Analysis of protocol steganography methods in software-defined networks
DOI:
https://doi.org/10.30837/rt.2025.3.222.16
Keywords:
steganography, network, security, protocols, covert channels, software-defined networks
Abstract
Networking (SDN), which constitutes a critical part of modern network infrastructure. The SDN-specific characteristics are centralized control, programmable routing logic, and separation of the control and data planes. They introduce both new threat vectors and opportunities for detecting covert communication channels.
The authors classify steganographic techniques according to the OSI model layers, from the physical to the application layer, including the session and presentation layers. The study covers both traditional approaches based on header manipulation and timing-based channels, as well as modern methods that exploit specific features of protocols such as OpenFlow, TLS, QUIC, HTTP, and DNS. Special attention is given to inter-protocol steganography, control plane abuse, and synchronization-based covert channels that enable stealthy coordination of network nodes even in segmented environments.
A comparative analysis is conducted based on key characteristics such as bandwidth, undetectability, operational constraints, and detection vectors. The results are summarized in a comparative table, allowing a reasoned evaluation of risks across OSI layers and the identification of critical areas for steganalysis in SDN. The findings confirm the need for a multi-layered defense approach in SDN infrastructures, incorporating inter-protocol analysis, adaptive anomaly detection systems, and traffic normalization policies. The research provides a scientific foundation for the development of effective countermeasures against hidden communication in next-generation networks.
License
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).


