Creating Covert Channel Using SIP

  • Miralem Mehić
  • Martin Mikulec
  • Miroslav Voznak
  • Lukas Kapicak
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 429)


Sending VoIP (Voice over IP) by default requires two protocols: SIP and RTP. The first is used for establishing and changing the settings of the session, and the second for exchanging voice packets. The main aim of this paper is to calculate the maximum number and type of SIP messages that can be transferred during an established VoIP call without detection and without raising an alarm from an IDS (intrusion detection system). Finally, we calculated the steganography bandwidth, that is, the amount of data in these messages that can be used for the transfer of hidden content. This paper also deals with Snort IDS settings for raising an alarm: traditional ones using hard-coded rules, and the use of an anomaly detection plugin. Results of the experiment are provided.


Steganography, VoIP, Security, SIP





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Miralem Mehić (1)
  • Martin Mikulec (1)
  • Miroslav Voznak (1)
  • Lukas Kapicak (1)
  1. VŠB-Technical University of Ostrava, Ostrava-Poruba, Czech Republic
