List of Figures

1. 1.1 Basic mimicry system. S1 and S2 denote signal transmitters and R is the signal receiver. "+" denotes that the response of the receiver R is advantageous to S2; thus, S2 benefits from the S1/R couple. (Reproduced from [3] with permission of Wiley.)
2. 1.2 Ancient and modern information hiding.
3. 1.3 Evolution of hidden data carrier throughout the history. (Reproduced from [6] with permission of ACM.)
4. 1.4 Protocol functions used for network steganography, associated with OSI RM layers. (Reproduced from [29] with permission of IEEE.)
5. 2.1 Classification of information concealment possibilities in communication networks.
6. 2.2 A historic classification of information hiding techniques. (Reproduced from [2] with permission of IEEE.)
7. 2.3 Classification of modern steganography techniques and scope of network steganography.
8. 2.4 An example of carrier and subcarriers based on VoIP connection example. (Reproduced from [13] with permission of Wiley.)
9. 2.5 Multiple flows steganography example-sending secret data that is distributed over a number of traffic flows. (Reproduced from [13] with permission of Wiley.)
10. 2.6 Network steganography methods classification.
11. 2.7 Relationship between the three features of network steganography. (Reproduced from [15] with permission of ACM.)
12. 2.8 Relationship between the features of network steganography with steganographic cost included. (Reproduced from [13] with permission of Wiley.)
13. 2.9 Relationship between steganographic cost and undetectability. (Reproduced from [13] with permission of Wiley.)
14. 2.10 Traffic type obfuscation techniques classification.
15. 2.11 Model for hidden communication. (Reproduced from [15] with permission of ACM.)
16. 2.12 Hidden communication scenarios and potential localizations of the warden. (Reproduced from [15] with permission of ACM.)
17. 3.1 Taxonomy for storage methods as patterns shaded. (Reproduced from [1] with permission of ACM.)
18. 3.2 Illustration of the size modulation pattern: PDUs of different size are transmitted between sender and receiver to encode symbols s1 and s2.
19. 3.3 The sequence method illustrated using a simple HTTP request. Two different symbols s1 and s2 are encoded by the order of two selected header elements.
20. 3.4 Illustration of the case pattern. By only using one header line, multiple symbols per request can be transferred by modulating the case of letters.
21. 3.5 Taxonomy for network steganography timing methods.
22. 3.6 Example of using packet rate (throughput) to encode hidden communication. The covert sender encodes a zero bit as sending with rate r0 and a one bit as sending with rate r1. The covert receiver decodes the hidden messages based on the observed rates.
23. 3.7 Example of using time gaps between packets to encode hidden communication. The covert sender encodes a zero bit as small gap g0 and a one bit as large gap g1. The covert receiver decodes the bits based on the gaps observed.
24. 3.8 An FTP NOOP covert channel, an example of using message sequence timing for hidden communication. The integer value of the covert bits is encoded as the number of FTP NOOP commands sent during the idle periods when no data are transferred via FTP.
25. 3.9 An example of using artificial packet loss to encode hidden communication. The covert sender encodes a zero bit as arrived packet and a one bit as artificially lost packet. The covert receiver decodes the information using the packet's sequence numbers.
26. 3.10 An example of (re)ordering packets to encode hidden communication. A packet in a correct position encodes a zero bit, while a packet in an incorrect position encodes a one bit.
27. 3.11 An example of using frame jamming for hidden communication. To send a zero or one bit, the covert sender retransmits with delay d0 or delay d1, respectively, after a previous frame collision.
28. 3.12 A temperature-based covert channel. The covert sender encodes information by changing the CPU load on the intermediate host through changing the service request rate. The CPU load changes affect the temperature, which in turn affects the clock skew on the intermediate host. The covert receiver measures the clock-skew change over time to reconstruct the original load pattern and thereby decode the covert bits. (Reproduced from [63] with permission of IEEE.)
29. 3.13 The idea of LACK. (Reproduced from [34] with permission of Wiley.)
30. 3.14 LACK as an example of a hybrid method.
31. 3.15 Components of the LACK delay. (Reproduced from [34] with permission of Wiley.)
32. 3.16 The impact of LACK on the total packet loss probability. (Reproduced from [57] with permission of Wiley.)
33. 3.17 Generic retransmission mechanism based on timeouts. (Reproduced from [63] with permission of Springer.)
34. 3.18 The concept of retransmission steganography. (Reproduced from [63] with permission of Springer.)
35. 3.19 An example of the RTO-based RSTEG segment recovery. (Reproduced from [38] with permission of Springer.)
36. 4.1 Control protocol terminology showing the embedding of all control protocol components into subcarriers, which are combined to form the cover area.
37. 4.2 Optimization problem for control protocols: header size and feature spectrum are conflicting requirements.
38. 4.3 Ping Tunnel's control protocol header. (Reproduced from [4] with permission of Springer.)
39. 4.4 The header of the protocol presented by Ray and Mishra. (Reproduced from [4] with permission of Springer.)
40. 4.5 Two types of PSCCs. (a) Protocol hopping covert channel using two protocols (hidden data are embedded into storage attributes). (b) Protocol channel using four protocols (hidden data are represented by the protocol itself). (Reproduced from [21] with permission of Iaria.)
41. 4.6 The concept of status updates.
42. 4.7 (a) A ToU occurs multiple times within one packet to reduce the overall number of packets and header bits required for a transaction. (b) The same data are transmitted using two packets, that is, the feature of allowing multiple occurrences for a ToU per packet is not used.
43. 4.8 Control protocol engineering approach. (Reproduced from [2] with permission of Springer.)
44. 4.9 Produced words by the exemplary grammars GCP and GCC.
45. 4.10 The sender S transfers information to the receiver R via the covert channel proxies Q1 ? Qn. (Reproduced from [3] with permission of Springer.)
46. 5.1 Classes of traffic type obfuscation based on the objective.
47. 5.2 Padding network packets to de-identify packet sizes.
48. 5.3 The main architecture of SkypeMorph [21].
49. 5.4 The main components of FreeWave [22].
50. 5.5 The main components of FreeWave [22] client.
51. 5.6 The main components of FreeWave [22] server.
52. 5.7 Classes of traffic type obfuscation based on the implementation domain.
53. 5.8 The main architecture of Obfsproxy.
54. 5.9 The main architecture of CensorSpoofer [36].
55. 5.10 Countermeasures to traffic type obfuscation.
56. 5.11 Skype TCP activity with and without changes in bandwidth. (Reproduced from [37] with permission of IEEE.)
57. 6.1 Linking network flows for the detection of stepping stone attacks. Flows numbered 2 and 5 are part of a stepping stone attack, while the other flows are benign.
58. 6.2 General model of network flow watermarking.
59. 6.3 Using flow watermarks to detect stepping stone attacks.
60. 6.4 A system for anonymous communications.
61. 6.5 A botnet traceback system [29] using flow watermarks.
62. 6.6 Random selection and assignment of time intervals of a packet flow for watermark insertion.
63. 6.7 Distribution of packets arrival time in an interval of size T before and after being delayed.
64. 6.8 Model of RAINBOW network flow watermarking system.
65. 6.9 Slot numbering in the SWIRL scheme. (Reproduced from [14] with permission of Springer.)
66. 6.10 Delaying packets to insert a watermark by SWIRL. (Reproduced from [34] with permission of Springer.)
67. 6.11 Targeted (a) and nontargeted (b) attacks on an anonymous network.
68. 7.1 The VoIP stack and protocols. (Reproduced from [4] with permission of IEEE.)
69. 7.2 A frame carrying a speech payload encoded with an overt codec (1), transcoded (2), and encoded with a covert codec (3). (Reproduced from [19] with permission of IEEE.)
70. 7.3 The TranSteg scenario S4 (SS-Secret Sender; SR-Secret Receiver). (Reproduced from [19] with permission of IEEE.)
71. 7.4 The distribution of packets' size during conversation and periods of silence.
72. 7.5 StegTorrent hidden data exchange scenario (TsX denotes a timestamp from the corresponding µTP header's field. (Reproduced from [25] with permission of IEEE.)
73. 7.6 iStegSiri's crafted voice stream (a); results in corresponding classes of traffic...