will be designed and researched, in which the tradeoff between the numbers of steganographic peers and system overhead will be taken into consideration. And then the optimal steganographic mode can be analyzed and selected.

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, "Verifiable computation over large database with incremental updates," IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, "Faster-RCNN based robust coverless information hiding system in cloud environment," IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, "Coverless image steganography using partial-duplicate image retrieval," Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, "Survey on covert storage channel in computer network protocols: detection and mitigation techniques," International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, "An improved method in deep packet inspection based on regular expression," The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, "Evaluation of steganographic methods for oversized IP packets," Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, "A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU," The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, "IP covert timing channels: design and detection," in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, "Implementing a passive network covert timing channel," Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, "Minority oversampling for imbalanced ordinal regression," Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, "Model based covert timing channels: automated modeling and evasion," Lecture Notes In Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, "Network covert timing channel with distribution matching," Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, "Building covert timing channels by packet rearrangement over mobile networks," Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, "A packet-reordering covert channel over VoLTE voice and video traffics," Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, "Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC," IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, "Robust network covert communications based on TCP and enumerative combinatorics," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, "Design and performance evaluation of a covert timing channel," Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, "CoCo: coding-based covert timing channels for network flows," in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, "A covert timing channel based on fountain codes," in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, "Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding," IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, "Research on the hidden anonymous communication system based on P2P," M. S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, "SkyDe: a skype-based steganographic method," International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, "Fast mode decision using inter-view and inter-component correlations for multiview depth video coding," IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.

[24] J. Lv, C. Zhu, S. Tang, and C. Yang, "Deepflow: hiding anonymous communication traffic in P2P streaming networks," Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, "StegTorrent: a steganographic method for the P2P file sharing service," IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, "An entropy-based approach to detecting covert timing channels," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, "Cyberspace security for future Internet," Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, "A novel online incremental and decremental learning algorithm based on variable support vector machine," Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, "The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier," Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, "Using hierarchical statistical analysis and deep neural networks to detect covert timing channels," Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.

Page 5: A Multimode Network Steganography for Covert Wireless ...downloads.hindawi.com/journals/scn/2020/8848315.pdf · steganography subfield. Under this background, recent network steganography

peer which file fragments have been possessed by one peer and is sent after completing "handshake" immediately. Hence, the secret data that can be transferred is limited during the single interaction of two peers. If more secret data is required to be delivered, multiple peers might be employed in sharing the common resource. Multipeers participate in the transmission of secret information concurrently to accomplish cooperative steganography. Accordingly, there are two proposed steganographic modes based on the data size of secret information: Single-Link Steg and Multi-Link Steg. The main notations and symbols of our scheme are presented in Table 1.

Figure 5: The proposed steganographic system model. (Diagram of a sender peer and a receiver peer; legend: Steg-preparing, Steg-implementation, Steg-synchronization, normal BT communication.)

Figure 4: The possession of specific file fragments indicated in <bitfield>. (The shared video file is shown as 256 kB file fragments indexed 0 to 6; a <bitfield> bit of 1 means the fragment is possessed and 0 means the fragment is not possessed.)

Table 1: The main notations and symbols.

| Notation | Description |
|---|---|
| Single-Link Steg | Single-link steganography mode |
| Multi-Link Steg | Multi-link steganography mode |
| Mode | Steganography mode |
| S_len | The length of secret information |
| Secret_info | The content of secret information |
| Padding | The remainder of Bitfield field |
| File | The shared video file |
| sizeof | Function of calculating the shared file size |
| Index | The index of secret data block |
| S_block (i) | The i-th secret data block |

4.2.1. Single-Link Steg. The Single-Link Steg mode is suitable for transmitting less secret information, such as key and parameter. In this scenario, there are only two peers participating in covert communication. As mentioned above, the steganographic sender must be a seeder. The Single-Link Steg is implemented as follows:

Step 1. Bitmap Info <bitfield> is partitioned into four steganographic fields, as shown in Figure 6. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "0", it is denoted that our steganography is working in Single-Link state.
(ii) S_len refers to the length of secret information, which occupies 1 Byte. And it is defined as L Bytes.
(iii) Secret_info refers to the content of secret information, whose size is L Bytes.
(iv) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X-L-2) Bytes. And it should be satisfied that L + 2 ≤ X.

Step 2. The original <bitfield> is substituted with the secret information according to the aforementioned steganographic format. In addition, the shared video file between steganographic peers must be appropriately selected in accordance with the secret size L. In particular, the size of the video file should satisfy the certain requirement as denoted in

$$\mathrm{sizeof}(\mathrm{File}) \ge \frac{(L + 2) \times 8 \times 256}{10^{6}}\ \mathrm{GB}, \tag{1}$$

where sizeof is represented as the function of calculating the file size. The video file is generally divided into several fragments whose size is 256 kB.

4.2.2. Multi-Link Steg. In order not to disrupt the legitimate BT communication of file sharing when it is necessary to transfer a larger amount of secret data, the steganographic peers are not allowed to send Bitfield message several times. Thus, the Multi-Link Steg mode is exploited in case that more secret information is required to deliver. Cooperative steganography can be realized by the collaborative transfer of multiple BT peers. In this scenario, the steganographic peers disguise as the legitimate BT clients intended to download the common video resource. They collaborate to transfer the secret segments in accordance with prior careful planning. The Multi-Link Steg is implemented as follows, which is shown in Figure 7:

Step 1. Bitmap Info <bitfield> is partitioned into five steganographic fields, as shown in Figure 8. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "1", it is denoted that our steganography is working in Multi-Link state.
(ii) S_len refers to the length of the secret block, which occupies 1 Byte. And it is defined as L Bytes.
(iii) Index refers to the index of the secret block, which initiates from 1.
(iv) S_block refers to the content of the secret block, whose size is L Bytes.
(v) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X-L-3) Bytes. And it should be satisfied that L + 3 ≤ X.

Step 2. The secret information is divided into n blocks whose size is L. S_block (i) refers to the i-th secret data block, where i = 1, 2, ..., n.

Step 3. n peers (legitimate BT clients) are controlled by the steganographic sender to transfer the secret blocks collaboratively.

Step 4. The sender-peers are then connected with the steganographic receiver, respectively, establishing n covert links.

Step 5. For each sender-peer, the original <bitfield> is substituted with the secret block according to the aforementioned steganographic format.

Step 6. The steganographic receiver extracts the secret blocks according to the agreed format. Then, the blocks are reordered to retrieve the complete secret information, which is denoted as secret_info as follows:

$$\mathrm{secret\_info} = \sum_{i=1}^{n} \mathrm{s\_block}(i). \tag{2}$$

Figure 6: The steganographic format of <bitfield> in Single-Link Steg. (Bitfield message: len = 0001 + X (4 B), id = 5 (1 B), <bitfield> (X B); the <bitfield> holds Mode = 0 (1 B), S_len = L (1 B), Secret_info (L B), Padding ((X-L-2) B).)

Figure 7: The cooperative steganography of peers in Multi-Link Steg. (Secret senders BT Client 1, BT Client 2, BT Client 3, ..., BT Client n carry s_block(1), s_block(2), s_block(3), ..., s_block(n) of the secret information over the P2P network to the secret receiver, BT Client n + 1.)

Figure 8: The steganographic format of <bitfield> in Multi-Link Steg. (Bitfield message: len = 0001 + X (4 B), id = 5 (1 B), <bitfield> (X B); the <bitfield> holds Mode = 1 (1 B), S_len = L (1 B), Index (1 B), S_block (L B), Padding ((X-L-3) B).)

5. Experiment Results and Analysis

5.1. Data Set and Implementation. Single-Link Steg and Multi-Link Steg are realized in the experiment, respectively. The open-source BT clients are modified to implement the proposed scheme, delivering the secret information covertly. Under the Single-Link Steg mode, steganographic receiver disguises as the BT seeder. The data size of secret information is 255 bytes, and the shared video file is selected whose size is 104 MB. The communication packets between the steganographic peers are captured by Wireshark, as shown in Figure 9. It can be seen that the secret data is transferred successfully by format substituting the partial content of the Bitfield message. Besides, it is verified that the legitimate BT communication has not been affected by the revision of the Bitfield message. The negotiation messages, such as Interested and Unchoke, are exchanged subsequently, and so are the file fragment transmission messages, such as Request and Piece. In that, it can be concluded that the proposed steganography retains normal communication without introducing any additional anomaly.

Figure 9: Bitfield message under Single-Link Steg mode. (Packet capture with the Mode, S_len, and Secret_info fields marked.)

Under the Multi-Link Steg mode, the data size of secret information is 1 kB, and the shared video file is selected whose size is 90 MB. In this scenario, there are three steganographic peers involved in the covert communication, in which peer1 and peer2 are all controlled by the steganographic sender in order to cooperatively transfer the secret data. Peer3 is the steganographic sender which acts as the BT seeder. Figure 10 presents the Bitfield messages of steganographic peer1 and peer2, which contain the secret block, respectively.

Further experiments are performed to evaluate the main performance metrics of the proposed scheme, which contain the undetectability, robustness, and capacity analysis. As the undetectability and robustness will not be affected by the number of steganographic peers, only the mode of Single-Link Steg is considered in the corresponding experiment.

5.2. Undetectability. As the core property, undetectability refers to the covert traffic that cannot be differentiated from the normal one, which depends entirely on the similarity between the two. Therefore, in order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. In the experiment, normal traffic of downloading general video files in BT clients (BitTorrent, μTorrent, and Vuze) is captured by Wireshark. Then, the lengths of <bitfield> in bitfield messages are extracted to form the normal samples. The number of normal and steganography samples is 20000. In the following, statistical and machine learning-based steganalysis is utilized to detect our proposed scheme, respectively.

5.2.1. Statistical-Based Steganalysis. Statistical-based steganalysis is the most common and popular method to detect the potential covert traffic, in which statistical properties, such as traffic regularity or distribution function, are exploited to distinguish the normal and covert traffic. As we know, the histogram is a significant property that can reveal the statistical distribution feature of traffic. Therefore, the histograms of normal and covert traffic of our scheme are compared in Figure 11, where the x-axis shows the field length of <bitfield>, ranging from 0 to 2500 Bytes, and the y-axis indicates the number of lengths that occurred within each bin (the x-axis is divided into eight bins). As shown in the figure, the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, with a peak value of 1000 Bytes. It is obvious that the histogram of our scheme matches the normal one quite well. The file size which is calculated is approximately 4.9 GB, corresponding to the maximum <bitfield> length of 2500 Bytes.

Meanwhile, two notable detection methods are employed to reckon the detection resistance of our scheme compared with StegTorrent [25] quantitatively, which are the Entropy test [26] and Kolmogorov–Smirnov test [27]. For normal and covert samples, they are both divided into 20 consecutive windows whose size is 1000. Certain statistical feature of each window is calculated and used during the detection process, as depicted in Figure 12.

Figure 10: Bitfield message under Multi-Link Steg mode. (a) Steganographic Peer1. (b) Steganographic Peer2. (Packet captures with the Mode, S_len, Index, and Secret_info fields marked.)

Figure 11: The comparison of histograms between normal and steganographic <bitfield> lengths of our scheme. (x-axis: length (Bytes), 0 to 2500; y-axis: number; series: normal traffic, our scheme.)

(1) Entropy Test. Entropy can describe the degree of chaos in a process. In the Entropy test (EN-test), it is utilized to measure the regularity of data traffic [26]. If the traffic is less regular, the Entropy value will be larger, and vice versa. Since the less regularity indicates more randomness, the more amount of information is contained in the traffic. The Entropy value is obtained by calculating the statistical average of all possible self-information, which is denoted in

$$H(X) = E\left[I(x_i)\right] = -\sum_{i=1}^{n} p(x_i)\log p(x_i), \tag{3}$$

where X represents a one-dimensional discrete random variable whose set of values is $\Omega = \{x_i \mid i = 1, 2, \ldots, n\}$. The self-information of $x_i$ is $I(x_i)$, and the probability of $x_i$ is denoted as $p(x_i) = P\{X = x_i\}$. The Entropy values of 20 windows for normal and covert samples are compared in Figure 13. From the result, it can be found that most Entropy values of normal samples range approximately from 0.5 to 1.3, whereas those of the covert samples generated by StegTorrent are from 0.8 to 1.5. But the values of our scheme mix with those of the normal samples, which can hardly be differentiated.

Then, 20 windows of normal and covert samples are tested using the Entropy test, respectively, when the window size is 1000. The results are presented in Table 2, where the detection threshold is denoted as THD. It is observed that the false-negative rate of normal samples declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. And we can see the detection rate of StegTorrent ranges from 91% to 98%, while that of our scheme is only below 7%. Hence, the Entropy test fails to distinguish the covert samples of our scheme from the normal one.

(2) Kolmogorov–Smirnov Test. K-S test [27] measures the maximum distance between two distributions. A small value indicates that two distributions are close to each other. Conversely, a large value means that one distribution does not fit the other one. The Kolmogorov-Smirnov test value (KS-test value) is attained by taking the supremum of the absolute difference between two empirical distribution functions for all x, which can be defined in

$$\mathrm{KSTEST} = \sup_x \left| S_1(x) - S_2(x) \right|, \tag{4}$$

where $S_1(x)$ and $S_2(x)$ refer to the empirical distribution functions of two samples. The comparison of KS-test values between the normal and covert samples is shown in Figure 14. Likewise, 20 windows of normal and covert samples are tested in the experiment. The x-axis is the window number, and the y-axis shows the corresponding KS-test value. It is observed that the KS-test values of our scheme are under 0.15, confused with those of the normal traffic. Thus, the distribution of our scheme is close to that of the normal one. Nevertheless, the corresponding values of StegTorrent occur from 0.15 to 0.25, which deviates from the normal case.

Then, the covert traffic is detected using the K-S test, and the detection results are shown in Table 3, where the detection threshold is denoted by THD. It is observed that the false negative (FN) rate of the normal traffic declines when the threshold increases. FN refers to the normal sample which is misclassified as the covert one. Hence, the detection threshold is set appropriately from 0.13 to 0.15 in order to guarantee that the false-negative rate remains under 1%. Meanwhile, the true positive (TP) rates of covert samples are presented in the table. In this paper, the detection rate is represented by TP. From the results, it is easily seen that the detection rate of StegTorrent is more than 92% when tested with different thresholds. But in our case, it is located under 3%, indicating that the Kolmogorov–Smirnov test cannot effectively detect the covert traffic generated by our scheme.
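The windowed Entropy and K-S checks of Figure 12, as an added Python example that is not the authors' code. The traffic is constructed, and the 100-byte binning for p(x_i), the separate known-normal baseline used as the second K-S sample, and both threshold values are assumptions; the rule "statistic above THD means steg" is inferred from the statement that misclassified normal samples decline as THD rises.

```python
import math
import random
from bisect import bisect_right
from collections import Counter

WINDOW = 1000     # window size used in the experiment described above
BIN_WIDTH = 100   # assumption: lengths are bucketed into 100-byte bins for p(x_i)


def split_windows(lengths, size=WINDOW):
    """Cut a list of <bitfield> lengths into consecutive, full windows."""
    return [lengths[i:i + size] for i in range(0, len(lengths) - size + 1, size)]


def entropy_value(window, bin_width=BIN_WIDTH):
    """Equation (3): H(X) = -sum p(x_i) log p(x_i), natural log, over length bins."""
    n = len(window)
    counts = Counter(length // bin_width for length in window)
    return -sum((c / n) * math.log(c / n) for c in counts.values())


def ks_value(sample, reference):
    """Equation (4): sup_x |S1(x) - S2(x)| for two empirical distribution functions."""
    a, b = sorted(sample), sorted(reference)
    # Both step functions change only at observed values, so the supremum
    # is reached at one of them.
    return max(abs(bisect_right(a, x) / len(a) - bisect_right(b, x) / len(b))
               for x in set(a) | set(b))


def detect(windows, statistic, thd):
    """Decision step of Figure 12: 1 (steg) if the statistic exceeds THD, else 0."""
    return [1 if statistic(w) > thd else 0 for w in windows]


def flagged_rate(labels):
    """Fraction of windows labelled 1."""
    return sum(labels) / len(labels)


def constructed_traffic(seed=7, count=20 * WINDOW):
    """Constructed length samples (bytes): a baseline, normal-like traffic, and
    an anomalous sample whose lengths are uniform over 0..2500."""
    rng = random.Random(seed)

    def clamp(value):
        return max(0, min(2500, int(round(value))))

    baseline = [clamp(rng.gauss(1000, 150)) for _ in range(count)]
    normal = [clamp(rng.gauss(1000, 150)) for _ in range(count)]
    anomalous = [rng.randint(0, 2500) for _ in range(count)]
    return baseline, normal, anomalous


def run_demo(ks_thd=0.15, en_thd=2.5):
    """Flagged-window rates per sample for both tests (thresholds are constructed)."""
    baseline, normal, anomalous = constructed_traffic()
    report = {}
    for name, sample in (("normal", normal), ("anomalous", anomalous)):
        wins = split_windows(sample)
        report[name] = {
            "ks_rate": flagged_rate(detect(wins, lambda w: ks_value(w, baseline), ks_thd)),
            "entropy_rate": flagged_rate(detect(wins, entropy_value, en_thd)),
        }
    return report


if __name__ == "__main__":
    print(run_demo())
```

For the normal sample the flagged rate is the false-alarm rate (the quantity this section calls FN), and for the anomalous sample it is the detection rate (TP).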

[Figure 12: Block diagram of the statistical-based detection process. Normal and covert traffic; data preprocessing (<bitfield> lengths extraction, window size filter); statistical feature calculation; detection threshold setting; detection result (1 = steg, 0 = normal).]

[Figure 13: The comparison of Entropy values between normal and covert samples. x-axis: window number; y-axis: Entropy value; series: normal traffic, our scheme, StegTorrent.]

Table 2: The detection result of the Entropy test under different thresholds.

Detection threshold   THD 0.95          THD 0.98          THD 1.03
Detection result      TP (%)   FN (%)   TP (%)   FN (%)   TP (%)   FN (%)
Our scheme            0.07     0.09     0.04     0.07     0.02     0.04
StegTorrent           0.98     0.09     0.92     0.07     0.91     0.04

5.2.2. Machine Learning-Based Steganalysis. Recently, the machine learning technique performs quite well in resolving complex problems in various domains. In particular, it has progressively become a novel and effective means of detecting covert channels. In machine learning-based steganalysis, various statistical metrics (features) of normal and covert samples are utilized by classifier models, which are eventually trained to distinguish covert traffic. The classifiers used in machine learning-based detection mainly include SVM, Neural Network, Logistic Regression, Naive Bayes, Random Forest, and Deep Neural Network [28–30]. In this paper, Deep Neural Network (DNN) is principally employed to further estimate the undetectability of our scheme compared with StegTorrent.

(1) Detection Process. The proposed scheme is detected using DNN by the following steps, as depicted in Figure 15.

Step 1. Network traffic of downloading general video files in BT clients is captured by Wireshark. Then the lengths of <bitfield> are extracted to form the normal or covert samples, whose size is 5000000, respectively. The samples are divided into 10000 subsamples, each containing 500 lengths.

Step 2. For each subsample, values of five statistical features, including mean, median, entropy, standard deviation, and root of average mean error, are calculated as described in Table 4. The data set of statistical features contains two types of samples, which are the normal and covert ones. It will then be used for training or testing in the classifier.

Step 3. The data set is divided into two parts, 70% of which is used for training in the DNN classifier model and 30% of which is used for testing. The normal traffic is labeled "0" and the covert one is labeled "1". After training the DNN classifier, it can be exploited to detect the covert traffic online.
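An added example (not the paper's code) of Steps 1 to 3: it computes the five Table 4 features per 500-length subsample, splits the rows 70/30, and trains and scores a classifier. Assumptions: logistic regression (one of the classifiers the page lists) stands in for the DNN, the entropy feature uses eight 312.5-byte bins and the natural log, and the lengths are constructed sample data.

```python
import math
import random
import statistics
from collections import Counter

SUBSAMPLE = 500    # lengths per subsample (Step 1)
BIN_WIDTH = 312.5  # assumption: eight bins over 0-2500 bytes for the entropy feature


def features(lengths):
    """x1..x5 of Table 4 for one subsample of <bitfield> lengths."""
    n = len(lengths)
    mu = sum(lengths) / n
    counts = Counter(int(l // BIN_WIDTH) for l in lengths)
    ent = -sum((c / n) * math.log(c / n) for c in counts.values())
    sigma = math.sqrt(max(0.0, sum(l * l for l in lengths) / n - mu * mu))
    rame = math.sqrt(sum(abs(l - mu) for l in lengths) / n)
    # statistics.median averages the two middle values when n is even
    return [mu, statistics.median(lengths), ent, sigma, rame]


def build_dataset(normal, covert):
    """Label 0 = normal, 1 = covert; one feature row per full subsample (Step 2)."""
    rows = []
    for label, lengths in ((0, normal), (1, covert)):
        for i in range(0, len(lengths) - SUBSAMPLE + 1, SUBSAMPLE):
            rows.append((features(lengths[i:i + SUBSAMPLE]), label))
    return rows


def split_70_30(rows, seed=0):
    """Step 3: shuffle, then 70% for training and 30% for testing."""
    rows = rows[:]
    random.Random(seed).shuffle(rows)
    cut = int(len(rows) * 0.7)
    return rows[:cut], rows[cut:]


def fit_scaler(train):
    """Per-feature mean and standard deviation, taken from the training rows only."""
    cols = list(zip(*(x for x, _ in train)))
    return [(statistics.fmean(c), statistics.pstdev(c) or 1.0) for c in cols]


def scale(x, scaler):
    return [(v - m) / s for v, (m, s) in zip(x, scaler)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))


def train_logreg(train, scaler, epochs=300, lr=0.5):
    """Full-batch gradient descent on the logistic loss."""
    w, b = [0.0] * 5, 0.0
    data = [(scale(x, scaler), y) for x, y in train]
    for _ in range(epochs):
        gw, gb = [0.0] * 5, 0.0
        for x, y in data:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(data) for wi, g in zip(w, gw)]
        b -= lr * gb / len(data)
    return w, b


def detection_rates(model, scaler, test):
    """Return (TP rate on covert rows, share of normal rows flagged as covert)."""
    w, b = model
    hits = {0: [0, 0], 1: [0, 0]}  # label -> [flagged, total]
    for x, y in test:
        z = sum(wi * xi for wi, xi in zip(w, scale(x, scaler))) + b
        hits[y][0] += sigmoid(z) >= 0.5
        hits[y][1] += 1
    return hits[1][0] / hits[1][1], hits[0][0] / hits[0][1]


def constructed_lengths(n, seed, flat=False):
    """Constructed sample lengths (0-2500 bytes); not data from the paper."""
    rng = random.Random(seed)
    draw = (lambda: rng.randint(0, 2500)) if flat else (lambda: rng.gauss(1000, 250))
    return [min(2500, max(0, int(draw()))) for _ in range(n)]


def run_demo():
    """Peaked lengths play the normal class; a flat distribution plays the other."""
    rows = build_dataset(constructed_lengths(30000, 1),
                         constructed_lengths(30000, 2, flat=True))
    train, test = split_70_30(rows)
    scaler = fit_scaler(train)
    return detection_rates(train_logreg(train, scaler), scaler, test)


if __name__ == "__main__":
    print("TP rate, normal-flagged rate:", run_demo())
```

The constructed classes differ in every feature, so the classifier separates them easily; the page's own results show that a channel whose length distribution tracks normal traffic is much harder to separate with the same features.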

The structure of DNN is shown in Figure 16. In the input layers, 5 statistical features are fed to DNN as the input variables. In the hidden layers, each layer consists of a number of neurons involved in the prediction phase. Each neuron adjusts its weight based on the learning process and participates in calculating the coefficients of the final equations, which will be used to determine the class label (normal or covert) of tested samples. The output layer is responsible for determining the predicted value of the class label.

(2) Detection Result. Figure 17 depicts the effect on the detection rate of covert samples when increasing the number of neurons inside the DNN hidden layers. It can be noted that the detection rate improves as the number of neurons increases until it reaches 13, where the highest rate of 37% is achieved in detecting our proposed scheme. Nevertheless, at most 96% of StegTorrent is differentiated successfully by the DNN classifier.

Subsequently, the effect on the detection rate of increasing the number of hidden layers in DNN is shown in Figure 18. It is observed that the detection rate also increases with the number of hidden layers until reaching a certain level. The rate declines after the peak value, since the classifier model is overfitted. It is easily found that 43% of covert samples of our scheme are detected when the number of hidden layers is 5, while the detection rate of StegTorrent reaches above 97% under the same circumstances.

Finally, the proposed scheme is tested by other machine learning-based detection methods, such as SVM, Logistic Regression, Naive Bayes, and Random Forest. The detection rates of our scheme and StegTorrent are compared in Figure 19. It is observed that 24% to 43% of our scheme is detected by different classifiers, while the detection rates of StegTorrent appear from 92% to 98%. It is clearly noticeable that the proposed scheme has outperformed StegTorrent by obtaining a lower degree of detection rate. Therefore, it can be concluded that our scheme possesses better undetectability than the existing method.

Table 3: The detection result of the Kolmogorov-Smirnov test under different thresholds.

Detection threshold   THD 0.13          THD 0.14          THD 0.15
Detection result      TP (%)   FN (%)   TP (%)   FN (%)   TP (%)   FN (%)
Our scheme            0.03     0.01     0.01     0.00     0.00     0.00
StegTorrent           0.99     0.01     0.95     0.00     0.92     0.00

[Figure 14: The comparison of KS-test values between normal and covert samples. x-axis: window number; y-axis: KS-test value; series: normal traffic, our scheme, StegTorrent.]

5.3. Robustness. Robustness requires the covert channel to keep working with relatively high accuracy and low bit error rate (BER), resisting the perturbation of network noise, such as network jitter and packet disorder and loss. In the experiment, the robustness of our proposed scheme is measured considering packet loss (pl) and packet disorder (pd). The BERs of the proposed scheme are compared with those of StegTorrent in terms of different rates of packet disorder/loss, as given in Figure 20. It is obvious that the secret information of our scheme can be accurately obtained under different rates of packet loss or disorder. However, the BER of StegTorrent increases with the increment of packet loss/disorder rate. The BER of StegTorrent reaches up to 11% when 20% of packets are lost, which will degrade the reliability of covert communication in StegTorrent.

On the one hand, the good performance in resisting packet loss and disorder of our scheme is due to the TCP reliable transmission mechanism of normal BT traffic, which serves as the carrier of our steganography. Therefore, the proposed method is noise-tolerant. On the other hand, packet loss or disorder alters the packet-arriving order in StegTorrent, which will lead to the misrecovery of secret data on the receiver side. Hence, we can conclude that our scheme is superior to StegTorrent with respect to robustness.

5.4. Capacity. Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or packet. In other words, capacity refers to the transfer rate of secret information. It is closely related to the bandwidth of normal carrier and the steganographic modulation algorithms. As revealed in Figure 21, the field length of <bitfield> ranges from 0 to 2500 Bytes in normal BT communication, which means that the maximum capacity of Single-Link Steg is 2500 B/P. Meanwhile, in Multi-Link Steg, the capacity will increase linearly with the number of steganographic peers, which is shown in Figure 21. Since the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, as mentioned above, the secret data of a certain size (L) is transmitted by each peer engaged in the steganography. It is found that when 64 peers transfer the secret information concurrently, the capacity reaches up to 76800 B/P.

However, more peers might increase the overhead of system resources and the complexity of the steganographic control mechanism, which will make the scheme more difficult to implement. Thus, the tradeoff between the number of steganographic peers and system overhead will be taken into consideration in future research. And then the capacity of Multi-Link Steg mode can be analyzed under the optimal number of steganographic peers.

[Figure 15: Detection process of DNN. Network traffic; sample acquisition; data preprocessing; feature extraction; DNN classifier training/testing (machine learning); output "1" covert or "0" normal.]

Table 4: Definitions of the statistical features.

Input variable | Feature | Formula | Explanation
x1 | Mean | $\mu = (1/n) \times \sum_{i=1}^{n} l_i$ | $l_i$ is the length of <bitfield>; n is the subsample size
x2 | Median | $l_{(n+1)/2}$ | Where the lengths are sorted in ascending order
x3 | Entropy | $-\sum_{i=1}^{n} p(l_i) \log p(l_i)$ | $p(l_i)$ is the probability of length $l_i$
x4 | Standard deviation | $\sigma = \sqrt{\sum_{i=1}^{n} (1/n) \times (l_i^2 - \mu^2)}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths
x5 | Root of average mean error | $\mathrm{RAME} = \sqrt{\sum_{i=1}^{n} \lvert l_i - \mu \rvert / n}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths

[Figure 16: The structure of DNN. Input layer (x1 to x5); hidden layers (H1, H2, ..., Hk); output layer (y: 1 = covert, 0 = normal).]

[Figure 17: The effect on the detection rate of increasing the number of neurons inside the DNN 3-hidden layers. x-axis: number of neurons; y-axis: detection rate; series: our scheme, StegTorrent.]

[Figure 18: The effect on the detection rate of increasing the number of hidden layers in DNN. x-axis: number of hidden layers; y-axis: detection rate; series: our scheme, StegTorrent.]

[Figure 19: The comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysis methods (deep neural network, naive Bayes, logistic regression, random forest, support vector machine).]

[Figure 20: The comparison of BERs between our scheme and StegTorrent under different rates of packet loss/disorder. x-axis: packet disorder/loss rate (%); y-axis: BER; series: our scheme-pl, StegTorrent-pl, StegTorrent-pd, our scheme-pd.]

[Figure 21: Capacity of the proposed scheme under different numbers of steganographic peers. x-axis: number of peers; y-axis: capacity (B/P, ×10^3); series: L = 100, L = 400, L = 800, L = 1200.]

6. Conclusions

BitTorrent file sharing, the protocol of P2P, is a steganographic carrier with high covertness, which has massive network traffic and complex communication mechanism. The steganographic peers are confused with numerous legitimate BT peers owing to the cooperative transmission in the P2P network. Thus, it is extremely difficult to locate steganographic peers in the tremendous BT traffic. The steganographic peers disguise as the legitimate BT clients who are interested in possessing the common video file. They participate in downloading the same resource, following the normal BT communication mode without introducing any extra traffic. Taking advantage of the non-content-authentication mechanism of Bitfield message, the secret information is embedded into the content of <bitfield> according to the given format. The altered Bitfield message can bypass the security censorship of the BT system and network monitor device. Hence, our scheme has proved better undetectability and robustness than the current methods. In the future work, another BitTorrent-based steganographic algorithm will be designed and researched, in which the tradeoff between the numbers of steganographic peers and system overhead will be taken into consideration. And then the optimal steganographic mode can be analyzed and selected.

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, "Verifiable computation over large database with incremental updates," IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, "Faster-RCNN based robust coverless information hiding system in cloud environment," IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, "Coverless image steganography using partial-duplicate image retrieval," Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, "Survey on covert storage channel in computer network protocols: detection and mitigation techniques," International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, "An improved method in deep packet inspection based on regular expression," The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, "Evaluation of steganographic methods for oversized IP packets," Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, "A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU," The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, "IP covert timing channels: design and detection," in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, "Implementing a passive network covert timing channel," Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, "Minority oversampling for imbalanced ordinal regression," Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, "Model based covert timing channels: automated modeling and evasion," Lecture Notes in Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, "Network covert timing channel with distribution matching," Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, "Building covert timing channels by packet rearrangement over mobile networks," Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, "A packet-reordering covert channel over VoLTE voice and video traffics," Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, "Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC," IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, "Robust network covert communications based on TCP and enumerative combinatorics," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, "Design and performance evaluation of a covert timing channel," Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, "CoCo: coding-based covert timing channels for network flows," in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, "A covert timing channel based on fountain codes," in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, "Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding," IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, "Research on the hidden anonymous communication system based on P2P," M. S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, "SkyDe: a skype-based steganographic method," International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, "Fast mode decision using inter-view and inter-component correlations for multiview depth video coding," IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.

[24] J. Lv, C. Zhu, S. Tang, and C. Yang, "Deepflow: hiding anonymous communication traffic in P2P streaming networks," Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, "StegTorrent: a steganographic method for the P2P file sharing service," IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, "An entropy-based approach to detecting covert timing channels," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, "Cyberspace security for future Internet," Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, "A novel online incremental and decremental learning algorithm based on variable support vector machine," Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, "The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier," Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, "Using hierarchical statistical analysis and deep neural networks to detect covert timing channels," Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.


4.2.1. Single-Link Steg. The Single-Link Steg mode is suitable for transmitting less secret information, such as key and parameter. In this scenario, there are only two peers participating in covert communication. As mentioned above, the steganographic sender must be a seeder. The Single-Link Steg is implemented as follows.

Step 1. Bitmap Info <bitfield> is partitioned into four steganographic fields, as shown in Figure 6. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "0", it is denoted that our steganography is working in Single-Link state.
(ii) S_len refers to the length of secret information, which occupies 1 Byte. And it is defined as L Bytes.
(iii) Secret_info refers to the content of secret information, whose size is L Bytes.
(iv) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X-L-2) Bytes. And it should be satisfied that L + 2 ≤ X.

Step 2. The original <bitfield> is substituted with the secret information according to the aforementioned steganographic format. In addition, the shared video file between steganographic peers must be appropriately selected in accordance with the secret size L. In particular, the size of the video file should satisfy the certain requirement as denoted in

$$\mathrm{sizeof}(\mathrm{File}) \ge \frac{(L + 2) \times 8 \times 256}{10^{6}}\ \mathrm{GB}, \tag{1}$$

where sizeof is represented as the function of calculating the file size. The video file is generally divided into several fragments whose size is 256 kB.

4.2.2. Multi-Link Steg. In order not to disrupt the legitimate BT communication of file sharing when it is necessary to transfer a larger amount of secret data, the steganographic peers are not allowed to send Bitfield message several times. Thus, the Multi-Link Steg mode is exploited in case that more secret information is required to deliver. Cooperative steganography can be realized by the collaborative transfer of multiple BT peers. In this scenario, the steganographic peers disguise as the legitimate BT clients intended to download the common video resource. They collaborate to transfer the secret segments in accordance with prior careful planning. The Multi-Link Steg is implemented as follows, which is shown in Figure 7.

Step 1. Bitmap Info <bitfield> is partitioned into five steganographic fields, as shown in Figure 8. Assume that the length of <bitfield> is X Bytes. The meaning of each field is illustrated as follows:

(i) Mode refers to the steganographic mode, which occupies 1 Byte. When this value is set to "1", it is denoted that our steganography is working in Multi-Link state.
(ii) S_len refers to the length of the secret block, which occupies 1 Byte. And it is defined as L Bytes.
(iii) Index refers to the index of the secret block, which initiates from 1.
(iv) S_block refers to the content of the secret block, whose size is L Bytes.
(v) Padding refers to the remaining original content of <bitfield> after the substitution, whose size is (X-L-3) Bytes. And it should be satisfied that L + 3 ≤ X.

Step 2. The secret information is divided into n blocks whose size is L. S_block(i) refers to the i-th secret data block, where i = 1, 2, ..., n.

Step 3. n peers (legitimate BT clients) are controlled by the steganographic sender to transfer the secret blocks collaboratively.

Step 4. The sender-peers are then connected with the steganographic receiver, respectively, establishing n covert links.

Step 5. For each sender-peer, the original <bitfield> is substituted with the secret block according to the aforementioned steganographic format.

Step 6. The steganographic receiver extracts the secret blocks according to the agreed format. Then the blocks are reordered to retrieve the complete secret information, which is denoted as secret_info as follows:

$$\mathrm{secret\_info} = \sum_{i=1}^{n} \mathrm{s\_block}(i). \tag{2}$$
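An added example, not the authors' code: an analysis-side parser that checks whether a captured Bitfield message is consistent with the Single-Link or Multi-Link layout described above and orders Multi-Link blocks by Index as in equation (2). The function names and the constructed sample messages are assumptions; the 1-byte Index width is taken from Figure 8.

```python
import struct

BITFIELD_ID = 5  # message id shown in Figures 6 and 8


def parse_bitfield_message(msg):
    """Return the X-byte <bitfield> payload of a message: len (4 B) | id (1 B) | <bitfield>."""
    if len(msg) < 5:
        raise ValueError("too short for length prefix and id")
    length, msg_id = struct.unpack(">IB", msg[:5])
    if msg_id != BITFIELD_ID:
        raise ValueError("not a Bitfield message")
    payload = msg[5:]
    if length != 1 + len(payload):
        raise ValueError("length prefix does not equal 1 + X")
    return payload


def match_layout(bitfield):
    """Return the parsed fields if the payload fits either layout, else None."""
    x = len(bitfield)
    if x < 2:
        return None
    mode, s_len = bitfield[0], bitfield[1]
    if mode == 0 and s_len + 2 <= x:                      # Single-Link: L + 2 <= X
        return {"mode": 0, "s_len": s_len, "data": bitfield[2:2 + s_len],
                "padding_len": x - s_len - 2}
    if mode == 1 and s_len + 3 <= x and bitfield[2] >= 1:  # Multi-Link: L + 3 <= X
        return {"mode": 1, "s_len": s_len, "index": bitfield[2],
                "data": bitfield[3:3 + s_len], "padding_len": x - s_len - 3}
    return None


def reassemble(candidates):
    """Equation (2): join Multi-Link blocks in Index order and list missing indices."""
    blocks = {c["index"]: c["data"] for c in candidates if c and c["mode"] == 1}
    if not blocks:
        return b"", []
    missing = [i for i in range(1, max(blocks) + 1) if i not in blocks]
    return b"".join(blocks[i] for i in sorted(blocks)), missing


def wrap(bitfield):
    """Frame a payload as a Bitfield message (used only to build the constructed samples)."""
    return struct.pack(">IB", 1 + len(bitfield), BITFIELD_ID) + bitfield


# Constructed captures: two Multi-Link payloads seen out of order, one ordinary-looking one.
CONSTRUCTED = [
    wrap(bytes([1, 3, 2]) + b"def" + b"\xff" * 10),
    wrap(bytes([1, 3, 1]) + b"abc" + b"\xff" * 10),
    wrap(b"\xff" * 16),
]

if __name__ == "__main__":
    parsed = [match_layout(parse_bitfield_message(m)) for m in CONSTRUCTED]
    print(parsed)
    print(reassemble(parsed))
```

A match only means the bytes fit the layout: an ordinary bitfield whose first byte is 0x00 or 0x01 can fit it too, so a match is a lead for further analysis rather than proof.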

[Figure 6: The steganographic format of <bitfield> in Single-Link Steg. Message: len = 0001 + X (4 B), id = 5 (1 B), <bitfield> (X B). <bitfield>: Mode = 0 (1 B), S_len = L (1 B), Secret_info (L B), Padding ((X-L-2) B).]

[Figure 7: The cooperative steganography of peers in Multi-Link Steg. Secret senders BT Client 1 to BT Client n carry s_block(1) to s_block(n) of the secret information over the P2P network to the secret receiver, BT Client n + 1.]

[Figure 8: The steganographic format of <bitfield> in Multi-Link Steg. Message: len = 0001 + X (4 B), id = 5 (1 B), <bitfield> (X B). <bitfield>: Mode = 1 (1 B), S_len = L (1 B), Index (1 B), S_block (L B), Padding ((X-L-3) B).]

[Figure 9: Bitfield message under Single-Link Steg mode (packet capture annotated with Mode, S_len, and Secret_info).]

5. Experiment Results and Analysis

5.1. Data Set and Implementation. Single-Link Steg and Multi-Link Steg are realized in the experiment, respectively. The open-source BT clients are modified to implement the proposed scheme, delivering the secret information covertly. Under the Single-Link Steg mode, the steganographic receiver disguises as the BT seeder. The data size of secret information is 255 bytes, and the shared video file is selected whose size is 104 MB. The communication packets between the steganographic peers are captured by Wireshark, as shown in Figure 9. It can be seen that the secret data is transferred successfully by substituting part of the content of the Bitfield message according to the format. Besides, it is verified that the legitimate BT communication has not been affected by the revision of the Bitfield message. The negotiation messages, such as Interested and Unchoke, are exchanged subsequently, and so are the file fragment transmission messages, such as Request and Piece. From that, it can be concluded that the proposed steganography retains normal communication without introducing any additional anomaly.

Under the Multi-Link Steg mode, the data size of secret information is 1 kB, and the shared video file is selected whose size is 90 MB. In this scenario, there are three steganographic peers involved in the covert communication, in which peer1 and peer2 are both controlled by the steganographic sender in order to cooperatively transfer the secret data. Peer3 is the steganographic sender, which acts as the BT seeder. Figure 10 presents the Bitfield messages of steganographic peer1 and peer2, which contain the secret block, respectively.

Further experiments are performed to evaluate the main performance metrics of the proposed scheme, which contain the undetectability, robustness, and capacity analysis. As the undetectability and robustness will not be affected by the number of steganographic peers, only the mode of Single-Link Steg is considered in the corresponding experiment.

5.2. Undetectability. As the core property, undetectability refers to the covert traffic that cannot be differentiated from the normal one, which depends entirely on the similarity between the two. Therefore, in order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. In the experiment, normal traffic of downloading general video files in BT clients (BitTorrent, μTorrent, and Vuze) is captured by Wireshark. Then the lengths of <bitfield> in bitfield messages are extracted to form the normal samples. The number of normal and steganography samples is 20000. In the following, statistical and machine learning-based steganalysis is utilized to detect our proposed scheme, respectively.

5.2.1. Statistical-Based Steganalysis. Statistical-based steganalysis is the most common and popular method to detect the potential covert traffic, in which statistical properties, such as traffic regularity or distribution function, are exploited to distinguish the normal and covert traffic. As we know, the histogram is a significant property that can reveal the statistical distribution feature of traffic. Therefore, the histograms of normal and covert traffic of our scheme are compared in Figure 11, where the x-axis shows the field length of <bitfield>, ranging from 0 to 2500 Bytes, and the y-axis indicates the number of lengths that occurred within each bin (the x-axis is divided into eight bins). As shown in the figure, the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, with a peak value of 1000 Bytes. It is obvious that the histogram of our scheme matches the normal one quite well. The file size, which is calculated, is approximately 4.9 GB, corresponding to the maximum <bitfield> length of 2500 Bytes.

Meanwhile, two notable detection methods are employed to reckon the detection resistance of our scheme compared with StegTorrent [25] quantitatively, which are the Entropy test [26] and Kolmogorov–Smirnov test [27]. For normal and covert samples, they are both divided into 20 consecutive windows, whose size is 1000. A certain statistical feature of each window is calculated and used during the detection process, as depicted in Figure 12.

[Figure 10: Bitfield message under Multi-Link Steg mode: (a) steganographic Peer1; (b) steganographic Peer2 (packet captures annotated with Mode, S_len, Index, and Secret_info).]

[Figure 11: The comparison of histograms between normal and steganographic <bitfield> lengths of our scheme. x-axis: length (Bytes); y-axis: number; series: normal traffic, our scheme.]

(1) Entropy Test. Entropy can describe the degree of chaos in a process. In the Entropy test (EN-test), it is utilized to measure the regularity of data traffic [26]. If the traffic is less regular, the Entropy value will be larger, and vice versa. Since less regularity indicates more randomness, a larger amount of information is contained in the traffic. The Entropy value is obtained by calculating the statistical average of all possible self-information, which is denoted in

$$H(X) = E\left[ I(x_i) \right] = -\sum_{i=1}^{n} p(x_i) \log p(x_i), \tag{3}$$

where X represents a one-dimensional discrete random variable whose set of values is $\Omega = \{x_i \mid i = 1, 2, \ldots, n\}$. The self-information of $x_i$ is $I(x_i)$, and the probability of $x_i$ is denoted as $p(x_i) = P\{X = x_i\}$. The Entropy values of 20 windows for normal and covert samples are compared in Figure 13. From the result, it can be found that most Entropy values of normal samples range approximately from 0.5 to 1.3, whereas those of the covert samples generated by StegTorrent are from 0.8 to 1.5. But the values of our scheme mix with those of the normal samples and can hardly be differentiated.

Then 20 windows of normal and covert samples are tested using the Entropy test, respectively, when the window size is 1000. The results are presented in Table 2, where the detection threshold is denoted as THD. It is observed that the false-negative rate of normal samples declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. And we can see the detection rate of StegTorrent ranges from 91% to 98%, while that of our scheme is only below 7%. Hence, the Entropy test fails to distinguish the covert samples of our scheme from the normal one.
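An added example (not the paper's code) of the window-based statistical check: it scores consecutive 1000-length windows of <bitfield> lengths with the entropy of equation (3) and the KS-test value of equation (4) against a baseline, and flags windows whose KS value exceeds THD. Assumptions: the eight 312.5-byte bins and natural log used for the entropy, the function names, and the constructed sample lengths; THD = 0.15 is taken from Table 3.

```python
import bisect
import math
import random
from collections import Counter

WINDOW = 1000      # window size used in the statistical tests
KS_THD = 0.15      # upper end of the 0.13-0.15 threshold range in Table 3
BIN_WIDTH = 312.5  # assumption: 0-2500 bytes split into eight bins, as in Figure 11


def entropy(lengths, bin_width=BIN_WIDTH):
    """Equation (3) over binned lengths: H = -sum p(x) ln p(x)."""
    counts = Counter(int(l // bin_width) for l in lengths)
    n = len(lengths)
    return -sum((c / n) * math.log(c / n) for c in counts.values())


def ks_statistic(sample_a, sample_b):
    """Equation (4): sup over x of |S1(x) - S2(x)| for two empirical CDFs."""
    a, b = sorted(sample_a), sorted(sample_b)
    d = 0.0
    for x in set(a).union(b):  # the step functions only change at observed values
        s1 = bisect.bisect_right(a, x) / len(a)
        s2 = bisect.bisect_right(b, x) / len(b)
        d = max(d, abs(s1 - s2))
    return d


def windows(lengths, size=WINDOW):
    """Consecutive, non-overlapping windows; a trailing partial window is dropped."""
    return [lengths[i:i + size] for i in range(0, len(lengths) - size + 1, size)]


def score_capture(lengths, baseline, thd=KS_THD):
    """Return one (window_no, entropy, ks_value, flagged) row per window."""
    rows = []
    for no, win in enumerate(windows(lengths), start=1):
        ks = ks_statistic(win, baseline)
        rows.append((no, round(entropy(win), 3), round(ks, 3), ks > thd))
    return rows


def constructed_lengths(n, seed, peaked=True):
    """Constructed sample data, not measurements from the paper."""
    rng = random.Random(seed)
    if peaked:  # bell shape around 1000 bytes, like the normal histogram described
        return [min(2500, max(0, int(rng.gauss(1000, 250)))) for _ in range(n)]
    return [rng.randint(0, 2500) for _ in range(n)]  # flat: a deliberately different shape


if __name__ == "__main__":
    baseline = constructed_lengths(20000, seed=1)
    captures = (("same shape as baseline", constructed_lengths(5000, seed=2)),
                ("different shape", constructed_lengths(5000, seed=3, peaked=False)))
    for label, capture in captures:
        for row in score_capture(capture, baseline):
            print(label, row)
```

As the results above report, a channel whose length distribution matches the baseline stays below these thresholds, so this check only catches traffic that shifts the distribution.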

(2) KolmogorovndashSmirnov Test K-S test [27] measures themaximum distance between two distributions A small valueindicates that two distributions are close to each otherConversely a large value means that one distribution doesnot fit the other one e Kolmogorov-Smirnov test value(KS-test value) is attained by taking the supremum of theabsolute difference between two empirical distributionfunctions for all x which can be defined in

KSTEST sup S1(x) minus S2(x)1113868111386811138681113868

1113868111386811138681113868 (4)

where S1(x) and S2(x) refer to the empirical distributionfunctions of two samples e comparison of KS-test valuesbetween the normal and covert samples is shown in Fig-ure 14 Likewise 20 windows of normal and covert samplesare tested in the experiment e x-axis is the windownumber and the y-axis shows the corresponding KS-testvalue It is observed that the KS-test values of our scheme areunder 015 confused with those of the normal traffic usthe distribution of our scheme is close to that of the normalone Nevertheless the corresponding values of StegTorrentoccur from 015 to 025 which is deviated from the normalcase

en the covert traffic is detected using the K-S test andthe detection results are shown in Table 3 where the de-tection threshold is denoted by THD It is observed that the

false negative (FN) rate of the normal traffic declines whenthe threshold increases FN refers to the normal samplewhich is misclassified as the covert one Hence the detectionthreshold is set appropriately from 013 to 015 in order toguarantee that the false-negative rate remains under 1Meanwhile the true positive (TP) rates of covert samples arepresented in the table In this paper the detection rate isrepresented by TP From the results it is easily seen that thedetection rate of StegTorrent is more than 92 when testedwith different thresholds But in our case it is located under3 indicating that the KolmogorovndashSmirnov test cannoteffectively detect the covert traffic generated by our scheme

ltBitfieldgtlengthsextract

Statistical featurecalculating

Detectionthreshold setting

Detectionresult

Normaltraffic

Coverttraffic

Data Preprocessing

Window sizefilter

1 steg

0 normal

Figure 12 Block diagram of the statistical-based detection process

Window number0

02

04

06

08

10

12

14

2 4 6 8 10 12 14 16 18 20

16

Entro

py v

alue

Normal trafficOur schemeStegTorrent

Figure 13 e comparison of Entropy values between normal andcovert samples

Table 2 e detection result of the Entropy test under differentthresholds

Detection result TP()

FN()

TP()

FN()

TP()

FN()

Detectionthreshold THD 095 THD 098 THD 103

Our scheme 007 009 004 007 002 004StegTorrent 098 009 092 007 091 004

Security and Communication Networks 9

5.2.2. Machine Learning-Based Steganalysis. Recently, the machine learning technique performs quite well in resolving complex problems in various domains. In particular, it has progressively become a novel and effective means of detecting covert channels. In machine learning-based steganalysis, various statistical metrics (features) of normal and covert samples are utilized by classifier models, which are eventually trained to distinguish covert traffic. The classifiers used in machine learning-based detection mainly include SVM, Neural Network, Logistic Regression, Naive Bayes, Random Forest, and Deep Neural Network [28–30]. In this paper, Deep Neural Network (DNN) is principally employed to further estimate the undetectability of our scheme compared with StegTorrent.

(1) Detection Process. The proposed scheme is detected using DNN by the following steps, as depicted in Figure 15.

Step 1. Network traffic of downloading general video files in BT clients is captured by Wireshark. Then, the lengths of <bitfield> are extracted to form the normal or covert samples, whose size is 5000000, respectively. The samples are divided into 10000 subsamples, each containing 500 lengths.

Step 2. For each subsample, values of five statistical features, including mean, median, entropy, standard deviation, and root of average mean error, are calculated as described in Table 4. The data set of statistical features contains two types of samples, which are the normal and covert ones. It will then be used for training or testing in the classifier.

Step 3. The data set is divided into two parts, 70% of which is used for training in the DNN classifier model and 30% of which is used for testing. The normal traffic is labeled “0” and the covert one is labeled “1.” After training the DNN classifier, it can be exploited to detect the covert traffic online.

The structure of DNN is shown in Figure 16. In the input layer, 5 statistical features are fed to DNN as the input variables. In the hidden layers, each layer consists of a number of neurons involved in the prediction phase. Each neuron adjusts its weight based on the learning process and participates in calculating the coefficients of the final equations, which will be used to determine the class label (normal or covert) of tested samples. The output layer is responsible for determining the predicted value of the class label.
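Steps 1 to 3 as an added example, not code from the paper: each 500-length subsample is reduced to the five Table 4 features, labeled 0 or 1, and split 70/30 per class. Assumptions: a nearest-centroid classifier stands in for the DNN, the entropy uses log base 2, and both length streams are constructed (the "suspect" stream is not modelled on either steganographic scheme).

```python
import math
import random
from collections import Counter
from statistics import mean, median

def features(lengths):
    """x1..x5 of Table 4 for one subsample of <bitfield> lengths."""
    n = len(lengths)
    mu = mean(lengths)                                        # x1: mean
    med = median(lengths)                                     # x2: middle of the sorted lengths
    entropy = -sum(c / n * math.log2(c / n)                   # x3: log base 2 is an assumption
                   for c in Counter(lengths).values())
    # x4 as written in Table 4; max() guards against a tiny negative rounding error
    std = math.sqrt(max(0.0, sum(l * l - mu * mu for l in lengths) / n))
    rame = math.sqrt(sum(abs(l - mu) for l in lengths) / n)   # x5: root of average mean error
    return [mu, med, entropy, std, rame]

def subsamples(lengths, size=500):
    """Step 1: consecutive subsamples of `size` lengths (a short tail is dropped)."""
    return [lengths[i:i + size] for i in range(0, len(lengths) - size + 1, size)]

def split(rows, train_fraction=0.7, seed=1):
    """Step 3: shuffle one class and cut it 70/30, so both sets contain both labels."""
    rows = rows[:]
    random.Random(seed).shuffle(rows)
    cut = round(len(rows) * train_fraction)
    return rows[:cut], rows[cut:]

def fit(train):
    """Stand-in for the DNN: z-score each feature, keep one centroid per label."""
    dims = range(5)
    mu = [mean(x[d] for x, _ in train) for d in dims]
    sd = [math.sqrt(mean((x[d] - mu[d]) ** 2 for x, _ in train)) or 1.0 for d in dims]

    def scale(x):
        return [(x[d] - mu[d]) / sd[d] for d in dims]

    centroids = {label: [mean(scale(x)[d] for x, y in train if y == label) for d in dims]
                 for label in (0, 1)}
    return scale, centroids

def predict(model, x):
    """Return the label (0 normal, 1 covert) of the nearest centroid."""
    scale, centroids = model
    z = scale(x)
    return min(centroids, key=lambda c: sum((a - b) ** 2 for a, b in zip(z, centroids[c])))

def run_demo():
    rng = random.Random(7)
    # Constructed length streams in bytes, 20 subsamples each; not captured traffic.
    normal = [min(2500, max(1, round(rng.gauss(1000, 150)))) for _ in range(20 * 500)]
    suspect = [rng.choice([900, 950, 1000, 1050]) for _ in range(20 * 500)]
    train, test = [], []
    for label, stream in ((0, normal), (1, suspect)):
        tr, te = split([(features(s), label) for s in subsamples(stream)])
        train += tr
        test += te
    model = fit(train)
    hits = [predict(model, x) for x, y in test if y == 1]
    alarms = [predict(model, x) for x, y in test if y == 0]
    return {"train": len(train), "test": len(test),
            "detection_rate": sum(hits) / len(hits),        # TP rate on covert-labeled rows
            "false_alarm_rate": sum(alarms) / len(alarms)}  # normal rows flagged as covert

if __name__ == "__main__":
    print(run_demo())
```

The constructed streams differ sharply in entropy and spread, so the stand-in separates them easily; the paper's reported rates come from real captures and a trained DNN.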

(2) Detection Result. Figure 17 depicts the effect on the detection rate of covert samples when increasing the number of neurons inside the DNN hidden layers. It can be noted that the detection rate improves as the number of neurons increases until it reaches 13, where the highest rate of 37% is achieved in detecting our proposed scheme. Nevertheless, at most 96% of StegTorrent is differentiated successfully by the DNN classifier.

Subsequently, the effect on the detection rate of increasing the number of hidden layers in DNN is shown in Figure 18. It is observed that the detection rate also increases with the number of hidden layers until reaching a certain level. The rate declines after the peak value since the classifier model is overfitted. It is easily found that 43% of covert samples of our scheme are detected when the number of hidden layers is 5, while the detection rate of StegTorrent reaches above 97% under the same circumstances.

Finally, the proposed scheme is tested by other machine learning-based detection methods, such as SVM, Logistic Regression, Naive Bayes, and Random Forest. The detection rates of our scheme and StegTorrent are compared in Figure 19. It is observed that 24% to 43% of our scheme is detected by different classifiers, while the detection rates of StegTorrent range from 92% to 98%. It is clearly noticeable that the proposed scheme has outperformed StegTorrent by obtaining a lower detection rate. Therefore, it can be concluded that our scheme possesses better undetectability than the existing method.

Table 3: The detection result of the Kolmogorov–Smirnov test under different thresholds.

Detection threshold   THD = 0.13        THD = 0.14        THD = 0.15
Detection result      TP (%)   FN (%)   TP (%)   FN (%)   TP (%)   FN (%)
Our scheme            0.03     0.01     0.01     0.00     0.00     0.00
StegTorrent           0.99     0.01     0.95     0.00     0.92     0.00

Figure 14: The comparison of KS-test values between normal and covert samples. [Plot: x-axis, window number (2 to 20); y-axis, KS-test value (0 to 0.35); series: normal traffic, our scheme, StegTorrent.]

5.3. Robustness. Robustness requires the covert channel to keep working with relatively high accuracy and low bit error rate (BER), resisting the perturbation of network noise, such as network jitter and packet disorder and loss. In the experiment, the robustness of our proposed scheme is measured considering packet loss (pl) and packet disorder (pd). The BERs of the proposed scheme are compared with those of StegTorrent in terms of different rates of packet disorder/loss, as given in Figure 20. It is obvious that the secret information of our scheme can be accurately obtained under different rates of packet loss or disorder. However, the BER of StegTorrent increases with the increment of packet loss/disorder rate. The BER of StegTorrent reaches up to 11% when 20% of packets are lost, which will degrade the reliability of covert communication in StegTorrent.

On the one hand, the good performance of our scheme in resisting packet loss and disorder is due to the reliable TCP transmission mechanism of normal BT traffic, which serves as the carrier of our steganography. Therefore, the proposed method is noise-tolerant. On the other hand, packet loss or disorder alters the packet-arriving order in StegTorrent, which will lead to the misrecovery of secret data on the receiver side. Hence, we can conclude that our scheme is superior to StegTorrent with respect to robustness.

Figure 15: Detection process of DNN. [Block diagram; blocks: network traffic, sample acquisition, data preprocessing, feature extraction, machine learning, <DNN> classifier (training/testing); outputs: “1” covert, “0” normal.]

Table 4: Definitions of the statistical features.

Input variable   Feature                      Formula                                                          Explanation
x1               Mean                         $\mu = (1/n) \times \sum_{i=1}^{n} l_i$                          $l_i$ is the length of <bitfield>; $n$ is the subsample size
x2               Median                       $l_{(n+1)/2}$                                                    Where the lengths are sorted in ascending order
x3               Entropy                      $-\sum_{i=1}^{n} p(l_i) \log p(l_i)$                             $p(l_i)$ is the probability of length $l_i$
x4               Standard deviation           $\sigma = \sqrt{\sum_{i=1}^{n} (1/n) \times (l_i^2 - \mu^2)}$    $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths
x5               Root of average mean error   $\mathrm{RAME} = \sqrt{\sum_{i=1}^{n} |l_i - \mu| / n}$          $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths

Figure 16: The structure of DNN. [Diagram: input layer (x1 to x5), hidden layers (H1, H2, ..., Hk), output layer (y: 1 covert, 0 normal).]

Figure 17: The effect on the detection rate of increasing the number of neurons inside the DNN 3-hidden layers. [Plot: x-axis, number of neurons (1 to 100); y-axis, detection rate (0 to 1.0); series: our scheme, StegTorrent.]

Figure 18: The effect on the detection rate of increasing the number of hidden layers in DNN. [Plot: x-axis, number of hidden layers; y-axis, detection rate; series: our scheme, StegTorrent.]

5.4. Capacity. Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or packet. In other words, capacity refers to the transfer rate of secret information. It is closely related to the bandwidth of the normal carrier and the steganographic modulation algorithms. As revealed in Figure 21, the field length of <bitfield> ranges from 0 to 2500 Bytes in normal BT communication, which means that the maximum capacity of Single-Link Steg is 2500 B/P. Meanwhile, in Multi-Link Steg, the capacity will increase linearly with the number of steganographic peers, which is shown in Figure 21. Since the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, as mentioned above, the secret data of a certain size (L) is transmitted by each peer engaged in the steganography. It is found that when 64 peers transfer the secret information concurrently, the capacity reaches up to 76800 B/P.

However, more peers might increase the overhead of system resources and the complexity of the steganographic control mechanism, which will make the scheme more difficult to implement. Thus, the tradeoff between the number of steganographic peers and system overhead will be taken into consideration in future research. Then, the capacity of Multi-Link Steg mode can be analyzed under the optimal number of steganographic peers.

6. Conclusions

BitTorrent file sharing, the protocol of P2P, is a steganographic carrier with high covertness, which has massive network traffic and a complex communication mechanism. The steganographic peers are confused with numerous legitimate BT peers owing to the cooperative transmission in the P2P network. Thus, it is extremely difficult to locate steganographic peers in the tremendous BT traffic. The steganographic peers disguise themselves as legitimate BT clients who are interested in possessing the common video file. They participate in downloading the same resource following the normal BT communication mode without introducing any extra traffic. Taking advantage of the non-content-authentication mechanism of the Bitfield message, the secret information is embedded into the content of <bitfield> according to the given format. The altered Bitfield message can bypass the security censorship of the BT system and network monitor device. Hence, our scheme has proved better undetectability and robustness than the current methods. In future work, another BitTorrent-based steganographic algorithm will be designed and researched, in which the tradeoff between the numbers of steganographic peers and system overhead will be taken into consideration. Then, the optimal steganographic mode can be analyzed and selected.

Figure 19: The comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysis methods. [Bar chart; y-axis, detection rate; classifiers: deep neural network, naive Bayes, logistic regression, random forest, support vector machine; bar labels (%): StegTorrent 98, 97, 95, 93, 92; our scheme 43, 39, 30, 27, 24.]

Figure 20: The comparison of BERs between our scheme and StegTorrent under different rates of packet loss/disorder. [Plot: x-axis, packet disorder/loss rate (%) (0.5 to 20); y-axis, BER (0 to 0.12); series: our scheme-pl, our scheme-pd, StegTorrent-pl, StegTorrent-pd.]

Figure 21: Capacity of the proposed scheme under different numbers of steganographic peers. [Plot: x-axis, number of peers (1 to 64); y-axis, capacity (B/P, ×10^3, 0 to 80); series: L = 100, L = 400, L = 800, L = 1200.]

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, “Verifiable computation over large database with incremental updates,” IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, “Faster-RCNN based robust coverless information hiding system in cloud environment,” IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, “Coverless image steganography using partial-duplicate image retrieval,” Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, “Survey on covert storage channel in computer network protocols: detection and mitigation techniques,” International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, “An improved method in deep packet inspection based on regular expression,” The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, “Evaluation of steganographic methods for oversized IP packets,” Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, “A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU,” The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, “IP covert timing channels: design and detection,” in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, “Implementing a passive network covert timing channel,” Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, “Minority oversampling for imbalanced ordinal regression,” Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, “Model based covert timing channels: automated modeling and evasion,” Lecture Notes in Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, “Network covert timing channel with distribution matching,” Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, “Building covert timing channels by packet rearrangement over mobile networks,” Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, “A packet-reordering covert channel over VoLTE voice and video traffics,” Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, “Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC,” IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, “Robust network covert communications based on TCP and enumerative combinatorics,” IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, “Design and performance evaluation of a covert timing channel,” Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, “CoCo: coding-based covert timing channels for network flows,” in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, “A covert timing channel based on fountain codes,” in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, “Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding,” IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, “Research on the hidden anonymous communication system based on P2P,” M.S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, “SkyDe: a skype-based steganographic method,” International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, “Fast mode decision using inter-view and inter-component correlations for multiview depth video coding,” IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.

[24] J. Lv, C. Zhu, S. Tang, and C. Yang, “Deepflow: hiding anonymous communication traffic in P2P streaming networks,” Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, “StegTorrent: a steganographic method for the P2P file sharing service,” IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, “An entropy-based approach to detecting covert timing channels,” IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, “Cyberspace security for future Internet,” Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, “A novel online incremental and decremental learning algorithm based on variable support vector machine,” Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, “The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier,” Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, “Using hierarchical statistical analysis and deep neural networks to detect covert timing channels,” Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.


BT seeder. Figure 10 presents the Bitfield messages of steganographic peer1 and peer2, which contain the secret block, respectively.

Figure 6: The steganographic format of <bitfield> in Single-Link Steg. [Message layout: len = 0001 + X (4 B), id = 5 (1 B), <bitfield> (X B); inside <bitfield>: Mode = 0 (1 B), S_len = L (1 B), Secret_info (L B), Padding ((X-L-2) B).]

Figure 7: The cooperative steganography of peers in Multi-Link Steg. [Diagram: secret senders BT Client 1 to BT Client n carry s_block(1) to s_block(n) of the secret information over the P2P network; secret receiver: BT Client n + 1.]

Figure 8: The steganographic format of <bitfield> in Multi-Link Steg. [Message layout: len = 0001 + X (4 B), id = 5 (1 B), <bitfield> (X B); inside <bitfield>: Mode = 1 (1 B), S_len = L (1 B), Index (1 B), S_block (L B), Padding ((X-L-3) B).]

Figure 9: Bitfield message under Single-Link Steg mode. [Annotated fields: Mode, S_len, Secret_info.]

Further experiments are performed to evaluate the main performance metrics of the proposed scheme, which contain the undetectability, robustness, and capacity analysis. As the undetectability and robustness will not be affected by the number of steganographic peers, only the mode of Single-Link Steg is considered in the corresponding experiment.

5.2. Undetectability. As the core property, undetectability means that the covert traffic cannot be differentiated from the normal one, which depends entirely on the similarity between the two. Therefore, in order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. In the experiment, normal traffic of downloading general video files in BT clients (BitTorrent, μTorrent, and Vuze) is captured by Wireshark. Then, the lengths of <bitfield> in bitfield messages are extracted to form the normal samples. The number of normal and steganography samples is 20000. In the following, statistical and machine learning-based steganalysis is utilized to detect our proposed scheme, respectively.

5.2.1. Statistical-Based Steganalysis. Statistical-based steganalysis is the most common and popular method to detect the potential covert traffic, in which statistical properties such as traffic regularity or distribution function are exploited to distinguish the normal and covert traffic. As we know, the histogram is a significant property that can reveal the statistical distribution feature of traffic. Therefore, the histograms of normal and covert traffic of our scheme are compared in Figure 11, where the x-axis shows the field length of <bitfield>, ranging from 0 to 2500 Bytes, and the y-axis indicates the number of lengths that occurred within each bin (the x-axis is divided into eight bins). As shown in the figure, the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, with a peak value of 1000 Bytes. It is obvious that the histogram of our scheme matches the normal one quite well. The file size which is calculated is approximately 4.9 GB, corresponding to the maximum <bitfield> length of 2500 Bytes.

Meanwhile, two notable detection methods are employed to quantitatively reckon the detection resistance of our scheme compared with StegTorrent [25], which are the Entropy test [26] and Kolmogorov–Smirnov test [27]. Both the normal and covert samples are divided into 20 consecutive windows whose size is 1000. A certain statistical feature of each window is calculated and used during the detection process, as depicted in Figure 12.

Figure 10: Bitfield message under Multi-Link Steg mode. [Panels: (a) <Steganographic Peer1>, (b) <Steganographic Peer2>; annotated fields in each: Mode, S_len, Index, Secret_info.]

Figure 11: The comparison of histograms between normal and steganographic <bitfield> lengths of our scheme. [Histogram: x-axis, length (Bytes), 0 to 2500; y-axis, number; series: normal traffic, our scheme.]

(1) Entropy Test. Entropy can describe the degree of chaos in a process. In the Entropy test (EN-test), it is utilized to measure the regularity of data traffic [26]. If the traffic is less regular, the Entropy value will be larger, and vice versa. Since less regularity indicates more randomness, a larger amount of information is contained in the traffic. The Entropy value is obtained by calculating the statistical average of all possible self-information, which is denoted in

$$H(X) = E[I(x_i)] = -\sum_{i=1}^{n} p(x_i) \log p(x_i), \tag{3}$$

where $X$ represents a one-dimensional discrete random variable whose set of values is $\Omega = \{x_i \mid i = 1, 2, \ldots, n\}$. The self-information of $x_i$ is $I(x_i)$, and the probability of $x_i$ is denoted as $p(x_i) = P\{X = x_i\}$. The Entropy values of 20 windows for normal and covert samples are compared in Figure 13. From the result, it can be found that most Entropy values of normal samples range approximately from 0.5 to 1.3, whereas those of the covert samples generated by StegTorrent are from 0.8 to 1.5. But the values of our scheme mix with those of the normal samples, which can hardly be differentiated.

Then, 20 windows of normal and covert samples are tested using the Entropy test, respectively, when the window size is 1000. The results are presented in Table 2, where the detection threshold is denoted as THD. It is observed that the false-negative rate of normal samples declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. We can see that the detection rate of StegTorrent ranges from 91% to 98%, while that of our scheme is only below 7%. Hence, the Entropy test fails to distinguish the covert samples of our scheme from the normal one.

(2) Kolmogorov–Smirnov Test. The K-S test [27] measures the maximum distance between two distributions. A small value indicates that two distributions are close to each other. Conversely, a large value means that one distribution does not fit the other one. The Kolmogorov–Smirnov test value (KS-test value) is attained by taking the supremum of the absolute difference between two empirical distribution functions for all x, which can be defined in

$$\mathrm{KSTEST} = \sup \left| S_1(x) - S_2(x) \right|, \tag{4}$$

where $S_1(x)$ and $S_2(x)$ refer to the empirical distribution functions of two samples. The comparison of KS-test values between the normal and covert samples is shown in Figure 14. Likewise, 20 windows of normal and covert samples are tested in the experiment. The x-axis is the window number, and the y-axis shows the corresponding KS-test value. It is observed that the KS-test values of our scheme are under 0.15, mixed with those of the normal traffic. Thus, the distribution of our scheme is close to that of the normal one. Nevertheless, the corresponding values of StegTorrent range from 0.15 to 0.25, which deviates from the normal case.

Then, the covert traffic is detected using the K-S test, and the detection results are shown in Table 3, where the detection threshold is denoted by THD. It is observed that the false negative (FN) rate of the normal traffic declines when the threshold increases. FN refers to the normal sample which is misclassified as the covert one. Hence, the detection threshold is set appropriately from 0.13 to 0.15 in order to guarantee that the false-negative rate remains under 1%. Meanwhile, the true positive (TP) rates of covert samples are presented in the table. In this paper, the detection rate is represented by TP. From the results, it is easily seen that the detection rate of StegTorrent is more than 92% when tested with different thresholds. But in our case, it is located under 3%, indicating that the Kolmogorov–Smirnov test cannot effectively detect the covert traffic generated by our scheme.
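The windowed Entropy and K-S detection process of Figure 12, as an added example that is not code from the paper: each window of <bitfield> lengths is scored with Eq. (3) and Eq. (4) and compared with THD. Assumptions: lengths are binned 50 bytes wide with log base 2, a window is flagged when its statistic exceeds THD, the Entropy THD is calibrated from known-normal windows, and all lengths are constructed; the K-S THD of 0.14 is taken from Table 3.

```python
import math
from bisect import bisect_right
from collections import Counter

def windows(lengths, size):
    """Cut a stream of <bitfield> lengths into consecutive full windows."""
    return [lengths[i:i + size] for i in range(0, len(lengths) - size + 1, size)]

def entropy(window, bin_width=50):
    """Eq. (3): H = -sum p(x_i) log p(x_i) over binned lengths.
    Bin width and log base 2 are assumptions; the page states neither."""
    n = len(window)
    counts = Counter(length // bin_width for length in window)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def ks_statistic(window, reference):
    """Eq. (4): sup |S1(x) - S2(x)| between two empirical distribution functions.
    Both are step functions, so the supremum is reached at an observed length."""
    a, b = sorted(window), sorted(reference)
    return max(abs(bisect_right(a, x) / len(a) - bisect_right(b, x) / len(b))
               for x in set(a) | set(b))

def calibrate_threshold(normal_stats, max_flag_rate):
    """Smallest THD that flags at most max_flag_rate of the known-normal windows."""
    ordered = sorted(normal_stats)
    allowed = min(int(max_flag_rate * len(ordered)), len(ordered) - 1)
    return ordered[len(ordered) - 1 - allowed]

def flag(stats, thd):
    """1 = steg, 0 = normal (assumption: flagged when the statistic exceeds THD)."""
    return [1 if s > thd else 0 for s in stats]

def rate(flags):
    """Fraction of windows flagged as steg."""
    return sum(flags) / len(flags)

def run_demo(window_size=100, ks_thd=0.14):
    # Constructed lengths in bytes, not captured traffic.
    reference = list(range(800, 1200, 4))             # known-normal baseline window
    normal = (list(range(802, 1202, 4)) + list(range(801, 1201, 4))
              + list(range(803, 1203, 4)))            # three windows close to the baseline
    suspect = list(range(0, 2500, 25)) * 2            # two windows spread over 0 to 2500 bytes
    normal_w = windows(normal, window_size)
    suspect_w = windows(suspect, window_size)

    ks_normal = [ks_statistic(w, reference) for w in normal_w]
    ks_suspect = [ks_statistic(w, reference) for w in suspect_w]

    en_normal = [entropy(w) for w in normal_w]
    en_suspect = [entropy(w) for w in suspect_w]
    en_thd = calibrate_threshold(en_normal, max_flag_rate=0.0)

    return {
        "ks_normal_flagged": rate(flag(ks_normal, ks_thd)),
        "ks_suspect_flagged": rate(flag(ks_suspect, ks_thd)),
        "entropy_thd": en_thd,
        "entropy_normal_flagged": rate(flag(en_normal, en_thd)),
        "entropy_suspect_flagged": rate(flag(en_suspect, en_thd)),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.3f}")
```

The paper's own windows hold 1000 lengths; the demo uses 100 so the constructed input stays small.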

ltBitfieldgtlengthsextract

Statistical featurecalculating

Detectionthreshold setting

Detectionresult

Normaltraffic

Coverttraffic

Data Preprocessing

Window sizefilter

1 steg

0 normal

Figure 12 Block diagram of the statistical-based detection process

Window number0

02

04

06

08

10

12

14

2 4 6 8 10 12 14 16 18 20

16

Entro

py v

alue

Normal trafficOur schemeStegTorrent

Figure 13 e comparison of Entropy values between normal andcovert samples

Table 2 e detection result of the Entropy test under differentthresholds

Detection result TP()

FN()

TP()

FN()

TP()

FN()

Detectionthreshold THD 095 THD 098 THD 103

Our scheme 007 009 004 007 002 004StegTorrent 098 009 092 007 091 004

Security and Communication Networks 9

522 Machine Learning-Based Steganalysis Recently themachine learning technique performs quite well in resolvingcomplex problems in various domains In particular it hasprogressively become a novel and effective means ofdetecting covert channels In machine learning-basedsteganalysis various statistical metrics (features) of normaland covert samples are utilized by classifier models andeventually be trained to distinguish covert traffic eclassifiers used in machine learning-based detection mainlyinclude SVM Neural Network Logistic Regression NaiveBayes Random Forest and Deep Neural Network [28ndash30]In this paper Deep Neural Network (DNN) is principallyemployed to further estimate the undetectability of ourscheme compared with StegTorrent

(1) Detection Process e proposed scheme is detected usingDNN by the following steps as depicted in Figure 15

Step 1 Network traffic of downloading general videofiles in BT clients is captured by Wireshark en thelengths of ltbitfieldgt are extracted to form the normalor covert samples whose size is 5000000 respectivelye samples are divided into 10000 subsamples eachcontaining 500 lengthsStep 2 For each subsample values of five statisticalfeatures including mean median entropy standarddeviation and root of average mean error are calculatedas described in Table 4 e data set of statistical

features contains two types of samples which are thenormal and covert ones It will be then used for trainingor testing in the classifierStep 3 e data set is divided into two parts 70 ofwhich is used for training in the DNN classifier modeland 30 of which is used for testing e normal trafficis labeled ldquo0rdquo and the covert one is labeled ldquo1rdquo Aftertraining the DNN classifier it can be exploited to detectthe covert traffic online

e structure of DNN is shown in Figure 16 In the inputlayers 5 statistical features are fed to DNN as the inputvariables In the hidden layers each layer consists of anumber of neurons involved in the prediction phase Eachneuron adjusts its weight based on the learning process andparticipates in calculating the coefficients of the finalequations which will be used to determine the class label(normal or overt) of tested samples e output layer isresponsible for determining the predicted value of the classlabel

(2) Detection Result Figure 17 depicts the effect on thedetection rate of covert samples when increasing the numberof neurons inside the DNN hidden layers It can be notedthat the detection rate improves as the number of neuronsincreases until it reaches 13 where the highest rate of 37 isachieved in detecting our proposed scheme Nevertheless atmost 96 of StegTorrent is differentiated successfully by theDNN classifier

Subsequently the effect on the detection rate of in-creasing the number of hidden layers in DNN is shown inFigure 18 It is observed that the detection rate also increasesas the increment of hidden layers until reaching a certainlevel And the rate declines after the peak value since theclassifier model is overfitted It is easily found that 43 ofcovert samples of our scheme are detected when the numberof hidden layers is 5 while the detection rate of StegTorrentreaches above 97 under the same circumstances

Finally the proposed scheme is tested by other machinelearning-based detection methods such as SVM LogisticRegression Naive Bayes Random Forest And the detectionrates of our scheme and StegTorrent are compared in Fig-ure 19 It is observed that 24 to 43 of our scheme isdetected by different classifiers while the detection rates ofStegTorrent appear from 92 to 98 It is clearly noticeablethat the proposed scheme has outperformed StegTorrent byobtaining a lower degree of detection rate erefore it canbe concluded that our scheme possesses better undetect-ability than the existing method

53 Robustness Robustness requires the covert channel tokeep working with relatively high accuracy and low bit errorrate (BER) resisting the perturbation of network noise suchas network jitter and packet disorder and loss In the ex-periment the robustness of our proposed scheme is mea-sured considering packet loss (pl) and packet disorder (pd)e BERs of the proposed scheme are compared with thoseof StegTorrent in terms of different rates of packet disorder

Table 3 e detection result of the Kolmogorov-Smirnov testunder different thresholds

Detection result TP()

FN()

TP()

FN()

TP()

FN()

Detectionthreshold THD 013 THD 014 THD 015

Our scheme 003 001 001 000 000 000StegTorrent 099 001 095 000 092 000

Window number0

005

01

015

02

025

03

035

2 4 6 8 10 12 14 16 18 20

KS-te

st va

lue

Normal trafficOur schemeStegTorrent

Figure 14 e comparison of KS-test values between normal andcovert samples

10 Security and Communication Networks

loss as given in Figure 20 It is obvious that the secret in-formation about our scheme can be accurately obtainedunder different rates of packet loss or disorder However theBER of StegTorrent increases with the increment of packetlossdisorder ratee BER of StegTorrent reaches up to 11

when 20 of packets are lost which will degrade the reli-ability of covert communication in StegTorrent

On the one hand the good performance in resistingpacket loss and disorder of our scheme is due to the TCPreliable transmission mechanism of normal BT traffic whichserves as the carrier of our steganography erefore theproposed method is noise-tolerated On the other handpacket loss or disorder alters the packet-arriving order inStegTorrent which will lead to the misrecovery of secret dataon the receiver side Hence we can conclude that ourscheme is superior to StegTorrent in respect to robustness

5.4. Capacity. Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or per packet. In other words, capacity refers to the transfer rate of secret information. It is closely related to the bandwidth of the normal carrier and the steganographic modulation algorithms. As revealed in Figure 21, the field length of <bitfield> ranges from 0 to 2500 Bytes in normal BT communication, which means that the maximum capacity of Single-Link Steg is 2500 B/P. Meanwhile, in Multi-Link Steg, the capacity will increase linearly with the number of steganographic peers, which is shown in Figure 21. Since the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, as mentioned above, the secret data of a certain size (L) is transmitted by each peer engaged in the steganography. It is found that when 64 peers transfer the secret information concurrently, the capacity reaches up to 76800 B/P.

However, more peers might increase the overhead of system resources and the complexity of the steganographic control mechanism, which will make the scheme more difficult to implement. Thus, the tradeoff between the number of steganographic peers and system overhead will be taken into consideration in future research. Then, the capacity of Multi-Link Steg mode can be analyzed under the optimal number of steganographic peers.

Figure 15: Detection process of DNN (stages: network traffic, sample acquisition, data preprocessing, feature extraction, machine learning with DNN classifier training/testing; output “1” covert, “0” normal).

Table 4: Definitions of the statistical features.

| Input variable | Feature | Formula | Explanation |
|---|---|---|---|
| x1 | Mean | $\mu = (1/n) \times \sum_{i=1}^{n} l_i$ | $l_i$ is the length of <bitfield>; $n$ is the subsample size |
| x2 | Median | $l_{(n+1)/2}$ | Where the lengths are sorted in ascending order |
| x3 | Entropy | $-\sum_{i=1}^{n} p(l_i)\log p(l_i)$ | $p(l_i)$ is the probability of length $l_i$ |
| x4 | Standard deviation | $\sigma = \sqrt{\sum_{i=1}^{n} (1/n) \times (l_i^2 - \mu^2)}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |
| x5 | Root of average mean error | $\mathrm{RAME} = \sqrt{\sum_{i=1}^{n} \lvert l_i - \mu \rvert / n}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |

Figure 16: The structure of DNN (input layer x1 to x5; hidden layers H1, H2, ..., Hk; output layer y: “1” covert, “0” normal).

Figure 17: The effect on the detection rate of increasing the number of neurons inside the DNN 3-hidden layers (x-axis: number of neurons; y-axis: detection rate; series: our scheme, StegTorrent).

Figure 18: The effect on the detection rate of increasing the number of hidden layers in DNN (x-axis: number of hidden layers; y-axis: detection rate; series: our scheme, StegTorrent).

Security and Communication Networks 11

6. Conclusions

BitTorrent file sharing, the protocol of P2P, is a steganographic carrier with high covertness, which has massive network traffic and a complex communication mechanism. The steganographic peers are confused with numerous legitimate BT peers owing to the cooperative transmission in the P2P network. Thus, it is extremely difficult to locate steganographic peers in the tremendous BT traffic. The steganographic peers disguise themselves as legitimate BT clients who are interested in possessing the common video file. They participate in downloading the same resource, following the normal BT communication mode without introducing any extra traffic. Taking advantage of the non-content-authentication mechanism of the Bitfield message, the secret information is embedded into the content of <bitfield> according to the given format. The altered Bitfield message can bypass the security censorship of the BT system and network monitor device. Hence, our scheme has proved better undetectability and robustness than the current methods. In future work, another BitTorrent-based steganographic algorithm will be designed and researched, in which the tradeoff between the number of steganographic peers and system overhead will be taken into consideration. Then, the optimal steganographic mode can be analyzed and selected.

Figure 19: The comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysis methods (classifiers: deep neural network, Naive Bayes, logistic regression, random forest, support vector machine; y-axis: detection rate; bar labels: StegTorrent 98, 97, 95, 93, 92; our scheme 43, 39, 30, 27, 24).

Figure 20: The comparison of BERs between our scheme and StegTorrent under different rates of packet loss/disorder (x-axis: packet disorder/loss rate (%); y-axis: BER; series: our scheme-pl, StegTorrent-pl, StegTorrent-pd, our scheme-pd).

Figure 21: Capacity of the proposed scheme under different numbers of steganographic peers (x-axis: number of peers; y-axis: capacity (B/P), ×10^3; series: L = 100, L = 400, L = 800, L = 1200).

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, “Verifiable computation over large database with incremental updates,” IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, “Faster-RCNN based robust coverless information hiding system in cloud environment,” IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, “Coverless image steganography using partial-duplicate image retrieval,” Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, “Survey on covert storage channel in computer network protocols: detection and mitigation techniques,” International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, “An improved method in deep packet inspection based on regular expression,” The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, “Evaluation of steganographic methods for oversized IP packets,” Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, “A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU,” The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, “IP covert timing channels: design and detection,” in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, “Implementing a passive network covert timing channel,” Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, “Minority oversampling for imbalanced ordinal regression,” Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, “Model based covert timing channels: automated modeling and evasion,” Lecture Notes in Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, “Network covert timing channel with distribution matching,” Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, “Building covert timing channels by packet rearrangement over mobile networks,” Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, “A packet-reordering covert channel over VoLTE voice and video traffics,” Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, “Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC,” IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, “Robust network covert communications based on TCP and enumerative combinatorics,” IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, “Design and performance evaluation of a covert timing channel,” Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, “CoCo: coding-based covert timing channels for network flows,” in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, “A covert timing channel based on fountain codes,” in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, “Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding,” IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, “Research on the hidden anonymous communication system based on P2P,” M.S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, “SkyDe: a skype-based steganographic method,” International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, “Fast mode decision using inter-view and inter-component correlations for multiview depth video coding,” IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.

[24] J. Lv, C. Zhu, S. Tang, and C. Yang, “Deepflow: hiding anonymous communication traffic in P2P streaming networks,” Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, “StegTorrent: a steganographic method for the P2P file sharing service,” IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, “An entropy-based approach to detecting covert timing channels,” IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, “Cyberspace security for future Internet,” Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, “A novel online incremental and decremental learning algorithm based on variable support vector machine,” Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, “The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier,” Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, “Using hierarchical statistical analysis and deep neural networks to detect covert timing channels,” Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.


undetectability and robustness will not be affected by the number of steganographic peers, only the mode of Single-Link Steg is considered in the corresponding experiment.

5.2. Undetectability. As the core property, undetectability means that the covert traffic cannot be differentiated from the normal one, which depends entirely on the similarity between the two. Therefore, in order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. In the experiment, normal traffic of downloading general video files in BT clients (BitTorrent, μTorrent, and Vuze) is captured by Wireshark. Then, the lengths of <bitfield> in bitfield messages are extracted to form the normal samples. The number of normal and steganography samples is 20000. In the following, statistical and machine learning-based steganalysis are utilized to detect our proposed scheme, respectively.

5.2.1. Statistical-Based Steganalysis. Statistical-based steganalysis is the most common and popular method to detect potential covert traffic, in which statistical properties such as traffic regularity or distribution function are exploited to distinguish the normal and covert traffic. As we know, the histogram is a significant property that can reveal the statistical distribution feature of traffic. Therefore, the histograms of normal and covert traffic of our scheme are compared in Figure 11, where the x-axis shows the field length of <bitfield>, ranging from 0 to 2500 Bytes, and the y-axis indicates the number of lengths that occurred within each bin (the x-axis is divided into eight bins). As shown in the figure, the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, with a peak value of 1000 Bytes. It is obvious that the histogram of our scheme matches the normal one quite well. The file size, which is calculated, is approximately 49GB, corresponding to the maximum <bitfield> length of 2500 Bytes.

Meanwhile, two notable detection methods, the Entropy test [26] and the Kolmogorov–Smirnov test [27], are employed to quantify the detection resistance of our scheme compared with StegTorrent [25]. The normal and covert samples are both divided into 20 consecutive windows whose size is 1000. A certain statistical feature of each window is calculated and used during the detection process, as depicted in Figure 12.

(1) Entropy Test. Entropy can describe the degree of chaos in a process. In the Entropy test (EN-test), it is utilized to measure the regularity of data traffic [26]. If the traffic is less regular, the Entropy value will be larger, and vice versa. Since less regularity indicates more randomness, a larger amount of information is contained in the traffic. The Entropy value is obtained by calculating the statistical average of all possible self-information, which is denoted in

$$H(X) = E[I(x_i)] = -\sum_{i=1}^{n} p(x_i)\log p(x_i), \tag{3}$$

where $X$ represents a one-dimensional discrete random variable whose set of values is $\Omega = \{x_i \mid i = 1, 2, \ldots, n\}$. The self-information of $x_i$ is $I(x_i)$, and the probability of $x_i$ is denoted as $p(x_i) = P\{X = x_i\}$. The Entropy values of 20 windows for normal and covert samples are compared in Figure 13. From the result, it can be found that most Entropy values of normal samples range approximately from 0.5 to 1.3, whereas those of the covert samples generated by StegTorrent are from 0.8 to 1.5. But the values of our scheme mix with those of the normal samples, which can hardly be differentiated.

Figure 10: Bitfield message under Multi-Link Steg mode: (a) <Steganographic Peer1>; (b) <Steganographic Peer2> (fields shown: Mode, S_len, Index, Secret_info).

Figure 11: The comparison of histograms between normal and steganographic <bitfield> lengths of our scheme (x-axis: length (Bytes); y-axis: number; series: normal traffic, our scheme).

Then, 20 windows of normal and covert samples are tested using the Entropy test, respectively, when the window size is 1000. The results are presented in Table 2, where the detection threshold is denoted as THD. It is observed that the false-negative rate of normal samples declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. We can see that the detection rate of StegTorrent ranges from 91% to 98%, while that of our scheme is only below 7%. Hence, the Entropy test fails to distinguish the covert samples of our scheme from the normal ones.

(2) Kolmogorov–Smirnov Test. The K-S test [27] measures the maximum distance between two distributions. A small value indicates that the two distributions are close to each other. Conversely, a large value means that one distribution does not fit the other one. The Kolmogorov–Smirnov test value (KS-test value) is attained by taking the supremum of the absolute difference between two empirical distribution functions for all x, which can be defined in

$$\mathrm{KSTEST} = \sup \lvert S_1(x) - S_2(x) \rvert, \tag{4}$$

where $S_1(x)$ and $S_2(x)$ refer to the empirical distribution functions of two samples. The comparison of KS-test values between the normal and covert samples is shown in Figure 14. Likewise, 20 windows of normal and covert samples are tested in the experiment. The x-axis is the window number, and the y-axis shows the corresponding KS-test value. It is observed that the KS-test values of our scheme are under 0.15, confused with those of the normal traffic. Thus, the distribution of our scheme is close to that of the normal one. Nevertheless, the corresponding values of StegTorrent occur from 0.15 to 0.25, which deviates from the normal case.

Then, the covert traffic is detected using the K-S test, and the detection results are shown in Table 3, where the detection threshold is denoted by THD. It is observed that the false negative (FN) rate of the normal traffic declines when the threshold increases. FN refers to the normal sample which is misclassified as the covert one. Hence, the detection threshold is set appropriately from 0.13 to 0.15 in order to guarantee that the false-negative rate remains under 1%. Meanwhile, the true positive (TP) rates of covert samples are presented in the table. In this paper, the detection rate is represented by TP. From the results, it is easily seen that the detection rate of StegTorrent is more than 92% when tested with different thresholds. But in our case, it is located under 3%, indicating that the Kolmogorov–Smirnov test cannot effectively detect the covert traffic generated by our scheme.
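The windowed EN-test and K-S test described above, as an added Python example (not code from the paper): it computes both statistics for each window of 1000 <bitfield> lengths and compares them with thresholds taken from Tables 2 and 3. The reuse of the eight-bin histogram over 0 to 2500 Bytes for the entropy, the natural logarithm, the rule that a statistic above THD means covert, and the three constructed length patterns are assumptions of this example.

```python
import math
from collections import Counter

# Assumptions of this example (not stated for the tests on the page):
# eight equal-width bins over 0..2500 Bytes, natural logarithm,
# and "statistic > THD" is reported as covert.
BINS, MAX_LEN = 8, 2500


def window_entropy(lengths, bins=BINS, max_len=MAX_LEN):
    """EN-test statistic, equation (3), over binned <bitfield> lengths."""
    width = max_len / bins
    counts = Counter(min(int(l / width), bins - 1) for l in lengths)
    n = len(lengths)
    return -sum(c / n * math.log(c / n) for c in counts.values())


def ks_statistic(sample, reference):
    """Equation (4): sup |S1(x) - S2(x)| of the two empirical distributions."""
    a, b = sorted(sample), sorted(reference)
    i = j = 0
    d = 0.0
    while i < len(a) and j < len(b):
        x = min(a[i], b[j])
        # Consume ties so both distribution functions are evaluated at x.
        while i < len(a) and a[i] == x:
            i += 1
        while j < len(b) and b[j] == x:
            j += 1
        d = max(d, abs(i / len(a) - j / len(b)))
    return d


def scan(stream, reference, window=1000, thd_en=0.98, thd_ks=0.14):
    """Cut the stream into consecutive windows and apply both tests."""
    results = []
    starts = range(0, len(stream) - window + 1, window)
    for k, start in enumerate(starts, 1):
        w = stream[start:start + window]
        h, d = window_entropy(w), ks_statistic(w, reference)
        results.append({"window": k, "entropy": h, "ks": d,
                        "en_flag": h > thd_en, "ks_flag": d > thd_ks})
    return results


def flagged_rate(results, key):
    """Share of windows reported as covert by one of the two tests."""
    return sum(r[key] for r in results) / len(results)


# Constructed sample data (not from the paper's capture), ten lengths each:
NORMAL = [1000, 950, 1050, 900, 1100, 1000, 850, 1150, 1000, 400]
IRREGULAR = [1000, 300, 1700, 700, 1300, 1000, 2100, 500, 900, 1500]
CLOSE = [1000, 960, 1040, 900, 1100, 1010, 850, 1150, 990, 400]

REFERENCE = NORMAL * 100                       # known-normal baseline
STREAM = NORMAL * 100 + IRREGULAR * 100 + CLOSE * 100   # three windows

if __name__ == "__main__":
    for r in scan(STREAM, REFERENCE):
        print("window %d  H=%.4f  KS=%.2f  EN:%s  KS:%s" % (
            r["window"], r["entropy"], r["ks"],
            "covert" if r["en_flag"] else "normal",
            "covert" if r["ks_flag"] else "normal"))
```

Only the second window is reported by either test; the third, whose length distribution stays close to the reference, is not, which is the blind spot of length-distribution statistics that the results above describe.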

Figure 12: Block diagram of the statistical-based detection process (normal traffic and covert traffic; data preprocessing: <Bitfield> lengths extract, window size filter; statistical feature calculating; detection threshold setting; detection result: 1 steg, 0 normal).

Figure 13: The comparison of Entropy values between normal and covert samples (x-axis: window number; y-axis: Entropy value; series: normal traffic, our scheme, StegTorrent).

Table 2: The detection result of the Entropy test under different thresholds.

| Detection result | TP (%), THD = 0.95 | FN (%), THD = 0.95 | TP (%), THD = 0.98 | FN (%), THD = 0.98 | TP (%), THD = 1.03 | FN (%), THD = 1.03 |
|---|---|---|---|---|---|---|
| Our scheme | 0.07 | 0.09 | 0.04 | 0.07 | 0.02 | 0.04 |
| StegTorrent | 0.98 | 0.09 | 0.92 | 0.07 | 0.91 | 0.04 |

5.2.2. Machine Learning-Based Steganalysis. Recently, the machine learning technique performs quite well in resolving complex problems in various domains. In particular, it has progressively become a novel and effective means of detecting covert channels. In machine learning-based steganalysis, various statistical metrics (features) of normal and covert samples are utilized by classifier models, which are eventually trained to distinguish covert traffic. The classifiers used in machine learning-based detection mainly include SVM, Neural Network, Logistic Regression, Naive Bayes, Random Forest, and Deep Neural Network [28–30]. In this paper, Deep Neural Network (DNN) is principally employed to further estimate the undetectability of our scheme compared with StegTorrent.

(1) Detection Process. The proposed scheme is detected using DNN by the following steps, as depicted in Figure 15:

Step 1: Network traffic of downloading general video files in BT clients is captured by Wireshark. Then, the lengths of <bitfield> are extracted to form the normal or covert samples, whose size is 5000000, respectively. The samples are divided into 10000 subsamples, each containing 500 lengths.

Step 2: For each subsample, values of five statistical features, including mean, median, entropy, standard deviation, and root of average mean error, are calculated as described in Table 4. The data set of statistical features contains two types of samples, which are the normal and covert ones. It will then be used for training or testing in the classifier.

Step 3: The data set is divided into two parts, 70% of which is used for training in the DNN classifier model and 30% of which is used for testing. The normal traffic is labeled “0” and the covert one is labeled “1.” After training the DNN classifier, it can be exploited to detect the covert traffic online.
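Steps 1 to 3 as an added Python example (not the authors' code): it cuts two length streams into 500-length subsamples, computes the five Table 4 features for each, labels the rows 0 or 1, and makes the 70/30 split. The two streams are constructed, and the median rule for even n and the shuffle before splitting are assumptions of this example.

```python
import math
import random
from collections import Counter


def table4_features(sub):
    """Return [x1, x2, x3, x4, x5] of Table 4 for one subsample of lengths."""
    n = len(sub)
    mu = sum(sub) / n                                   # x1: mean
    s = sorted(sub)
    # x2: Table 4 gives l_((n+1)/2), which needs odd n. For even n (such as
    # 500) this example averages the two middle values (assumption).
    median = s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2
    # x3: entropy over the empirical probability of each distinct length.
    entropy = -sum(c / n * math.log(c / n) for c in Counter(sub).values())
    # x4: sqrt(sum (1/n) * (l_i^2 - mu^2)); clamp tiny negative rounding error.
    sigma = math.sqrt(max(sum(l * l - mu * mu for l in sub) / n, 0.0))
    # x5: sqrt(sum |l_i - mu| / n).
    rame = math.sqrt(sum(abs(l - mu) for l in sub) / n)
    return [mu, median, entropy, sigma, rame]


def build_dataset(normal, covert, sub_size=500):
    """Step 1 and 2: subsample both streams and attach labels 0 / 1."""
    rows = []
    for label, stream in ((0, normal), (1, covert)):
        for start in range(0, len(stream) - sub_size + 1, sub_size):
            sub = stream[start:start + sub_size]
            rows.append((table4_features(sub), label))
    return rows


def split(rows, train_pct=70, seed=0):
    """Step 3: shuffled 70/30 split (the shuffle is an assumption)."""
    rows = rows[:]
    random.Random(seed).shuffle(rows)
    cut = len(rows) * train_pct // 100
    return rows[:cut], rows[cut:]


def class_means(rows, label):
    """Per-feature mean over all rows of one class, to see what separates."""
    sel = [f for f, y in rows if y == label]
    return [sum(col) / len(sel) for col in zip(*sel)]


# Constructed streams (not captured traffic): 5000 lengths each, so ten
# subsamples per class. Both share the same mean, median and entropy.
NORMAL_STREAM = [1000, 950, 1050, 900, 1100] * 1000
LABEL1_STREAM = [1000, 300, 1700, 700, 1300] * 1000

if __name__ == "__main__":
    rows = build_dataset(NORMAL_STREAM, LABEL1_STREAM)
    train, test = split(rows)
    print("rows:", len(rows), "train:", len(train), "test:", len(test))
    names = ["mean", "median", "entropy", "sigma", "RAME"]
    for name, a, b in zip(names, class_means(rows, 0), class_means(rows, 1)):
        print("%-8s label0=%10.4f  label1=%10.4f" % (name, a, b))
```

On this constructed data only the standard deviation and RAME differ between the two classes, which shows why the feature vector carries several statistics rather than the mean or entropy alone.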

The structure of DNN is shown in Figure 16. In the input layer, 5 statistical features are fed to DNN as the input variables. In the hidden layers, each layer consists of a number of neurons involved in the prediction phase. Each neuron adjusts its weight based on the learning process and participates in calculating the coefficients of the final equations, which will be used to determine the class label (normal or covert) of tested samples. The output layer is responsible for determining the predicted value of the class label.

(2) Detection Result. Figure 17 depicts the effect on the detection rate of covert samples when increasing the number of neurons inside the DNN hidden layers. It can be noted that the detection rate improves as the number of neurons increases until it reaches 13, where the highest rate of 37% is achieved in detecting our proposed scheme. Nevertheless, at most 96% of StegTorrent is differentiated successfully by the DNN classifier.

Subsequently, the effect on the detection rate of increasing the number of hidden layers in DNN is shown in Figure 18. It is observed that the detection rate also increases with the number of hidden layers until reaching a certain level. The rate declines after the peak value since the classifier model is overfitted. It is easily found that 43% of covert samples of our scheme are detected when the number of hidden layers is 5, while the detection rate of StegTorrent reaches above 97% under the same circumstances.

Finally, the proposed scheme is tested by other machine learning-based detection methods, such as SVM, Logistic Regression, Naive Bayes, and Random Forest. The detection rates of our scheme and StegTorrent are compared in Figure 19. It is observed that 24% to 43% of our scheme is detected by different classifiers, while the detection rates of StegTorrent appear from 92% to 98%. It is clearly noticeable that the proposed scheme has outperformed StegTorrent by obtaining a lower detection rate. Therefore, it can be concluded that our scheme possesses better undetectability than the existing method.

5.3. Robustness. Robustness requires the covert channel to keep working with relatively high accuracy and low bit error rate (BER), resisting the perturbation of network noise, such as network jitter and packet disorder and loss. In the experiment, the robustness of our proposed scheme is measured considering packet loss (pl) and packet disorder (pd). The BERs of the proposed scheme are compared with those of StegTorrent in terms of different rates of packet disorder/loss, as given in Figure 20. It is obvious that the secret information of our scheme can be accurately obtained under different rates of packet loss or disorder. However, the BER of StegTorrent increases with the increment of the packet loss/disorder rate. The BER of StegTorrent reaches up to 11% when 20% of packets are lost, which will degrade the reliability of covert communication in StegTorrent.

Table 3: The detection result of the Kolmogorov–Smirnov test under different thresholds.

| Detection result | TP (%), THD = 0.13 | FN (%), THD = 0.13 | TP (%), THD = 0.14 | FN (%), THD = 0.14 | TP (%), THD = 0.15 | FN (%), THD = 0.15 |
|---|---|---|---|---|---|---|
| Our scheme | 0.03 | 0.01 | 0.01 | 0.00 | 0.00 | 0.00 |
| StegTorrent | 0.99 | 0.01 | 0.95 | 0.00 | 0.92 | 0.00 |

Figure 14: The comparison of KS-test values between normal and covert samples (x-axis: window number; y-axis: KS-test value; series: normal traffic, our scheme, StegTorrent).


[29] Y Chen W Xu J Zuo and K Yang ldquoe fire recognitionalgorithm using dynamic feature fusion and IV-SVM clas-sifierrdquo Cluster Computing vol 22 no 10 pp 7665ndash76752019

[30] D Omar A-F Ala B B Ghassen and J Ilyes ldquoUsing hi-erarchical statistical analysis and deep neural networks todetect covert timing channelsrdquo Applied Soft ComputingJournal vol 82 Article ID 105546 2019

14 Security and Communication Networks

Page 9: A Multimode Network Steganography for Covert Wireless ...downloads.hindawi.com/journals/scn/2020/8848315.pdf · steganography subfield. Under this background, recent network steganography

self-information of $x_i$ is $I(x_i)$, and the probability of $x_i$ is denoted as $p(x_i) = P\{X = x_i\}$. The Entropy values of 20 windows for normal and covert samples are compared in Figure 13. From the result, it can be found that most Entropy values of normal samples range approximately from 0.5 to 1.3, whereas those of the covert samples generated by StegTorrent are from 0.8 to 1.5. But the values of our scheme mix with those of the normal samples, which can hardly be differentiated.

Then 20 windows of normal and covert samples are tested using the Entropy test, respectively, when the window size is 1000. The results are presented in Table 2, where the detection threshold is denoted as THD. It is observed that the false-negative rate of normal samples declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. And we can see the detection rate of StegTorrent ranges from 91% to 98%, while that of our scheme is only below 7%. Hence, the Entropy test fails to distinguish the covert samples of our scheme from the normal one.

(2) Kolmogorov–Smirnov Test. K-S test [27] measures the maximum distance between two distributions. A small value indicates that two distributions are close to each other. Conversely, a large value means that one distribution does not fit the other one. The Kolmogorov-Smirnov test value (KS-test value) is attained by taking the supremum of the absolute difference between two empirical distribution functions for all x, which can be defined in

$$\mathrm{KSTEST} = \sup_{x} \left| S_1(x) - S_2(x) \right|, \quad (4)$$

where $S_1(x)$ and $S_2(x)$ refer to the empirical distribution functions of two samples. The comparison of KS-test values between the normal and covert samples is shown in Figure 14. Likewise, 20 windows of normal and covert samples are tested in the experiment. The x-axis is the window number and the y-axis shows the corresponding KS-test value. It is observed that the KS-test values of our scheme are under 0.15, confused with those of the normal traffic. Thus, the distribution of our scheme is close to that of the normal one. Nevertheless, the corresponding values of StegTorrent occur from 0.15 to 0.25, which is deviated from the normal case.

Then the covert traffic is detected using the K-S test, and the detection results are shown in Table 3, where the detection threshold is denoted by THD. It is observed that the false negative (FN) rate of the normal traffic declines when the threshold increases. FN refers to the normal sample which is misclassified as the covert one. Hence, the detection threshold is set appropriately from 0.13 to 0.15 in order to guarantee that the false-negative rate remains under 1%. Meanwhile, the true positive (TP) rates of covert samples are presented in the table. In this paper, the detection rate is represented by TP. From the results, it is easily seen that the detection rate of StegTorrent is more than 92% when tested with different thresholds. But in our case, it is located under 3%, indicating that the Kolmogorov–Smirnov test cannot effectively detect the covert traffic generated by our scheme.

Figure 12: Block diagram of the statistical-based detection process. (Block labels: normal traffic; covert traffic; data preprocessing; <Bitfield> lengths extract; window size filter; statistical feature calculating; detection threshold setting; detection result, 1: steg, 0: normal.)

Figure 13: The comparison of Entropy values between normal and covert samples. (x-axis: window number; y-axis: Entropy value; series: normal traffic, our scheme, StegTorrent.)

Table 2: The detection result of the Entropy test under different thresholds.

| Detection result | THD = 0.95, TP (%) | THD = 0.95, FN (%) | THD = 0.98, TP (%) | THD = 0.98, FN (%) | THD = 1.03, TP (%) | THD = 1.03, FN (%) |
|---|---|---|---|---|---|---|
| Our scheme | 0.07 | 0.09 | 0.04 | 0.07 | 0.02 | 0.04 |
| StegTorrent | 0.98 | 0.09 | 0.92 | 0.07 | 0.91 | 0.04 |


5.2.2. Machine Learning-Based Steganalysis. Recently, the machine learning technique performs quite well in resolving complex problems in various domains. In particular, it has progressively become a novel and effective means of detecting covert channels. In machine learning-based steganalysis, various statistical metrics (features) of normal and covert samples are utilized by classifier models, which are eventually trained to distinguish covert traffic. The classifiers used in machine learning-based detection mainly include SVM, Neural Network, Logistic Regression, Naive Bayes, Random Forest, and Deep Neural Network [28–30]. In this paper, Deep Neural Network (DNN) is principally employed to further estimate the undetectability of our scheme compared with StegTorrent.

(1) Detection Process. The proposed scheme is detected using DNN by the following steps, as depicted in Figure 15.

Step 1. Network traffic of downloading general video files in BT clients is captured by Wireshark. Then the lengths of <bitfield> are extracted to form the normal or covert samples, whose size is 5000000, respectively. The samples are divided into 10000 subsamples, each containing 500 lengths.

Step 2. For each subsample, values of five statistical features, including mean, median, entropy, standard deviation, and root of average mean error, are calculated as described in Table 4. The data set of statistical features contains two types of samples, which are the normal and covert ones. It will be then used for training or testing in the classifier.

Step 3. The data set is divided into two parts, 70% of which is used for training in the DNN classifier model and 30% of which is used for testing. The normal traffic is labeled "0" and the covert one is labeled "1". After training the DNN classifier, it can be exploited to detect the covert traffic online.

The structure of DNN is shown in Figure 16. In the input layers, 5 statistical features are fed to DNN as the input variables. In the hidden layers, each layer consists of a number of neurons involved in the prediction phase. Each neuron adjusts its weight based on the learning process and participates in calculating the coefficients of the final equations, which will be used to determine the class label (normal or covert) of tested samples. The output layer is responsible for determining the predicted value of the class label.

(2) Detection Result. Figure 17 depicts the effect on the detection rate of covert samples when increasing the number of neurons inside the DNN hidden layers. It can be noted that the detection rate improves as the number of neurons increases until it reaches 13, where the highest rate of 37% is achieved in detecting our proposed scheme. Nevertheless, at most 96% of StegTorrent is differentiated successfully by the DNN classifier.

Subsequently, the effect on the detection rate of increasing the number of hidden layers in DNN is shown in Figure 18. It is observed that the detection rate also increases with the increment of hidden layers until reaching a certain level. And the rate declines after the peak value since the classifier model is overfitted. It is easily found that 43% of covert samples of our scheme are detected when the number of hidden layers is 5, while the detection rate of StegTorrent reaches above 97% under the same circumstances.

Finally, the proposed scheme is tested by other machine learning-based detection methods, such as SVM, Logistic Regression, Naive Bayes, and Random Forest. And the detection rates of our scheme and StegTorrent are compared in Figure 19. It is observed that 24% to 43% of our scheme is detected by different classifiers, while the detection rates of StegTorrent appear from 92% to 98%. It is clearly noticeable that the proposed scheme has outperformed StegTorrent by obtaining a lower degree of detection rate. Therefore, it can be concluded that our scheme possesses better undetectability than the existing method.
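The following Python code is an added example, not code from the paper or its authors. It computes the five Table 4 features for a window of <bitfield> lengths and the KS-test value of Equation (4), then labels each window 1 or 0 against a threshold THD, as a monitor applying the statistical detection of Section 5.2 would. The sample lengths are constructed, and the natural-log base, the even-length median, summing entropy over distinct lengths and comparing every window against one fixed normal baseline are assumptions.

```python
import math
from bisect import bisect_right
from collections import Counter
from statistics import median


def entropy(lengths):
    """Entropy of the empirical length distribution.

    Assumption: summed over distinct lengths, natural logarithm.
    """
    n = len(lengths)
    return -sum((c / n) * math.log(c / n) for c in Counter(lengths).values())


def table4_features(lengths):
    """Return (x1, x2, x3, x4, x5) for one subsample, following Table 4."""
    n = len(lengths)
    mu = sum(lengths) / n                                  # x1: mean
    med = median(lengths)                                  # x2: median (assumption:
    #                                                        middle pair averaged for even n)
    ent = entropy(lengths)                                 # x3: entropy
    var = sum((l * l - mu * mu) / n for l in lengths)
    sigma = math.sqrt(max(var, 0.0))                       # x4: guard tiny negative rounding
    rame = math.sqrt(sum(abs(l - mu) for l in lengths) / n)  # x5: RAME
    return (mu, med, ent, sigma, rame)


def ks_statistic(sample1, sample2):
    """KS-test value: sup over x of |S1(x) - S2(x)| for two empirical CDFs."""
    s1, s2 = sorted(sample1), sorted(sample2)
    points = sorted(set(s1) | set(s2))     # the supremum is reached at a sample point
    return max(
        abs(bisect_right(s1, x) / len(s1) - bisect_right(s2, x) / len(s2))
        for x in points
    )


def windows(lengths, size):
    """Split a length sequence into non-overlapping windows; drop a short tail."""
    return [lengths[i:i + size] for i in range(0, len(lengths) - size + 1, size)]


def ks_flags(baseline, observed, size, thd):
    """Label each window: 1 = flagged as covert, 0 = normal (labels as in Step 3)."""
    return [1 if ks_statistic(baseline, w) > thd else 0
            for w in windows(observed, size)]


# Constructed sample data (not taken from the paper's capture).
# BASELINE and BENIGN spread lengths over 800..1199 bytes, the range the page
# gives for most normal <bitfield> lengths; SHIFTED moves them up by 200 bytes.
BASELINE = [800 + (37 * i) % 400 for i in range(1000)]
BENIGN = [800 + (91 * i) % 400 for i in range(500)]
SHIFTED = [1000 + (91 * i) % 400 for i in range(500)]
OBSERVED = BENIGN + SHIFTED

if __name__ == "__main__":
    for idx, win in enumerate(windows(OBSERVED, 500)):
        feats = [round(v, 3) for v in table4_features(win)]
        print(idx, feats, round(ks_statistic(BASELINE, win), 3))
    # THD = 0.15 is the largest KS threshold listed in Table 3.
    print(ks_flags(BASELINE, OBSERVED, 500, 0.15))
```

The feature tuple is what Step 2 feeds to a classifier; the flags correspond to the threshold test whose TP and FN rates Tables 2 and 3 report.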

Table 3: The detection result of the Kolmogorov-Smirnov test under different thresholds.

| Detection result | THD = 0.13, TP (%) | THD = 0.13, FN (%) | THD = 0.14, TP (%) | THD = 0.14, FN (%) | THD = 0.15, TP (%) | THD = 0.15, FN (%) |
|---|---|---|---|---|---|---|
| Our scheme | 0.03 | 0.01 | 0.01 | 0.00 | 0.00 | 0.00 |
| StegTorrent | 0.99 | 0.01 | 0.95 | 0.00 | 0.92 | 0.00 |

Figure 14: The comparison of KS-test values between normal and covert samples. (x-axis: window number; y-axis: KS-test value; series: normal traffic, our scheme, StegTorrent.)

5.3. Robustness. Robustness requires the covert channel to keep working with relatively high accuracy and low bit error rate (BER), resisting the perturbation of network noise such as network jitter and packet disorder and loss. In the experiment, the robustness of our proposed scheme is measured considering packet loss (pl) and packet disorder (pd). The BERs of the proposed scheme are compared with those of StegTorrent in terms of different rates of packet disorder/loss, as given in Figure 20. It is obvious that the secret information of our scheme can be accurately obtained under different rates of packet loss or disorder. However, the BER of StegTorrent increases with the increment of packet loss/disorder rate. The BER of StegTorrent reaches up to 11% when 20% of packets are lost, which will degrade the reliability of covert communication in StegTorrent.

On the one hand, the good performance in resisting packet loss and disorder of our scheme is due to the TCP reliable transmission mechanism of normal BT traffic, which serves as the carrier of our steganography. Therefore, the proposed method is noise-tolerant. On the other hand, packet loss or disorder alters the packet-arriving order in StegTorrent, which will lead to the misrecovery of secret data on the receiver side. Hence, we can conclude that our scheme is superior to StegTorrent in respect to robustness.

Figure 15: Detection process of DNN. (Block labels: network traffic; sample acquisition; data preprocessing; feature extraction; machine learning; <DNN> classifier training/testing; output "1" covert, "0" normal.)

Table 4: Definitions of the statistical features.

| Input variable | Feature | Formula | Explanation |
|---|---|---|---|
| x1 | Mean | $\mu = (1/n) \times \sum_{i=1}^{n} l_i$ | $l_i$ is the length of <bitfield>; $n$ is the subsample size |
| x2 | Median | $l_{(n+1)/2}$ | Where the lengths are sorted in ascending order |
| x3 | Entropy | $-\sum_{i=1}^{n} p(l_i) \log p(l_i)$ | $p(l_i)$ is the probability of length $l_i$ |
| x4 | Standard deviation | $\sigma = \sqrt{\sum_{i=1}^{n} (1/n) \times (l_i^2 - \mu^2)}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |
| x5 | Root of average mean error | $\mathrm{RAME} = \sqrt{\sum_{i=1}^{n} \lvert l_i - \mu \rvert / n}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |

Figure 16: The structure of DNN. (Input layer: x1 to x5; hidden layers: H1, H2, ..., Hk; output layer: y, with 1 = covert and 0 = normal.)

Figure 17: The effect on the detection rate of increasing the number of neurons inside the DNN 3-hidden layers. (x-axis: number of neurons; y-axis: detection rate; series: our scheme, StegTorrent.)

Figure 18: The effect on the detection rate of increasing the number of hidden layers in DNN. (x-axis: number of hidden layers; y-axis: detection rate; series: our scheme, StegTorrent.)

5.4. Capacity. Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or packet. In other words, capacity refers to the transfer rate of secret information. It is closely related to the bandwidth of normal carrier and the steganographic modulation algorithms. As revealed in Figure 21, the field length of <bitfield> ranges from 0 to 2500 Bytes in normal BT communication, which means that the maximum capacity of Single-Link Steg is 2500 BP. Meanwhile, in Multi-Link Steg, the capacity will increase linearly with the number of steganographic peers, which is shown in Figure 21. Since the field length of normal <bitfield> occurs most between 800 and 1200 Bytes, as mentioned above, the secret data of a certain size (L) is transmitted by each peer engaged in the steganography. It is found that when 64 peers transfer the secret information concurrently, the capacity reaches up to 76800 BP.

However, more peers might increase the overhead of system resources and the complexity of the steganographic control mechanism, which will make the scheme more difficult to implement. Thus, the tradeoff between the number of steganographic peers and system overhead will be taken into consideration in future research. And then the capacity of Multi-Link Steg mode can be analyzed under the optimal number of steganographic peers.

Figure 19: The comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysis methods. (Classifiers: deep neural network, Naive Bayes, logistic regression, random forest, support vector machine; y-axis: detection rate; bar value labels as extracted: StegTorrent 98, 97, 95, 93, 92; our scheme 43, 39, 30, 27, 24.)

Figure 20: The comparison of BERs between our scheme and StegTorrent under different rates of packet loss/disorder. (x-axis: packet disorder/loss rate (%); y-axis: BER; series: our scheme-pl, StegTorrent-pl, StegTorrent-pd, our scheme-pd.)

Figure 21: Capacity of the proposed scheme under different numbers of steganographic peers. (x-axis: number of peers; y-axis: capacity (BP), ×10^3; series: L = 100, L = 400, L = 800, L = 1200.)

6. Conclusions

BitTorrent file sharing, the protocol of P2P, is a steganographic carrier with high covertness, which has massive network traffic and complex communication mechanism. The steganographic peers are confused with numerous legitimate BT peers owing to the cooperative transmission in the P2P network. Thus, it is extremely difficult to locate steganographic peers in the tremendous BT traffic. The steganographic peers disguise as the legitimate BT clients who are interested in possessing the common video file. They participate in downloading the same resource following the normal BT communication mode without introducing any extra traffic. Taking advantage of the non-content-authentication mechanism of Bitfield message, the secret information is embedded into the content of <bitfield> according to the given format. The altered Bitfield message can bypass the security censorship of the BT system and network monitor device. Hence, our scheme has proved better undetectability and robustness than the current methods. In the future work, another BitTorrent-based steganographic algorithm will be designed and researched, in which the tradeoff between the numbers of steganographic peers and system overhead will be taken into consideration. And then the optimal steganographic mode can be analyzed and selected.

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, "Verifiable computation over large database with incremental updates," IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, "Faster-RCNN based robust coverless information hiding system in cloud environment," IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, "Coverless image steganography using partial-duplicate image retrieval," Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, "Survey on covert storage channel in computer network protocols: detection and mitigation techniques," International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, "An improved method in deep packet inspection based on regular expression," The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, "Evaluation of steganographic methods for oversized IP packets," Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, "A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU," The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, "IP covert timing channels: design and detection," in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, "Implementing a passive network covert timing channel," Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, "Minority oversampling for imbalanced ordinal regression," Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, "Model based covert timing channels: automated modeling and evasion," Lecture Notes in Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, "Network covert timing channel with distribution matching," Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, "Building covert timing channels by packet rearrangement over mobile networks," Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, "A packet-reordering covert channel over VoLTE voice and video traffics," Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, "Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC," IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, "Robust network covert communications based on TCP and enumerative combinatorics," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, "Design and performance evaluation of a covert timing channel," Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, "CoCo: coding-based covert timing channels for network flows," in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, "A covert timing channel based on fountain codes," in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, "Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding," IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, "Research on the hidden anonymous communication system based on P2P," M.S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, "SkyDe: a skype-based steganographic method," International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, "Fast mode decision using inter-view and inter-component correlations for multiview depth video coding," IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.

[24] J. Lv, C. Zhu, S. Tang, and C. Yang, "Deepflow: hiding anonymous communication traffic in P2P streaming networks," Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, "StegTorrent: a steganographic method for the P2P file sharing service," IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, "An entropy-based approach to detecting covert timing channels," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, "Cyberspace security for future Internet," Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, "A novel online incremental and decremental learning algorithm based on variable support vector machine," Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, "The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier," Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, "Using hierarchical statistical analysis and deep neural networks to detect covert timing channels," Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.

Page 10: A Multimode Network Steganography for Covert Wireless ...downloads.hindawi.com/journals/scn/2020/8848315.pdf · steganography subfield. Under this background, recent network steganography

522 Machine Learning-Based Steganalysis Recently themachine learning technique performs quite well in resolvingcomplex problems in various domains In particular it hasprogressively become a novel and effective means ofdetecting covert channels In machine learning-basedsteganalysis various statistical metrics (features) of normaland covert samples are utilized by classifier models andeventually be trained to distinguish covert traffic eclassifiers used in machine learning-based detection mainlyinclude SVM Neural Network Logistic Regression NaiveBayes Random Forest and Deep Neural Network [28ndash30]In this paper Deep Neural Network (DNN) is principallyemployed to further estimate the undetectability of ourscheme compared with StegTorrent

(1) Detection Process e proposed scheme is detected usingDNN by the following steps as depicted in Figure 15

Step 1 Network traffic of downloading general videofiles in BT clients is captured by Wireshark en thelengths of ltbitfieldgt are extracted to form the normalor covert samples whose size is 5000000 respectivelye samples are divided into 10000 subsamples eachcontaining 500 lengthsStep 2 For each subsample values of five statisticalfeatures including mean median entropy standarddeviation and root of average mean error are calculatedas described in Table 4 e data set of statistical

features contains two types of samples which are thenormal and covert ones It will be then used for trainingor testing in the classifierStep 3 e data set is divided into two parts 70 ofwhich is used for training in the DNN classifier modeland 30 of which is used for testing e normal trafficis labeled ldquo0rdquo and the covert one is labeled ldquo1rdquo Aftertraining the DNN classifier it can be exploited to detectthe covert traffic online

e structure of DNN is shown in Figure 16 In the inputlayers 5 statistical features are fed to DNN as the inputvariables In the hidden layers each layer consists of anumber of neurons involved in the prediction phase Eachneuron adjusts its weight based on the learning process andparticipates in calculating the coefficients of the finalequations which will be used to determine the class label(normal or overt) of tested samples e output layer isresponsible for determining the predicted value of the classlabel

(2) Detection Result Figure 17 depicts the effect on thedetection rate of covert samples when increasing the numberof neurons inside the DNN hidden layers It can be notedthat the detection rate improves as the number of neuronsincreases until it reaches 13 where the highest rate of 37 isachieved in detecting our proposed scheme Nevertheless atmost 96 of StegTorrent is differentiated successfully by theDNN classifier

Subsequently the effect on the detection rate of in-creasing the number of hidden layers in DNN is shown inFigure 18 It is observed that the detection rate also increasesas the increment of hidden layers until reaching a certainlevel And the rate declines after the peak value since theclassifier model is overfitted It is easily found that 43 ofcovert samples of our scheme are detected when the numberof hidden layers is 5 while the detection rate of StegTorrentreaches above 97 under the same circumstances

Finally the proposed scheme is tested by other machinelearning-based detection methods such as SVM LogisticRegression Naive Bayes Random Forest And the detectionrates of our scheme and StegTorrent are compared in Fig-ure 19 It is observed that 24 to 43 of our scheme isdetected by different classifiers while the detection rates ofStegTorrent appear from 92 to 98 It is clearly noticeablethat the proposed scheme has outperformed StegTorrent byobtaining a lower degree of detection rate erefore it canbe concluded that our scheme possesses better undetect-ability than the existing method

53 Robustness Robustness requires the covert channel tokeep working with relatively high accuracy and low bit errorrate (BER) resisting the perturbation of network noise suchas network jitter and packet disorder and loss In the ex-periment the robustness of our proposed scheme is mea-sured considering packet loss (pl) and packet disorder (pd)e BERs of the proposed scheme are compared with thoseof StegTorrent in terms of different rates of packet disorder

Table 3 e detection result of the Kolmogorov-Smirnov testunder different thresholds

Detection result TP()

FN()

TP()

FN()

TP()

FN()

Detectionthreshold THD 013 THD 014 THD 015

Our scheme 003 001 001 000 000 000StegTorrent 099 001 095 000 092 000

Window number0

005

01

015

02

025

03

035

2 4 6 8 10 12 14 16 18 20

KS-te

st va

lue

Normal trafficOur schemeStegTorrent

Figure 14 e comparison of KS-test values between normal andcovert samples

10 Security and Communication Networks

loss as given in Figure 20 It is obvious that the secret in-formation about our scheme can be accurately obtainedunder different rates of packet loss or disorder However theBER of StegTorrent increases with the increment of packetlossdisorder ratee BER of StegTorrent reaches up to 11

when 20 of packets are lost which will degrade the reli-ability of covert communication in StegTorrent

On the one hand the good performance in resistingpacket loss and disorder of our scheme is due to the TCPreliable transmission mechanism of normal BT traffic whichserves as the carrier of our steganography erefore theproposed method is noise-tolerated On the other handpacket loss or disorder alters the packet-arriving order inStegTorrent which will lead to the misrecovery of secret dataon the receiver side Hence we can conclude that ourscheme is superior to StegTorrent in respect to robustness

54Capacity Capacity is the maximum data size that can bereliably transmitted over the covert channel per second orpacket In other words capacity refers to the transfer rate ofsecret information It is closely related to the bandwidth ofnormal carrier and the steganographic modulation algo-rithms As revealed in Figure 21 the field length of ltbitfieldgtranges from 0 to 2500 Bytes in normal BT communication

Sample acquisition

ltDNNgtclassifier

trainingtestingNetwork

traffic

Data Preprocessing

Feature extraction

ldquo1rdquo covert

ldquo0rdquo normal

Machine learning

Figure 15 Detection process of DNN

Table 4 Definitions of the statistical features

Input variable Feature Formula Explanationx1 Mean μ (1n) times 1113936

ni1li li is the length of ltbitfieldgt n is the subsample size

x2 Median l(n+1)2 Where the lengths are sorted in ascending order

x3 Entropy minus1113936ni1p(li)logp(li) p(li) is the probability of length li

x4 Standard deviation σ 1113936

ni1(1n) times (l2i minus μ2)

1113969li is the length of ltbitfieldgt μ is the mean of the lengths

x5 Root of average mean error RAME 1113936

ni1|li minus μ|n

1113969 li is the length of ltbitfieldgt μ is the mean of the lengths

1

0

x1

x2

x3

x4

x5

Inputlayer

Hiddenlayer

Output layer

H1 H2 Hk

Covert

Normal

y

Figure 16 e structure of DNN

0

02

04

06

08

10

1 2 3 4 5 6 13 15 18 21Number of neurons

50 100

Det

ectio

n ra

te

Our schemeStegTorrent

Figure 17 e effect on the detection rate of increasing thenumber of neurons inside the DNN 3-hidden layers

04

05

07

08

1 3 5 7 9Number of hidden layers

15

Our schemeStegTorrent

2003

09

10D

etec

tion

rate

Figure 18 e effect on the detection rate of increasing thenumber of hidden layers in DNN

Security and Communication Networks 11

which means that the maximum capacity of Single-Link Stegis 2500 BP Meanwhile inMulti-Link Steg the capacity willincrease linearly with the number of steganographic peerswhich is shown in Figure 21 Since the field length of normalltbitfieldgt occurs most between 800 and 1200 Bytes asmentioned above the secret data of a certain size (L) istransmitted by each peer engaged in the steganography It isfound that when 64 peers transfer the secret informationconcurrently the capacity reaches up to 76800 BP

However more peers might increase the overhead ofsystem resources and the complexity of the steganographiccontrol mechanism which will make the scheme moredifficult to implement us the tradeoff between thenumber of steganographic peers and system overhead will betaken into consideration in future research And then thecapacity ofMulti-Link Steg mode can be analyzed under theoptimal number of steganographic peers

6. Conclusions

BitTorrent file sharing, the protocol of P2P, is a steganographic carrier with high covertness, which has massive network traffic and a complex communication mechanism. The steganographic peers are confused with numerous legitimate BT peers owing to the cooperative transmission in the P2P network. Thus, it is extremely difficult to locate steganographic peers in the tremendous BT traffic. The steganographic peers disguise themselves as the legitimate BT clients who are interested in possessing the common video file. They participate in downloading the same resource following the normal BT communication mode without introducing any extra traffic. Taking advantage of the non-content-authentication mechanism of Bitfield message, the secret information is embedded into the content of <bitfield> according to the given format. The altered Bitfield message can bypass the security censorship of the BT system and network monitor device. Hence, our scheme has proved better undetectability and robustness than the current methods. In the future work, another BitTorrent-based steganographic algorithm will be designed and researched, in which the tradeoff between the numbers of steganographic peers and system overhead will be taken into consideration. And then the optimal steganographic mode can be analyzed and selected.

Figure 19: The comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysis methods. [Bar chart: detection rate for deep neural network, naive Bayes, logistic regression, random forest, and support vector machine; series StegTorrent and our scheme; bar labels as extracted: 98, 97, 95, 93, 92 and 43, 39, 30, 27, 24.]

Figure 20: The comparison of BERs between our scheme and StegTorrent under different rates of packet loss/disorder. [Plot: BER versus packet disorder/loss rate (%); series Our scheme-pl, StegTorrent-pl, StegTorrent-pd, Our scheme-pd.]

Figure 21: Capacity of the proposed scheme under different numbers of steganographic peers. [Plot: capacity (BP, ×10^3) versus number of peers; series L = 100, L = 400, L = 800, L = 1200.]

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, "Verifiable computation over large database with incremental updates," IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, "Faster-RCNN based robust coverless information hiding system in cloud environment," IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, "Coverless image steganography using partial-duplicate image retrieval," Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, "Survey on covert storage channel in computer network protocols: detection and mitigation techniques," International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, "An improved method in deep packet inspection based on regular expression," The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, "Evaluation of steganographic methods for oversized IP packets," Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, "A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU," The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, "IP covert timing channels: design and detection," in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, "Implementing a passive network covert timing channel," Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, "Minority oversampling for imbalanced ordinal regression," Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, "Model based covert timing channels: automated modeling and evasion," Lecture Notes In Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, "Network covert timing channel with distribution matching," Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, "Building covert timing channels by packet rearrangement over mobile networks," Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, "A packet-reordering covert channel over VoLTE voice and video traffics," Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, "Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC," IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, "Robust network covert communications based on TCP and enumerative combinatorics," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, "Design and performance evaluation of a covert timing channel," Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, "CoCo: coding-based covert timing channels for network flows," in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, "A covert timing channel based on fountain codes," in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, "Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding," IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, "Research on the hidden anonymous communication system based on P2P," M. S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, "SkyDe: a skype-based steganographic method," International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, "Fast mode decision using inter-view and inter-component correlations for multiview depth video coding," IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.

[24] J. Lv, C. Zhu, S. Tang, and C. Yang, "Deepflow: hiding anonymous communication traffic in P2P streaming networks," Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, "StegTorrent: a steganographic method for the P2P file sharing service," IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, "An entropy-based approach to detecting covert timing channels," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, "Cyberspace security for future Internet," Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, "A novel online incremental and decremental learning algorithm based on variable support vector machine," Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, "The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier," Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, "Using hierarchical statistical analysis and deep neural networks to detect covert timing channels," Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.


loss, as given in Figure 20. It is obvious that the secret information in our scheme can be accurately obtained under different rates of packet loss or disorder. However, the BER of StegTorrent increases with the increment of packet loss/disorder rate. The BER of StegTorrent reaches up to 11% when 20% of packets are lost, which will degrade the reliability of covert communication in StegTorrent.

On the one hand, the good performance in resisting packet loss and disorder of our scheme is due to the TCP reliable transmission mechanism of normal BT traffic, which serves as the carrier of our steganography. Therefore, the proposed method is noise-tolerant. On the other hand, packet loss or disorder alters the packet-arriving order in StegTorrent, which will lead to the misrecovery of secret data on the receiver side. Hence, we can conclude that our scheme is superior to StegTorrent in respect to robustness.

5.4. Capacity. Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or packet. In other words, capacity refers to the transfer rate of secret information. It is closely related to the bandwidth of normal carrier and the steganographic modulation algorithms. As revealed in Figure 21, the field length of <bitfield> ranges from 0 to 2500 Bytes in normal BT communication

Figure 15: Detection process of DNN. [Diagram blocks: network traffic, sample acquisition, data preprocessing, feature extraction, machine learning (DNN classifier, training/testing); outputs "1" covert and "0" normal.]

Table 4: Definitions of the statistical features.

| Input variable | Feature | Formula | Explanation |
|---|---|---|---|
| $x_1$ | Mean | $\mu = (1/n) \times \sum_{i=1}^{n} l_i$ | $l_i$ is the length of <bitfield>; $n$ is the subsample size |
| $x_2$ | Median | $l_{(n+1)/2}$ | Where the lengths are sorted in ascending order |
| $x_3$ | Entropy | $-\sum_{i=1}^{n} p(l_i) \log p(l_i)$ | $p(l_i)$ is the probability of length $l_i$ |
| $x_4$ | Standard deviation | $\sigma = \sqrt{\sum_{i=1}^{n} (1/n) \times (l_i^2 - \mu^2)}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |
| $x_5$ | Root of average mean error | $\mathrm{RAME} = \sqrt{\sum_{i=1}^{n} \lvert l_i - \mu \rvert / n}$ | $l_i$ is the length of <bitfield>; $\mu$ is the mean of the lengths |
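The five inputs of Table 4 can be computed directly from reassembled peer wire traffic, which is the feature-extraction step a defender needs before training any classifier. The following Python code is an added example, not the authors' implementation: it walks constructed byte streams (4-byte length prefix, message id 5 for Bitfield), collects each <bitfield> length, and computes x1 to x5 per subsample. The function names, the even-n median rule, and the base-2 empirical entropy are assumptions.

```python
import math
import struct
from collections import Counter

HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"  # pstrlen (19) + pstr
HANDSHAKE_LEN = 68      # 1 + 19 + 8 reserved + 20 info_hash + 20 peer_id
BITFIELD_ID = 5         # peer wire message id of Bitfield


def bitfield_lengths(stream):
    """Return the <bitfield> payload length of every Bitfield message in one
    reassembled TCP byte stream (one direction of a peer connection)."""
    pos = HANDSHAKE_LEN if stream.startswith(HANDSHAKE_PREFIX) else 0
    found = []
    while pos + 4 <= len(stream):
        (msg_len,) = struct.unpack_from(">I", stream, pos)
        pos += 4
        if msg_len == 0:                 # keep-alive: length prefix only
            continue
        if pos + msg_len > len(stream):  # capture ends in the middle of a message
            break
        if stream[pos] == BITFIELD_ID:
            found.append(msg_len - 1)    # subtract the one-byte message id
        pos += msg_len
    return found


def table4_features(lengths):
    """Compute x1..x5 of Table 4 for one subsample of <bitfield> lengths."""
    n = len(lengths)
    if n == 0:
        raise ValueError("empty subsample")
    mu = sum(lengths) / n
    ordered = sorted(lengths)
    mid = n // 2
    # Table 4 gives l_(n+1)/2 (odd n). Averaging the two middle values
    # for even n is an assumption of this example.
    median = ordered[mid] if n % 2 else (ordered[mid - 1] + ordered[mid]) / 2
    # Assumption: p(l_i) is the empirical frequency of each distinct length
    # in the subsample, and the logarithm is base 2.
    entropy = sum(-(c / n) * math.log2(c / n) for c in Counter(lengths).values())
    # sum_i (1/n) * (l_i^2 - mu^2) equals mean(l^2) - mu^2; clamp rounding noise.
    variance = sum(l * l for l in lengths) / n - mu * mu
    sigma = math.sqrt(max(variance, 0.0))
    rame = math.sqrt(sum(abs(l - mu) for l in lengths) / n)
    return {"x1_mean": mu, "x2_median": median, "x3_entropy": entropy,
            "x4_std": sigma, "x5_rame": rame}


def feature_vectors(lengths, n):
    """One feature dict per consecutive, non-overlapping subsample of size n."""
    return [table4_features(lengths[i:i + n])
            for i in range(0, len(lengths) - n + 1, n)]


def wire_message(msg_id, payload=b""):
    """Build one length-prefixed peer wire message (used for the sample only)."""
    return struct.pack(">IB", 1 + len(payload), msg_id) + payload


def constructed_streams():
    """Constructed sample, not real traffic: five connections, each with a
    handshake, one Bitfield, a keep-alive, an unchoke (id 1) and a have (id 4)."""
    handshake = HANDSHAKE_PREFIX + bytes(8) + bytes(20) + b"-XX0000-constructed!"
    return [handshake + wire_message(BITFIELD_ID, bytes(size)) + bytes(4)
            + wire_message(1) + wire_message(4, bytes(4))
            for size in (1000, 1000, 1200, 800, 1000)]


if __name__ == "__main__":
    observed = [l for s in constructed_streams() for l in bitfield_lengths(s)]
    print(observed)
    print(table4_features(observed))
```

Each returned dictionary is one input vector (x1 to x5) for the classifiers compared in the paper; the subsample size n is a tuning choice the table leaves open.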

1

0

x1

x2

x3

x4

x5

Inputlayer

Hiddenlayer

Output layer

H1 H2 Hk

Covert

Normal

y

Figure 16 e structure of DNN

0

02

04

06

08

10

1 2 3 4 5 6 13 15 18 21Number of neurons

50 100

Det

ectio

n ra

te

Our schemeStegTorrent

Figure 17 e effect on the detection rate of increasing thenumber of neurons inside the DNN 3-hidden layers

04

05

07

08

1 3 5 7 9Number of hidden layers

15

Our schemeStegTorrent

2003

09

10D

etec

tion

rate

Figure 18 e effect on the detection rate of increasing thenumber of hidden layers in DNN

Security and Communication Networks 11

which means that the maximum capacity of Single-Link Stegis 2500 BP Meanwhile inMulti-Link Steg the capacity willincrease linearly with the number of steganographic peerswhich is shown in Figure 21 Since the field length of normalltbitfieldgt occurs most between 800 and 1200 Bytes asmentioned above the secret data of a certain size (L) istransmitted by each peer engaged in the steganography It isfound that when 64 peers transfer the secret informationconcurrently the capacity reaches up to 76800 BP

However more peers might increase the overhead ofsystem resources and the complexity of the steganographiccontrol mechanism which will make the scheme moredifficult to implement us the tradeoff between thenumber of steganographic peers and system overhead will betaken into consideration in future research And then thecapacity ofMulti-Link Steg mode can be analyzed under theoptimal number of steganographic peers

6 Conclusions

BitTorrent file sharing the protocol of P2P is a stegano-graphic carrier with high covertness which has massivenetwork traffic and complex communication mechanisme steganographic peers are confused with numerous le-gitimate BT peers owing to the cooperative transmission inthe P2P network us it is extremely difficult to locatesteganographic peers in the tremendous BT traffic esteganographic peers disguise as the legitimate BT clientswho are interested in possessing the common video fileeyparticipate in downloading the same resource following thenormal BT communication mode without introducing any

02

04

06

08

Deep neural network

0

10

12

Naive Bayes

Logistic regression

Random forest

Support vector machine

StegTorrentOur scheme

98 97 95 93 92

4339

30 2724

Det

ectio

n ra

te

Figure 19 e comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysismethods

BER

05 1 2 3 5Packet disorderloss rate ()

10 20

Our scheme-pl Stegtorrent-plStegtorrent-pdOur scheme-pd

0

002

004

006

008

010

012

Figure 20 e comparison of BERs between our scheme andStegTorrent under different rates of packet lossdisorder

Capa

city

(BP

)

times103

L = 100L = 400

L = 800L = 1200

0

10

20

30

40

50

60

70

80

2 4 8 16 321 64Number of peers

Figure 21 Capacity of the proposed scheme under differentnumbers of steganographic peers

12 Security and Communication Networks

extra traffic Taking advantage of the non-content-authen-tication mechanism of Bitfield message the secret infor-mation is embedded into the content of ltbitfieldgt accordingto the given format e altered Bitfield message can bypassthe security censorship of the BT system and networkmonitor device Hence our scheme has proved betterundetectability and robustness than the current methods Inthe future work another BitTorrent-based steganographicalgorithm will be designed and researched in which thetradeoff between the numbers of steganographic peers andsystem overhead will be taken into consideration And thenthe optimal steganographic mode can be analyzed andselected

Data Availability

e software code and data used to support the findings ofthis study are available from the corresponding author uponrequest

Conflicts of Interest

All authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

is work was supported by the Natural Science Foundationof the Higher Education Institutions of Jiangsu Provinceunder Grant no 19KJB510019 Innovation and Entrepre-neur-ship Training Program for College Students of JiangsuProvince under Grant no 201913114004Y Changzhou KeyLaboratory of Industrial Internet and Data Intelligenceunder Grant no CM20183002 and the Project of ChangzhouVocational Institute of Mechatronic Technology under Grantno 2019-YBKJ-05

References

[1] X Chen J Li J Weng J Ma and W Lou ldquoVerifiablecomputation over large database with incremental updatesrdquoIEEE Transactions on Computers vol 65 no 10 pp 3184ndash3195 2016

[2] Z Zhou Y Cao M Wang E Fan and Q M J Wu ldquoFaster-RCNN based robust coverless information hiding system incloud environmentrdquo IEEE Access vol 7 pp 179891ndash1798972019

[3] Z Zhou Y Mu and Q M J Wu ldquoCoverless image steg-anography using partial-duplicate image retrievalrdquo SoftComputing vol 23 no 13 pp 4927ndash4938 2019

[4] M A Elsadig and Y A Fadlalla ldquoSurvey on covert storagechannel in computer network protocols detection and mit-igation techniquesrdquo International Journal of Advances inComputer Networks and Its Security vol 6 no 3 pp 11ndash172016

[5] R Sun L Shi C Yin and J Wang ldquoAn improved method indeep packet inspection based on regular expressionrdquo gteJournal of Supercomputing vol 75 no 6 pp 3317ndash3333 2019

[6] W Mazurczyk and K Szczypiorski ldquoEvaluation of stegano-graphic methods for oversized IP packetsrdquo Telecommunica-tions Systems vol 49 no 2 pp 210ndash217 2012

[7] Y Jiang M Zhao C Hu L He H Bai and J Wang ldquoAparallel FP-growth algorithm onWorld Ocean Atlas data withmulti-core CPUrdquo gte Journal of Supercomputing vol 75no 2 pp 732ndash745 2019

[8] S Cabuk C Brodley and C Shields ldquoIP covert timingchannels design and detectionrdquo in Proceedings of the 2004ACM Conference on Computer and Communications Securitypp 55ndash74 Washington DC USA October 2004

[9] X Zi L Yao L Pan and J Li ldquoImplementing a passivenetwork covert timing channelrdquo Computers amp Securityvol 29 no 6 pp 686ndash696 2010

[10] T Zhu Y Lin Y Liu W Zhang and J Zhang ldquoMinorityoversampling for imbalanced ordinal regressionrdquo Knowledge-Based Systems vol 166 no 15 pp 140ndash155 2019

[11] S Gianvecchio H Wang and D Wijesekera ldquoModel basedcovert timing channels automated modeling and evasionrdquoLecture Notes In Computer Science Springer Berlin Ger-many pp 211ndash230 2008

[12] G Liu J Zhai and Y Dai ldquoNetwork covert timing channelwith distribution matchingrdquo Telecommunication Systemsvol 49 no 2 pp 199ndash205 2012

[13] X Zhang C Liang Q Zhang Y Li J Zheng and Y-a TanldquoBuilding covert timing channels by packet rearrangementover mobile networksrdquo Information Sciences vol 445-446pp 66ndash78 2018

[14] X Zhang L Zhu X Wang C Zhang H Zhu and Y-a TanldquoA packet-reordering covert channel over VoLTE voice andvideo trafficsrdquo Journal of Network and Computer Applicationsvol 126 pp 29ndash38 2019

[15] Z Pan X Yi Y Zhang B Jeon and S Kwong ldquoEfficient in-loop filtering based on enhanced deep convolutional neuralnetworks for HEVCrdquo IEEE Transactions on Image Processingvol 29 pp 5352ndash5366 2020

[16] X Luo E W W Chan P Zhou and R K C Chang ldquoRobustnetwork covert communications based on TCP and enu-merative combinatoricsrdquo IEEE Transactions on Dependableand Secure Computing vol 9 no 6 pp 890ndash902 2012

[17] R Archibald and D Ghosal ldquoDesign and performanceevaluation of a covert timing channelrdquo Security and Com-munication Networks vol 9 no 8 pp 755ndash770 2016

[18] A Houmansadr and N Borisov ldquoCoCo coding-based coverttiming channels for network flowsrdquo in Proceedings of the 13thInternational Conference on Information Hiding pp 314ndash328Prague Czech Republic May 2011

[19] R Archibald and D Ghosal ldquoA covert timing channel basedon fountain codesrdquo in Proceedings of the IEEE 11th Inter-national Conference on Trust Security and Privacy in Com-puting and Communications pp 970ndash977 Liverpool UKJune 2012

[20] J Lei D Li Z Pan Z Sun S Kwong and C Hou ldquoFast intraprediction based on content property analysis for low com-plexity HEVC-based screen content codingrdquo IEEE Transac-tions on Broadcasting vol 63 no 1 pp 48ndash58 2017

[21] F W Xu ldquoResearch on the hidden anonymous communi-cation system based on P2Prdquo M S thesis Beijing Universityof Posts and Telecommunications Beijing China 2013

[22] W Mazurczyk M Karas and K Szczypiorski ldquoSkyDe askype-based steganographic methodrdquo International Journal ofComputers Communications and Control vol 8 no 3pp 1841ndash1847 2013

[23] J Lei J Sun Z Pan S Kwong J Duan and C Hou ldquoFastmode decision using inter-view and inter-component cor-relations for multiview depth video codingrdquo IEEE Transactionson Industrial Informatics vol 11 no 4 pp 978ndash986 2015

Security and Communication Networks 13

[24] J Lv C Zhu S Tang and C Yang ldquoDeepflow hidinganonymous communication traffic in P2P streaming net-worksrdquoWuhan University Journal of Natural Sciences vol 19no 5 pp 417ndash425 2014

[25] P Kopiczko W Mazurczyk and K Szczypiorski ldquoSteg-Torrent a steganographic method for the P2P file sharingservicerdquo IEEE Security and Privacy Workshops vol 42 no 6pp 151ndash157 2013

[26] S Gianvecchio and H Haining Wang ldquoAn entropy-basedapproach to detecting covert timing channelsrdquo IEEE Trans-actions on Dependable and Secure Computing vol 8 no 6pp 785ndash797 2011

[27] D Zhang G Wang X Wang Z Li W Li and J WangldquoCyberspace security for future Internetrdquo Security andCommunication Networks vol 2018 p 1 2018

[28] Y Chen J Xiong W Xu and J Zuo ldquoA novel online in-cremental and decremental learning algorithm based onvariable support vector machinerdquo Cluster Computing vol 22no 8 pp 7435ndash7445 2019

[29] Y Chen W Xu J Zuo and K Yang ldquoe fire recognitionalgorithm using dynamic feature fusion and IV-SVM clas-sifierrdquo Cluster Computing vol 22 no 10 pp 7665ndash76752019

[30] D Omar A-F Ala B B Ghassen and J Ilyes ldquoUsing hi-erarchical statistical analysis and deep neural networks todetect covert timing channelsrdquo Applied Soft ComputingJournal vol 82 Article ID 105546 2019

14 Security and Communication Networks

Page 12: A Multimode Network Steganography for Covert Wireless ...downloads.hindawi.com/journals/scn/2020/8848315.pdf · steganography subfield. Under this background, recent network steganography

which means that the maximum capacity of Single-Link Stegis 2500 BP Meanwhile inMulti-Link Steg the capacity willincrease linearly with the number of steganographic peerswhich is shown in Figure 21 Since the field length of normalltbitfieldgt occurs most between 800 and 1200 Bytes asmentioned above the secret data of a certain size (L) istransmitted by each peer engaged in the steganography It isfound that when 64 peers transfer the secret informationconcurrently the capacity reaches up to 76800 BP

However more peers might increase the overhead ofsystem resources and the complexity of the steganographiccontrol mechanism which will make the scheme moredifficult to implement us the tradeoff between thenumber of steganographic peers and system overhead will betaken into consideration in future research And then thecapacity ofMulti-Link Steg mode can be analyzed under theoptimal number of steganographic peers

6 Conclusions

BitTorrent file sharing the protocol of P2P is a stegano-graphic carrier with high covertness which has massivenetwork traffic and complex communication mechanisme steganographic peers are confused with numerous le-gitimate BT peers owing to the cooperative transmission inthe P2P network us it is extremely difficult to locatesteganographic peers in the tremendous BT traffic esteganographic peers disguise as the legitimate BT clientswho are interested in possessing the common video fileeyparticipate in downloading the same resource following thenormal BT communication mode without introducing any

02

04

06

08

Deep neural network

0

10

12

Naive Bayes

Logistic regression

Random forest

Support vector machine

StegTorrentOur scheme

98 97 95 93 92

4339

30 2724

Det

ectio

n ra

te

Figure 19 e comparison of detection rates between our scheme and StegTorrent under different machine learning-based steganalysismethods

BER

05 1 2 3 5Packet disorderloss rate ()

10 20

Our scheme-pl Stegtorrent-plStegtorrent-pdOur scheme-pd

0

002

004

006

008

010

012

Figure 20 e comparison of BERs between our scheme andStegTorrent under different rates of packet lossdisorder

Capa

city

(BP

)

times103

L = 100L = 400

L = 800L = 1200

0

10

20

30

40

50

60

70

80

2 4 8 16 321 64Number of peers

Figure 21 Capacity of the proposed scheme under differentnumbers of steganographic peers

12 Security and Communication Networks

extra traffic Taking advantage of the non-content-authen-tication mechanism of Bitfield message the secret infor-mation is embedded into the content of ltbitfieldgt accordingto the given format e altered Bitfield message can bypassthe security censorship of the BT system and networkmonitor device Hence our scheme has proved betterundetectability and robustness than the current methods Inthe future work another BitTorrent-based steganographicalgorithm will be designed and researched in which thetradeoff between the numbers of steganographic peers andsystem overhead will be taken into consideration And thenthe optimal steganographic mode can be analyzed andselected

Data Availability

e software code and data used to support the findings ofthis study are available from the corresponding author uponrequest

Conflicts of Interest

All authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

is work was supported by the Natural Science Foundationof the Higher Education Institutions of Jiangsu Provinceunder Grant no 19KJB510019 Innovation and Entrepre-neur-ship Training Program for College Students of JiangsuProvince under Grant no 201913114004Y Changzhou KeyLaboratory of Industrial Internet and Data Intelligenceunder Grant no CM20183002 and the Project of ChangzhouVocational Institute of Mechatronic Technology under Grantno 2019-YBKJ-05

References

[1] X Chen J Li J Weng J Ma and W Lou ldquoVerifiablecomputation over large database with incremental updatesrdquoIEEE Transactions on Computers vol 65 no 10 pp 3184ndash3195 2016

[2] Z Zhou Y Cao M Wang E Fan and Q M J Wu ldquoFaster-RCNN based robust coverless information hiding system incloud environmentrdquo IEEE Access vol 7 pp 179891ndash1798972019

[3] Z Zhou Y Mu and Q M J Wu ldquoCoverless image steg-anography using partial-duplicate image retrievalrdquo SoftComputing vol 23 no 13 pp 4927ndash4938 2019

[4] M A Elsadig and Y A Fadlalla ldquoSurvey on covert storagechannel in computer network protocols detection and mit-igation techniquesrdquo International Journal of Advances inComputer Networks and Its Security vol 6 no 3 pp 11ndash172016

[5] R Sun L Shi C Yin and J Wang ldquoAn improved method indeep packet inspection based on regular expressionrdquo gteJournal of Supercomputing vol 75 no 6 pp 3317ndash3333 2019

[6] W Mazurczyk and K Szczypiorski ldquoEvaluation of stegano-graphic methods for oversized IP packetsrdquo Telecommunica-tions Systems vol 49 no 2 pp 210ndash217 2012

[7] Y Jiang M Zhao C Hu L He H Bai and J Wang ldquoAparallel FP-growth algorithm onWorld Ocean Atlas data withmulti-core CPUrdquo gte Journal of Supercomputing vol 75no 2 pp 732ndash745 2019

[8] S Cabuk C Brodley and C Shields ldquoIP covert timingchannels design and detectionrdquo in Proceedings of the 2004ACM Conference on Computer and Communications Securitypp 55ndash74 Washington DC USA October 2004

[9] X Zi L Yao L Pan and J Li ldquoImplementing a passivenetwork covert timing channelrdquo Computers amp Securityvol 29 no 6 pp 686ndash696 2010

[10] T Zhu Y Lin Y Liu W Zhang and J Zhang ldquoMinorityoversampling for imbalanced ordinal regressionrdquo Knowledge-Based Systems vol 166 no 15 pp 140ndash155 2019

[11] S Gianvecchio H Wang and D Wijesekera ldquoModel basedcovert timing channels automated modeling and evasionrdquoLecture Notes In Computer Science Springer Berlin Ger-many pp 211ndash230 2008

[12] G Liu J Zhai and Y Dai ldquoNetwork covert timing channelwith distribution matchingrdquo Telecommunication Systemsvol 49 no 2 pp 199ndash205 2012

[13] X Zhang C Liang Q Zhang Y Li J Zheng and Y-a TanldquoBuilding covert timing channels by packet rearrangementover mobile networksrdquo Information Sciences vol 445-446pp 66ndash78 2018

[14] X Zhang L Zhu X Wang C Zhang H Zhu and Y-a TanldquoA packet-reordering covert channel over VoLTE voice andvideo trafficsrdquo Journal of Network and Computer Applicationsvol 126 pp 29ndash38 2019

[15] Z Pan X Yi Y Zhang B Jeon and S Kwong ldquoEfficient in-loop filtering based on enhanced deep convolutional neuralnetworks for HEVCrdquo IEEE Transactions on Image Processingvol 29 pp 5352ndash5366 2020

[16] X Luo E W W Chan P Zhou and R K C Chang ldquoRobustnetwork covert communications based on TCP and enu-merative combinatoricsrdquo IEEE Transactions on Dependableand Secure Computing vol 9 no 6 pp 890ndash902 2012

[17] R Archibald and D Ghosal ldquoDesign and performanceevaluation of a covert timing channelrdquo Security and Com-munication Networks vol 9 no 8 pp 755ndash770 2016

[18] A Houmansadr and N Borisov ldquoCoCo coding-based coverttiming channels for network flowsrdquo in Proceedings of the 13thInternational Conference on Information Hiding pp 314ndash328Prague Czech Republic May 2011

[19] R Archibald and D Ghosal ldquoA covert timing channel basedon fountain codesrdquo in Proceedings of the IEEE 11th Inter-national Conference on Trust Security and Privacy in Com-puting and Communications pp 970ndash977 Liverpool UKJune 2012

[20] J Lei D Li Z Pan Z Sun S Kwong and C Hou ldquoFast intraprediction based on content property analysis for low com-plexity HEVC-based screen content codingrdquo IEEE Transac-tions on Broadcasting vol 63 no 1 pp 48ndash58 2017

[21] F W Xu ldquoResearch on the hidden anonymous communi-cation system based on P2Prdquo M S thesis Beijing Universityof Posts and Telecommunications Beijing China 2013

[22] W Mazurczyk M Karas and K Szczypiorski ldquoSkyDe askype-based steganographic methodrdquo International Journal ofComputers Communications and Control vol 8 no 3pp 1841ndash1847 2013

[23] J Lei J Sun Z Pan S Kwong J Duan and C Hou ldquoFastmode decision using inter-view and inter-component cor-relations for multiview depth video codingrdquo IEEE Transactionson Industrial Informatics vol 11 no 4 pp 978ndash986 2015

Security and Communication Networks 13

[24] J Lv C Zhu S Tang and C Yang ldquoDeepflow hidinganonymous communication traffic in P2P streaming net-worksrdquoWuhan University Journal of Natural Sciences vol 19no 5 pp 417ndash425 2014

[25] P Kopiczko W Mazurczyk and K Szczypiorski ldquoSteg-Torrent a steganographic method for the P2P file sharingservicerdquo IEEE Security and Privacy Workshops vol 42 no 6pp 151ndash157 2013

[26] S Gianvecchio and H Haining Wang ldquoAn entropy-basedapproach to detecting covert timing channelsrdquo IEEE Trans-actions on Dependable and Secure Computing vol 8 no 6pp 785ndash797 2011

[27] D Zhang G Wang X Wang Z Li W Li and J WangldquoCyberspace security for future Internetrdquo Security andCommunication Networks vol 2018 p 1 2018

[28] Y Chen J Xiong W Xu and J Zuo ldquoA novel online in-cremental and decremental learning algorithm based onvariable support vector machinerdquo Cluster Computing vol 22no 8 pp 7435ndash7445 2019

[29] Y Chen W Xu J Zuo and K Yang ldquoe fire recognitionalgorithm using dynamic feature fusion and IV-SVM clas-sifierrdquo Cluster Computing vol 22 no 10 pp 7665ndash76752019

[30] D Omar A-F Ala B B Ghassen and J Ilyes ldquoUsing hi-erarchical statistical analysis and deep neural networks todetect covert timing channelsrdquo Applied Soft ComputingJournal vol 82 Article ID 105546 2019

14 Security and Communication Networks

Page 13: A Multimode Network Steganography for Covert Wireless ...downloads.hindawi.com/journals/scn/2020/8848315.pdf · steganography subfield. Under this background, recent network steganography

extra traffic Taking advantage of the non-content-authen-tication mechanism of Bitfield message the secret infor-mation is embedded into the content of ltbitfieldgt accordingto the given format e altered Bitfield message can bypassthe security censorship of the BT system and networkmonitor device Hence our scheme has proved betterundetectability and robustness than the current methods Inthe future work another BitTorrent-based steganographicalgorithm will be designed and researched in which thetradeoff between the numbers of steganographic peers andsystem overhead will be taken into consideration And thenthe optimal steganographic mode can be analyzed andselected

Data Availability

The software code and data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

All authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of the Higher Education Institutions of Jiangsu Province under Grant no. 19KJB510019, Innovation and Entrepreneurship Training Program for College Students of Jiangsu Province under Grant no. 201913114004Y, Changzhou Key Laboratory of Industrial Internet and Data Intelligence under Grant no. CM20183002, and the Project of Changzhou Vocational Institute of Mechatronic Technology under Grant no. 2019-YBKJ-05.

References

[1] X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, "Verifiable computation over large database with incremental updates," IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.

[2] Z. Zhou, Y. Cao, M. Wang, E. Fan, and Q. M. J. Wu, "Faster-RCNN based robust coverless information hiding system in cloud environment," IEEE Access, vol. 7, pp. 179891–179897, 2019.

[3] Z. Zhou, Y. Mu, and Q. M. J. Wu, "Coverless image steganography using partial-duplicate image retrieval," Soft Computing, vol. 23, no. 13, pp. 4927–4938, 2019.

[4] M. A. Elsadig and Y. A. Fadlalla, "Survey on covert storage channel in computer network protocols: detection and mitigation techniques," International Journal of Advances in Computer Networks and Its Security, vol. 6, no. 3, pp. 11–17, 2016.

[5] R. Sun, L. Shi, C. Yin, and J. Wang, "An improved method in deep packet inspection based on regular expression," The Journal of Supercomputing, vol. 75, no. 6, pp. 3317–3333, 2019.

[6] W. Mazurczyk and K. Szczypiorski, "Evaluation of steganographic methods for oversized IP packets," Telecommunications Systems, vol. 49, no. 2, pp. 210–217, 2012.

[7] Y. Jiang, M. Zhao, C. Hu, L. He, H. Bai, and J. Wang, "A parallel FP-growth algorithm on World Ocean Atlas data with multi-core CPU," The Journal of Supercomputing, vol. 75, no. 2, pp. 732–745, 2019.

[8] S. Cabuk, C. Brodley, and C. Shields, "IP covert timing channels: design and detection," in Proceedings of the 2004 ACM Conference on Computer and Communications Security, pp. 55–74, Washington, DC, USA, October 2004.

[9] X. Zi, L. Yao, L. Pan, and J. Li, "Implementing a passive network covert timing channel," Computers & Security, vol. 29, no. 6, pp. 686–696, 2010.

[10] T. Zhu, Y. Lin, Y. Liu, W. Zhang, and J. Zhang, "Minority oversampling for imbalanced ordinal regression," Knowledge-Based Systems, vol. 166, no. 15, pp. 140–155, 2019.

[11] S. Gianvecchio, H. Wang, and D. Wijesekera, "Model based covert timing channels: automated modeling and evasion," Lecture Notes in Computer Science, Springer, Berlin, Germany, pp. 211–230, 2008.

[12] G. Liu, J. Zhai, and Y. Dai, "Network covert timing channel with distribution matching," Telecommunication Systems, vol. 49, no. 2, pp. 199–205, 2012.

[13] X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, and Y.-a. Tan, "Building covert timing channels by packet rearrangement over mobile networks," Information Sciences, vol. 445-446, pp. 66–78, 2018.

[14] X. Zhang, L. Zhu, X. Wang, C. Zhang, H. Zhu, and Y.-a. Tan, "A packet-reordering covert channel over VoLTE voice and video traffics," Journal of Network and Computer Applications, vol. 126, pp. 29–38, 2019.

[15] Z. Pan, X. Yi, Y. Zhang, B. Jeon, and S. Kwong, "Efficient in-loop filtering based on enhanced deep convolutional neural networks for HEVC," IEEE Transactions on Image Processing, vol. 29, pp. 5352–5366, 2020.

[16] X. Luo, E. W. W. Chan, P. Zhou, and R. K. C. Chang, "Robust network covert communications based on TCP and enumerative combinatorics," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp. 890–902, 2012.

[17] R. Archibald and D. Ghosal, "Design and performance evaluation of a covert timing channel," Security and Communication Networks, vol. 9, no. 8, pp. 755–770, 2016.

[18] A. Houmansadr and N. Borisov, "CoCo: coding-based covert timing channels for network flows," in Proceedings of the 13th International Conference on Information Hiding, pp. 314–328, Prague, Czech Republic, May 2011.

[19] R. Archibald and D. Ghosal, "A covert timing channel based on fountain codes," in Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 970–977, Liverpool, UK, June 2012.

[20] J. Lei, D. Li, Z. Pan, Z. Sun, S. Kwong, and C. Hou, "Fast intra prediction based on content property analysis for low complexity HEVC-based screen content coding," IEEE Transactions on Broadcasting, vol. 63, no. 1, pp. 48–58, 2017.

[21] F. W. Xu, "Research on the hidden anonymous communication system based on P2P," M.S. thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2013.

[22] W. Mazurczyk, M. Karas, and K. Szczypiorski, "SkyDe: a skype-based steganographic method," International Journal of Computers Communications and Control, vol. 8, no. 3, pp. 1841–1847, 2013.

[23] J. Lei, J. Sun, Z. Pan, S. Kwong, J. Duan, and C. Hou, "Fast mode decision using inter-view and inter-component correlations for multiview depth video coding," IEEE Transactions on Industrial Informatics, vol. 11, no. 4, pp. 978–986, 2015.

[24] J. Lv, C. Zhu, S. Tang, and C. Yang, "Deepflow: hiding anonymous communication traffic in P2P streaming networks," Wuhan University Journal of Natural Sciences, vol. 19, no. 5, pp. 417–425, 2014.

[25] P. Kopiczko, W. Mazurczyk, and K. Szczypiorski, "StegTorrent: a steganographic method for the P2P file sharing service," IEEE Security and Privacy Workshops, vol. 42, no. 6, pp. 151–157, 2013.

[26] S. Gianvecchio and H. Haining Wang, "An entropy-based approach to detecting covert timing channels," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 785–797, 2011.

[27] D. Zhang, G. Wang, X. Wang, Z. Li, W. Li, and J. Wang, "Cyberspace security for future Internet," Security and Communication Networks, vol. 2018, p. 1, 2018.

[28] Y. Chen, J. Xiong, W. Xu, and J. Zuo, "A novel online incremental and decremental learning algorithm based on variable support vector machine," Cluster Computing, vol. 22, no. 8, pp. 7435–7445, 2019.

[29] Y. Chen, W. Xu, J. Zuo, and K. Yang, "The fire recognition algorithm using dynamic feature fusion and IV-SVM classifier," Cluster Computing, vol. 22, no. 10, pp. 7665–7675, 2019.

[30] D. Omar, A.-F. Ala, B. B. Ghassen, and J. Ilyes, "Using hierarchical statistical analysis and deep neural networks to detect covert timing channels," Applied Soft Computing Journal, vol. 82, Article ID 105546, 2019.
