은닉 채널은 내부자가 네트워크 외부의 수신자에게 정상적인 통신 방법을 사용하지 않고 데이터를 유출하기 위한 통신 기법으로 숨겨진 통신 채널을 의미한다. 이는 데이터 유출의 방법으로써 악용될 수 있는데, 허가된 통신에서 일반적인 통신 방법이 아닌 네트워크 안에 새로운 통신 채널을 만들어 데이터를 유출하는 기생하는 채널을 통한 데이터 유출 공격 방법으로 활용된다. 악의적으로 사용 시 중요한 데이터를 약속 된 송수신자 이외에는 모르게 유출 시키는 것이 가능하다. 반대로 일반적인 사용자 입장에서는 민간함 정보를 보낼 때, 다른 사람들은 전송 자체를 알 수 없는 보안성을 가진 채널로도 사용될 수 있다. 결국, 사용자의 목적에 따라 악의적인 데이터 유출 채널 혹은 보안성을 가진 채널로 사용될 수 있다.

은닉 채널은 환경에 영향을 받지 않고 어떠한 환경에서도 통신 채널을 만들 수 있다는 장점을 가지고 있다. 즉, 송수신자 사이에 약속된 송수신 방법이 고도화 될수록 은닉성, 데이터 전송 속도 등이 좋아질 수 있다. 그러나 각 은닉 채널마다 사용하는 통신 방법이 다르고 매체가 다름으로 인하여 은닉 채널의 성능 분석을 위해 사용하는 성능 지표가 상이하다. 이로 인하여 은닉 채널 사이의 상대적인 성능 분석이 쉽지 않고 객관적인 수치를 이용한 비교도 어렵다.

본 논문에서는 은닉채널마다 서로 다른 성능 지표를 사용하여 객관적인 평가가 어렵다는 문제점을 보완하기 위하여 은닉 채널에 대해 성능을 다각도로 확인 할 수 있도록 은닉성, 안정성, 투명성, 기밀성, 전송속도에 해당하는 총 다섯가지의 체계적인 성능지표를 제안하고 있다. 여기서 성능 지표를 정리한다는 의미는 성능 분석을 위한 디테일한 방법이나 새로운 성능 지표 방법에 대한 제안 보다는 다양한 관점에서 성능 분석 영역들을 제시함으로 하나의 채널로써 제안되는 은닉 채널의 특징 및 장점을 종합적으로 나타낼 수 있음을 의미한다. 비슷한 환경에서의 은닉 채널에 대해 상대적인 평가가 가능한 성능 다이어그램을 새롭게 제안하고 있고 이를 통해 해당 은닉 채널이 가진 특징을 한눈에 확인 할 수 있도록 하고 있다.
또한, 정리된 성능지표와 관련하여 이를 만족하는 새로운 인코딩 기법을 제안하고 있다.
제안하는 새로운 인코딩 기법들은 Wi-Fi의 주기적 신호를 활용한 은닉 타이밍 채널을 구현하는 데 사용되었고, LTE-A 특정 패킷을 이용한 은닉 스토리지 채널을 위해 제안되었다.

첫째로, 우리는 은닉 채널에 대한 성능 지표를 체계적으로 구성하여 은닉성을 포함한 통신 성능 및 일반 사용자 관점 어우르는 성능 지표 다이어그램을 제안하고 있다.

둘째로, 우리는 IEEE 802.11 환경에서 새로운 인코딩 기법을 적용한 은닉 무선 단방향 통신 메커니즘을 제안하였다. 우리의 은닉 통신은 모든 상업용 AP의 비콘 패킷을 활용할 수 있는 은닉 타이밍 채널을 기반하고 있다. 우리가 제안한 무선 은닉 채널은 WLAN MAC 프로토콜의 펌웨어 수정만으로 구현할 수 있어 실제 AP에 적용이 가능하다. 또한, 다른 사람들에 의해 은닉 신호가 감지될 가능성을 크게 줄이기 위해 PPCTC (ping-pong covert timing channel)라는 새로운 간단한 은닉 데이터 인코딩 체계를 제안하였으며, PPCTC의 은밀성은 이전의 타이밍 기반 은닉 채널과 비교하여 위의 성능지표를 모두 만족하는 것을 보인다. 제안하는 무선 은닉 통신은 단방향 통신이지만, PPCTC는 연속 2비트 오류에 대한 복구 특성이 있어 안정적인 통신이 보장된다. 뿐만 아니라, 우리의 은닉 채널을 통해 전송되는 정보의 기밀성과 무결성을 제공하기 위한 은닉 프레임 구조도 제시되었는데, 이것은 은닉채널 연구에서 처음 시도되는 방법이다.

셋째로, 우리는 LTE-A (Long-Term Evolution-Advanced) 환경에서 시퀀스 번호의 복제를 사용하는 은닉 채널을 제안하였다. 우리는 숨겨진 데이터의 안전한 전송을 달성하면서 실제 통신과 유사한 프로세스를 제공하는 것을 목표로 하고 있습니다. 또한, 제안된 은닉 채널의 성능을 평가하기 위해 상용 무선 통신 장비를 사용한 무선 송수신 체계와 기밀성을 지원하는 전송 체계를 제공하고 실험 결과를 제시하고 있다

주요단어: 성능지표, 성능 다이어그램, 은닉채널, 은닉 AP, 모바일 은닉 채널, 은닉 프레임

A Covert channel refers to a communication technique used by insiders to leak data to external receivers without employing normal communication methods. This can be exploited as a method of data leakage, creating a hidden communication channel within the network by establishing a new communication channel not used in authorized communications. When maliciously used, this method allows for the leakage of critical data without the knowledge of anyone other than the agreed-upon sender and receiver. Conversely, from the perspective of regular users sending sensitive information, it can be utilized as a secure channel where others cannot discern the transmission itself. Ultimately, its usage can be directed either maliciously as a data leakage channel or positively as a secure channel, depending on the user's intentions.
Covert channels offer the advantage of creating communication pathways unaffected by the environment, usable in various settings. Essentially, as the agreed-upon transmission methods between sender and receiver become more sophisticated, the covert channel's characteristics, such as covertness and throughput, can improve. However, the diverse communication methods employed by each covert channel, coupled with different media, make it challenging to use consistent performance metrics for their analysis. This complexity hinders straightforward relative performance evaluation between covert channels and complicates objective comparisons using numerical metrics.

To address the difficulty of objectively evaluating covert channels with different performance metrics, this paper proposes a systematic set of five performance metrics: covertness, stability, transparency, confidentiality, and throughput. These metrics aim to provide a comprehensive view of covert channel performance from various perspectives. Rather than introducing new detailed methods or metrics, the goal is to present a range of performance analysis areas for the proposed covert channel as a whole. Additionally, a performance diagram is suggested, allowing for relative evaluations of covert channels in similar environments and providing a quick overview of the characteristics of the proposed covert channel.
In the IEEE 802.11 environment, a new encoding technique for covert wireless unidirectional communication mechanisms is proposed. The covert communication is based on a covert timing channel that can utilize beacon packets from all commercial APs. Our proposed wireless covert channel is suitable for real public AP environments as it can be implemented with firmware modifications to WLAN MAC protocols. To significantly reduce the likelihood of detection by others, we propose a new simple covert data encoding system called PPCTC (ping-pong covert timing channel). The covertness of PPCTC satisfies all the above performance metrics compared to previous timing-based covert channels. While our wireless covert communication is unidirectional, PPCTC has a recovery feature for consecutive 2-bit errors, ensuring stable communication. Furthermore, we present a covert frame structure to provide confidentiality and integrity for the information transmitted through our covert channel, marking a novel attempt in covert channel research.
In the LTE-A (Long-Term Evolution-Advanced) environment, we propose a practical covert channel using sequence number duplication. Our goal is to achieve secure transmission of covert data while providing a process similar to actual communication. Moreover, we provide a wireless transmission system using commercial wireless communication equipment for evaluating the performance of the proposed covert channel and present experimental results supporting confidentiality.

• List of Figures x
• List of Tables xii
• 1. Introduction 1
• 1.1 Background 1
• 1.2 Motivation 5
• 1.3 Research Contributions 8
• 1.3.1 Organized systematic covert channel performance metric 8
• 1.3.2 Efficient encoding scheme for wireless covert channel 11
• 1.4 Thesis Overview 14
• 2. Related work 16
• 2.1 Performance metrics for covert channel 16
• 2.1.1 Wired covert channel performance metric 16
• 2.1.1.1 Covert storage channel 16
• 2.1.1.2 Covert timing channel 18
• 2.1.2 Wireless covert channel performance metric 19
• 2.2 Covert channels 23
• 2.2.1 Covert storage channel 24
• 2.2.2 Covert timing channel 25
• 2.2.3 Wireless Covert channel 26
• 3. Preliminary 30
• 3.1 IEEE 802.11 WLAN 30
• 3.1.1 IEEE 802.11 WLAN Beacon Frame 30
• 3.1.2 Complement line code 32
• 3.2 RLC layer in LTE 33
• 3.3 Communication Frame structure 34
• 4. Systematic covert channel performance metric 36
• 4.1 Covertness 36
• 4.2 Robustness 39
• 4.3 Concealment 40
• 4.4 Transparency 41
• 4.5 Throughput 41
• 4.6 Performance Diagram 45
• 4.6.1 Measurement criteria for each performance metrics 48
• 5. Efficient encoding scheme for wireless covert channel 55
• 5.1 Covert timing channel in 802.11 environment 55
• 5.1.1 Encoding scheme (Ping-Pong Encoding) 56
• 5.1.2 Covert Frame 62
• 5.1.3 Recovery Process 66
• 5.1.4 Testbed 71
• 5.2 Hybrid covert storage channel in LTE environment 75
• 5.2.1 System Model 76
• 5.2.2 Encoding scheme 77
• 5.2.3 Covert Frame 80
• 5.2.4 Testbed 82
• 6. Results and Analysis 85
• 6.1 IEEE 802.11 (Wi-Fi) environment 85
• 6.1.1 Covertness 89
• 6.1.2 Robustness 93
• 6.1.3 Transparency 95
• 6.1.4 Throughput 98
• 6.2 LTE-A environment 100
• 6.2.1 Covertness 101
• 6.2.2 Robustness 103
• 6.2.3 Throughput 103
• 6.2.4 Transparency 104
• 7. Conclusions 107
• 7.1 Conclusion 107
• 7.2 Future Work 108
• Bibliography 110

1. srsran_4g, srsRAN, https://github. com/srsran/srsran_4g. Online accessed, , 2023

2. Ip covert channel detection, S. Cabuk, Brodley, C. E., Shields, C., ACM Transactions on Information and System Security (TISSEC) 12(4), 1–29, , 2009

3. A note on the confinement problem, Lampson, B. W., 16(10), 613–615, , 1973

4. Ipv6 covert channels in the wild in, Caviglione, L., Powójski, K., Mazurczyk, W., Proceedings of the Third Central European Cybersecurity Conference’, pp. 1–6, , 2019

5. 5G architecture options – full set, RP161266, URL https://telecoms. com/wpcontent/blogs. dir/1/files/2016/06/5Garchitecture options. pdf, , 2016

6. A novel covert channel in ltea system, He, Z., Huang, L., Yang, W. & Wang, Z, pp. 662–666, , 2016

7. Covert communication with relay selection, Zhang, Z., Lian, Z., Wang, Y., Sun, H., Xie, Z., Su, Y., 10(2), 421–425, , 2020

8. Practical covert channels forWiFi systems, Classen, J., Schulz, M.&Hollick, M., 2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015 pp. 209–217, , 2015

9. IP covert timing channels: Design and detection, Brodley, C. E., Shields, C., Cabuk, S., Proceedings of the ACM Conference on Computer and Communications Security pp. 178–187, , 2004

10. Introduction to pseudoternary transmission codes, Croisier, A., 14(4), 354–367, , 1970

11. Tcp/ip timing channels: Theory to implementation, Shroff, N., Wang, C.C., Sellke, S. H., Bagchi, S., in pp. 2204– 2212, , 2009

12. Covert communication in relayassisted iot systems, Gao, C., Fukushi, M., Jiang, X., Inamura, H., Yang, B., 8(8), 6313–6323, , 2021

13. An informationtheoretic model for steganography’, Cachin, C., information and computation 192(1), 41–56, , 2004

14. Ieee 802.11 ba: Lowpower wakeup radio for green iot, Lien, S.Y., Gan, M., Lin, Y.P., Yu, J., Deng, D.J., Chen, K. C., Guo, Y.C., 57(7), 106–112, , 2019

15. Demo abstract: Cloraa covert channel over lora phy in, Zheng, Y., Hou, N., IEEE INFOCOM 2020IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)’, IEEE, pp. 1288–1289, , 2020

16. Towards re versible storage network covert channels in, Wendzel, S., Szary, P., Mazurczyk, W., Caviglione, L., Proceedings of the 14th International Conference on Availability, Reliability and Security’, pp. 1–8, , 2019

17. Ieee 802.11 be wifi 7: New challenges and opportunities, Fang, X., Long, Y., Guo, Y., He, R., Han, X., Deng, C., Wang, X., Yan, L., 22(4), 2136–2166, , 2020

18. Implementation of a covert channel in the 802.11 header, Frikha, L., ElHajj, W., Trabelsi, Z., IWCMC 2008 International Wireless Communications and Mobile Computing Conference pp. 594–599, , 2008

19. Uavrelayed covert communication towards a flying warden, Zhao, N., Chen, X., Xu,W., Sheng, M., Niyato, D., IEEE Transactions on Communications, , 2021

20. Embedding Covert Information in Broadcast Communications, Arumugam, K. S. K., Bloch, M. R., IEEE Transactions on Information Forensics and Security 14(10), 2787–2801, , 2019

21. A covert channel over volte via adjusting silence periods, Tan, Y.A., Liang, C., Li, Y., Zhang, X., Li, J., IEEE Access 6, 9292–9302, , 2018

22. Hrtimers and beyond: Transforming the linux time subsystems, Niehaus, D., Gleixner, T., inProceedings of the Linux symposium’, Vol. 1, Citeseer, pp. 333–346, , 2006

23. A robust packetdropout covert channel over wireless networks’, Tan, Y.a., Xu, X., Li, Y., Zhang, X., 27(3), 60– 65, , 2020

24. Covert DCF: A DCFbased covert timing channel in 802.11 networks, Holloway, R., Beyah, R., Proceedings 8th IEEE International Conference on Mobile Adhoc and Sensor Systems, MASS 2011 pp. 570–579, , 2011

25. A novel highspeed iptiming covert channel: Design and evaluation, Hovhannisyan, H., Lu, K., Wang, J., in2015 IEEE International Conference on Communications (ICC)’, IEEE, pp. 7198–7203, , 2015

26. Trends and challenges in network covert channels countermeasures, Caviglione, L., 11(4), 1641, , 2021

27. Achieving robustness and capacity gains in covert timing channels, Shrestha, P. L., Sharif, H., Rezaei, F., Hempel, M., in2014 IEEE International Conference on Communications (ICC)’, IEEE, pp. 969–974, , 2014

28. A packetreordering covert channel over volte voice and video traffics, Zhang, X., Zhang, C., Wang, X., Zhu, H., Tan, Y.a., Zhu, L., 126, 29–38, , 2019

29. A wireless covert channel based on constellation shaping modulation’, Dai, Y., Liu, W., Zhai, J., Liu, G., Cao, P., Ji, X., Security and Communication Networks 2018, 1–5, , 2018

30. A wireless covert channel based on dirty constellation with phase drift, Kelner, J. M., Grzesiak, K., Piotrowski, Z., Electronics 10(6), 647, , 2021

31. Design and performance evaluation of reversible network covert channels, Szary, P., Mazurczyk,W., Wendzel, S., Caviglione, L., inProceedings of the 15th International Conference on Availability, Reliability and Security’, pp. 1–8, , 2020

32. Zmctc: Covert timing channel construction method based on zigzag matrix, Hao, S., Zhang, Y., Zheng, J., Li, Y., Li, S., Computer Communications 182, 212–222, , 2022

33. Voip network covert channels to enhance privacy and information sharing’, Saenger, J., Keller, J., Caviglione, L., Mazurczyk, W., Future Generation Computer Systems 111, 96–106, , 2020

34. Building covert timing channels by packet rearrangement over mobile networks, Zhang, Q., Zhang, X., Zheng, J., Liang, C., Tan, Y.a., Li, Y., Information Sciences 445, 66–78, , 2018

35. A correlationbased approach to detecting wireless physical covert channels’, Huang, S., Liu, G., Bai, H., Liu, W., Dai, Y., Computer Communications 176, 31–39, , 2021

36. Covert localization in wireless networks: Feasibility and performance analysis, Li, C., Shen, X., Cheng, N., Li, Z., Zhao, Y., Wang, W., 19(10), 6549–6563, , 2020

37. Hiding information into voiceoverip streams using adaptive bitrate modulation’, Chang, C.C., Qin, J., Chen, Y., Tian, H., Sun, J., 21(4), 749–752, , 2017

38. Practical covert wireless unidirectional communication in ieee 802.11 environment, Jeon, Y., Oh, M.K., Kim, I., Choi, D., Lee, S., Seong, H., 10(2), 1499–1516, , 2022

39. Covert beamforming design for intelligent reflecting surface assisted iot networks, Li, H., Shi, J., Zhang, H., Shen, C., Zhang, Y., Sun, J., Ma, S., Li, S., IEEE Internet of Things Journal, , 2021

40. Covert communications without channel state information at receiver in iot systems, Yan, S., Hu, J., Zhou, X., Wang, J., Shu, F., 7(11), 11103–11114, , 2020

41. Realizing an 802.11 based covert timing channel using offtheshelf wireless cards’, Beyah, R., Uluagac, A. S., Radhakrishnan, S. V., GLOBECOM IEEE Global Telecommunications Conference pp. 722–728, , 2013

42. Stegoframeorder—mac layer covert network channel for wireless ieee 802.11 networks, Sawicki, K., Bieszczad, G., Piotrowski, Z., 21, , 2021

43. Building Covert Timing Channel of the IoTEnabled MTS Based on MultiStage Verification, Tan, Y.A., Nawaz, R., Baker, T., Liang, C., Li, Y., IEEE Transactions on Intelligent Transportation Systems, , 2021

44. Measuring regularity by means of a corrected conditional entropy in sympathetic outflow, Malliani, A., GnecchiRuscone, T., Baselli, G., Cerutti, S., Liberati, D., Cogliati, C., Montano, N., Porta, A., Biological cybernetics 78, 71–78, , 1998

45. Étude comparative de la distribution florale dans une portion des alpes et des jura’, Jaccard, P., Bulletin del la Société Vaudoise des Sciences Naturelles 37, 547–579, , 1901

46. Ieee 802.11 bd & 5g nr v2x: Evolution of radio access technologies for v2x communications, Naik, G., Choudhury, B., Park, J.M., IEEE access 7, 70169–70184, , 2019

47. Ieee 802.15. 3d: First standardization efforts for subterahertz band communications toward 6g, Hosako, I., Kurner, T., Petrov,V., 58(11), 28–33, , 2020

48. The proposal of ieee 802.11 network access point authentication mechanism using a covert channel in, Sawicki, K.&Piotrowski, Z, Vol. 2,, pp. 656–659, , 2012

49. The optimal carriersecret ratio for wireless covert channels based on constellation shaping modulation’, Liu, G., Qiao, S., Liu, W., Ji, X., Security and Communication Networks 2021, 1–15, , 2021

50. An offtheshelf, low detectability, low data rate, timingbased covert channel for IEEE 802.11 wireless networks, Walker, T. O., Fairbanks, K. D., 2017 14th IEEE Annual Consumer Communications and Networking Conference, CCNC 2017 pp. 835–840, , 2017

51. Covert communication and secure transmission over untrusted relaying networks in the presence of multiple wardens, Kuhestani, A., Azmi, P., Forouzesh, M., Yeoh, P. L., IEEE Transactions on Communications 68(6), 3737–3749, , 2020