Sage Journals: Discover world-class research

Abstract

Voice over Long-Term Evolution enables reliable transmission among enormous Internet of Things devices, by providing end-to-end quality of service for Internet protocol–based services such as audio, video, and multimedia messaging. The research of covert timing channels aims at transmitting covert message stealthily to the receiver using variations of timing behavior. Existing approaches mainly modulate the covert message into inter-packet delays of overt traffic, which are not suitable for Voice over Long-Term Evolution, since most of the inter-packet delays of Voice over Long-Term Evolution traffic are of regular distribution, and any modification on inter-packet delays is easy to be detected. To address the issue, in this work, we propose a novel covert timing channel for the video stream in Voice over Long-Term Evolution, which modulates the covert message by deliberately dropping out video packets. Based on the two-dimensional mapping matrix, the blocks of covert message are mapped into dropout-packet sequence numbers. To recover the covert message, the receiver retrieves the sequence numbers of lost packets and identifies them to be translated into blocks of the covert message. To evaluate our scheme, the simulations with different packet loss rates are conducted to validate the undetectability, throughput, and robustness, finally, the results show that this scheme is effective and reliable.

Keywords

Covert timing channel Voice over Long-Term Evolution packet dropout undetectability robustness

Introduction

Internet of Things (IoT) has already been marked as the entry into the world of consumer electronic devices^1,2 and Voice over Long-Term Evolution (VoLTE) allows these devices to make faster and effective transmission without any call drops. The first definition of the covert channel was composed by Lampson³ in 1973, and covert channels are those “used for information transmission even though they are neither designed nor intended to transfer information at all.” Covert channels can leak information with the inspection systems like intrusion detection system or firewall, which monitors the communication with outside. According to the modulation entities, covert channels can be roughly divided into covert storage channels (CSCs) and covert timing channels (CTCs). A CSC is implied through direct or indirect writing to a specified storage location shared by the sender and receiver process.⁴ Distinct from the CSCs, CTCs modulate a covert message into variations of target system resource, such as central processing unit (CPU) usage and response time.^5–7

There have been diverse schemes of CTCs, such as Internet protocol covert timing channel (IPCTC),⁴ JitterBug,⁸ time-replay covert timing channel (TRCTC),⁹ and model-based covert timing channel (MBCTC).^10,11 Cabuk et al.⁴ developed the first IPCTC and investigated a number of design issues. IPCTC uses a simple encoding scheme to transmit information, through which bits of covert message are sent to the receiver by controlling packet transmission during a certain time interval.¹² JitterBug is a different kind of CTC. Shah et al.⁸ designed a special keyboard device, which adjusted the interval of packets containing typed information to modulate covert messages. Cabuk⁹ later proposed a new CTC that replays inter-arrival sequences retrieved from legitimate traffic to modulate covert messages. Gianvecchio et al.¹¹ showed us a new method referred as MBCTC to construct CTC. By mimicking inter-packet delays (IPDs) produced by normal traffic, this scheme maintains its undetectability while modulating the covert message into IPD combinations. CTCs based on other Internet protocols (IPs) are also available for CTC researchers. Kogos et al.¹³ searched proposed covert channels designed with hypertext transfer protocol (HTTP), such as adjusting the presence or absence of HTTP packets in a certain time interval to leak information or modulating a covert message into the relative distance between a current uniform resource locator (URL) and the root directory. For other scenarios, Archibald and Ghosal¹⁴ proposed an MBCTC which is based on Skype; this scheme employees multiple IPDs to increase robustness.

Established with Long-Term Evolution (LTE), VoLTE abandons circuit switch technology used in the traditional voice call and transmits all the packets that are generated by the user equipment (UE) through Evolved Packet Core (EPC).¹⁵ Analogous to Voice over Internet Protocol (VoIP) applications such as Skype, data of VoLTE are embedded into payloads of Real-Time Protocol (RTP). Compared with packets generated by other types of application, packets carrying VoLTE data deserve a higher priority in the LTE transmission network.¹⁶ On the other side, packets of VoLTE are organized in a time regularity, for instance, IPDs between packets carrying audio data are 20 ms.¹⁷ Another feature of VoLTE is that the packet is numbered with a unique auto-increasing sequence number during the communication. To the end, CTCs based on IPD adjusting and packet rearranging will violate the regularity of VoLTE traffic apparently. Thus, designing a new CTC for VoLTE is necessary.

One advantage of RTP used in VoLTE is that the lost packets are easy to be tracked with the sequence number field in the RTP header. To analyze the transmission regularity, we captured several streams of VoLTE using TCPdump on both sides of the UE. In current implementation of VoLTE, packets with different types of the payload are transmitted through different channels.¹⁸ Furthermore, packets in VoLTE can be divided into three categories, which are packets carrying signaling information, packets carrying audio data, and packets carrying video data.¹⁹ Furthermore, packets with audio data are generated and delivered through the baseband processor (BP), on which both packet length and IPD are arranged in determinate rules.²⁰ At the same time, packets with video frames are produced by the application processor (AP) which invokes TCP/IP protocol stack in the system kernel to accomplish, thus packets of video stream can be captured conveniently by tools like TCPdump. Hence, our research interest focuses on the video stream. In the experiment, packet loss events with one packet take up more than 40% of all events, and this CTC is developed based on the statistical result.

Inspired by these results, in this work, we propose a CTC scheme based on VoLTE video stream via dropping out packets which are numbered with target RTP sequence number. In particular, the covert message to be transmitted is transformed into the sequence numbers in our scheme, which means that a covert message is grouped into fixed length blocks, and mapped into three sequence numbers of RTP based on the mapping matrix. The covert message that to be delivered is subdivided into blocks with specified bit length; then each block is modulated into the corresponding segment of overt traffic. To represent data blocks with sequence numbers of dropout packets, a mapping matrix is designed to link them. Meanwhile, the parameters of this scheme are flexible, and optimizing the parameters for better undetectability, robustness, or robustness is feasible.

The main contributions of our work are summarized as follows:

A novel method is proposed to build the CTC over VoLTE.

A mapping matrix is utilized for the correlating the data blocks with the sequence numbers of lost packets.

Building a CTC via dropping out packets is proved to be feasible for VoLTE video stream.

The remainder of our paper is organized as follows: In section “Preliminaries,” we show the preliminaries of this CTC, such as VoLTE, RTP, and packet loss events in VoLTE. After that, we illustrate the designation of this scheme, including the system model, message grouping, data representation, and robustness method. Later, we demonstrate how to construct this CTC for the sender and receiver. Furthermore, we present the experiment’s results and analysis. Then, we review the related works about CTC and related schemes. Finally, conclusions and discussions are proposed to overview the CTC scheme briefly.

Preliminaries

VoLTE principles and features

The next generation mobile radio system, called LTE, is designed to boost data transmission rate and user capacity. Distinct from the circuit-switched technique used in the traditional telephone, the basic of VoLTE is the packet-switched network mechanism.²¹ Via the all-IP technology utilized in LTE core network, VoLTE provides various types of multimedia services to users with common Internet-based protocols.²² With the guarantee of LTE infrastructure, VoLTE can service more end users with a high-definition audio, and end-to-end delays in VoLTE can be reduced to 150 ms with one way.²³ According to the VoLTE standard, packets of VoLTE share QoS Class Identifier (QCI) of 1 or 2, which is higher than 8 or 9 of traditional VoIP applications such as Skype and WeChat.²⁴ That means, both jitter and packet loss rate in VoLTE are lower than VoIP applications; excessive modifications of IPDs or packet orders could be identified by the warden.

Another feature of VoLTE is that the payloads of VoLTE packets are not encrypted; thus, arguments like sequence numbers and timestamp are accessible. Since VoIP applications like Skype encrypt the entire payload of user datagram protocol (UDP) packets, acquiring the sequence numbers in the RTP header is technologically impossible.²⁵ This means that retrieving the sequence numbers of lost packets in VoLTE is practical, even if the received packets are out-of-order. Thus, we choose VoLTE as the overt traffic for this CTC based on packet dropout. Except for VoLTE scenario, this CTC scheme is also available for those having a random distribution of packet loss events and accessible sequence numbers.

Familiar with VoIP applications, VoLTE is designed to support multimedia streams, such as the video stream. However, streams in VoLTE video call are composed of three parts, the signaling stream, the audio stream, and the video stream (Figure 1). Besides, these streams are dealt through separate modules in the UE. In general, there are two processors in the modern UE, one is the AP used for executing most computing tasks including video processing and another is the baseband application (BP) embedded with LTE modem.²⁶ The audio stream which is coded by other modules is packaged into RTP packets; then they are forwarded by the LTE module in BP. Meanwhile, the video stream captured by AP module is delivered through the IP stack by the system kernel. Thus, packets generated by AP can be influenced by extra system processes compared to straightforward loads in BP.²⁷

Figure 1.

Three different channels of VoLTE traffic during the video call.

Thus, modulating a covert message into the video stream stealthily is more practical than into the audio stream. Covert channel designers have to mimic the time regularity of audio stream, which provides little space to operate. On the other hand, the video stream can be disturbed by other runtime noise; thus, it provides an opportunity to design a CTC without violating the regularity of VoLTE. On the other aspect, since the audio packets and the video packets are delivered through different channels with unequal UDP ports, the data are dealt separately and uncorrelated. Thus, building this CTC over the video stream of VoLTE has no correlation between the audio stream, metrics like undetectability, robustness, and throughput can be evaluated directly.

RTP in VoLTE

Real-time transport protocol (RTP) is the protocol employed by VoLTE, which provides end-to-end delivery services for data with real-time characteristics, such as interactive audio and video.²⁸ Built on UDP, RTP stream is not blocked during the communication. Thus, jitters and transmission delays of RTP packets are only under the influence of network condition rather than UE’s capacity. In addition, feeding back of transmission quality is also embedded into RTP, which is named as real-time transport control protocol (RTCP). By reporting network jitter and packet loss rate through RTCP payload, the sender could adjust transmission parameters to provide better service.

There are several parts in the RTP header, including the sequence number, timestamp, synchronization source recognition code (SSRC), packet length, marker, payload type, and so on. After receiving the invitation signaling, parameters for the VoLTE call are negotiated so that they can be supported by both sides. To identify a session, SSRC is introduced as a unique identifier, which varies if communication restarts. According to the negotiation information captured ahead of RTP streams, the payload type field is the identifier of different multimedia types.

Using tools like TCPdump, RTP packets are captured during VoLTE call. After analyzing payload types of captured packets, it is proved that only video stream with payload type of 115 can be captured through system kernel. Furthermore, to satisfy restrictions of max transmission unit (MTU) of intermediate network nodes, video frames are sliced into several RTP payloads that would not violate the MTU length. Thus, it is common that the packets of one video frame are sent in a very short period time, which results in the conflict at a higher possibility.

CTC for VoLTE

As mentioned above, packets of VoLTE are divided into three categories. However, the audio information of VoLTE is coded by adaptive multi-rate wideband (AMR-WB), which has a strict inter-frame interval restriction. Although the video channel is designed in the same way, the image process module of AP could be disturbed by the complexity of the captured image. Thus, compared to the definite data size of audio frames, video frames captured through the smartphone’s camera may vary from 20 to 70 KB, which results in the variation of the number of packets (NoPs) corresponding to the whole frame.²⁹

Except for the data path, packets of the audio stream are granted with the QCI of 1, which guarantees the packet loss rate lower than $10^{- 2}$ and the packet transmission delay less than 100 ms.³⁰ Meanwhile, QCI of the video stream is set as 2, which has lower priority than the audio stream. Besides, the sizes of audio packets are almost 41 bytes; thus, transmitting the packets separately with the fixed IPD is sufficient. However, the lengths of video packets are mostly around 1278 bytes, which is larger than audio packets. At the same time, as shown in Figure 2, it is common that the LTE module has to transmit at least two video packets in a short period of time. As a result, the packet loss events in the video stream are not evitable during the transmission period, and the packet loss rate depends on the LTE network condition.³¹

Figure 2.

The variation of packet lengths for video packets.

Furthermore, packet loss events which are caused by the network condition are supposed to be discrete. That is, packet loss events with more continuous packets take up a smaller percentage of total events. Corresponding to the captured result, packet loss events with not more than five consecutive packets take up almost 90% of the total. As shown in Figure 3, the cumulative distribution function (CDF) curve rises rapidly at the start of the horizontal axis, and then, the curve rises slowly until it reaches the maximum of the vertical axis. Inspired by the result, in this work, we propose a CTC scheme for VoLTE video stream via dropping out packets having target sequence numbers. To modulate a covert message into the target position, a mapping matrix is utilized to link the blocks of the covert message with the sequence numbers in RTP header. Other mechanisms like robustness method and demodulation algorithm will be introduced in section “Construction.”

Figure 3.

The cumulative distribution function (CDF) of the number of packets (NoPs) of packet loss event. The marked vertical line corresponds to the percentage of packet loss events that have consecutive lost packets not more than 5.

System design

We first introduce the system model of this CTC. We then describe how to convert the covert message into RTP sequence numbers. The method that guarantees the transmission robustness is discussed in the last.

System model

The system model is shown in Figure 4, in which the sender is Alice and the receiver is Bob. The notations used in the figure are illustrated in Table 1. The overt traffic to be modulated is the video stream in VoLTE. For the sender, the covert message to be sent is grouped into blocks, according to the configuration of block length expressed as bl. Then, the data blocks noted as $D_{i}$ are mapped into codewords, according to the arrangement rules defined in the mapping matrix. After that, the sender acquires the sequence numbers of packets to be dropped. The final step for Alice is dropping target packets from the video stream in VoLTE.

Figure 4.

The system model of this CTC. The covert message is grouped into equal length blocks and converted into decimal integers. Then, the data block noted as $D_{i}$ is mapped into a codeword $V_{i}$ which is a set composed of target sequence numbers. After that, those packets are dropped from the overt traffic. By monitoring the received packets, the receiver of this CTC could identify the dropped packets. With the retrieved sequence numbers of lost packets, the receiver can restore the covert message using the demodulation algorithm.

Table 1.

The notations and symbols.

Notation	Description
$D_{i}$	The ith block of covert message
$V_{i}$	The ith codeword, which is organized as a set of RTP sequence numbers
$N$	The noise of LTE network, only packet dropout is considered
${V_{i}}^{'}$	The ith codeword which is identified from the retrieved sequence numbers of lost packets
$D'_{i}$	The ith block of covert message, which is restored from the ith retrieved codeword
$P x_{i}$	The first packet to be dropped in the ith codeword
$P y_{i}$	The second packet to be dropped in the ith codeword
$P z_{i}$	The third packet to be dropped in the ith codeword
$bl$	Binary bit length of blocks which is grouped from the covert message
$Ls$	The length of segments in overt traffic carrying $V_{i}$
$Ld$	The first segment containing the first two packets in $Ls$ , which is used for conveying a data block
$Lc$	The second segment containing the third packets in $Ls$ , which is embedded with robustness information

RTP: Real-Time Protocol; LTE: Long-Term Evolution.

For the receiver, sequence numbers of lost packets should be monitored during the communication process. Depending on the configuration of $Ls$ , $Ld$ , and $Lc$ , the receiver can identify the attributes of retrieved sequence numbers. To simplify the demodulation procedure, sequence numbers of different attributes are separated into different sets. As to the procedure of codeword identification, all the possible combinations of ( $P x_{i}$ , $P y_{i}$ ) should be checked to minimize the effect of network noise. To the identified codeword ${V_{i}}^{'}$ , the mapping matrix is referred while converting ${V_{i}}^{'}$ into the segment of covert message noted as $D'_{i}$ . Then, by recombining the $D'_{i}$ in the binary format, the receiver Bob can get the covert message transmitted from Alice.

Data mapping

The key point of this CTC is how to represent a covert message with RTP sequence numbers of dropout packets. To solve this, two measures are taken in the proposed scheme. The first step is data grouping, which means that the transmission is not affected by the length of the covert message, and the covert message is grouped into equal length blocks and transmitted separately. The second step is the mapping matrix, which connects the data blocks and the sequence numbers.

Packets in the overt stream are divided into sequential parts, which correspond to the blocks in the covert message. That means, the receiver can restore equal length covert message without transmission control. By transmitting data blocks separately, bit error rates (BERs) of different blocks are independent even network condition varies randomly. Another feature of this scheme is that only packet dropouts of network noise can influence the demodulation result. Thus, transmission jitter and packet reordering have no influence on it.

In this proposed scheme, the length of blocks in the covert message expressed as $bl$ is variable. By adjusting the configuration of $bl$ , other parameters like $Ls$ and $Ld$ are also changed to meet the requirement. The combinations of parameters have different performance in undetectability, throughput, and robustness. In fact, there are two segments of overt traffic that are utilized to deliver one block of the covert message. The first segment which is noted as $Ld$ above is tightly bonded with $bl$ and contains two packets that are expressed as $P x_{i}$ and $P y_{i}$ . To distinguish them, the relationship is restricted as $P x_{i}$ should be dropped ahead of $P y_{i}$ . The second segment which is noted as $Lc$ is used to transmit the error detection information and will be illustrated in the next section

E = 2^{bl} - 1

(1)

M (P x_{i}, P y_{i}) = D_{i}

(2)

As aforementioned, the matrix is utilized to link the data blocks and the positions of packets. The number of columns and rows of the mapping matrix depends on the setting of $bl$ , which indicates the sum of elements the matrix should contain. For a certain $bl$ , the sum of adopted elements in the matrix should be greater than $2^{bl}$ . At the same time, the decimal blocks of the covert message which is expressed as $D_{i}$ are mapped into the position ahead of $E$ . Particularly, the mapping regular is defined as equation (2). For example, if $D_{i}$ is set to 12 which matches the third row and the sixth column, then $P x_{i}$ is 3 and $P y_{i}$ is 6.

The relationship between $bl$ and $Ld$ is linked by the count of adopted elements. For a certain $bl$ , the calculation for $Ld$ is not easy. But, by calculating the count of available elements in the matrix first, it is easier to acquire the suitable $bl$ matching the max practicable candidate $Ld$

b l = \log_{2} ⌊ \frac{L d \times (L d - 1)}{2} ⌋

(3)

2^{bl + 1} \leq L d^{2} - Ld < 2^{bl + 2}

(4)

f (Ld) = L d^{2} - Ld

(5)

In the first stage, for the matrix $M$ , having $Ld$ rows and $Ld$ columns, the max corresponding $bl$ is figured out through equation (3). However, the target is finding the proper $Ld$ with a certain $bl$ . Therefore, equation (3) is transformed to inequality constraint (4), in which the $Ld$ is converted to the value of function $f (Ld)$ which is indicated in equation (5). The results of the calculation are located in Figure 5, where the horizontal axis is $Ld$ and the vertical axis is the result of $f (Ld)$ . Besides, the dotted horizontal line indicates $2^{bl + 1}$ , which is the minimum sum of elements the mapping matrix should contain under configured $bl$ .

Figure 5.

The relationship between $Ld$ and $bl$ . The function $f (Ld)$ is expressed as equation (5).

Generation of $P z_{i}$

Since this CTC scheme is built over VoLTE, which provides a guarantee of transmission delay time in an acceptable range. Thus, the receiver could retrieve the sequence numbers of lost packet timely, even if some of them are out-of-order. Benefited from that, this scheme is only effected by the lost packets in network noise rather than packet reorder.

To guarantee robustness, a packet noted as $P z_{i}$ is used for error detection in $Lc$ segment. Therefore, to keep robustness with network noise, a function maps the ( $P x_{i}$ , $P y_{i}$ ) and $P z_{i}$ is necessary to reduce the possibility of mistakes. Thus, the length of $Lc$ influences the effectiveness of error detection, which means that the probabilities of candidate ( $P x_{i}$ , $P y_{i}$ ) combinations being mapped into the same position in $Lc$ will decrease with larger $Lc$

P z_{i} = ((P x_{i} + P y_{i}) \mod Lc) + Ld + 1

(6)

Equation (6) shows the function used in the proposed scheme, where the $P z_{i}$ is extracted as a numerical characteristic of $P x_{i}$ and $P y_{i}$ . After the receiver gets the $P z_{i}$ in $Lc$ segment, identifying the codeword out from possible ( $P x_{i}$ , $P y_{i}$ ) combinations can be separated as a single procedure. Since the network condition may be volatile if the environment changes, the configuration of $Lc$ should fit the variation. However, it is impractical changing the configurations to adapt to the network condition while transmitting. Therefore, the $Lc$ used in this scheme is fixed during one communication, but it will change with different $Ld$ setting.

Construction

In this section, we illustrate the detail of modulation and demodulation. For the sender, the covert message to be transmitted is modulated into positions of dropped packets having target sequence numbers. For the receiver, by monitoring the packet loss events, sequence numbers of lost packets are retrieved. By referring the error detection information, codewords can be identified from sets of symbols. Then, through an inverse mapping procedure, the covert message is accessible to the receiver of this CTC.

Modulation

The procedure of modulation mainly aims at modulating the covert message into the overt traffic. As aforementioned, the covert message to be transmitted is grouped into equal length blocks, and the blocks are transformed into decimal format. By referring to the mapping matrix, the data blocks are mapped into three sequence numbers of video packets. Finally, packets having target sequence numbers are dropped out during the VoLTE call.

Data grouping

Before this process, the configuration of $bl$ should be set to a fixed value, since self-adaption is not considered in the current scheme. The covert message $S$ should be transformed into binary format no matter what kind of original content is. Then, from the start to the end, $S$ is sliced into equal length blocks based on the $bl$ . To satisfy the parameters’ requirements of the mapping matrix, the generated blocks are converted into decimal format.

Thus, each block could be modulated separately, and other methods like synchronization are naturally embedded into the segmenting mechanism. Benefited from this designation, both the sender and receiver could synchronize the transmission through referring to the variation of sequence number rather than the clock.

Data mapping

In this procedure, the grouped blocks are mapped into three positions noted as $P x_{i}$ , $P y_{i}$ , and $P z_{i}$ . Familiar with the data grouping procedure, $Ld$ , $Lc$ , and $Ls$ should be assigned to make sure the correct mapping matrix is loaded

D_{i} = {\begin{matrix} \frac{(P y_{i} - 1) \times (P y_{i} - 2)}{2} + P x_{i} - 1, P y_{i} \mod 2 = 0 \\ \frac{(P y_{i} - 1) \times (P y_{i} - 2)}{2} + P y_{i} - P x_{i} - 1, P y_{i} \mod 2 = 1 \end{matrix}

(7)

{\begin{matrix} P y_{i} \geq \sqrt{2 \times D_{i}}, P y_{i} \mod 2 = 0 \\ P y_{i} \leq \sqrt{2 \times D_{i}} + 2, P y_{i} \mod 2 = 1 \end{matrix}

(8)

\frac{(P y_{i} - 1) \times (P y_{i} - 2)}{2} \leq D_{i} \leq \frac{(P y_{i} - 1) \times P y_{i}}{2}

(9)

P x_{i} = {\begin{matrix} \frac{(P y_{i} - 1) \times (P y_{i} - 2)}{2} + D_{i} + 1, P y_{i} \mod 2 = 0 \\ \frac{(P y_{i} - 1) \times (P y_{i} - 2)}{2} + P y_{i} - D_{i} - 1, P y_{i} \mod 2 = 1 \end{matrix}

(10)

Since the mapping matrix is an upper triangular matrix, calculating the $P x_{i}$ or $P y_{i}$ directly is sophisticated, especially under the elements’ arrangement mode used in the matrix. Therefore, we deduce $D_{i}$ based on $P x_{i}$ and $P y_{i}$ first, which is shown in equation (7). As illustrated in Figure 6, the elements in the matrix $M$ are arranged on the basis of columns’ parity; thus, $D_{i}$ should be inferred by the parity of $P y_{i}$ . Then, the boundary of $P y_{i}$ can be calculated by equation (8), in which the maximum or the minimum of $P y_{i}$ is conveyed roughly. Finally, we search the best $P y_{i}$ linearly, until the $P y_{i}$ reaches the restriction of equation (9). Since the boundary of $P y_{i}$ calculated by equation (8) is approximate to the target value, the time cost of linear search is not more than two steps.

Figure 6.

The procedures of data grouping and mapping. The binary covert message is grouped into equal length blocks showed as $D_{i}$ . Each block is mapped into codeword separately.

Finally, based on the precise value of $P y_{i}$ , we can get $P x_{i}$ directly by equation (10), where $P x_{i}$ is also discussed on the basis of the parity of $P y_{i}$ . The error detection information, expressed as $P z_{i}$ in this scheme, is calculated through equation (6). So, to reduce complexity, the $Lc$ that is used in the proposed scheme is fixed referring to Figure 7. Under the configured $bl$ , the minimum value of possible $Ld$ is chosen as the target $Ld$ , the maximum value of possible $Ld$ is set as $Ls$ , which is the number of packets in each group.

Figure 7.

A mapping matrix used in this CTC. Depending on the configuration, the number of lines and columns are set to $Ld$ , which is calculated by $bl$ . The $E$ showed in the figure is the ultimate element in the last column. The $N$ showed above means that the position is not adopted.

Now, codewords of this CTC are generated. After dropping out the VoLTE packets having the sequence numbers in the RTP header, the covert message is modulated into the overt traffic.

Demodulation

In this section, we explain how to restore the covert message which is embedded into the sequence numbers of lost packets. The demodulation process mainly contains procedure of codeword identification and inverse mapping; other measures like lost packets’ sequence numbers retrieving and recombination are not the key point, so they are not illustrated particularly here.

Codeword identification

With retrieved RTP sequence numbers of dropout packets, the receiver should identify the real codeword from all the available symbols. Thus, the error detection information $P z_{i}$ is the guarantee of a correct result. The preprocessing step is separating the positions based on the attribute, and the next step is generating all the ( $P x_{i}$ , $P y_{i}$ ) combinations adopted in the mapping matrix, the final step is verifying the error detection information to identify the authentic codeword.

The codeword identification procedure aims at retrieving the codeword sent by the sender from the symbols which are disturbed by the network noise. As shown in Figure 8, the retrieved RTP sequence numbers of lost packets are separated based on the range of $Ld$ and $Lc$ . Then, collections of these positions are set as the parameters of Algorithm 1, where the correct codeword is identified. Step 2 means selecting two elements from $d_{1}$ to $d_{m}$ . Since the noise may be too strong to exceed the signal, all the combinations should be checked to avoid mistakes. Step 4 calls the function defined in equation (6), which calculates the $P z_{i}$ that should have appeared. After this, if the supposed $P z_{i}$ appears in $d_{m + 1}$ to $d_{n}$ , then the combination of ( $x_{i}$ , $y_{i}$ , $z_{i}$ ) is in the codebook. If there are several results in r, the codeword having an outcome of $P y_{i} - P x_{i}$ around $L_{d} / 2$ is the final result. In the end, the legal codeword is used in inverse mapping procedure.

Figure 8.

The procedure of separating the retrieved sequence numbers into different sets.

Algorithm 1. Codeword identification.
1: r← {}, { $d_{1}$ , $d_{2}$ , …, $d_{m}$ }, { $d_{m + 1}$ , $d_{m + 2}$ , …, $d_{n}$ } 2: for $x_{i}$ , $y_{i}$ in { $d_{1}$ , $d_{2}$ , …, $d_{m}$ }: 3: if $x_{i} < y_{i}$ then 4: $z_{i}$ ← $f (x_{i}, y_{i})$ 5: if $z_{i}$ in { $d_{m + 1}$ , $d_{m + 2}$ , …, $d_{n}$ } then 6: append ( $x_{i}$ , $y_{i}$ , $z_{i}$ ) to r 7: else 8: discard ( $x_{i}$ , $y_{i}$ ) 9: end if 10: end if 11: end for 12: return r

Algorithm 1. Codeword identification.

1: r← {}, {

d_{1}

d_{2}

, …,

d_{m}

}, {

d_{m + 1}

d_{m + 2}

, …,

d_{n}

}
2: for

x_{i}

y_{i}

in {

d_{1}

d_{2}

, …,

d_{m}

}:
3: if

x_{i} < y_{i}

then
4:

z_{i}

←

f (x_{i}, y_{i})

5: if

z_{i}

in {

d_{m + 1}

d_{m + 2}

, …,

d_{n}

} then
6: append (

x_{i}

y_{i}

z_{i}

) to r
7: else
8: discard (

x_{i}

y_{i}

)
9: end if
10: end if
11: end for
12: return r

Inverse mapping

With the retrieved codeword, the next step for the receiver is converting the codeword into the original data. Since this step is the inverse operation of the mapping step on the sender side, the mapping matrix is also adopted.

The major operation of this step is calculating the corresponding $D_{i}$ with identified $P x_{i}$ and $P y_{i}$ . As the mapping matrix is organized by the column’s parity, the count of adopted elements before the column $P y_{i}$ should be calculated first. Then, based on the parity of $P y_{i}$ , the $D'_{i}$ is calculated with the value of $P x_{i}$ in different ways, we conclude the formulation as equation (7), where the arguments are $P x_{i}$ and $P y_{i}$ .

As the covert message is grouped into blocks and transferred separately. To get the entire message, the receiver should recombine all the blocks in the binary mode. After all the procedures mentioned above, a covert message is transmitted to the receiver by modulating it into the sequence numbers of dropout packets in VoLTE video stream.

Experiment results and analysis

In this initial exploration, our focus is whether we can build the CTC for VoLTE. To this end, we experimented with different configurations of $bl$ . The dataset that is used for the test is the real traffic which is captured in two Samsung A5108 mobile phones using TCPdump, and the covert message to be modulated is generated randomly. The simulations of modulation and demodulation are achieved by python scripts. Since this CTC is only influenced by the noise of dropout, packet reorder has none effect on this scheme and is not considered. To test the robustness of different network conditions, we also compare the BERs of distinct configurations under various noise levels.

Undetectability

We calculate the CDFs of the NoPs in packet loss events and inter-packet numbers between loss events. We first calculate the statistical result of packet loss events, which includes the counts of consecutive lost packets and NoPs between adjacent loss events. The results are presented in Figure 9(a) and (b), which reveal the configurations’ effect on the distribution of packet loss events. Figure 9(a) shows that if the block length is shorter than 15, the line of covert traffic will reach 1 earlier than the overt traffic. Since only two packets are dropped in each $Ld$ segment, the density of dropout packets introduced by this scheme increases with a decreasing $bl$ . Figure 9(b) shows the CDF of counts of consecutive packets in packet loss events, and the figure shows that the scheme mimics the overt traffic well. The only difference between the overt traffic and covert traffic is that the CDF curve rises up more rapidly at the beginning than overt traffic.

Figure 9.

Results of the undetectability test under different $bl$ . (a) The cumulative distribution functions (CDFs) of the number of packets (NoPs) between packet loss events under various $bl$ . (b) The CDFs of the NoPs of packet loss events under various $bl$ . (c) The results of Kolmogorov–Smirnov (K-S) test of the overt traffic and the covert traffic corresponding to (a). (d) Results of K-S test corresponding to (b).

We also use a statistical shape test method, called Kolmogorov–Smirnov (K-S) test. The result of the K-S test reveals the similarity of two distributions, and if the p-value is lower than 0.05, it means that the two distributions are not identical.³² Figure 9(c) shows the K-S test results of the distributions in Figure 9(a), and the reference dataset is the original distribution. In the results shown in Figure 9(c), if the configuration of $bl$ is lower than 15, this scheme is detectable. The result of K-S test is the same as the CDF test, which indicates the effect of the configurations of shorter $bl$ . Figure 9(d) shows the K-S test results of distributions in Figure 9(b), the horizontal axis is the block length, and the vertical axis is the p-value of the K-S test. In this test, the covert traffic is detectable if the block length is shorter than 11; other covert traffics are regarded as the same as the original distribution.

In summary, through the CDF shape test and the K-S test, this CTC scheme is stealthy if the configuration of block length is larger than 16. The conclusion is the same as the theoretical analysis, since the smaller the block length is, the smaller $Ld$ is required; thus, more packets should be dropped in the modulation procedure and the disparity between the overt traffic and the covert traffic will increase.

Robustness

The transmission quality of this CTC is influenced by the lost packets introduced by the LTE network. With the higher packet loss rate, there will be more symbols to be identified in the codeword identify procedure of demodulation. To validate the quality of this CTC, the BER is measured with various noise levels designed to mimic the actual circumstances.

As shown in Figure 10, the results of BER are correlative to block length and packet loss rate. To simulate various scenarios, the packet loss rates are configured from 0.5% to 3.0% with 0.5% gap. In Figure 10, the horizontal axis is the values of the block length, the vertical axis indicates the results of bit error rate, and lines with different colors are used to indicate various noise level with different packet loss rate. Generally, the covert transmission will get worse with the increasing block length even under the same packet loss rate. Besides, even if the configuration of block length is the same, the result of BER is also sensitive to network condition, since the higher the packet loss rate is, the more symbols should be identified.

Figure 10.

The bit error rate under different $bl$ and packet loss rates. The results are measured under various packet loss rates from 0.5% to 3.0%, which are displayed using separate lines.

However, although we have tried several ways to select packets that are really dropped by this CTC, the BER is almost the same. The reason is the poor signal-to-noise ratio. For example, if block length goes up to 20, the corresponding $Ld$ is 1449, while the NoPs dropped in $Ld$ is fixed to 2, which is much less than 14 introduced by noise under packet loss rate at 1%. Therefore, this scheme is profitable to obtain lower BER with methods like error correction code or data retransmission.

Trade-off between metrics

By analyzing the experimental results, we have shown that BER can be reduced by decreasing block length. However, this also results in deteriorating undetectability. To balance the robustness, throughput, and undetectability, we sum up the performance of different block length in Figure 11. In the figure, the horizontal axis represents the value of block length, and the left vertical axis reveals the throughput while the right vertical axis reveals the BER and additional packet loss rate due to modulation (Figure 11).

Figure 11.

Comparison of metrics under the different configuration of $bl$ . Three metrics are shown here, including throughput, bit error rate, and additional packet loss rate due to modulation.

According to the figure, with the increasing of the block length, the throughput and additional packet loss rate are decreasing through a similar tendency. As aforementioned, the CTC can be detected if the configuration of block size is lower than 16, so the best block length to be used is 16 to most of the scenarios. Besides, the larger value of block length behaves well in undetectability, especially for the scenarios with better network condition. However, the packet loss rate of VoTLE is not a fixed value, which could vary from 10% to almost zero. Therefore, the configuration of parameters depends on the actual network scenario, which means that a small value is suitable for scenarios with high packet loss rate, and a lager value for scenarios with low packet loss rate. In summary, if the network is getting worse, a smaller block length should be utilized to guarantee low BER and acceptable throughput. If the network is getting better, a bigger block length should be utilized to avoid detection.

Evaluation

With the analysis of experimental results mentioned above, this CTC scheme is proved to be effective with suitable configurations of parameters under stable network condition. At the same time, the state-of-the-art research of CTC over VoLTE is also proved to be feasible. Zhang et al.¹⁷ proposed the CTC scheme via adjusting silence periods called silence-period based covert channel (SPCC). Zhang et al.³³ also proposed another CTC scheme achieved by packet rearranging over VoLTE called NoP-based gray code timing channel (NoP-GCTC) (Table 2).

Table 2.

Comparison between other CTC schemes over VoLTE and this packet dropout CTC.

Scheme	SPCC	NoP-GCTC	Packet dropout CTC
Throughput (bps)	0.7–3.1	1.0–8.2	1.0–4.1
BER (packet loss rate = 1%)	0.1%–0.5%	0.1%–1.0%	3.0%–11.0%
BER (packet loss rate = 2%)	0.2%–0.6%	1.1%–0.2%	5.0%–15%

CTC: covert timing channel; BER: bit error rate; SPCC: silence-period based covert channel; NoP-GCTC: NoP-based gray code timing channel.

With the comparison of throughput, BER under packet loss rate at 1%, and BER under packet loss rate at 2% between this CTC scheme and other CTC schemes over VoLTE, it is definite that this scheme achieves the same range of throughput compared to other schemes. In some scenarios, the robustness of this CTC is not as good as others. However, even if the received packets are out-of-order, the receiver of this CTC could retrieve the sequence numbers of lost packets definitely at the end of the communication. Thus, if the density of lost packets of network noise varies, the robustness of this scheme is acceptable in blocks with normal packet loss rate.

In the actual communication environment, a warden settled on the LTE network may appear as an active defending measure. However, no matter which side the warden is, the dropped packets are regarded as the result of transmission failure due to a wireless collision. As a consequence of this, this CTC is stealthy under the inspection of packets’ statuses, contents, and regularities. Even more, if the active warden drops packets randomly or consecutively, the influence is equivalent to the strengthening of the packet loss rate. Thus, the only effect is the aggravating of robustness on the receiver side. Meanwhile, a signal of packet loss rate exceeding the normal ranges is also noticeable. Therefore, this CTC scheme is stealthy and feasible under the monitoring of the warden.

Related work

A CTC can leak covert message via modulating target timing behavior. Most CTCs are established over end-to-end communication, like HTTP,^13,34 secure shell (SSH), network time protocol (NTP),³⁵ or other TCP-based protocols.³⁶ With the rising popularity of instant message applications, CTCs are proposed for applications like Skype,¹⁰ WeChat, and others. The classic CTCs include On–Off CTC, Jitterbug, IPD-based CTC, MB-CTC, and TRCTC.¹⁴

The entities modulated by CTC can be various timing features. Cabuk et al.⁴ proposed a CTC based on controlling the transmission behavior in a certain time. By setting a fixed time window before transmission, the sender can modulate the covert message via controlling packet transmission in the time window.³⁷ Liu et al.³⁸ proposed a model-based CTC using fountain code. With the help of fountain code, models shared by the sender and receiver can be updated through varied IPD distribution. Ahsan and Kundur³⁹ proposed a method to build a CTC using packet reordering, which adjusts the packets to the target sequence. El-Atawy et al.⁴⁰ proposed a robustness covert channel based on out-of-order packets, which modulates several bits of the covert message into packet combinations. Luo et al.⁴¹ proposed a multi-stream-based CTC scheme, which maps the covert message into 10 kinds of packet combinations.

So, to enhance robustness, Houmansadr et al.⁴² proposed an IPD-based CTC using robust code. Several coding algorithms are considered in the framework; thus, it can absorb features of different algorithms. Archibald and Ghosal¹⁰ proposed a CTC scheme over Skype, and it guarantees robustness by mapping symbols to multi IPDs. Wu et al.⁴³ proposed a CTC scheme based on Huffman coding, which improves robustness with four kinds of error correcting codes. Sellke et al.⁴⁴ proposed a novel CTC method based on mapping L-bits to N-packets, which means that L-bits are modulated into N IPDs.

However, the features of overt traffic in those schemes are not familiar with VoLTE. CTCs over VoLTE should be designed with other modulation entities. Zhang et al.¹⁷ designed a CTC over VoLTE via adjusting silence periods, which are the normal phenomenon during the end-to-end audio communication. By adjusting the packet sequence at the end of the silence period, blocks of a covert message can be modulated into the relative distance between the packets carrying an audio payload and the packets of silence insertion descriptor (SID). Zhang et al.³³ also proposed a CTC over VoLTE via packet rearranging; this scheme adjusts the number of RTP packets between RTCP packets to deliver a covert message. The experimental results showed that these schemes are stealthy under the current detection approaches like K-S test, Kullback–Leibler divergence test, and CDF test.^45,46

By analyzing the captured VoLTE traffic, we discovered that most packet loss events of VoLTE are distributed randomly. Consequently, in this article, we design a new packet dropout–based CTC scheme, which modulates the blocks of a covert message by dropping out certain packets with target sequence number.

Conclusion

We have proposed a CTC over VoLTE video stream by dropping out target video packets. We also employ the two-dimensional mapping matrix to map the blocks of covert message and codewords, which consist of three packets to be dropped. By experiments that are based on the captured traffic, we have demonstrated that the scheme is efficient and acceptable. By adjusting the configuration of the block length, this scheme allows the trade-off between robustness, throughout, and undetectability. As the network condition of VoLTE is variable, this scheme is improbable with an adaptive configuration of block length and $Lc$ .

Since this CTC utilizes the dropped packets as the covert message carrier, the inherent drawback of this scheme is that the demodulation accuracy aggravates if the packet loss rate exceeds the normal ratio. Besides, the throughput of this scheme correlates with the modulation cost. With the improving of the density of dropped packets, the performance can be enhanced to the corresponding level. However, to transmit the covert message stealthily, the configuration of block length should not be less than 16; thus, the max throughput of this scheme has an upper limit. This CTC scheme is also improvable in the aspect of robustness; methods like retransmission and error correction code can be utilized in the future improvement.

Footnotes

Handling Editor: Gary Leavens

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was partly supported by the National Natural Science Foundation of China (no. U1636213), Beijing Municipal Education Commission under Grant (no. KM201510016009), Excellent Teachers Development Foundation of BUCEA (no. 21082717046), National Key R&D Program of China (no. 2016YFC060090).

References

Zhang

Tan

Xue

et al . Cryptographic key protection against FROST for mobile devices. Cluster Comput 2017; 20(3): 2393–2402.

Guan

et al . Achieving efficient and secure data acquisition for cloud-supported Internet of Things in smart grid. IEEE Internet Things 2017; 4(6): 1934–1944.

Lampson

. A note on the confinement problem. Commun ACM 1973; 16(10): 613–615.

Cabuk

Brodley

Shields

. IP covert timing channels: design and detection. In: Proceedings of the 11th ACM conference on computer and communications security, Washington, DC, 25–29 October 2004, pp.178–187. New York: ACM.

Yao

Venkataramani

Milo

. Covert timing channels exploiting non-uniform memory access based architectures. In: Proceedings of the on Great Lakes symposium on VLSI 2017, Banff, AB, Canada, 10–12 May 2017, pp.155–160. New York: ACM.

Lee

Wang

Weatherspoon

. PHY covert channels: can you see the idles? In: Proceeding of the 11th USENIX symposium on network system design and implementation, Seattle, WA, 2–4 April 2014, pp.173–185. Berkeley, CA: USENIX.

Wang

Qiang

Jin

et al . CovertInspector: identification of shared memory covert timing channel in multi-tenanted cloud. Int J Parallel Prog 2017; 45(1): 142–156.

Shah

Molina

Blaze

. Keyboards and covert channels. In: Proceeding of the 15th USENIX security symposium, Vancouver, BC, Canada, 31 July–4 August 2006, pp.59–75. Berkeley, CA: USENIX.

Cabuk

. Network covert channels: design, analysis, detection, and elimination. West Lafayette, IN: Purdue University, 2006, p.4.

10.

Archibald

Ghosal

. Design and analysis of a model-based covert timing channel for skype traffic. In: Proceeding of the 2015 IEEE conference on communications and network security, Florence, Italy, 28–30 September 2015, pp.236–244. New York: IEEE.

11.

Gianvecchio

Wang

Wijesekera

et al . Model-based covert timing channels: automated modeling and evasion. In: Proceeding of the international workshop on recent advances in intrusion detection, Cambridge, MA, 15–17 September 2008, pp.211–230. Berlin: Springer.

12.

Hussain

. A high bandwidth covert channel in network protocol. In: Proceeding of the 2011 international conference on information and communication technologies, Karachi, Pakistan, 23–24 July 2011, pp.1–6. New York: IEEE.

13.

Kogos

Seliverstova

Epishkina

. Review of covert channels over HTTP: communication and countermeasures. In: Proceeding of the 2017 IEEE conference of Russian young researchers in electrical and electronic engineering, St. Petersburg, Russian, 1–3 February 2017, pp.459–462. New York: IEEE.

14.

Archibald

Ghosal

. A comparative analysis of detection metrics for covert timing channels. Comput Secur 2014; 45: 284–292.

15.

Ghosh

Ratasuk

Mondal

et al . LTE-advanced: next-generation wireless broadband technology. IEEE Wirel Commun 2010; 17(3): 10–22.

16.

Peng

et al . Insecurity of voice solution VoLTE in LTE mobile networks. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, Denver, CO, 12–16 October 2015, pp. 316–327. New York: ACM.

17.

Zhang

Tan

Liang

et al . A covert channel over VoLTE via adjusting silence periods. IEEE Access 2018; 6: 9292–9302.

18.

Serval

Markovic

Kovacevic

. 4G mobile internet, services, regulation and mobile operators in Bosnia and Herzegovina. In: Proceeding of the 37th international convention on information and communication technology, electronics and microelectronics, Opatija, Croatia, 26–30 May 2014, pp.432–435. New York: IEEE.

19.

Hyun

et al . A VoLTE traffic classification method in LTE network. In: Proceeding of the 16th Asia-Pacific network operations and management symposium, Hsinchu, Taiwan, 17–19 September 2014, pp.1–6. New York: IEEE.

20.

Ozturk

Vajapeyam

. Performance of VoLTE and data traffic in LTE heterogeneous networks. In: Proceeding of 2013 IEEE global communications conference, Atlanta, GA, 9–13 December 2013, pp.1595–1601. New York: IEEE.

21.

Poikselka

Holma

Hongisto

et al . Voice over LTE: VoLTE. Chichester, West Sussex: John Wiley & Sons Ltd, 2012, p.9.

22.

Huang

Zhu

. Cognitive femtocell networks: an opportunistic spectrum access for future indoor wireless coverage. IEEE Wireless Commun 2013; 20(2): 44–51.

23.

Tabany

Guy

. An End-to-End QoS performance evaluation of VoLTE in 4G E-UTRAN-based wireless networks. In: Proceeding of the 10th international conference on wireless and mobile communications, Seville, 22–26 June 2014, pp.90–97. Wilmington, DE: IARIA.

24.

Yang

. The regressive QoE model for VoLTE. In: International conference on advanced information networking and applications workshops, Taipei, Taiwan, 27–29 March 2017, pp.409–414. New York: IEEE.

25.

Korczynski

Duda

. Classifying service flows in the encrypted skype traffic. In: Proceeding of 2012 IEEE international conference on communications, Ottawa, ON, Canada, 10–15 June 2012, pp.1064–1068. New York: IEEE.

26.

Zhu

Zhang

Mao

et al . A methodology for determining the image base of arm-based industrial control system firmware. Int J Crit Infr Prot 2017; 16: 26–35.

27.

Tan

Zhang

et al . A high-performance hierarchical snapshot scheme for hybrid storage systems. Chinese J Electron 2018; 27(1): 76–85.

28.

Jacobson

Frederick

Casner

et al . RTP: a transport protocol for real-time applications, https://tools.ietf.org/html/rfc3550 (2003, accessed 3 February 2018).

29.

Sun

Zhang

et al . DPPDL: a dynamic partial-parallel data layout for green video surveillance storage. IEEE T Circ Syst Vid 2016; 28(1): 193–205.

30.

Vizzarri

. Analysis of VoLTE end-to-end quality of service using OPNET. In: Proceeding of the 2014 European modelling symposium, Pisa, 21–23 October 2014, pp.452–457. New York: IEEE.

31.

Kim

Kwon

et al . Breaking and fixing volte: exploiting hidden data channels and mis-implementations. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, Denver, CO, 12–16 October 2015, pp.328–339. New York: ACM.

32.

Rezaei

Hempel

Shrestha

et al . Detecting covert timing channels using non-parametric statistical approaches. In: 2015 international wireless communications and mobile computing conference, Dubrovnik, 24–28 August 2015, pp.102–107. New York: IEEE.

33.

Zhang

Liang

Zhang

et al . Building covert timing channels by packet rearrangement over mobile networks. Inform Sciences 2018; 445–446: 66–78.

34.

Shen

Yang

Huang

. Concealed in web surfing: behavior-based covert channels in HTTP.J Netw Comput Appl 2018; 101: 83–95.

35.

Ameri

Johnson

. Covert channel over network time protocol. In: Proceedings of the 2017 international conference on cryptography, security and privacy, Wuhan, China, 17–19 March 2017, pp.62–65. New York: ACM.

36.

Dong

Qian

et al . A network covert channel based on packet classification. Int J Netw Secur 2012; 14(2): 109–116.

37.

Gianvecchio

Wang

. An entropy-based approach to detecting covert timing channels. IEEE T Depend Secure 2011; 8(6): 785–797.

38.

Liu

Zhai

et al . Designing analog fountain timing channels: undetectability, robustness, and model-adaptation. IEEE T Inf Foren Sec 2016; 11(4): 677–690.

39.

Ahsan

Kundur

. Practical data hiding in TCP/IP. In: Proceeding of the workshop multimedia security at ACM multimedia, Juan-les-Pins, 6 December 2002. New York: ACM.

40.

El-Atawy

Duan

Al-Shaer

. A novel class of robust covert channels using out-of-order packets. IEEE T Depend Secure 2017; 14(2): 116–129.

41.

Luo

Chan

Zhou

et al . Robust network covert communications based on TCP and enumerative combinatorics. IEEE T Depend Secure 2012; 9(6): 890–902.

42.

Houmansadr

Borisov

. CoCo: coding-based covert timing channels for network flows. In: Proceeding of the 13th international workshop on information hiding, Prague, Czech Republic, 18–20 May 2011, pp.314–328. Berlin: Springer.

43.

Wang

Ding

et al . Improving performance of network covert timing channel through Huffman coding. Math Comput Modell 2012; 55(1–2): 69–79.

44.

Sellke

Wang

Bagchi

et al . TCP/IP timing channels: theory to implementation. In: Proceeding of the IEEE international conference on computer communications 2009, Rio de Janeiro, Brazil, 19–25 April 2009, pp.2204–2212. New York: IEEE.

45.

Biswas

Ghosal

Nagaraja

. A survey of timing channels and countermeasures. ACM Comput Surv 2017; 50(1): 1–39.

46.

Rezaei

Hempel

Sharif

. Towards a reliable detection of covert timing channels over real-time network traffic. IEEE T Depend Secure 2017; 14(3): 249–264.

An end-to-end covert channel via packet dropout for mobile networks

Abstract

Keywords

Introduction

Preliminaries

VoLTE principles and features

RTP in VoLTE

CTC for VoLTE

System design

System model

Data mapping

Generation of P z i

Construction

Modulation

Data grouping

Data mapping

Demodulation

Codeword identification

Inverse mapping

Experiment results and analysis

Undetectability

Robustness

Trade-off between metrics

Evaluation

Related work

Conclusion

Footnotes

Declaration of conflicting interests

Funding

References

Generation of $P z_{i}$