Network Steganography

This paper presents a technique for network steganography that utilizes the Overflow field of the Timestamp option in IPv4 packets to create a covert communication channel over a Local Area Network (LAN). The method aims to enhance data security by embedding secret messages within existing network protocols without requiring additional bandwidth. The study explores the architecture, implementation, and results of this approach, highlighting its potential for secure data transmission.

Available online at www.sciencedirect.com (ScienceDirect)
Procedia Computer Science 171 (2020) 1810–1818
www.elsevier.com/locate/procedia

Third International Conference on Computing and Network Communications (CoCoNet’19)

Network Steganography using the Overflow Field of Timestamp Option in an IPv4 Packet

Punam Bedi (a), Arti Dua (b)*
(a,b) Department of Computer Science, University of Delhi, Delhi - 110007, India.

Abstract

Steganography is a technique of hiding secret data inside a cover. The most popularly used cover media include images, videos,
audios, documents and network protocols. Network Steganography is a technique that uses common network protocols (the
header field, the payload field or both) to hide a secret message. TCP/IP protocol suite has been a potential target for network
steganography from the very beginning. It has a lot of possibilities for creation of hidden channels that can be used to
communicate covertly. In this paper, we propose a technique that creates a covert channel using the Overflow field of Timestamp
option of Internet Protocol, version 4 over a Local Area Network. This technique implements a storage based network
steganography that uses the timestamp option which is used for debugging and measurement over the networks. In this technique,
we use legitimate values in the Overflow field which makes it difficult to detect the possibility of covert communication.

© 2020 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Peer-review under responsibility of the scientific committee of the Third International Conference on Computing and Network
Communications (CoCoNet’19).

Keywords: Network Steganography; TCP/IP; covert channel; IPv4; Timestamp Option

* Corresponding author.
E-mail address: arti.batra@gmail.com

1877-0509 © 2020 The Authors. Published by Elsevier B.V.
10.1016/j.procs.2020.04.194

1. Introduction

Information security is a need of every industry today. No organization wants its data to be hacked or
intercepted. One way to secure data over networks is information hiding using steganography.
Steganography is the art and science of communicating in a way which hides the existence of the
communication [17]. Steganography uses a cover medium to hide a secret message. This medium could be an
image, a video, an audio, a document or a network protocol. Steganography using images, audio and video has been
a favorite area of researchers for the past two decades. Network Steganography, however, is a recently emerging
field of research. Other steganography techniques require extra bandwidth for sending the cover media with
hidden data, whereas with Network Steganography it is possible to use already existing Protocol Data Units (PDUs)
as cover, with modifications in redundant fields of the respective PDU. Many commonly used protocols are being
proposed for implementing Network Steganography, which hides secret information in a network protocol’s payload,
header, or both. Network Steganography offers a good bandwidth for secret data communication, because one can
create new data packets to carry secret information or modify already existing data packets to carry covert data.
In this paper, we create a hidden channel using the timestamp option of Internet Protocol version 4 (IPv4),
which is an optional field of an IPv4 packet. To implement the hidden communication, we make use of the User
Datagram Protocol (UDP), which is an unreliable transport layer protocol. The UDP segment uses the underlying
Internet Protocol at the network layer to facilitate the transmission. This is where we create a covert channel
using the Overflow field of the timestamp option in the IPv4 header. The scheme is proposed and experimented with
over a Local Area Network (LAN). The remainder of the paper is organized as follows: Sections 2 and 3 describe the
background and related work respectively in the field of Network Steganography. Section 4 elaborates the
architecture of the proposed system. Section 5 explains the actual experiment and its setup. Sections 6 and 7
summarize the result and conclusion respectively.

2. Background

2.1. Network Steganography

The term Network Steganography was first used by Krzysztof Szczypiorski in the year 2003 [1]. The main idea
of Network Steganography is to hide data in network protocols’ header field or payload field or both. Network
Steganography is implemented by creating covert channels as means of communication between a covert sender and
a covert receiver. These covert channels can be classified into three classes [20]:
• Storage Based Covert channels: These channels carry hidden data in the storage part of Protocol Data unit
(PDU). This channel can be created via a redundant field in the header, or a small portion of payload part of
the PDU, or both together.
• Timing Based Covert Channels: These covert channels are created on the basis of sequence numbers or
timings or delays in the PDUs.
• Hybrid Covert Channels: These covert channels make use of a combination of storage and timing channels
together to support covert communication.
The efficiency of a Network Steganography technique can be judged by analyzing the following characteristics [18]:
• Capacity: It is the amount of covert information that a PDU can carry.
• Robustness: Robustness depicts the conformity of the technique to an error free condition where the secret
should be resistant to change or failures.
• Imperceptibility: It is an important feature that marks the undetectability of a covert message.

2.2. Local Area Networks

A Local Area Network (LAN) is a collection of a number of devices such as computers, laptops, printers, smart
phones etc., connected within a small area like a room, a building or a campus. All the devices in a LAN are
connected either through an Ethernet cable (for wired connections) or through some wireless media. In order to
connect this LAN to the Internet, a router is needed which is generally connected to a telephone line to facilitate data
transmissions over longer distances as shown in Figure 1.

Fig. 1. Local Area Network Connected to the Internet through a Router.

2.3. Internet Protocol version 4

The Internet Protocol version 4 forms the backbone of the Internet. This protocol operates at the network layer
which is responsible for taking important decisions like routing of the Internet packets and managing logical
addresses over the networks. The header [2] of the Internet Protocol (IP) is given in Figure 2.

Version (4 Bits) | IHL (4 Bits) | Service Type (8 Bits) | Total Length (16 Bits)
Identification (16 Bits) | Flags (3 Bits) | Fragment Offset (13 Bits)
Time to Live (8 Bits) | Protocol (8 Bits) | Header Checksum (16 Bits)
Source IP Address (32 Bits)
Destination IP Address (32 Bits)
Options (Variable: 0 – 320 Bits) | Padding (Variable)

Fig. 2: Structure of the header of Internet Protocol version 4.

The Version field is the first field of the IP Header. It records the version number of the Internet Protocol being
used. The Internet Header Length (IHL) field stores the length of the IP Header (number of 32-bits words) which
could be a maximum of 15 as the size of header length field is 4 bits which can hold a maximum value of 15. The
next field which is of size 8 bits was earlier known as Type of Service (ToS) field. The first three bits were
precedence bits that decided the priority of a packet. The next 4 bits represented high and low values for Delay,
Throughput, Reliability and Cost. The next one bit was reserved for future use. The ToS field has now been replaced
by Differentiated Services Code Point (DSCP) which occupies 6 bits and ECN (Explicit Congestion Notification) field which
occupies 2 bits. Applications like Voice over IP (VoIP) make use of DSCP field for real time data transmissions and
ECN is used for end to end network congestion notification if supported by both the end points [3]. The Total
Length field gives the size of IP datagram including the header. It can have a maximum value of 65535 bytes. The
Identification field uniquely identifies an IP datagram. This field is mostly used for fragmentation and reassembly of
IPv4 packets. Next 3 bits are Flag bits which are used to identify and control fragments. The first bit is reserved, the
second bit is the Don’t Fragment (DF) bit which when set to 1, informs the intermediate devices not to fragment the
IP packet. The next bit is More Fragment (MF) bit. This bit when set to 1, indicates that this packet is a fragment of
much larger packet with other fragments following this one. When set to 0, it indicates that the current datagram is
either the last fragment of all the fragments or it is the only fragment. Fragment offset field, tells the offset of this
particular fragment relative to the beginning of the original non-fragmented datagram in eight byte blocks. The Time
to Live field tells for how long can the packet be alive in a network. It is generally set to the number of hops a
packet can travel before getting discarded. The Protocol field tells which protocol at transport layer requested the
service of Internet Protocol. The Header checksum which is a 16-bit long field is used to check for the integrity of IP
header. A checksum of all the fields (including header checksum field containing all zeros) is computed and stored
in this field at the sender side. This is recomputed at the receiver’s side and matched with the stored value to check
the integrity of IP header. The Source IP Address and Destination IP Address hold the 32 bits long IP address of the
sender and the receiver respectively. The last field is Options field which is optional. User may or may not put any
data in the Options part of IP header. Some of the possible options include security, loose source routing, strict
source routing, timestamp and record route as shown in Table 2 [4]. If any option is present in the data, the first byte
of the Option field has a format as depicted in Figure 3. Copy Flag depicts whether this option is copied into all
fragments (depicted by value 1) or not (depicted by value 0). The option class is specified using the next two bits as
depicted in Table 1. The option number is a 5-bit field. The valid values of option number together with option
class, as given in Table 2, specifies an option.

Table 1: Option Class

Option Class    Specification
00 (0)          Control
01 (1)          Reserved for Future Use
10 (2)          Debugging and Measurement
11 (3)          Reserved for Future Use

Bit:     0          | 1 2          | 3 4 5 6 7
Field:   Copy Flag  | Option Class | Option Number

Fig. 3. Option Type Octet

Table 2: Options Specification

Option Class    Option Number    Length       Option Specification
0               0                Nil          End of option list
0               1                Nil          No Operation
0               2                11           Security
0               3                Not Fixed    Loose Source Routing
0               9                Not Fixed    Strict Source Routing
0               7                Not Fixed    Record-route
0               8                4            Stream id
2               4                Not Fixed    Time Stamp



Option Type (8 bits, 01000100) | Option Length (8 Bits) | Pointer (8 Bits) | Overflow (4 Bits) | Flag (4 Bits)
Internet Address (32 Bits)
Timestamp (32 Bits)

Fig. 4. Structure of IP Timestamp Option

2.4. Structure of IP Timestamp option

The structure of the Timestamp option is shown in Figure 4 [8]. The Option Type value for Timestamp option is
68 in decimal (copy flag = 0, option class = 2 and option number = 4). Option Length specifies the number of octets
used by the current option including the type, length, pointer, overflow and flag fields. The pointer field is the
number of octets beginning from this timestamp option to the end of timestamps plus one. That is, it is the offset of
the beginning of next timestamp. The minimum value of this pointer field is 5 and the maximum is 40. The
Overflow field is initially zero and is incremented each time a router is unable to add a timestamp to the option field
due to lack of space. The flag field has 3 valid interpretations:
• Value 0: Only Timestamps are stored in consecutive 32 bit words
• Value 1: Each registering entity adds its IP address first followed by the Timestamp.
• Value 3: The Internet address field in this case is pre-specified and only those entities enter the timestamps
whose IP address match the mentioned address.

3. Related Work

Steganography using images, audio and video has been a favorite area of researchers for the last two decades.
Network Steganography is a recently emerging field of research. Many commonly used protocols are being
suggested for implementing Network Steganography. In this section, we discuss previous steganography work
related to Internet Protocol version 4 only. To our knowledge, very little work has been done in the last few
years on implementing steganography in Internet Protocol version 4. Rowland in [13] suggested the use of the IP
identification field, which is normally used for identifying the fragments of an IPv4 packet. In [15] Ahsan and
Kundur exploited the redundancy in the fragmentation strategy of an IPv4 datagram. If a datagram is unfragmented
(smaller than the maximum transferable unit), fields like fragment offset and flags like Don’t Fragment and More
Fragment are of no use. Ahsan and Kundur made use of the DF flag to transfer a bit ‘0’ or ‘1’. Handel and Sandford
in [10] suggested the use of the ToS field for covert channel creation. The last two bits of this field are
reserved bits which can be used to carry secret data. Handel and Sandford also suggested the use of the Timestamp
option for covert communication. They suggested a coding sequence to interpret Timestamp values, i.e. even
timestamp values should be interpreted as bit ‘0’ and odd timestamps as bit ‘1’. So the last bit of the timestamp
value is modified, if needed, to send the desired bit. This does not make much difference to the timestamp value.
In [16], Bharti et al. suggested the use of fields like padding bits, IP Identification, and a Source IP address
having a fake value to create covert channels over Internet Protocol. Zouheir and Imad in [19] proposed the use of
the record route option for covert communication over IPv4. Alsaffar & Johnson in [7] suggested the use of the
option length, pointer, overflow and flag bits of a Timestamp option to carry the covert data. However, as
discussed above under IPv4 specifications, both the length field and the pointer field can have a maximum value of
40, and if a value greater than 40 is assigned to these fields, a warning message is generated by the Wireshark
application (Wireshark is a freely available packet analyzer tool) [9] at the receiving end as shown in Figure 5.
The warning messages are automatically highlighted by Wireshark in yellow. Moreover, if more covert messages like
these are sent over the network, the generation of a large number of warning indications can draw the attention of
a network administrator to some suspicious communication. In our work with the timestamp option, we try to
overcome this by using legitimate values for all the fields of the Timestamp option and hiding data only in the
Overflow field.

Fig. 5. Wireshark showing warning alerts.

4. Proposed System

In this paper, we propose a Network Steganography system that works over a LAN. The networking environment
created for implementing Network Steganography is as shown in Figure 6. The LAN consisted of following devices:
• Router: The Router used in our system was HUAWEI – HG630V2 Home Gateway capable of both wired
and wireless connections.
• Covert Message Sender (Host A): This is the device that wishes to covertly communicate with a receiver.
This host makes use of Scapy library (version 2.4.3rc1) of Python to craft and send packets that carry
covert data. The covert data is filled in the Overflow field of the Timestamp option of an IPv4 packet.
• Covert Message Receiver (Host B): This is the device that is waiting to receive secret data over the LAN
from Host A (covert message sender). We chose UDP at the Transport layer for its well known advantage
of being fast. If a user prefers accuracy over speed, in that case UDP can be replaced by TCP at the
transport layer. A UDP server is programmed and run over this system to listen for incoming UDP segment
at a random port 11234. This entity after receiving a UDP segment at port 11234 scans the IP packet header
inside this segment. It specifically looks and reads the Overflow field of Timestamp option of an IPv4
packet to fetch the covert message.
• Other Devices: The LAN was shared by other devices like laptops, computers, mobile phones etc.
All the devices in the LAN are either connected through wired or wireless connection to the Router. In our setup, as
shown in Figure 6, Host A is the covert message sender and Host B is the covert message receiver. Host A takes 20
bits of input from the user, breaks these 20 bits into five groups of 4 bits each and crafts an IPv4 packet by adding
five timestamp options with each timestamp option carrying four bits of data in the Overflow field. The Overflow
field is normally used to carry the number of routers that were unable to add the timestamp value. In our technique,
we have left enough space to add a maximum of five timestamp values. The local IP address of Host B is already
known to Host A. It then sends this IP packet over UDP to Host B. We used UDP over TCP as the transport layer
protocol as it is faster and does not require connection establishment.
On the receiver’s side, a python script is executed which sniffs all the received packets and captures UDP
segment received from Host A having destination port as 11234. From the captured packets, the script reads all the
timestamp options of the IPv4 header and fetches the four bits of data from the Overflow field of each option. These
four bits of data from each option are combined to read 20 bits of data sent by the covert Sender.

Fig. 6. Local Area Network Setup for Experiment.

5. Experimental Study

In this paper, we implement Network Steganography using the Overflow field of Timestamp option of an IPv4
packet. The Scapy library is used to craft the IP packets. Scapy is a Python program that enables the user to send,
sniff, dissect and forge network packets [5].
A communication setup is established between two devices A and B on a LAN connected to the Internet through
Router R. A Python program is written to create a UDP segment over Internet Protocol version 4. The script on Host
A crafts an IP packet using Scapy and adds covert information entered by the user in the Overflow field of the
Timestamp option of an IPv4 packet. The Overflow field is 4 bits long and we can add a maximum of five
Timestamp options with flag value set to 0 (maximum size of option field is ten 32-bit words) in a single IPv4
packet. So a single IPv4 packet can carry a maximum of 20 bits of covert data.
We also experimented with the idea of creating 10 timestamp headers with covert data in the Overflow field of each
of the ten timestamp options, increasing the steganography bandwidth to 40 bits per packet. It worked well and covert
data was correctly received at the receiver’s side, but the drawback of this idea is that it did not leave any space
for timestamps in the IPv4 header. Consequently, it may raise suspicion about this IPv4 packet over the network.
Moreover, if a router through which this packet passes tries to put its timestamp value in this header, it will not
be able to do so as no space is left, and it will instead increment the value of the Overflow field (this field
is incremented each time a router is unable to put its timestamp in an IPv4 header because of unavailability of
space), which may change our covert data. Hence, we propose to send five timestamp options with ample space for
actual timestamp values, giving an overall steganography bandwidth of 20 bits/packet.
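
A detection-side illustration of the field semantics from Section 2.4 applied to the five-option layout of Sections 4 and 5 (an added example, not the authors' code): it parses Timestamp options out of a raw IPv4 header and flags repeated Timestamp options and a nonzero Overflow value while the pointer still shows free timestamp space. The function names and both checks are assumptions made here as heuristics, and the two sample headers are constructed.

```python
import struct

TS_OPTION_TYPE = 68      # copy flag 0, option class 2, option number 4
EOL, NOP = 0, 1          # single-octet options that carry no length octet


def parse_timestamp_options(ip_header: bytes) -> list:
    """Return one dict per Timestamp option found in the IPv4 option area."""
    if len(ip_header) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ihl = (ip_header[0] & 0x0F) * 4              # IHL counts 32-bit words
    if ihl < 20 or ihl > len(ip_header):
        raise ValueError("bad IHL")
    opts, i, found = ip_header[20:ihl], 0, []
    while i < len(opts):
        otype = opts[i]
        if otype == EOL:
            break
        if otype == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            raise ValueError("bad option length")
        if otype == TS_OPTION_TYPE:
            if olen < 4:
                raise ValueError("timestamp option too short")
            found.append({
                "length": olen,
                "pointer": opts[i + 2],
                "overflow": opts[i + 3] >> 4,    # high nibble of the 4th octet
                "flag": opts[i + 3] & 0x0F,      # low nibble of the 4th octet
            })
        i += olen
    return found


def audit(ip_header: bytes) -> list:
    """Return findings for one header; an empty list means nothing unusual."""
    findings = []
    ts = parse_timestamp_options(ip_header)
    if len(ts) > 1:
        # Heuristic (assumption): several Timestamp options in a single header.
        findings.append(f"{len(ts)} timestamp options in one header")
    for n, opt in enumerate(ts):
        if opt["flag"] not in (0, 1, 3):
            findings.append(f"option {n}: flag {opt['flag']} has no defined meaning")
        if opt["pointer"] < 5:
            findings.append(f"option {n}: pointer {opt['pointer']} below minimum 5")
        elif opt["overflow"] and opt["pointer"] <= opt["length"]:
            # Overflow is only incremented when no space is left, so a nonzero
            # count next to an unused timestamp slot is inconsistent.
            findings.append(
                f"option {n}: overflow={opt['overflow']} but free timestamp space remains")
    return findings


def build_header(options: bytes) -> bytes:
    """Constructed test input: fixed IPv4 header (checksum left 0) plus options."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 1, 0,
                        64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + options


# Constructed sample 1: one full option (pointer 13 > length 12), one overflow counted.
BENIGN = build_header(bytes([68, 12, 13, 0x10]) + bytes(8))

# Constructed sample 2: five 8-octet options, each with an empty slot (pointer 5)
# and an arbitrary value in the Overflow nibble, as in the layout described above.
SUSPECT = build_header(b"".join(
    bytes([68, 8, 5, nibble << 4]) + bytes(4) for nibble in (0xA, 0x3, 0x0, 0xF, 0x1)))

if __name__ == "__main__":
    for name, hdr in (("BENIGN", BENIGN), ("SUSPECT", SUSPECT)):
        print(name, audit(hdr) or "no findings")
```

An option whose Overflow nibble happens to be zero passes the second check, so the repeated-option count is what flags every packet of this layout.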

6. Results

The topology of the LAN setup for the experiment is shown in Figure 6. Here, Host A acts as a covert message
sender and Host B acts as a covert message receiver. A UDP server script is created and executed at Host B to make
it up and listening at a random port number 11234. Twenty bits of covert data per packet is transferred from Host A
to Host B which can be verified from the snapshots of Wireshark in Figure 8. The snapshots of sending entity and
receiving entity (UDP Server at port 11234) are also shown in Figure 7. The covert message is taken as input from
the user, encapsulated in Timestamp option of IPv4 packet, and is sent to Host B whose IP address is already known
over the LAN. This UDP packet is received correctly on the receiver side with rare packet loss. The Timestamp
option of the IPv4 packet is then read by the receiver to fetch the covert data from the Overflow fields of five
timestamp options correctly.
8 8 8 PunamPunam
Punam
Bedi et.Bedi
Bedi al./ et.
et. al./ al./
Procedia Procedia
Procedia Computer
Computer
Computer Science
Science
Science 00 (2019)
00 (2019)
00 (2019) 000–000
000–000
000–000

Punam Bedi et al. / Procedia Computer Science 171 (2020) 1810–1818 1817

7. Fig.
Fig.Fig. 7. Sender
7. Sender
Sender Process
Process
Process (Left)
(Left)
(Left) andand and Receiver
Receiver
Receiver Process
Process
Process (Right)
(Right)
(Right)

8. Fig.
Fig.Fig. 8. Wireshark
Wireshark
8. Wireshark at Sender’s
at Sender’s
at Sender’s
(Left) (Left)
(Left)
andand and Receiver’s
Receiver’s
Receiver’s
(Right)(Right)
(Right) machine.
machine.
machine.

7. 7. 7. Conclusion
Conclusion
Conclusion
and
andand Future
Future
Future Scope
Scope
Scope

In In Inpaper,
thisthisthis paper,
paper, wewe we proposed,
proposed,
proposed, developed
developed
developed andand and experimented
experimented
experimented a technique
a technique
a technique to to to implement
implement
implement Network Steganography using the Overflow field of timestamp option of an IPv4 packet. We created five timestamp options in a single IPv4 packet header. This channel was found to be capable of carrying 20 bits of data per packet. Our proposed scheme is better than the other network steganography scheme which uses timestamp option to carry covert data [7], in terms of undetectability as it sends 20 bits of data by using legitimate values for the Overflow field without generating any warning messages on Wireshark. The development and experimentation of this technique was solely done on a Local Area Network setup. The current system uses UDP at the transport layer, which is an unreliable delivery protocol and can be easily replaced by TCP if more reliability is needed. The advantage of our scheme is that it uses the very essential protocol which is the Internet Protocol for hiding the data. This provides us with a wide bandwidth of cover packets for sending covert data. Thus this work can further be extended to use the existing IP packets of the LAN instead of creating new ones to carry covert data. Future work can also be done to identify other option fields of IPv4 header to implement a covert channel and explore its feasibility over the Internet also.
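From the monitoring side, the channel summarised above leaves a structural trace: RFC 791 [4] states that the Internet Timestamp option appears at most once in a datagram, so a header carrying five of them stands out even when each Overflow value is individually legal. The following is an added example, not code from the paper; the function names, the 8-byte option layout and the sample headers are assumptions constructed for illustration.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_TIMESTAMP = 0, 1, 68  # option types from RFC 791

def timestamp_options(ip_header: bytes):
    """Return [(overflow, flag), ...] for every Timestamp option in an IPv4 header."""
    if len(ip_header) < 20 or ip_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip_header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(ip_header):
        raise ValueError("bad IHL")
    opts, i, found = ip_header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        if kind == IPOPT_TIMESTAMP:
            if length < 4:
                raise ValueError("truncated timestamp option")
            found.append((opts[i + 3] >> 4, opts[i + 3] & 0x0F))  # oflw | flag
        i += length
    return found

def assess(ip_header: bytes):
    """Heuristic flags: repeated Timestamp options, non-zero overflow counts."""
    ts = timestamp_options(ip_header)
    reasons = []
    if len(ts) > 1:
        reasons.append(f"{len(ts)} timestamp options (RFC 791: at most once per datagram)")
    if any(oflw for oflw, _ in ts):
        reasons.append("non-zero overflow nibble(s): " + ",".join(str(o) for o, _ in ts))
    return reasons

def build_header(overflows):
    """Constructed sample (TEST-NET addresses, checksum 0): one 8-byte option per value."""
    opts = b"".join(bytes([68, 8, 5, (o & 0x0F) << 4]) + b"\x00" * 4 for o in overflows)
    opts += b"\x00" * (-len(opts) % 4)
    ihl = (20 + len(opts)) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts), 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + opts

SUSPECT = build_header([0xA, 0x3, 0xF, 0x1, 0x7])  # five options, 20 overflow bits
BENIGN = build_header([0])                          # one option, overflow 0
```

Under the assumed layout, five 8-byte options fill the entire 40-byte IPv4 options area, which is consistent with the 20-bit-per-packet ceiling reported above. A non-zero Overflow value alone is weak evidence; the repeated option is the stronger signal.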

References

[1] Szczypiorski, K. (2003). “Steganography in TCP/IP Networks. State of the Art and a Proposal of a New System-HICCUPS” Warsaw
University of Technology, Poland Institute of Telecommunications, Warsaw, Poland.
[2] Fall, K. R., and W. R. Stevens. (2011). “TCP/IP Illustrated, Volume 1: The Protocols” Addison-Wesley.
[3] ADVANCED INTERNET TECHNOLOGIES (IT – 302). IPv4 Header, https://advancedinternettechnologies.wordpress.com/ipv4-header/
(2012, accessed 02 Sept 2019).
[4] DARPA INTERNET PROGRAM PROTOCOL SPECIFICATION. INTERNET PROTOCOL, https://tools.ietf.org/html/rfc791 (1981,
accessed 02 Sept 2019).
[5] Introduction. About Scapy, https://scapy.readthedocs.io/en/latest/introduction.html, (2019, accessed 17 Sept 2019).
[6] Murdoch, Steven J. and Stephen Lewis. (2005) “Embedding Covert Channels into TCP/IP” in Barni M., Herrera-Joancomartí J.,
Katzenbeisser S., Pérez-González F. (eds) Information Hiding, Lecture Notes in Computer Science, Springer, Berlin, Heidelberg.
[7] Alsaffar, Hassan and Daryl. (2015) “Covert channel using the IP timestamp option of an IPv4 packet.” The International Conference on
Electrical and Bio-medical Engineering: 48-51.
[8] A SPECIFICATION OF THE INTERNET PROTOCOL (IP) TIMESTAMP OPTION, https://tools.ietf.org/html/rfc781, (1981, accessed 18
Sept 2019).
[9] Wireshark-Go Deep, https://www.wireshark.org, (2019, accessed 19 Sept 2019).
[10] Handel, Theodore G, and Maxwell T. Sandford. (1996) “Hiding Data in the OSI Network Model” Proceedings of 1st International
Workshop, Information Hiding: 23–38.
[11] IP option 4, Timestamp, http://www.networksorcery.com/enp/protocol/ip/option004.htm, (2018, accessed 23 Sept 2019).
[12] Ahsan, Kamran, and Deepa Kundur. (2002) “Practical data hiding in TCP/IP” Proceedings of Workshop on Multimedia Security at ACM
Multimedia.
[13] Rowland, Craig H. (1997) "Covert channels in the TCP/IP protocol suite" First Monday, 2(5).
[14] Bellovin, Steven M. (1989) "Security problems in the TCP/IP protocol suite" ACM SIGCOMM Computer Communication Review 19 (2):
32-48.
[15] Kundur, Deepa and Kamran Ahsan. (2003) “Practical Internet Steganography: Data Hiding in IP” Proceedings of Texas Workshop on
Security of Information Systems, College Station, Texas.
[16] Bharti, Vishal and Itu Snigdh. (2007) “Practical Development and Deployment of Covert Communication in IPv4” Journal on Theoretical
and Applied Information Technology.
[17] Gupta, Richa, Sunny Gupta, and Anuradha Singhal. (2014) "Importance and techniques of information hiding: A review" arXiv preprint
arXiv:1404.3063.
[18] Singh, Namrata, Jayati Bhardwaj, and Gunjan Raghav. (2017) "Network Steganography and its Techniques: A Survey" International
Journal of Computer Applications 174 (2).
[19] Trabelsi, Zouheir and Imad Jawhar. (2010) "Covert file transfer protocol based on the IP record route option." Journal of Information
Assurance and Security 5 (1): 64-73.
[20] Lubacz, Józef, Wojciech Mazurczyk, and Krzysztof Szczypiorski. (2014) "Principles and overview of network steganography." IEEE
Communications Magazine 52 (5): 225-229.
