Eliminating Steganography in Internet Traffic with Active Wardens

  • Gina Fisk
  • Mike Fisk
  • Christos Papadopoulos
  • Joshua Neil
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2578)


Active wardens have been an area of postulation in the community for nearly two decades, but to date there have been no published implementations that can be used to stop steganography as it transits networks. In this paper we examine the techniques and challenges of a high-bandwidth, unattended, real-time, active warden in the context of a network firewall. In particular, we concentrate on structured carriers with objectively defined semantics, such as the TCP/IP protocol suite, rather than on the subjective, or unstructured, carriers such as images that dominate the information hiding literature. We introduce the concept of Minimal Requisite Fidelity (MRF) as a measure of the degree of signal fidelity that is both acceptable to end users and destructive to covert communications. For unstructured carriers, which lack objective semantics, wardens can use techniques such as adding noise to block subliminal information. However, these techniques can break the overt communications of structured carriers, which have strict semantics. We therefore use a specification-based approach to determine MRF. We use MRF to reason about opportunities for embedding covert or subliminal information in network protocols, and we develop both software to exploit these channels and an active warden implementation that stops them. For unstructured carriers, MRF is limited by human perception, but for structured carriers, well-known semantics give us high assurance that a warden can completely eliminate certain subliminal or covert channels.


Keywords: Intrusion Detection; Intrusion Detection System; Information Hiding; Covert Channel; Network Address Translator
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Gina Fisk (1, 2)
  • Mike Fisk (1)
  • Christos Papadopoulos (2)
  • Joshua Neil (1, 2)

  1. Los Alamos National Laboratory, USA
  2. University of Southern California, USA
