Permutation-based Steganographic Channels

Kevin Forest, Louis Lemaire, Scott Knight, Member, IEEE

Abstract—Covert channels are a mechanism that allows an
attacker to parasitically place messages within a legitimate
channel.
Detection of these covert channels can have
consequences for an attacker. Not only is the ability to
communicate lost or compromised, but analysis of the channel can
lead to the identity of the attacker themselves. If the attacker is a
wanted criminal or foreign intelligence service, these
consequences can be quite severe. This paper proposes a covert
channel with the property of unattributability. That is, in the
event the channel is detected, nothing about the channel gives any
clues as to the identity of the attacker. The unattributable nature
of the covert channel has a cost, however, in that the channel is
one-way, with the attacker being unable to send messages, only
receive them. As such, the proof-of-concept design uses this
covert channel to transmit sensitive information from an infected
machine.
Index Terms— Steganographic Channels, Covert Channels,
Information hiding
I. INTRODUCTION
There are good reasons why people want to communicate
without the communication being detected. In computer
networks covert communication is often hidden within the data
transferred as part of some other seemingly normal, valid
communications. The covert transmitter and receiver share
knowledge of the encoding of the hidden message and
participate in the information transfer. This can leave the
transmitter and receiver vulnerable to surveillance measures
that can detect the encoded data, and perhaps trace the
communications and identify the participants. It is proposed
that a covert communications scheme based on permuting the
order of externally visible network events can be used to create
one-way communications channels that are very difficult to
detect and effectively untraceable to the intended receiver of
the hidden information.
There are any number of communities that would want to
hide their communications. Some examples are: criminals that
have broken into a private computer network and are trying to
steal computing resources or information from the
compromised systems, individuals who are trying to exercise
free-speech rights in a closed political regime, or a foreign
intelligence service that is trying to infiltrate and control
government computer systems of another nation. In each of
these cases the covert communicators are hiding from
surveillance that is actively trying to discover them, and the
cost of being discovered and caught is very high.
Kevin Forest is with the Royal Military College of Canada, Kingston, ON
K7K 7B4 Canada (e-mail: kevin.r.forest@gmail.com).
Scott Knight is with Royal Military College of Canada, Kingston, ON
K7K 7B4 Canada (phone: 613-541-6000 ext6194; e-mail: knight-s@rmc.ca).
In each of these cases there is a covert communicator
(perhaps a Trojan Horse) within the boundaries of a computer
network controlled by the entity conducting the surveillance
(the Warden) and a covert communicator outside that network.
Direct communication in the presence of active surveillance by
the Warden is risky. Therefore an attractive option is to hide
communications within legitimate forms of communication
that are regularly crossing the boundary of the surveilled
network. We will call these legitimate communications the
cover channel. A hidden communication channel, hidden with
such a legitimate cover channel, is called a steganographic
channel [1], or stego channel. In this paper we will refer to
such channels as stego channels or covert channels, although
[1] makes distinction between the two. In general the stego
(covert) channel will make use of residual capacity in the
legitimate cover channel, or masquerade as benign
communications in the cover channel. An example of such a
stego channel is an HTTP tunnel where hidden
communications can masquerade as otherwise well formed and
normal appearing requests for web pages from a web server.
When a stego channel is hiding its communications by
modifying the data in the cover channel, or by introducing
encoded information that appears to be part of the cover
channel, there is risk of detection. That is, the data that is not
part of the cover channel might be detected as anomalous by
the Warden. Once the stego channel is no longer hidden there
is also a danger that the communications can be traced to the
covert communicators and their identities can be discovered.
This is because most stego channel implementations require
active participants at both ends of the channel.
The scenario we will consider as the context for this
research is one where the covert communicators are
trying to exfiltrate information from a computer network under
surveillance by a powerful Warden, to a receiver outside the
network. For example, a Trojan Horse may have been planted
on a computer inside the network and the Trojan Horse will send
information to a receiver on the outside of the network. We
also assume that due to the high cost to the covert
communicators (e.g. criminal prosecution, political
embarrassment, etc.) if the communications can be attributed
to them, they will want to minimize the risk of the detection,
and especially, the risk of traceability to the covert receiver.
The risk of traceability, or attribution, of the stego channel
can be reduced if we can separate the receiver of the legitimate
cover channel from the receiver of the stego channel. Consider
the possibility of a communications scheme where the receiver
of the legitimate cover channel (e.g. a commercial web server)
can remain totally unaware that there is covert information
encoded within the cover channel. Also consider that the
covert receiver has the ability to observe the legitimate cover
channel at some point (any point) in the communications path
between the Warden’s network and the unwitting receiver of
the legitimate cover channel. The attribution of the covert
communication is then broken because the actual covert
receiver is indistinguishable from any one of all the possible
receivers that could have observed the communication. Of
course, such channels are one-way channels and there is no
possibility of feedback from receiver to transmitter.
The risk of detection of the stego channel can be reduced if
we can ensure that all the messages transmitted to the covert
receiver do not modify the data in the messages of the
legitimate cover channel, or introduce encoded information
that masquerades as messages of the legitimate cover channel.
That is, we do not add any form of new message that is not
already part of the legitimate communications on that channel.
The Warden will not see any message during the covert
communication that is not also seen on the legitimate cover
channel when covert communications is not taking place.
Instead of building a covert communications scheme by
modifying, or masquerading as, legitimate messages — the
encoding of the covert information will be effected by
modifying the order of otherwise perfectly legitimate
messages.
The aim of this research is to model and design a covert,
unattributable communications scheme based on permutation
encoding of observable network events. The network events of
interest are the messages exchanged between the transmitter of
the covert message and a legitimate ancillary site that is
unaware of the presence of the covert communications. The
covert communication is unattributable because any observer
of the network events has an opportunity to extract and read
the covert communication.
The factoradic number system can be used as a means of
indexing permutations. This forms the basis of the theoretical
model for the covert communications scheme. This theoretical
model was used to design a covert communications system in
which information is hidden within the HTTP messages
associated with web browsing traffic. The web servers taking
part in the communication are ancillary sites, and are unaware
of their participation in the covert communication.
The communications scheme being investigated is a low-to-medium
bandwidth steganographic channel in which hiding the
channel and the channel's unattributability are considered more
important than the information throughput of the channel. The
implications of such channels are important both for
communities that would want to hide their communications,
and for the Wardens defending networks from covert
communications. These channels will work even in the case of
networks with restrictive security policies that only allow
communication with a restricted number of trusted external
sites.
The paper is divided into 6 main sections. Section II
provides some background regarding HTTP tunnels. HTTP
tunnels provide context for more detailed motivation of the
need for permutation-based covert communications channels
and the advantages of these channels. Section III will
introduce the factoradic number system as way of indexing
permutations and thereby provide the basis for a theoretical
model of the covert communications scheme. In section IV the
theoretical model is validated by using it to design and
implement a permutation-based covert communications
scheme that uses HTTP as a legitimate cover channel. Section
V provides a discussion of the implications of the research and
examines the theoretical versus actual efficiency of the
permutation-based channel. The last section summarizes and
concludes the paper.
II. HTTP REVERSE TUNNELS
As computer network perimeter defences become stronger it
is more difficult for an attacker to make an illicit connection
from his computer somewhere on the Internet to a computer
within a protected target network. It is often easier for the
attacker to arrange to break out of the target network than to
break in. An HTTP reverse tunnel is an example of a stego
channel used to break out of the target network [2][3]. Because
such channels use HTTP as their legitimate cover channel, this
section will review the basic HTTP protocol. The misuse of
the HTTP protocol will be explained to see how the stego
channel is formed. The section will finish with a description of
the shortcomings of the HTTP reverse tunnel with respect to
covertness and unattributability.
In the basic HTTP protocol a client request method is a
method issued to an HTTP server by an HTTP client that
declares its intentions. The client methods include GET
(retrieve a page), POST (client provides content to a server),
PUT, CONNECT, etc. [4]. An example of a message that a
web browser might send when asked to retrieve a web page
from this resource is:
GET /frontpage HTTP/1.1
Accept: image/gif, image/jpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0
Host: anysite.com
Connection: Keep-Alive
This is the Request Header. The first line of this request
requests a document named frontpage from the server. The
name of the document requested in a GET message is a data
field that is controlled by the sender of the message. It can be
almost anything.
Given a request like the one above, the web server looks for
the resource (e.g. web page) associated with the requested name
and returns it to the sender of the message, preceding it with
some header information in its response. The resource
associated with the URL depends on how the server is
implemented. It could be a static file or it could be
dynamically generated. In this case, the server might return:
HTTP/1.1 200 OK
Date: Mon, 06 Nov 2007 20:21:35 GMT
Server: Apache/2.0.41 (Unix)
Last-Modified: Fri, 03 Nov 2007 12:00:09 GMT
Accept-Ranges: bytes
Content-length: 1000
Connection: Close
Content-Type: text/html
<html> …
The above text is called the response header and the part
with the HTML code (two carriage returns below the header)
is the body. In some cases the body will specify that other
resources also be downloaded as part of the web page. This is
done by automatically making additional GET requests for
those additional resources (pictures, icons, ads, etc.).
To create an HTTP reverse tunnel, information can be
encoded in the name strings of the client’s GET messages and
in the bodies of the responses from the server. Consider the
scenario described by Figure 1. To illustrate the capabilities of
the reverse tunnel assume that a machine on the target network
is running a malicious Trojan Horse program (the client) that
will communicate with an attacker (the server) somewhere on
the Internet.
Figure 1 – HTTP Reverse Tunnel Scenario (Client on the Target Network
behind the Firewall; Server on the Attacker's Machine on the Internet)
How the Trojan Horse program first establishes itself is not
within the scope of the discussion; network computers can
become compromised by viruses, removable media, during the
movement of laptop computers between trusted and untrusted
environments, or by legitimate users either wittingly or
unwittingly installing unauthorised programs. The client code
masquerades as a simple web browser. Once executed on the
target machine, it calls “home” to the attacker’s server
program by issuing a simple GET request (this is why it is
called a “reverse” tunnel). Consider the following GET
request.
GET /some_sub_dir/codeword.html HTTP/1.1
Accept: image/gif, image/jpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0
Host: attacker.com
Connection: Keep-Alive
The requested resource in the GET field may not be an
actual document, but acts as a code-word for the server
program on the outside to recognize that a covert client is
calling home. The server program on the attacker’s computer
will receive the request from the target machine and return a
confirmation embedded in the body of an innocuous-looking
web page, just as if it was serving up a page about news,
sports, or weather:
HTTP/1.1 200 OK
Date: Mon, 06 Nov 2008 20:21:35 GMT
Server: Apache/2.0.41 (Unix)
Last-Modified: Fri, 03 Nov 2008 12:00:09 GMT
Accept-Ranges: bytes
Content-length: 1000
Connection: Close
Content-Type: text/html
<html>
<body>
normal-looking HTML here ...
IDENTIFIER TAG =Confirmed
...
</body></html>
Once the client on the inside of the firewall has received the
acknowledgement, it can issue new GET requests. The attacker
can respond to any one of these requests with a web page
containing an encoded command to be executed on the client
machine. If no data is returned from the attacker’s machine,
the Trojan client simply times out and retries after some set
period of time.
When it retrieves a page with a system command embedded
in the body of the HTML the target machine executes that
command on the target system, parses the output into a series
of strings that are then embedded in a series of GET requests.
These GET requests are received by the server on the attacking
machine, and the strings from the set of requests are
reassembled to display the output from the results of the
system command executed on the compromised client
machine. This style of HTTP reverse tunnel can be used for
remote control of the target machine, for downloading
additional attack tools, or for exfiltrating information from the
target machine.
Because the contents of the GET requests and the
documents returned by a web server are arbitrary, it is very
straightforward to hide messages in this traffic and create the
stego channel. As long as this embedded information remains
undetected the HTTP reverse tunnel remains covert. However,
there are techniques proposed to detect such tunnels [5][6][7]
that rely on the embedded covert data being in some way
different/anomalous from normal HTTP traffic. It can also be
readily seen that the server on the attacker’s machine is an
active component of the scheme and collaborates with the
client in the exchange of the specialized protocol that forms
the stego channel. This means that if the communication is
detected it can be traced and attributed to the attacker’s
machine. The possibility of detection and attribution adds risk
to the use of this form of stego channel.
III. A PERMUTATION-BASED MODEL FOR A STEGANOGRAPHIC CHANNEL
Consider a stego channel designed to exfiltrate information
from a target network. The risk of detection and attribution can
be reduced if the communications endpoint of the legitimate
cover channel on the outside of the target network does not
have to be an active participant in the specialized protocol that
forms the stego channel. The covert communication can be
embedded in the order of events in the legitimate cover
communication instead of inserting data into, or modifying, the
content of the messages. Now the communications endpoint on
the outside of the target network can be totally unaware of the
covert communication and can be any ancillary site where
legitimate communication is allowed. The transmitter in the
target network only communicates using messages that are
already commonly being sent, however the order of the
messages can be controlled. The attacker needs only to
passively observe the order of communications in order to
extract the covert information.
This section will present a theoretical model for encoding
covert information in the ordering of computer network events.
Although the main example used in this paper is based on
permuting the order of GET requests in HTTP
communications, the theoretical model is valid for a more
general class of stego tunnels where the order of events can be
permuted without disrupting the semantics of the underlying
legitimate cover channel.
Consider that we have a set, S, of n events for which the
transmitter can modify the order in which they occur. A
communications scheme can be set up in a straightforward way
by defining a codebook that maps message text to specific
permutations of S. However, implementing such a scheme
using a lookup table would require n! entries. Even for small
sets of events a space complexity of O(n!) is intractable (20! ≈
2.4x10^18). Fortunately there is a natural mapping between
integers and permutations that has been well studied for which
the indexing and deindexing operations can be computed in
O(n) time [8][9]. These operations allow us to calculate the
permutation corresponding to an index on the fly, and vice
versa.
The indexing and deindexing operations make use of the
factoradic numbering system. The factoradic numbering
system provides a one-to-one mapping between permutations
of n resources and factoradic numbers of n digits. The
factoradic number system is a mixed radix numeral system.
Each digit of a factoradic number has a value equal to its radix
factorial multiplied by the digit in that place. Each digit must
be less than or equal to its radix, and cannot go below zero.
Each digit is written with its radix subscripted (written d_r
below). The radix begins at 0, so the first digit, 0_0, always
has the value 0:
0 * 0! = 0                                                    (1)
Therefore, the factoradic number 5_5 2_4 3_3 1_2 0_1 0_0 can be
expressed in decimal as:
5*5! + 2*4! + 3*3! + 1*2! + 0*1! + 0*0!
= 600 + 48 + 18 + 2 + 0 + 0 = 668.                            (2)
Similarly, the largest decimal number that can be expressed
using a factoradic number of 6 digits (radix 0-5) is
5_5 4_4 3_3 2_2 1_1 0_0:
5*5! + 4*4! + 3*3! + 2*2! + 1*1! + 0*0!
= 600 + 96 + 18 + 4 + 1 + 0 = 719.                            (3)
This number is one less than 6!, as 720 would be expressed
in factoradic numbers as 1_6 0_5 0_4 0_3 0_2 0_1 0_0, and would
require a seventh digit.
These factoradic numbers can be used to index and compute
a permutation of a set of objects. Consider a set of three
objects S:
S = {a0,a1,a2}.                                               (4)
This ordering within this set can be referred to as the
nominal order. This set contains 3! valid permutations,
namely:
S0=(a0,a1,a2); S1=(a0,a2,a1); S2=(a1,a0,a2);
S3=(a1,a2,a0); S4=(a2,a0,a1); S5=(a2,a1,a0).                  (5)
Factoradic numbers allow the construction of a specific
permutation based upon the index number of the permutation
required. For example, consider the construction of the 3rd
permutation of S. The 3rd permutation is S2, index 2. The value
2 is represented as the factoradic number 1_2 0_1 0_0. Starting
from the left, the first element in the permutation S2 can be
found by taking the element in S whose position (counting from
the left, starting with 0) corresponds to the value found in the
first digit of the factoradic index. The first digit in the index
is 1, therefore the first element of S2 is a1:
S = {a0,a1,a2}
     0  1  2           -> S2 = {a1,?,?}.                      (6)
The element a1 is then removed from S, forming set S' that
consists of one fewer element. The next element in the
permutation can be found by examining the next digit in the
factoradic index, except the object is taken from S'. The
second digit in the index is 0, thus the next object in the
permutation is a0:
S' = {a0,a2}
      0  1             -> S2 = {a1,a0,?}.                     (7)
The element a0 is now removed from S', which creates a
new set S'', which now contains the solitary object a2.
Repeating the process again, we see that the last digit of the
factoradic index is a 0. This means that a2 is the last object in
the permutation S2:
S'' = {a2}
       0               -> S2 = {a1,a0,a2}.                    (8)
Checking with the permutations listed above, it is evident
that the 3rd permutation of S is indeed {a1, a0, a2}.
Factoradic numbers can be used to perform the reverse
operation. Given a specific permutation of set S, and knowing
the nominal ordering of resources in S, it is possible to
determine the factoradic index of that permutation. For
example, given the permutation S?, and solving for the value of
the index, ?:
S? = {a1,a0,a2}.                                              (9)
The first step is to determine at which position the first
element in S? (counting from the left) is found in S. The first
element in S? is a1, which is located in position 1 in S. This
means that the highest radix digit of the factoradic index,
located in the 2! position, is 1.
S = {a0,a1,a2}         -> index = 1_2 ?_1 ?_0                (10)
     0  1  2
The next step is to remove the element a1 from set S,
creating set S'. The next element in S? is a0. Its position in set
S' is 0, thus the second digit of the factoradic index is 0.
S' = {a0,a2}           -> index = 1_2 0_1 ?_0                (11)
      0  1
Once again, an element is removed from S', creating S'',
which includes the lone element a2 at the 0 position. The final
resource in S? is also a2. Thus, the last digit of the factoradic
index is 0.
S'' = {a2}             -> index = 1_2 0_1 0_0                (12)
       0
The factoradic index 1_2 0_1 0_0 has the value 2, which means
that S? is the 3rd indexed permutation of S.
Our permutation-based model for a stego channel involves a
transformation of the covert message into a series of integers.
These integers are then converted to factoradic numbers. The
factoradic numbers are used to create permutations of network
events which the transmitter uses to control the order of events
during actual communication with an ancillary site. The
attacker, who is receiving the covert message, is a passive
observer of the communications with the ancillary site. The
attacker can record the observed permutations and reverse the
process, first calculating the factoradic indices, then converting
these to the series of integers representing the covert message.
A covert communications system can be designed using this
model. System design involves a characterization of the
legitimate cover channel in order to guide the selection of
message encoding scheme, integer block size, and event set
size for the permutations.
IV. AN HTTP-BASED COVERT COMMUNICATIONS SYSTEM
The theoretical model was validated in part by using it to
design and implement a covert, unattributable communications
system based on HTTP as the legitimate cover channel. The
implementation allowed us to test the model and to
characterize the resulting channel.
Figure 2 – CUTS Tunnel Scenario (Client on the Target Network behind
the Firewall; Ancillary Site Server and passive Attacker on the Internet)
The implemented system is called the Covert Unattributable
Transmission System (CUTS). The CUTS scenario is
described in Figure 2. As with the classic HTTP reverse tunnel
described above, there is a machine on the target network that
is running a malicious Trojan Horse program (the client) that
will communicate with a server somewhere on the Internet.
However in this case the server is an ancillary site that is not
aware of the covert communications channel. The attacker is a
passive observer of the HTTP traffic. The design of CUTS
can best be understood by examining its components in the
context of a classic communications channel, Figure 3.
The design of CUTS begins with a characterization of the
communications channel, in this case HTTP messages. The
observable network events of interest in this implementation
are HTTP GET requests and their ordering. The ancillary web
site we are intending to use has a web page, the basepage, that
automatically loads 13 additional resources (small pictures,
icons, etc.). The order of these GET requests is not important.
These GET requests are our observable network events for
which we can permute the order of requests.
Figure 3 – CUTS Architecture (Message -> Message Encoder -> Channel
Encoder -> Channel Modulator -> Channel -> Channel Demodulator ->
Channel Decoder -> Message Decoder -> Message)
The Trojan Horse in this case is an Internet Explorer
Browser Helper Object (BHO) that is running covertly on the
target computer. It is composed of the Message Encoder,
Channel Encoder, and Channel Modulator. The BHO operates
totally independently of any activity on the part of the human
user of the target computer.
The Message Encoder accepts the message intended for
covert transmission. The message is converted to a bit stream
and broken up into 32 bit blocks. This block size is chosen as
there are 2^32 (≈4.29x10^9) unique blocks that we can map onto
the 13! (≈6.23x10^9) unique permutations of the GET requests
available. Each of the blocks derived from the original
message is passed in turn to the Channel Encoder.
The Channel Encoder has defined a nominal set of 13
placeholder tokens. The Channel Encoder interprets each
message block received from the Message Encoder as a binary
integer and transforms its value into the equivalent factoradic
number. This factoradic number is used as an index number, i,
to calculate the ith permutation of the nominal set of
placeholder tokens. Each of these permutations is passed in
turn to the Channel Modulator.
The Channel Modulator maintains a one-to-one mapping
between the set of 13 placeholder tokens and the 13 GET
request messages associated with the basepage. For each
permutation (message block) received from the Channel
Encoder, the Channel Modulator makes a GET request for the
basepage from the ancillary web site. Then instead of
automatically requesting the 13 additional resources in the
usual nominal order, the Channel Modulator makes the
requests in the order specified by the permutation.
The Attacker can observe the channel and identify GET
requests for the basepage and the following 13 GET requests
for additional resources. The Attacker's application is
composed of the Message Decoder, Channel Decoder, and
Channel Demodulator. Each of these components, in turn,
undoes the encodings described above in order to recover the
original message.
V. DISCUSSION
CUTS was implemented and works reliably as a validation
of the proposed model and design for a covert, unattributable
communications scheme based on permutation encoding of
observable network events. The scenario allows us to
characterise the information efficiency of such channels. For
example, consider the CUTS implementation for an event set
of GET request elements, S, of size n=13. We can calculate
the maximum information content available in the channel by
calculating the Shannon information entropy [10]:
H(X) = -Σ_{i=1}^{m} p(x_i) log_2 p(x_i)                      (13)
Consider that each transmission of a set of GET requests (a
permutation of S) is a transmission of a symbol in the alphabet
X. There are n! such symbols in the alphabet, i.e. 13!. The
information content is maximized when we use all the
available permutations of S and the probability mass function,
p, is uniform. In this case the information entropy is log_2 n!.
For our example where n=13, the maximum theoretical
information content in each symbol is 32.54 bits of information.
Now we can look at the information content achieved in the
CUTS implementation. We can assume that there is high
entropy in the input message stream to be sent, as would be the
case if the message was compressed before being processed by
the Message Encoder. Then the probability distribution of
message blocks is uniform. However, the message blocks are
32 bits long so we only use 2^32 of the available permutations.
All others have zero probability of occurring. If we calculate
the information entropy of this channel it is 32 bits of
information. Therefore the channel is 98.3% efficient.
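The factoradic indexing and deindexing steps of Section III, the entropy of equation (13) and the block-size and efficiency figures above, worked through as an added example (Python written for this page, not the authors' CUTS code; the 13 token names are constructed placeholders):

```python
"""Factoradic (Lehmer-code) indexing of permutations and the capacity figures
of the permutation-based stego model.  Example code written for this page;
it is not the authors' CUTS implementation."""
from math import factorial, log2
from typing import List, Sequence, Tuple


def int_to_factoradic(value: int, ndigits: int) -> List[int]:
    """Factoradic digits of `value`, most significant first.  The digit in
    radix position r has weight r! and satisfies 0 <= digit <= r, so the
    right-most digit (radix 0) is always 0 and n digits cover 0 .. n!-1."""
    if not 0 <= value < factorial(ndigits):
        raise ValueError(f"{value} does not fit in {ndigits} factoradic digits")
    digits = []
    for radix in range(1, ndigits + 1):        # peel off the 1!, 2!, ... places
        value, digit = divmod(value, radix)
        digits.append(digit)
    return digits[::-1]                         # e.g. 668 -> [5, 2, 3, 1, 0, 0]


def factoradic_to_int(digits: Sequence[int]) -> int:
    """Inverse of int_to_factoradic: sum over digit_r * r! (equations 2 and 3)."""
    n = len(digits)
    total = 0
    for pos, digit in enumerate(digits):        # pos 0 is the highest radix, n-1
        radix = n - 1 - pos
        if not 0 <= digit <= radix:
            raise ValueError(f"digit {digit} exceeds its radix {radix}")
        total += digit * factorial(radix)
    return total


def index_to_permutation(index: int, nominal: Sequence) -> Tuple:
    """Indexing step (equations 6-8): each factoradic digit picks, by position,
    the next element from the shrinking set S, S', S'', ... of `nominal`."""
    remaining = list(nominal)
    permutation = []
    for digit in int_to_factoradic(index, len(nominal)):
        permutation.append(remaining.pop(digit))
    return tuple(permutation)


def permutation_to_index(observed: Sequence, nominal: Sequence) -> int:
    """Deindexing step (equations 10-12): the position of each observed element
    in the shrinking nominal set is one factoradic digit.  This is the
    computation a passive observer, including a Warden who knows the nominal
    order, runs over a captured ordering.  Raises ValueError if `observed` is
    not a permutation of `nominal` (a repeated or unknown element)."""
    remaining = list(nominal)
    digits = []
    for item in observed:
        position = remaining.index(item)        # ValueError if item is missing
        digits.append(position)
        remaining.pop(position)
    if remaining:
        raise ValueError("observed ordering is shorter than the nominal set")
    return factoradic_to_int(digits)


def entropy_bits(probabilities: Sequence[float]) -> float:
    """Shannon entropy H(X) = -sum p(x_i) log2 p(x_i) of equation (13);
    symbols of zero probability contribute nothing."""
    return -sum(p * log2(p) for p in probabilities if p > 0.0)


def channel_capacity(n: int) -> Tuple[float, int, float]:
    """For n permutable events: the maximum entropy per permutation log2(n!),
    the largest block size m with 2**m < n!, and the efficiency m / log2(n!)
    (the quantities of Table 1 and of the 13-request CUTS configuration)."""
    symbols = factorial(n)
    max_bits = log2(symbols)
    m = symbols.bit_length() - 1                # 2**m <= n! < 2**(m+1)
    if 2 ** m >= symbols:                       # n! is an exact power of two
        m -= 1
    return max_bits, m, m / max_bits


# Constructed stand-in for the 13 GET requests loaded by the basepage; the
# real mapping from tokens to URLs lives in the Channel Modulator.
NOMINAL_TOKENS = tuple(f"resource{i:02d}" for i in range(13))


def round_trip_block(block: int) -> Tuple[Tuple, int]:
    """Encode one 32-bit message block as an ordering of the 13 tokens and
    decode it again from the observed ordering alone."""
    if not 0 <= block < 2 ** 32:
        raise ValueError("CUTS message blocks are 32 bits wide")
    ordering = index_to_permutation(block, NOMINAL_TOKENS)
    return ordering, permutation_to_index(ordering, NOMINAL_TOKENS)


if __name__ == "__main__":
    print(index_to_permutation(2, ("a0", "a1", "a2")))      # the paper's S2
    print(int_to_factoradic(668, 6), factoradic_to_int([5, 4, 3, 2, 1, 0]))
    ordering, recovered = round_trip_block(0xDEADBEEF)
    print(" ".join(ordering), "->", hex(recovered))
    for n in (8, 13, 16, 32, 64):
        max_bits, m, eff = channel_capacity(n)
        print(f"n={n:2d}  log2(n!)={max_bits:7.2f}  block={m:3d}  eff={eff:.3f}")
```

The rejection paths in permutation_to_index are the cases a decoder meets in practice when a capture is incomplete or a resource is requested twice.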
Table 1. Information Content of Permutations
# of GET req. (n) | # of permutations (n!) | Max info content (log_2 n!) | Actual info content (block size)
 8                | 4.03 x 10^4            | 15.3                        | 15
16                | 2.09 x 10^13           | 44.2                        | 44
32                | 2.63 x 10^35           | 117.7                       | 117
64                | 1.27 x 10^89           | 296.0                       | 295
We can also consider the information content in the channel
as we increase the size of n, i.e. as the number of resources on
the ancillary site increases. See Table 1. The block size chosen
here is the maximum block size, m, such that 2^m < n!. As
would be expected, information content available in the
permutations increases faster than the increase in n, due to the
factorial increase in the symbol space.
The CUTS stego channel has been designed so it can work
in an environment with a very strict security policy and a very
capable warden. There is no restriction on the ancillary web
site specified by the system. Therefore even if the machines on
the target network are only allowed to browse a very limited
set of controlled “friendly” web sites CUTS can be used. The
required criterion is that the communication be visible to the
attacker (i.e. the ability to eavesdrop).
The “covertness” of this channel would seem to be
improved over classical HTTP tunnels. Most detection
schemes for such tunnels involve the detection system
monitoring the content of the HTTP traffic and looking for
known signatures in the HTTP message contents or anomalies
in the content. In the case of CUTS the content of the
messages is exactly what is normally seen for the ancillary site,
except that the order of the messages has changed. In order to
detect the permuted orderings the detector would either have
to know the nominal order of the GET requests, or keep
running sets of orderings and compare them. Since the web
pages being used by CUTS are arbitrary the detector would
have to maintain such information for all web pages. This is a
very large problem. CUTS is also unattributable as long as the
method of observation being used by the passive attacker is
hidden.
The proposed stego tunnels are one-way, low to medium
bandwidth tunnels. However, although the bandwidth is
relatively low (hundreds of bits per permutation set), there are
applications where an attacker may wish to trade off bandwidth
for covertness and unattributability. Even a small
amount of information can be very important, e.g. identity
theft, username/password, keys, government secrets.
VI. CONCLUSION
This research has demonstrated a viable theoretical model and
design for a covert, unattributable communications scheme
based on permutation encoding of observable network events.
The model allows for the design of feasible covert
communications systems. The resulting steganographic
channels provide an opportunity for one-way, low to medium
bandwidth communications for communicators that are hiding
from surveillance that is actively trying to discover them, and
for whom the cost of being discovered and caught is very high.
VII. ACKNOWLEDGMENT
This research was funded in part by the ISSNet, an NSERC
Strategic Network (http://www.issnet.ca/). This work was
also funded in part by MITACS, an NCE Canada network
(http://www.mitacs.ca/).
REFERENCES
[1] Moskowitz, I. S., Chang, L., and Newman, R. E.: Capacity is the wrong
paradigm. In: Proceedings of the 2002 Workshop on New Security
Paradigms. pp 114-126. ACM, New York (2002)
[2] van Hauser. "Placing Backdoors Through Firewalls," v1.5, May (1999)
URL: http://thc.pimmel.com/files/thc/fw-backd.htm (November, 2000)
[3] Daicos, K., Knight, S.: Concerning Enterprise Network Vulnerability to
HTTP Tunneling. In: Gritzalis, D., De Capitani di Vimercati, S.,
Samarati, P., Katsikas, S.K., (eds.): Security and Privacy in the Age of
Uncertainty, IFIP TC11 18th International Conference on Information
Security (SEC2003). pp. 13-24. IFIP Conference Proceedings 250,
Kluwer (2003)
[4] Wong, C.: HTTP Pocket Reference. O’Reilly & Associates, Sebastopol,
California, (2000)
[5] Pack, D.J., Streilein, W., Webster, S., Cunningham, R.: Detecting HTTP
Tunneling Activities. In: Proceedings of the 2002 IEEE Workshop on
Information Assurance. U.S. Military Academy (2002)
[6] Borders, K., Prakash, A.: Web tap: detecting covert web traffic. In:
Proceedings of the 11th ACM Conference on Computer and
Communications Security. pp 110-120. ACM, New York, (2004)
[7] T. M. Jackson, Anomaly-based HTTP covert tunnel detection using
hidden Markov models, Masters thesis, Royal Military College of
Canada, April (2007)
[8] Lehmer, D. H.: Teaching combinatorial tricks to a computer,
Proceedings of the Symposium on Applied Mathematical
Combinatorial Analysis. vol. 10, pp. 179-193. Amer. Math. Soc.,
Providence (1960)
[9] Mantaci, R., Rakotondrajao, F. “A permutation representation that
knows what “Eulerian” means”, Discrete Mathematics and Theoretical
Computer Science 4, pp. 101–108 (2001)
[10] Shannon, C.E.: A Mathematical Theory of Communication. In: Bell
System Technical Journal, vol. 27, pp. 379-423, 623-656. July,
October. Wiley (1948)