pith. sign in

arxiv: 2606.11532 · v1 · pith:N6LJZBM5new · submitted 2026-06-10 · 💻 cs.CR

Hiding the Trees in the Forest: Building Network Covert Channels with Hash-Based Covert Carrier Filtering

Zexiao Zou , Zhiqiang Wang , Baoxu Liu , Yuyang Han , Yan Zhang This is my paper

Pith reviewed 2026-06-27 09:51 UTC · model grok-4.3

classification 💻 cs.CR
keywords network covert channelshash-based filteringcovert carrier selectiondetection resistancemachine learning analysisstorage channelstiming channelskey-dependent security
0
0 comments X

The pith

A hash-based strategy filters carriers in network covert channels using a shared key to enhance resistance to detection.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper introduces a hash-based covert carrier filtering strategy for network covert channels. The approach uses a key-dependent hash to dynamically select a sparse subset of possible carriers, making the channel's secrecy rely on the key rather than the hiding method alone. Experiments using machine learning classifiers on both storage and timing channels demonstrate that detection resistance improves markedly once the key exceeds six bits in size. The added processing time remains under eight microseconds per packet, suggesting practicality in real networks. Readers would care because it offers a way to maintain covert communication even when the algorithm details are known to adversaries.

Core claim

By introducing a key-dependent filtering rule during channel construction, the hash-based strategy allows communicating parties to randomly filter a sparse subset from the carrier set as the covert carrier set, enhancing randomness and coupling the covertness tightly to key security, which experimental validation with machine learning traffic analysis shows significantly improves detection resistance.

What carries the argument

The hash-based covert carrier filtering strategy, which applies a key-dependent hash function to select the covert carriers dynamically from the full carrier set.

If this is right

  • The strategy works for both network storage covert channels and timing covert channels.
  • Filter keys larger than six bits cause a significant reduction in the effectiveness of machine learning classifiers at detecting the channels.
  • The per-packet processing delay introduced is less than 8 microseconds, allowing use in high-speed networks.
  • The filtering increases the randomness of carrier selection without exposing the algorithm.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If new statistical patterns emerge from the hash filtering, advanced classifiers beyond those tested could still detect the channels.
  • This method could be applied to other types of covert channels not examined in the paper.
  • Future designs might combine this with multiple keys or varying filter rates for added security.

Load-bearing premise

Introducing the key-dependent hash filtering does not create new statistical patterns or artifacts in the traffic that machine learning classifiers could exploit beyond the specific detection methods tested.

What would settle it

A machine learning classifier achieving high detection accuracy on filtered traffic with key sizes over six bits would show the strategy does not improve resistance as claimed.

Figures

Figures reproduced from arXiv: 2606.11532 by Baoxu Liu, Yan Zhang, Yuyang Han, Zexiao Zou, Zhiqiang Wang.

Figure 1
Figure 1. Figure 1: Covert Carrier Filtering. After covert carrier filtering, only a portion of all [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: The Prisoner Model 2.1. Network Covert Channel Construction According to their construction mechanisms, covert channels can be clas￾sified into covert storage and timing channels [8, 9, 10]. This classification has been widely accepted by subsequent researchers and has served as the foundation for further studies. Llamas et al. [11] provided a detailed discus￾sion of the construction methods for both cover… view at source ↗
Figure 3
Figure 3. Figure 3: Network Covert Channel Model 3.2. Covert Data Security Analysis In a network covert channel model that incorporates a covert carrier fil￾tering strategy, once the CS is provided with the shared resources C, the key K, and the covert data D, the corresponding Ce can be uniquely deter￾mined. From an information-theoretic perspective, this can be expressed as H  Ce|(C, K, D)  = 0. For the CR to correctly de… view at source ↗
Figure 4
Figure 4. Figure 4: Hash–Based Covert Carrier Filtering Process. [PITH_FULL_IMAGE:figures/full_fig_p019_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Robustness of Network Timing Covert Channel in Different Network Environ [PITH_FULL_IMAGE:figures/full_fig_p032_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Performance of the network storage covert channel under different filter key [PITH_FULL_IMAGE:figures/full_fig_p033_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Performance of the network timing covert channel under different filter key sizes. [PITH_FULL_IMAGE:figures/full_fig_p034_7.png] view at source ↗
read the original abstract

As an effective anti-censorship mechanism, network covert channels can provide data privacy protection and ensure communication security. However, the covertness of existing network covert channels primarily depends on the secrecy of their covert algorithms. With the increasing depth of research in this field, the difficulty of breaking such algorithms has gradually decreased. Once the algorithm is exposed, the network covert channel can be easily detected by adversaries. To address this issue, this paper proposes a covert carrier filtering strategy based on the hash. In this strategy, a key-dependent filtering rule is introduced during the construction of the network covert channel, enabling the communicating parties to randomly and dynamically filter a sparse subset from the carrier set as the covert carrier set. This strategy not only enhances the randomness of carrier selection but also tightly couples the covertness of the network covert channel with the security of the key. We employ machine learning-based traffic analysis methods to experimentally validate the strategy in two types of network covert channels: network storage and timing covert channels. The experimental results demonstrate that the proposed strategy significantly improves the detection resistance of network covert channels. When the filter key size exceeds six bits, the impact on the detection effect of the classifier becomes quite significant. Furthermore, the processing delay for a single packet is less than 8 $\mu s$, indicating the feasibility of deploying the proposed strategy in high-speed network environments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper proposes a hash-based covert carrier filtering strategy for network covert channels. A key-dependent hash is used to dynamically select a sparse subset of carriers from the full set during channel construction, with the goal of increasing selection randomness and binding covertness to key security rather than algorithm secrecy alone. Machine learning-based traffic analysis experiments on both storage and timing covert channels are reported to demonstrate significantly improved detection resistance (particularly when the filter key exceeds 6 bits) along with per-packet processing delay below 8 μs.

Significance. If the experimental results hold under broader scrutiny, the work would offer a practical mechanism to strengthen network covert channels against detection even after algorithm exposure, shifting reliance to key secrecy. The reported low overhead supports potential use in high-speed networks and addresses a recognized weakness in existing designs where algorithm secrecy is the primary defense.

major comments (2)
  1. [Abstract / experimental validation] Abstract / experimental validation: The central claim that the hash-based strategy 'significantly improves the detection resistance' and that impact 'becomes quite significant' for key sizes >6 bits provides no details on datasets, classifier architectures, feature sets, baselines, statistical significance testing, or controls against post-hoc selection. This absence makes it impossible to confirm that the reported accuracy drop is robust and load-bearing for the main result.
  2. [Approach and validation] Approach and validation: The hash(key, carrier) selection rule could induce new key-dependent statistical structure (e.g., autocorrelation at hash-derived lags or entropy patterns in storage fields). The experiments validate only against the specific ML methods described; if those methods omit features sensitive to such artifacts, the claimed improvement in detection resistance may not generalize. This directly affects the central assumption that the filter enhances covertness without creating exploitable patterns.
minor comments (1)
  1. [Abstract] The phrasing 'the impact on the detection effect of the classifier becomes quite significant' is vague and should be replaced with quantitative statements (e.g., accuracy drop from X% to Y% with confidence intervals) once experimental details are supplied.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. The comments highlight important aspects of experimental reporting and potential limitations in validation. We address each major comment below with proposed revisions where appropriate.

read point-by-point responses

  1. Referee: [Abstract / experimental validation] Abstract / experimental validation: The central claim that the hash-based strategy 'significantly improves the detection resistance' and that impact 'becomes quite significant' for key sizes >6 bits provides no details on datasets, classifier architectures, feature sets, baselines, statistical significance testing, or controls against post-hoc selection. This absence makes it impossible to confirm that the reported accuracy drop is robust and load-bearing for the main result.

    Authors: We agree that the abstract omits key experimental details, which limits its standalone value. The full manuscript (Sections 4 and 5) specifies the datasets (public network traces for storage and timing channels), classifier architectures (e.g., SVM, Random Forest, and neural networks), feature sets (inter-arrival times, packet sizes, entropy metrics), baselines (unfiltered covert channels), and evaluation via 10-fold cross-validation with accuracy/F1 metrics across multiple runs. Statistical significance is supported by repeated trials showing consistent accuracy drops. We will revise the abstract to concisely include these elements and quantitative highlights (e.g., accuracy reductions for keys >6 bits) to make the claims verifiable from the abstract alone. revision: yes

  2. Referee: [Approach and validation] Approach and validation: The hash(key, carrier) selection rule could induce new key-dependent statistical structure (e.g., autocorrelation at hash-derived lags or entropy patterns in storage fields). The experiments validate only against the specific ML methods described; if those methods omit features sensitive to such artifacts, the claimed improvement in detection resistance may not generalize. This directly affects the central assumption that the filter enhances covertness without creating exploitable patterns.

    Authors: This concern is well-taken and points to a potential gap in our validation. The hash-based filter uses a key-dependent pseudorandom selection intended to preserve the statistical distribution of the original carrier set while binding security to the key. Our experiments employed standard covert-channel detection features from the literature (timing distributions, size histograms, and basic entropy), which captured the primary anomalies. However, we did not explicitly analyze hash-induced artifacts such as lag-specific autocorrelation or field-specific entropy shifts. We will add a new subsection discussing this possibility, including empirical checks (e.g., autocorrelation functions and entropy comparisons pre- and post-filtering) to demonstrate that no obvious exploitable structure is introduced for the tested hash functions. This will strengthen the generalization claim without altering the core results. revision: partial

Circularity Check

0 steps flagged

No circularity; empirical validation is external to the proposal

full rationale

The paper proposes a hash-based covert carrier filtering strategy and supports its claims solely through experimental evaluation using machine learning classifiers on network storage and timing covert channels. No derivation chain, fitted parameters renamed as predictions, or self-citation load-bearing steps appear in the provided text. The reported improvements (e.g., significant detection resistance for key sizes >6 bits) and performance metrics (delay <8 μs) are presented as direct experimental outcomes rather than reductions to inputs by construction. This is the expected non-finding for an empirical systems paper whose central evidence consists of external classifier tests.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Based solely on the abstract; the central claim rests on the domain assumption that the shared key remains secret and that the hash provides adequate randomness without introducing detectable biases. No free parameters or invented entities are explicitly introduced.

axioms (1)
  • domain assumption The security of the shared key is maintained against adversaries.
    The strategy ties covertness directly to key secrecy, so key compromise would invalidate the improved resistance claim.

pith-pipeline@v0.9.1-grok · 5787 in / 1329 out tokens · 25837 ms · 2026-06-27T09:51:37.693979+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

36 extracted references · 24 canonical work pages

  1. [1]

    Wendzel, S

    S. Wendzel, S. Zander, B. Fechner, C. Herdin, Pattern-based sur- vey and categorization of network covert channel techniques, ACM Comput. Surv. 47 (2015). URL:https://doi.org/10.1145/2684195. doi:10.1145/2684195

    work page doi:10.1145/2684195 2015

  2. [2]

    Yan-Feng, Survey on key issues in networks covert channel, Journal of Software 30 (2019) 2470–2490

    L. Yan-Feng, Survey on key issues in networks covert channel, Journal of Software 30 (2019) 2470–2490. URL: http://www.sciengine.com/publisher/SciencePress/journal/ JournalofSoftware/30/8/10.13328/j.cnki.jos.005859. doi:https: //doi.org/10.13328/j.cnki.jos.005859

    work page doi:10.13328/j.cnki.jos.005859 2019

  3. [3]

    J. K. H. Iv, M. Georgiou, A. J. Malozemoff, T. Shrimpton, Security foundations for application-based covert communication channels, in: 2022 IEEE Symposium on Security and Privacy (SP), 2022, pp. 1971–

    2022

  4. [4]

    doi:10.1109/SP46214.2022.9833752

    work page doi:10.1109/sp46214.2022.9833752 2022

  5. [5]

    B. W. Lampson, A note on the confinement problem, Commun. ACM 16 (1973) 613–615. URL:https://doi.org/10.1145/362375.362389. doi:10.1145/362375.362389

    work page doi:10.1145/362375.362389 1973

  6. [6]

    G. J. Simmons, The prisoners’ problem and the subliminal channel, in: Advances in Cryptology: Proceedings of CRYPTO ’83, Plenum, 1983, pp. 51–67. URL:https://doi.org/10.1007/978-1-4684-4730-9\_5

    work page doi:10.1007/978-1-4684-4730-9 1983

  7. [7]

    T. G. Handel, M. T. Sandford, Hiding data in the osi network model, in: Proceedings of the First International Workshop on Information Hiding, Springer-Verlag, Berlin, Heidelberg, 1996, p. 23–38

    1996

  8. [8]

    Girling, Covert channels in lan’s, IEEE Transactions on Software Engineering SE-13 (1987) 292–296

    C. Girling, Covert channels in lan’s, IEEE Transactions on Software Engineering SE-13 (1987) 292–296. doi:10.1109/TSE.1987.233153

    work page doi:10.1109/tse.1987.233153 1987

  9. [9]

    S. B. Lipner, A comment on the confinement problem, SIGOPS Oper. Syst. Rev. 9 (1975) 192–196. URL:https://doi.org/10.1145/ 1067629.806537. doi:10.1145/1067629.806537

    work page doi:10.1145/1067629.806537 1975

  10. [10]

    Schaefer, B

    M. Schaefer, B. Gold, R. Linde, J. Scheid, Program confinement in kvm/370, in: Proceedings of the 1977 Annual Conference, ACM ’77, Association for Computing Machinery, New York, NY, USA, 38 1977, p. 404–410. URL:https://doi.org/10.1145/800179.1124633. doi:10.1145/800179.1124633

    work page doi:10.1145/800179.1124633 1977

  11. [11]

    Department of Defense Trusted Computer System Evaluation Criteria, Palgrave Macmillan UK, London, 1985, pp. 1–129. URL:https:// doi.org/10.1007/978-1-349-12020-8\_1. doi:10.1007/978-1-349- 12020-8\_1

    work page doi:10.1007/978-1-349-12020-8 1985

  12. [12]

    Llamas, C

    D. Llamas, C. Allison, A. Miller, Covert channels in internet protocols: A survey, in: Proceedings of the 6th Annual Postgraduate Symposium about the Convergence of Telecommunications, Networking and Broad- casting, PGNET, volume 2005, 2005

    2005

  13. [13]

    Zander, G

    S. Zander, G. Armitage, P. Branch, An empirical evaluation of ip time to live covert channels, in: 2007 15th IEEE International Conference on Networks, 2007, pp. 42–47. doi:10.1109/ICON.2007.4444059

    work page doi:10.1109/icon.2007.4444059 2007

  14. [14]

    Alsaffar, D

    H. Alsaffar, D. Johnson, Covert channel using the ip timestamp option of an ipv4 packet, 2016, p. 48. URL:https://api.semanticscholar. org/CorpusID:61048951

    2016

  15. [15]

    Barradas, N

    D. Barradas, N. Santos, L. Rodrigues, V. Nunes, Poking a hole in the wall: Efficient censorship-resistant internet communications by para- sitizing on webrtc, in: Proceedings of the 2020 ACM SIGSAC Confer- ence on Computer and Communications Security, CCS ’20, Association for Computing Machinery, New York, NY, USA, 2020, p. 35–48. URL: https://doi.org/10....

    work page doi:10.1145/3372297.3417874 2020

  16. [16]

    M. B. Rosen, J. Parker, A. J. Malozemoff, Balboa: Bobbing and weaving around network censorship, in: 30th USENIX Se- curity Symposium (USENIX Security 21), USENIX Association, 2021, pp. 3399–3413. URL:https://www.usenix.org/conference/ usenixsecurity21/presentation/rosen

    2021

  17. [17]

    Tahir, M

    R. Tahir, M. T. Khan, X. Gong, A. Ahmed, A. Ghassami, H. Kazmi, M. Caesar, F. Zaffar, N. Kiyavash, Sneak-peek: High speed covert channels in data center networks, in: IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications, 2016, pp. 1–9. doi:10.1109/INFOCOM.2016.7524467. 39

    work page doi:10.1109/infocom.2016.7524467 2016

  18. [18]

    Ghassami, N

    A. Ghassami, N. Kiyavash, A covert queueing channel in fcfs sched- ulers, IEEE Transactions on Information Forensics and Security 13 (2018) 1551–1563. doi:10.1109/TIFS.2018.2797953

    work page doi:10.1109/tifs.2018.2797953 2018

  19. [19]

    Zhang, C

    X. Zhang, C. Liang, Q. Zhang, Y. Li, J. Zheng, Y. an Tan, Building covert timing channels by packet rearrangement over mobile networks, Information Sciences 445-446 (2018) 66–78. URL:https://doi.org/ 10.1016/j.ins.2018.03.007

    work page doi:10.1016/j.ins.2018.03.007 2018

  20. [20]

    T. Sohn, J. Seo, J. Moon, A study on the covert channel detection of tcp/ip header using support vector machine, in: Information and Com- munications Security, Springer Berlin Heidelberg, Berlin, Heidelberg, 2003, pp. 313–324

    2003

  21. [21]

    Bethencourt, J

    J. Bethencourt, J. Franklin, M. Vernon, Mapping internet sensors with probe response attacks, in: Proceedings of the 14th Conference on USENIX Security Symposium - Volume 14, SSYM’05, USENIX Associ- ation, USA, 2005, p. 13

    2005

  22. [22]

    Borders, A

    K. Borders, A. Prakash, Web tap: detecting covert web traffic, in: Proceedings of the 11th ACM Conference on Computer and Communi- cations Security, CCS ’04, Association for Computing Machinery, New York, NY, USA, 2004, p. 110–120. URL:https://doi.org/10.1145/ 1030083.1030100. doi:10.1145/1030083.1030100

    work page doi:10.1145/1030083.1030100 2004

  23. [23]

    G. Fu, Q. Li, Z. Chen, G. Zeng, J. Gu, Network storage covert channel detection based on data joint analysis, in: X. Sun, Z. Pan, E. Bertino (Eds.), Cloud Computing and Security, Springer International Publish- ing, Cham, 2018, pp. 346–357

    2018

  24. [24]

    P. L. Shrestha, M. Hempel, F. Rezaei, H. Sharif, A support vector machine-based framework for detection of covert timing channels, IEEE Transactions on Dependable and Secure Computing 13 (2016) 274–283. doi:10.1109/TDSC.2015.2423680

    work page doi:10.1109/tdsc.2015.2423680 2016

  25. [25]

    Iglesias, T

    F. Iglesias, T. Zseby, Are network covert timing channels statistical anomalies?, in: Proceedings of the 12th International Conference on Availability, Reliability and Security, ARES ’17, Association for Com- puting Machinery, New York, NY, USA, 2017. URL:https://doi.org/ 10.1145/3098954.3106067. doi:10.1145/3098954.3106067. 40

    work page doi:10.1145/3098954.3106067 2017

  26. [26]

    Coquet, X

    O. Darwish, A. Al-Fuqaha, G. Ben Brahim, I. Jenhani, A. Vasi- lakos, Using hierarchical statistical analysis and deep neural net- works to detect covert timing channels, Applied Soft Computing 82 (2019) 105546. URL:https://www.sciencedirect.com/science/ article/pii/S1568494619303266. doi:https://doi.org/10.1016/j. asoc.2019.105546

    work page doi:10.1016/j 2019

  27. [27]

    Al-Eidi, O

    S. Al-Eidi, O. Darwish, Y. Chen, M. Maabreh, Y. Tashtoush, A deep learning approach for detecting covert timing channel attacks using sequential data, Cluster Computing 27 (2023) 1655–1665. URL:https://doi.org/10.1007/s10586-023-04035-5.doi:10.1007/ s10586-023-04035-5

    work page doi:10.1007/s10586-023-04035-5.doi:10.1007/ 2023

  28. [28]

    J. Liu, W. Chen, Y. Wen, A Robust and Flexible Covert Channel in LTE-A System, in: Journal of Physics Conference Series, volume 1087 ofJournal of Physics Conference Series, IOP, 2018, p. 062027. doi:10.1088/1742-6596/1087/6/062027

    work page doi:10.1088/1742-6596/1087/6/062027 2018

  29. [29]

    Wendzel, T

    S. Wendzel, T. Schmidbauer, S. Zillien, J. Keller, Dyst (did you see that?): An amplified covert channel that points to previously seen data, IEEE Transactions on Dependable and Secure Computing 22 (2025) 614–631. doi:10.1109/TDSC.2024.3410679

    work page doi:10.1109/tdsc.2024.3410679 2025

  30. [30]

    Keller, S

    J. Keller, S. Wendzel, Reversible and plausibly deniable covert chan- nels in one-time passwords based on hash chains, Applied Sciences 11 (2021). URL:https://www.mdpi.com/2076-3417/11/2/731. doi:10. 3390/app11020731

    2021

  31. [31]

    Z. Wang, L. Zhang, R. Guo, G. Wang, J. Qiu, S. Su, Y. Liu, G. Xu, Z. Tian, A covert channel over blockchain based on la- bel tree without long waiting times, Computer Networks 232 (2023) 109843. URL:https://www.sciencedirect.com/science/article/ pii/S1389128623002888. doi:https://doi.org/10.1016/j.comnet. 2023.109843

    work page doi:10.1016/j.comnet 2023

  32. [32]

    X. Ma, P. Pan, J. Li, W. Wang, W. Meng, X. Guan, Abc- channel: An advanced blockchain-based covert channel, ArXiv abs/2403.06261 (2024). URL:https://api.semanticscholar.org/ CorpusID:268358574. 41

    arXiv 2024

  33. [33]

    Partala, Provably secure covert communication on blockchain, Cryp- tography 2 (2018)

    J. Partala, Provably secure covert communication on blockchain, Cryp- tography 2 (2018). URL:https://www.mdpi.com/2410-387X/2/3/18. doi:10.3390/cryptography2030018

    work page doi:10.3390/cryptography2030018 2018

  34. [34]

    Zöllner, H

    J. Zöllner, H. Federrath, H. Klimant, A. Pfitzmann, R. Piotraschke, A. Westfeld, G. Wicke, G. Wolf, Modeling the security of steganographic systems, in: Information Hiding, Springer Berlin Heidelberg, Berlin, Heidelberg, 1998, pp. 344–354

    1998

  35. [35]

    Mazurczyk, S

    W. Mazurczyk, S. Wendzel, K. Cabaj, Towards deriving insights into data hiding methods using pattern-based approach, in: Proceedings of the 13th International Conference on Availability, Reliability and Se- curity, ARES ’18, Association for Computing Machinery, New York, NY, USA, 2018. URL:https://doi.org/10.1145/3230833.3233261. doi:10.1145/3230833.3233261

    work page doi:10.1145/3230833.3233261 2018

  36. [36]

    Barradas, N

    D. Barradas, N. Santos, L. Rodrigues, Effective detection of multime- dia protocol tunneling using machine learning, in: Proceedings of the 27th USENIX Conference on Security Symposium, SEC’18, USENIX Association, USA, 2018, p. 169–185. 42

    2018