109 urn:lsid:arphahub.com:pub:3dc5f44e-8666-58db-bc76-a455210e8891 JUCS - Journal of Universal Computer Science jucs 0948-695X 0948-6968 Journal of Universal Computer Science 10.3217/jucs-024-07-0864 23379 Research Article C.2.0 - General D.2.11 - Software Architectures D.4.6 - Security and Protection I.2 - ARTIFICIAL INTELLIGENCE I.5.3 - Clustering K.6.5 - Security and Protection SOMSteg - Framework for Covert Channel, and its Detection, within HTTP Graniszewski Waldemar w.graniszewski@ee.pw.edu.pl 1 Krupski Jacek 1 Szczypiorski Krzysztof 1 Warsaw University of Technology, Warsaw, Poland Warsaw University of Technology Warsaw Poland

Corresponding author: Waldemar Graniszewski (w.graniszewski@ee.pw.edu.pl).

Academic editor:

2018 28 07 2018 24 7 864 891 9381F4D9-998F-512F-86D3-4FDE21149561 5505369 24 02 2017 24 07 2018 Waldemar Graniszewski, Jacek Krupski, Krzysztof Szczypiorski This article is freely available under the J.UCS Open Content License.

Due to high efficiency and relatively ease of use, application-layer covert channels, especially HyperText Transfer Protocol (HTTP), have been extensively studied in recent years. This paper extends a new steganographic method where the covert channel is created within the HTTP protocol header, i.e., trailer field. HTTP is the most popular protocol for browsing the Internet and gives the possibility of information sharing. The popularity of HTTP traffic is one of the requirements for undetectable message exchange. This paper presents SOMSteg - a framework for a covert channel, and its detection as a countermeasure, within HTTP. The server's and client's parts are implemented in the JavaScript language and based on the Node.js. Several machine learning techniques can be used for anomaly detection. We tested the detection possibility of such hidden communication by Self Organizing Maps (SOMs). SOMs were also used for tuning the parameters of the covert channel settings within the HTTP trailer. The results of the performed studies are also presented.