VoNR-IPD: A Novel Timing-Based Network Steganography for Industrial Internet

As the predominant trade secret of manufacturing enterprises, industrial data may be monitored and stolen by competitive adversaries during the transmission via open wireless link. Such information leakage will cause severe economic losses. Hence, a VoNR-IPD covert timing steganography based on 5G network is proposed in this paper, in which VoNR traffic is employed as the steganographic carrier of covert communication in Industrial Internet. Interference of network jitter noise is fully considered and the high-order statistical properties of jittered VoNR interpacket delays (IPDs) are imitated during the modulation of confidential industrial data.,us, the generated covert VoNR IPDs can possess consistent statistical properties with the normal case in order to improve undetectability. Besides, the synchronization mechanism of steganographic embedding mode is designed to control the embedding density of industrial data flexibly.,e experimental results show that our scheme can resist statistical-based detections and the network noise effectively, which outperforms the existing methods in terms of undetectability and robustness.


Introduction
Industrial Internet realizes the comprehensive sensing, dynamic transmission, and real-time analysis of industrial data by constructing a basic network connecting the machines, materials, human, and information systems. us, scientific decision and intelligent control can be achieved to improve the efficiency of manufacturing resource allocation and production management, among which the intelligent production management and supervisory control system are mainly engaged in the automatic acquisition, transmission, and analysis of crucial industrial data, such as the core parameters, the overall production data, and the running state of devices. Nevertheless, with the rapid development and wide application of Industrial Internet, it is difficult to resist the external attack due to the penetrability of network boundary and the openness of wireless transmission. e industrial data are confronted with severe security threats.
As the predominant trade secret of manufacturing enterprises, industrial data may be monitored and stolen by competitive adversaries during the transmission via open wireless link. Such information leakage will cause severe economic losses and affect the core competitiveness of an enterprise and even threaten its survival and development.
erefore, covert communication technique should be exploited to guarantee the secure transmission of industrial data. Network steganography is a hidden communication technique, which utilizes legitimate traffic as the vehicle to transfer confidential information covertly over the untrusted network.
ere are two broad types of network steganography: covert storage steganography and covert timing one. Covert storage steganography embeds the secret information into the redundancies of network protocols [1][2][3][4][5][6]. Although it is simple and easy to implement, it can be easily detected by the existing steganalysis. Covert timing steganography delivers the secret information by exploiting time-relevant events of network packets and it has better concealment than covert storage one. Generally, it can be divided into four subclasses: on-off steganography [7], interpacket delay-(IPD-) based steganography [8][9][10][11], packet sorting [12,13], and combination-based ones [14,15]. Synchronization is always a difficult issue to solve, since covert timing steganography is susceptible to the unstable network circumstance, such as jitter and delay. To guarantee reliability, several studies [16][17][18][19][20] have utilized Error Correction Code to improve accuracy, which sacrifices the capacity and increases the transmission overhead.
Since IPD-based steganography is one of the most common and effective means, we mainly focus on it in this paper. However, most of the existing methods would either generate abnormal covert traffic or possess distinct properties compared with the normal case, making it vulnerable to be detected. Countering such deficiencies, network steganography tends to mimic the normal traffic by shapefitting. e feature model is considered in the modulation process of the secret message to resist statistical detection tools [13,21,22]. Predominantly, appropriate and feasible network services with more popularity, reliability, and security are sought after as steganographic carrier.
Nowadays, mobile network has become a predominant means of data transmission, dynamically evolving network steganography subfield. Under this background, recent network steganography solutions exploit 4G service like VoLTE [12,23,24]. Since 5G communication technique based on New Radio (NR) standard possesses the advantages of high data rate, low cost, low power consumption, ultralow latency, and availability, it has gradually become the main means of data transfer in the Industrial Internet. Moreover, it will achieve more wide and comprehensive application in the future. In 5G network, VoNR (Voice over New Radio) is an IP-based voice calling scheme, which will be the most prevailing and popular telecommunication level-communication service. erefore, the potential continuous and large amount of VoNR traffic provides chances of launching steganography in Industrial Internet. However, in the state of the art, there are few literature studies engaged in studying the mobile steganography of 5G network.
On the basis of the above analysis, in order to overcome the drawbacks of the current methods, a VoNR-IPD covert timing steganography based on 5G network is proposed in this paper, in which VoNR traffic is employed as the steganographic carrier of covert communication in Industrial Internet. e main contribution of this paper is as follows: (1) Interference of network jitter noise is fully considered and the high-order statistical properties of jittered VoNR traffic are imitated during the steganographic process. Specifically, the cumulative distribution function (CDF) of jittered VoNR IPDs is fitted and utilized in the modulation of confidential industrial data. us, the generated covert VoNR IPDs can possess consistent statistical properties with the normal case in order to resist detection.
(2) e synchronization mechanism of steganographic embedding mode is designed to control the embedding density of industrial data flexibly. In this manner, our scheme can resist the network noise effectively, so as to improve the undetectability and robustness of covert communication in Industrial Internet. e remainder of this paper is organized as follows. In Section 2, related works are reviewed. e basis of our scheme is described in Section 3. In Section 4, the proposed scheme is introduced in detail. In Section 5, experimental results are presented and analyzed. Finally, the whole paper is concluded in Section 6.

Related Work
IPD-based steganography is a notable branch of covert timing steganography, which manipulates the timing intervals of adjacent network packets to transmit secret information. To achieve better understanding, four typical interpacket-delays-based schemes are reviewed and analyzed; they are Jitterbug [25], TRCTC [10], MBCTC [26], and CTCDM [27], respectively.
Jitterbug [25] is a keyboard device that slowly leaks typed information over network. It operates by deliberately inserting additional small delays into the original traffic. e sender transmits a bit "0" by adding certain delay to the original intervals such that the modified one module w milliseconds (ms) is 0. Similarly, a bit "1" is transmitted by increasing the original intervals to a value such that module w ms is w/2. e timing window w limits the maximum delay that can be added, which determines the discrepancy between the legitimate traffic and covert traffic. In our implementation, parameter w is set as 20 ms. Jitterbug modifies the normal traffic for information leaking without producing additional traffic, whereas the variation will cause anomaly.
To mitigate this problem, designers try to mimic the statistical feature of normal traffic. TRCTC [10] uses a sample of normal traffic captured from the overt network and replays it later to transfer secret. Since the covert traffic of TRCTC is composed of scrambled normal interpacket delays, its distribution is close to that of the normal one. However, the scrambled traffic may also raise suspicion of monitoring device.
MBCTC [26] provided an automated framework that fits the statistical model of normal traffic using parametric estimation, where the candidate distributions are Exponential, Weibull, Poisson, and other common ones. e estimated distribution with the smallest root mean squared error (RMSE) is the best fit of normal traffic. To imitate the normal distribution, covert traffic is generated using the inverse cumulative distribution function (ICDF) of normal traffic. In addition, the model is refitted to update its parameters every 100 packets. However, it should be noted that mathematical model of some network application may not exist; thus, MBCTC is not applicable in some scenarios.
Similar to MBCTC, CTCDM [27] fits the histogram distribution property of normal traffic. e fitted histogram is utilized in the encoding of secret information in order to make the distribution of covert traffic more natural and similar to the normal one. CTCDM is designed as a binary channel, where bit "0" is decoded when the observed timing interval is smaller than the center value α * of the histogram; otherwise a bit "1" is retrieved. However, the normal pattern of transmission is also overlooked in this scheme. Hence, we are motivated to design a method that achieves well undetectability and robustness. In this paper, under the scenario of Industrial Internet, a novel IPD-based covert timing steganography is proposed by modulating the confidential industrial data into VoNR traffic of 5G network.

Basis of Our Scheme
3.1. Application Scenario of 5G Network. Nowadays, 5G has been the latest mobile communication technique, which mainly contains three kinds of application scenarios: enhanced Mobile Broadband Communication (eMBB), massive Machine-Type Communication (mMTC), and Ultrareliable Low-Latency Communication (URLLC), among which eMBB refers to the direct evolution of the mobile broadband service, which can support larger amount of data traffic and further enhance the user experience, such as higher data rate in user terminal. mMTC represents a kind of service that supports massive terminals, for instance, the remote sensors, manipulators, device monitor, and so on. e critical requirements of this service comprise extremely low cost and energy consumption of terminals. In general, such kind of terminals only consumes and produces relatively small amount of data. Meanwhile, the services under URLLC demand extraordinary low latency and extremely high reliability, such as Traffic Safety Control System and Industrial Automated Control System. Hence, 5G network will become the major means of data transmission in Industrial Internet.

VoNR Traffic
Analysis. NR (New Radio) is a novel standard of 5G communication, which is evolved from and compatible with LTE. NR networks provide greater data capacity and lower latency for mobile broadband. In order to make up for the lack of circuit-switched voice domain, VoNR, an IP-based NR voice calling scheme, has been adopted by the mobile industry, which can be integrated with low-level drivers and network interfaces. It is a globally interoperable solution and also progresses innovative communication services.
In order to improve the undetectability and security of covert communication in Industrial Internet, the normal traffic, as well as its properties of certain network service, should be preserved or mimicked as possible during the steganographic process. In other words, alteration of the original carrier should not reveal anomaly to raise suspicion.
us, the characteristics of VoNR traffic are analyzed initially. e normal and jittered IPDs of VoNR traffic are compared in Figure 1, where the x-axis is the sequence number of IPD and y-axis represents the corresponding value. It can be found that the normal IPDs of VoNR mainly concentrate on 20 ms. Meanwhile the jittered IPDs reveal the regularity of a random distribution between 10 ms and 30 ms. Furthermore, jitters of the normal VoNR traffic are presented in Figure 2. It is observed that jitters of such service mainly vary from −10 ms to 10 ms. As is known, jitter is the amount of network delay variation, which is generated by any two adjacent packets during network transmission.
Excessive jitter is usually a symptom of a network congestion or insufficient bandwidth to handle traffic [12].
Above all, since the IPDs of network traffic are independent identical distribution (i.i.d), it can be concluded that the normal or jittered IPDs of VoNR traffic are limited to a small range and possess distinct and obvious regularity. e direct modification of normal IPDs might generate abnormal properties, making such scheme detectable. erefore, in this paper, the interference of network jitter is considered and imitated in the modulation of secret information. In that, the statistical properties of the covert IPDs can be almost consistent with those of the jittered normal ones.

The Proposed Scheme
In order to improve the undetectability and robustness of covert communication in Industrial Internet, interference of network jitter noise is fully considered and the high-order statistical properties of jittered VoNR traffic are imitated during the steganographic process. Specifically, the CDF of jittered VoNR IPDs is fitted and utilized in the modulation of confidential industrial data. us, the generated covert traffic can possess consistent statistical properties with the normal case. In addition, the synchronization mechanism of steganographic embedding mode is designed to control the embedding density of covert VoNR IPDs.

System Model.
e proposed system model of VoNR-IPD for covert communication in Industrial Internet is presented in Figure 3, which is implemented as follows: (1) VoNR link of 5G network is constructed between the steganographic sender and receiver; then, the legitimate service is performed. (2) e confidential industrial data are modulated into the covert VoNR IPDs by utilizing the encoder of our scheme. (3) e steganographic embedding mode is selected according to the comprehensive assessment of the transferred data size and Quality of Service (QoS). us, the generated covert IPDs can be inserted into the normal ones intensively or sparsely. (4) e VoNR traffic is initially sent according to the synchronization IPD of the selected mode and then the normal or covert IPDs successively. (5) e noised VoNR IPDs are obtained by the steganographic receiver, from which the steganographic embedding mode is recovered according to the synchronization IPD. (6) e covert IPDs are extracted from all IPDs, and the confidential industrial data are retrieved by the decoder.

Steganographic Process.
e VoNR traffic will inevitably suffer from network noise, such as jitter, packet loss, or disorder, during the transmission via the overt wireless

Security and Communication Networks
Encoder Synchronization s 1 , s 2 , s 3 , ···, s m channel. Moreover, only the noised VoNR traffic may be captured and analyzed by the network monitor device or an adversary. us, it should be noted that only the jittered case of normal or covert traffic is considered in this paper. e main notations and symbols of our scheme are presented in Table 1.

Steganography Encoding
Step 1: the jittered VoNR IPDs are collected during the normal communication in 5G network, which is denoted as Jit < NorIPD > . Jit<•> refers to the interference of network jitter, and NorIPD represents the normal VoNR IPDs. en, the distribution of network jitter in VoNR is analyzed, which is denoted as [−ε, +ε], satisfying ε > 0.
Step 2: the CDF of Jit < NorIPD > is fitted and its corresponding IPD interval with larger probability is defined as Δ D|p max . en Δ D|p max is divided into two portions utilized in the steganographic encoding, which is represented as ΔDê k � [dê k , dê k ](k � 0, 1), where ΔDê k is the mapping interval of IPDs to the secret bit "0" or "1." dê k and dê k refer to the upper and lower limits of the corresponding IPD interval, respectively, which is required to satisfy the following condition: (1) Figure 4 presents the fitted CDF of Jit < NorIPD > and its corresponding mapping intervals of IPDs. In our case, ε is set to 5 and the IPD interval with larger probability is Δ D|p max � [10,30]. e effect of network noise should be taken into consideration in order to guarantee the robustness of covert communication. erefore, in our implementation, the mapping interval of secret bit is set to ΔDê 0 � [10,15] and ΔDê 1 � [25, 30].
Step 3: the confidential industrial data is converted into its binary form, denoted as S � s i | i � 1, 2, . . . , m , where s i ∈{0,1}. For the i th secret bit s i , the encoding function E(s i ) is defined as where sd i is the i th steganographic IPD and rand⌊•⌋ represents a predefined function used to select a value from the given set randomly.

Steganography Synchronization.
In order to further enhance the detection-resistance and reliability of our scheme, a synchronization mechanism of steganographic embedding mode is designed in this paper. In this mode, Steg-IPDs is embedded into Nor-IPDs according to certain density. In our case, there are four modes set as M ∈ 0, 1, 2, 3 { }, and the embedding interval of Steg-IPDs is denoted as Interv � 2 M , which is depicted in Figure 5.
Step 1: for the CDF of Jit <NorIPD>, its corresponding IPD interval with relatively smaller probability is defined as Δ D|p min . en Δ D|p min is divided into four portions utilized in the steganographic synchronization, which is represented as ΔDŝ j � [dŝ j , dŝ j ](j � 0, 1, 2, 3), where ΔDŝ j is the mapping interval of IPDs to the embedding mode. dŝ j and dŝ j refer to the upper and lower limits of the corresponding IPD interval, respectively, which should satisfy the following condition: In our case, ε is set to 5 Figure 4.
Step 2: the synchronization IPD md is generated according to the selected mode M, by using the steganography synchronization function F (•), which can be represented as Step 3: as presented in Figure 5, the VoNR traffic is initially sent according to the synchronization IPD md. en it is delivered according to the normal IPDs d i (i � 1, 2, . . .) or the generated steganographic IPDs sd i (i � 1, 2, . . . , m) successively.

Steganography Decoding
Step 1: the covert VoNR traffic is captured on the receiver side. Firstly, all the covert IPDs are calculated according to the timestamp, which may not be equivalent to the original one owing to the impact of network noise. Secondly, the initial IPD is extracted as the synchronization md′. e steganographic embedding mode M ′ can be recovered by where F(•)denotes a predefined function used to attain the steganographic embedding mode. σ 1 and σ 2 refer to the intensity factor of antinoise, which can be set according to the distribution of network jitter [−ε,+ε]. e better capability of noise-resistance will be achieved by our scheme with larger σ 1 and σ 2 , which should simultaneously satisfy the following conditions: Security and Communication Networks 5 Step 2: the steganographic IPDs sd i ′ (i � 1, 2, . . . , m) are extracted from the whole covert IPDs according to the interval 2 M′ . For the i th steganographic IPD, the decoding function D(sd i ′ ) is defined in

Data Set and Implementation.
In the experiment, our proposed scheme is implemented in a manufacturing enterprise under the scenario of Industrial Internet. e proprietary steganography software of our scheme is developed and deployed in the SCADA (Supervisory Control and Data Acquisition) system, where 5G network is utilized as the means of industrial data transmission. e normal VoNR traffic is captured during the legitimate 5G communication by using Huawei Mate30. e total number of the captured normal VoNR IPDs is 20,000. en the confidential industrial data is modulated into the covert VoNR IPDs under four steganographic embedding modes, respectively, according to the aforementioned steps. From Figures 6-9, the original and jittered covert IPDs of our scheme are compared with those of the normal case under different modes. It can be seen that the original covert IPDs of our scheme slightly differ from those of the normal one, which seem like the noise-added normal IPDs. Meanwhile, it is manifested that the jittered covert IPDs of our scheme and the normal ones are mixed with each other, which can hardly be differentiated. Meanwhile, the covert IPDs become closer to the normal ones when the value of M is larger. e alteration of normal IPDs declines as the decrement of Steg-IPD embedding density.
e VoNR traffic will inevitably suffer from network noise, such as jitter, packet loss, or disorder, during the transmission via the overt wireless channel. Moreover, only the noised VoNR traffic may be captured and analyzed by the network monitor device or an adversary. us, it should be noted that only the jittered case of normal or covert traffic is considered in this paper.
Further experiments are performed to evaluate the main performance metrics of the proposed scheme, which contain the undetectability, robustness, and capacity analysis.

Undetectability.
As the core property, undetectability refers to the fact when the covert traffic cannot be differentiated from the normal one, which is all dependent on the similarity between the two. erefore, in order to improve undetectability, the modulation of secret information cannot generate abnormal traffic or properties. Statistical-based steganalysis is the most common and popular method to detect the potential covert traffic, in which statistical properties such as traffic regularity or distribution function are exploited to distinguish the normal traffic and covert traffic.
In the experiment, the high-order statistical property-CDF of normal and covert IPDs are compared in Figure 10 under different steganographic embedding modes, where the x-axis shows the value of IPD ranging from 0 to 200 ms and y-axis represents the corresponding probability. It can be noticed that the CDF of our scheme is deviated slightly from the normal case when M � 0. Meanwhile, with the increase of embedding interval, the CDF of our scheme becomes closer to the normal one. In addition, it is obvious that the CDF of our scheme matches the normal one quite well when M � 3.
Meanwhile, two notable detection methods are employed to reckon the detection resistance of our scheme compared with Jitterbug [25] quantitatively, which are entropy test [5] and Kolmogorov-Smirnov test [28]. For normal and covert IPDs, they are both divided into 20 consecutive windows, the size of which is 1000. Certain   Security and Communication Networks statistical feature of each window is calculated and used during the detection process, as depicted in Figure 11.

Kolmogorov-Smirnov Test.
e K-S test [28] measures the maximum distance between two distributions. A small value indicates that two distributions are close to each other. Conversely, a large value means one distribution does not fit the other one. e Kolmogorov-Smirnov test value (K-S test value) is attained by taking the supremum of absolute difference between two empirical distribution functions for all x, which can be defined as where S 1 (x) and S 2 (x) refer to the empirical distribution functions of two samples. e comparison of K-S test values between the normal and covert IPDs is shown in Figure 12.  Likewise, 20 windows of normal and covert traffic are tested in the experiment. e x-axis is the window number and yaxis shows the corresponding K-S test value. It is found that the K-S test values of our scheme are all below 0.15 under different modes and are confused with those of the normal traffic. us, the distribution of our scheme is close to that of the normal one. Nevertheless, the corresponding values of Jitterbug occur from 0.13 to 0.25, which are deviated from the normal case. en, the covert traffic is detected using the K-S test and the detection results are shown in Table 2, where the detection threshold is denoted as THD. It is observed that the false negative (FN) rate of the normal traffic declines when the threshold increases. FN refers to the normal sample which is misclassified as the covert one. Hence, the detection threshold is set appropriately from 0.13 to 0.15 in order to guarantee that the false negative rate remains under 1%. Meanwhile, the true positive (TP) rates of covert samples are presented in the table. In this paper, the detection rate is represented by TP. From the results, it is easily seen that the detection rate of Jitterbug is more than 93% when tested with different thresholds. But in our case it is located under 3% for  different modes, indicating that the Kolmogorov-Smirnov test cannot effectively detect the covert traffic generated by our scheme.

Entropy Test.
Entropy can describe the degree of chaos in a process. In the entropy test (EN test), it is utilized to measure the regularity of data traffic [5]. If the traffic is less regular, the entropy value will be larger, and vice versa. Since the less regularity indicates more randomness, the big amount of information is contained in the traffic. e entropy value is obtained by calculating the statistical average of all possible self-information, which is denoted as where X represents a one-dimensional discrete random variable, the set of values of which is Ω � {x i |i � 1, 2, . . ., n}. e self-information of x i is I(x i ) and the probability of x i is denoted as p(x i ) � P{X � x i }. e entropy values of 20 windows for normal and covert IPDs are compared in Figure 13. From the result, it can be seen that most entropy values of normal IPDs range approximately from 0.45 to 1.24, whereas those of the covert IPDs generated by Jitterbug vary from 0.82 to 1.47. But the values of our scheme mix with those of the normal case under different modes, which can hardly be differentiated.
Subsequently, 20 windows of normal and covert IPDs are tested using theentropy test, respectively, when the window size is 1000. e results are presented in Table 3, where the detection threshold is denoted as THD. It is observed that the false negative rate of normal IPDs declines when the threshold increases. Meanwhile, the detection rates (true positive rates) of covert samples are shown in the table. We can see that the detection rate of Jitterbug ranges from 92% to 99%, while that of our scheme is only below 7%. Hence, the entropy test fails to distinguish the covert IPDs of our scheme from the normal ones. erefore, it is indicated that our scheme possesses better undetectability than the existing methods.

Robustness.
Robustness requires the covert communication to keep working with relatively high accuracy and low bit error rate (BER), resisting the perturbation of natural or malicious network noise. In the experiment, the robustness of our proposed scheme is reckoned in terms of network jitter, packet loss, and packet disorder, respectively. When suffered from network jitter, the BERs of the proposed scheme are attained under different intensity factors of antinoise (σ 1 and σ 2 ), compared with those of Jitterbug, as shown in Figure 14, where σ 1 and σ 2 are set to 2 to 5, respectively, satisfying the aforementioned condition. Since the BERs will remain consistent under different modes of our scheme, when the jitter noise of different power is injected into the covert traffic, the proposed scheme is implemented only when M is 0. e power of noise is measured by signal-to-noise ratio (SNR) when the power of signal is fixed. In other words, the power of noise increases as  Hence, our scheme can achieve relatively well accuracy when the SNR is above 40 dB. However, as for Jitterbug, the BER reaches up to 20%, which is much larger than that of the proposed scheme. en, the comparison of BERs between our scheme and Jitterbug is demonstrated in Figure 15 under different rates of packet disorder/loss when σ 1 and σ 2 are fixed to 5. It is obvious that the proposed scheme is more reliable with the increase of embedding interval. e confidential industrial data can be almost accurately obtained by our scheme under different modes when packet disorder rate is less than 3%. In addition, the BERs entirely locate under 6% in our scheme when 20% of the packets are lost. Meanwhile, the BER of Jitterbug increases sharply with the increment of packet disorder rate. e BER of Jitterbug reaches up to 12% when 20% of packets are lost, which will degrade the reliability of covert communication in Jitterbug (Figure 16).

Capacity.
Capacity is the maximum data size that can be reliably transmitted over the covert channel per second or packet. In other words, capacity refers to the transfer rate of Meanwhile, from the result presented in Figure 17, it is obvious that the capacity of our scheme declines when M becomes larger. However, better undetectability and robustness will be achieved under larger M. Since the embedding density of the secret information will be lower in the steganographic synchronization mode of larger interval, the modification of the normal carrier will be less. us, tradeoff between the main performance metrics will be taken into consideration in the future research. en the optimal steganographic embedding mode can be analyzed and selected.

Conclusions
In this paper, under the scenario of Industrial Internet, a VoNR-IPD covert timing steganography based on 5G network is proposed in order to guarantee the secure transmission of confidential industrial data. e VoNR traffic is employed as the steganographic carrier to conduct covert communication in Industrial Internet. Interference of network jitter noise is fully considered and the high-order statistical properties of jittered VoNR traffic are imitated during the modulation of confidential industrial data. us, the generated covert IPDs can possess consistent statistical properties with the normal case in order to resist detection. Additionally, the synchronization mechanism of steganographic embedding mode is designed to control the embedding density of industrial data flexibly. Hence, our scheme has been proven to have better undetectability and robustness than the current methods. In the future work, another 5G-based steganographic algorithm will be designed and researched, in which trade-off between the main performance metrics will be taken into consideration. en the optimal steganographic embedding mode can be analyzed and selected.
Data Availability e software code data used to support the findings of this study are available from the corresponding author upon request (e-mail: wmq1989219@126.com).

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.