Our Network Steganography Concepts

MLS (Multi-Level Steganography)

MLS is based on combining two or more steganographic methods in such a way that one method (the upper-level) is a carrier for the other method (the lower-level). From such a binding of information hiding solutions comes some interesting benefits, among others:

  • Increased undetectability of upper-level methods,
  • Increased total steganographic bandwidth,
  • Ability to verify the steganogram's integrity after its reception,
  • Limiting the chance of successful steganogram extracting and reading.

MLS was originally proposed by Al-Najjar for picture steganography in:

Al-Najjar AJ.: The Decoy: Multi-Level Digital Multimedia Steganography Model, In Proc. Of 12th WSEAS International Conference on COMMUNICATIONS, Herakli-on, Greece, July 23-25, 2008

We extend this concept for network steganography and redefine it to make it more general. We also present few useful MLS applications that can improve hidden communications in telecommunication networks. This was described in paper:

W. Frączek, W. Mazurczyk, K. Szczypiorski, Multi-Level Steganography: Improving Hidden Communication in Networks - In: Computing Research Repository (CoRR), abs/1111.1250, arXiv.org E-print Archive, Cornell University, Ithaca, NY (USA), published on 25 January 2011 [.pdf]

HICCUPS (Hidden Communication System for Corrupted Networsk)

HICCUPS is an intra-protocol steganographic system which modifies frames protocol specific fields and their content. It is especially suitable for WLANs (Wireless Local Area Networks). The main innovation of the system is usage of frames with intentionally wrong checksums to establish covert communication. The HICCUPS was recognized as the first steganographic system for WLANs.

HICCUPS was originally proposed in:

K. Szczypiorski, HICCUPS: Hidden Communication System for Corrupted Networks, In Proc. of: The Tenth International Multi-Conference on Advanced Computer Systems ACS'2003, pp. 31-40, October 22-24, 2003 - Międzyzdroje, Poland [.pdf]

LACK (Lost Audio Packets Steganography)

LACK is a hybrid intra-protocol steganographic method which modifies voice packets' time relations and their content.

At the transmitter, some selected audio packets are intentionally delayed before transmitting. If the delay of such packets at the receiver is considered excessive, the packets are discarded by a receiver which is not aware of the steganographic procedure. The payload of the intentionally delayed packets is used to transmit secret information to receivers aware of the procedure, so no extra packets are generated. For unaware receivers the hidden data is “invisible”.

LACK was originally proposed in:

W. Mazurczyk and K. Szczypiorski, Steganography of VoIP Streams, In: Robert Meersman and Zahir Tari (Eds.): OTM 2008, Part II - Lecture Notes in Computer Science (LNCS) 5332, Springer-Verlag Berlin Heidelberg, Proc. of OnTheMove Federated Conferences and Workshops: The 3rd International Symposium on Information Security (IS'08), Monterrey, Mexico, November 9-14, 2008, pp. 1001-1018 [.pdf]

PadSteg (Padding Steganography)

PadSteg is an inter-protocol steganographic system which utilizes relations between two or more protocols from the TCP/IP stack to enable hidden communication, namely Ethernet with ARP, TCP, UDP and/or ICMP protocols. It is designed for LANs and takes advantage from Etherleak vulnerability, which causes padding in Ethernet frames to be not always set to zeros. To limit the chance of detection PadSteg has so called carrier-protocol hopping mechanism i.e. it switches between different protocols that cause the frame to be padded.

Padsteg was originally proposed in:

B. Jankowski, W. Mazurczyk, K. Szczypiorski, Information Hiding Using Improper Frame Padding - 14th International Telecommunications Network Strategy and Planning Symposium (Networks 2010), 27-30.09.2010, Warsaw, Poland [.pdf]

and extended in: B. Jankowski, W. Mazurczyk, K. Szczypiorski - PadSteg: Introducing Inter-Protocol Steganography - In: Telecommunication Systems: Modelling, Analysis, Design and Management, Volume 58: 1-2 January/February 2015, ISSN: 1018-4864 (print version), ISSN: 1572-9451 (electronic version), Springer US, Journal no. 11235 [.pdf]

RSTEG (Retransmission Steganography)

RSTEG is an intra-protocol hybrid network steganography method. It is intended for a broad class of protocols that utilises retransmission mechanisms. The main innovation of RSTEG is to not acknowledge a successfully received packet in order to intentionally invoke retransmission. The retransmitted packet carries a steganogram instead of user data in the payload field.

RSTEG was originally proposed in:

W. Mazurczyk, M. Smolarczyk, K. Szczypiorski, RSTEG: Retransmission Steganography and Its Detection, In: Soft Computing in 2010, ISSN: 1432-7643 (print version) ISSN: 1433-7479 (electronic version), Journal no. 500 Springer [.pdf]

SCTP Steganography: Multistreaming-based method

SCTP Multistreaming-based method is an intra-protocol network steganography method. The main idea of this method is  that subsequent chunks are transmitted within streams determined by bits of steganogram.

Multistreaming-based steganographic method was originally proposed in:

W. Fraczek, W. Mazurczyk, K. Szczypiorski, Stream Control Transmission Protocol Steganography, Second International Workshop on Network Steganography (IWNS 2010) co-located with The 2010 International Conference on Multimedia Information Networking and Security (MINES 2010), Nanjing, China, November 4-6, 2010 [.pdf]


Google Suggest is a service incorporated within Google Web Search which was created to help user find the right search phrase by proposing the auto-completing popular phrases while typing. To enable hidden communication StegSuggest utilizes traffic generated by Google Suggest. Its main innovation is to insert new words into suggestions sent to the Google Suggest client. Inserted words carry bits of steganogram.

StegSuggest steganographic method was originally proposed in:

P. Białczak, W. Mazurczyk, K. Szczypiorski, Sending Hidden Data via Google Suggest, In Proc. of: Third International Workshop on Network Steganography (IWNS 2011) co-located with The 2011 International Conference on Telecommunication Systems, Modeling and Analysis (ICTSM2011), Prague, Czech Republic, 26-28.05.2011 [.pdf]

TranSteg (Transcoding Steganography)

TranSteg is a new IP telephony steganographic method. Typically, in steganographic communication it is advised for covert data to be compressed in order to limit its size. In TranSteg it is the overt data that is compressed to make space for the steganogram. The main innovation of TranSteg is to, for a chosen voice stream, find a codec that will result in a similar voice quality but smaller voice payload size than the originally selected. Then, the voice stream is transcoded. At this step the original voice payload size is intentionally unaltered and the change of the codec is not indicated. Instead, after placing the transcoded voice payload, the remaining free space is filled with hidden data.

TranSteg steganographic method was originally proposed in:

W. Mazurczyk, P. Szaga, K. Szczypiorski, Using Transcoding for Hidden Communication in IP Telephony - In: Computing Research Repository (CoRR), abs/1111.1250, arXiv.org E-print Archive, Cornell University, Ithaca, NY (USA), published on 4 November 2011 [.pdf]