Pattern Collection

The following list represents the latest pattern collection that was published in [1], and improved by [2] and [3]. Additional minor updates were provided by [4-6]. Each pattern comprises a number (pattern ID), the authors and publication reference where the pattern was first published*, a brief illustration of the pattern's use, a context (where can the pattern be found in the hierarchy of patterns) and a link to publications which provide evidence for the existence of the pattern.

* Please note that the author of a pattern is not necessarily the inventor of a particular hiding technique. Instead he/she is the one who recognized the pattern within different hiding techniques. The authors of the particular hiding techniques are listed in the `Evidence' attribute of each pattern. 

Latest Version of the Hiding Patterns Hierarchy (based on [1]; updated by [2], [3], [4], [5] and [6]), version: Mar-25-2022.
Latest Version of the Hiding Patterns Hierarchy (based on [1]; updated by [2-6]),
version: Mar-25-2022.

Protocol-agnostic Covert Timing Channel Patterns:
PT1. Inter-packet Times
PT2. Message Timing
PT3. Rate/Throughput

Protocol-aware Covert Timing Channel Patterns:
PT10. Artificial Loss
PT11. Message Ordering (PDU Order)
PT12. Retransmission
PT13. Frame Collisions
PT14. Temperature
PT15. Artificial Reconnections (NEW)
PT16. Artificial Resets (NEW)

Structure Modifying Covert Storage Channel Patterns:
PS1. Size Modulation
PS2. Sequence, incl. sub-patterns
PS3. Add Redundancy

Structure Preserving Covert Storage Channel Patterns:
PS10. Random Value
PS11. Value Modulation, incl. sub-patterns (UPDATED)
PS12. Reserved/Unused

User-data Agnostic Covert Storage Channel Patterns:
PS20. Payload Field Size Modulation (derived from PS1)
PS21. User-data Corruption

User-data Aware Covert Storage Channel Patterns:
PS30. Modify Redundancy
PS31. User-data Value Modulation and Reserved/Unused

Video Introduction to Patterns:

Implementation: Most of these patterns, excluding the payload-specific patterns, can be created with the CCEAP tool.


[1] S. Wendzel, S. Zander, B. Fechner, C. Herdin: Pattern-based Survey and Categorization of Network Covert Channel Techniques, ACM Computing Surveys, Vol. 47, Issue 3, pp. 50:1-26, ACM, 2015.
An early version of the article is available here: download.

[2] W. Mazurczyk, S. Wendzel, S. Zander, A. Houmansadr, K. Szczypiorski: Information Hiding in Communication Networks, Wiley, 2016. Chapters 3 and 8 contain discussions on hiding patterns, basically on the basis of [1] but with an extension of timing-based patterns.

[3] W. Mazurczyk, S. Wendzel, K. Cabaj: Towards Deriving Insights into Data Hiding Methods Using Pattern-based Approach, in Proc. Second International Workshop on Criminal Use of Information Hiding (CUING 2018) at ARES, pp. 10:1-10:10, ACM, 2018.

[4] A. Velinov, A. Mileva, S. Wendzel, W. Mazurczyk: Covert Channels in MQTT-based Internet of Things, IEEE ACCESS, Vol. 7, pp. 161899-161915, 2019. 

[5] A. Mileva, A. Velinov, L. Hartmann, S. Wendzel, W. Mazurczyk: Comprehensive Analysis of MQTT 5.0 Susceptibility to Network Covert Channels, Computers & Security, Elsevier, 2021. 

[6] L. Hartmann, S. Zillien, S. Wendzel: Reset- and Reconnection-based Covert Channels in CoAP. In: Proc. European Interdisciplinary Cybersecurity Conference (EICC), 2021.

Keine Kommentare:

Kommentar veröffentlichen