(W. Graniszewski, J. Krupski, K. Szczypiorski) SOMSteg - Framework for Covert Channel, and itsDetection, within HTTP

Abstract: Due to high efficiency and relatively ease of use, application-layer covert channels, especially HyperText Transfer Protocol (HTTP), have been extensively studied in recent years. This paper extends a new steganographic method where the covert channel is created within the HTTP protocol header, i.e., trailer field. HTTP is the most popular protocol for browsing the Internet and gives the possibility of information sharing. The popularity of HTTP traffic is one of the requirements for undetectable message exchange. This paper presents SOMSteg - a framework for a covert channel, and its detection as a countermeasure, within HTTP. The server's and client's parts are implemented in the JavaScript language and based on the Node.js. Several machine learning techniques can be used for anomaly detection. We tested the detection possibility of such hidden communication by Self Organizing Maps (SOMs). SOMs were also used for tuning the parameters of the covert channel settings within the HTTP trailer. The results of the performed studies are also presented.

Keywords: HTTP, SOM, covert channels, information hiding, machine learning, network steganography

Categories: C.2.0, D.2.11, D.4.6, I.2, I.5.3, K.6.5