A Time-Based Dynamic Operation Model for Webpage Steganography Methods

The webpage steganography technique has been used as a covert communication method for various purposes: a sender embeds a secret message into a plain webpage file, such as an HTML file, by using one of various steganography methods. With human eyes, it is very difficult to distinguish between the original webpage (cover webpage) and the modified webpage with the secret data (stego webpage) because both are displayed alike in a web browser. In this approach, when two communicating entities want to share a secret message, a sender uploads a stego webpage to a web server or modifies an existing webpage in the web server by using a webpage steganography method, and then a receiver accesses the stego webpage to download and extract the embedded secret data from it. Meanwhile, according to our extensive survey, we observed that most webpage steganography methods focused on proposing or improving steganography algorithms but did not address well how to operate a stego webpage as time passes. However, if a stego webpage is used in a static way, such that the stego webpage does not change and is constantly exposed to web clients until the sender removes it, this static operation approach will limit or badly affect the hiding capacity and undetectability of a webpage steganography method. Motivated by this, in this paper we propose a time-based dynamic operation model (TDOM) that improves the performance of existing webpage steganography methods in terms of hiding capacity and undetectability by dynamically replacing the stego webpage with other stego webpages or the original webpage. In addition, we design two time-based dynamic operation algorithms: TDOA-C, which improves the hiding capacity of existing methods, and TDOA-U, which improves their undetectability.
To validate our model and show the performance of our proposed algorithms, we conducted extensive comparative experiments and numerical analysis by implementing two webpage steganography methods with our TDOM (CCL with TDOA-C and COA with TDOA-C) and tested them in the web environment. According to our experiments and analysis, our proposed algorithms could significantly improve the hiding capacity and undetectability of two existing webpage steganography methods.


Introduction
Steganography techniques have been used for covert communication between a sender and a receiver who want to hide their secret communication even in the presence of unauthorized entities [1,2]. In this approach, the sender creates a stego medium by embedding a secret message into a cover medium (e.g., image, audio, video, text, webpage, etc.) by using various steganography methods depending on the characteristics of the cover medium. Due to their undetectability, steganography techniques have been used for terrorism, crime, and espionage, and it is not difficult to find many related cases and reports in the news media [3][4][5].
The webpage steganography technique is one of the representative steganography techniques; it uses a webpage file (e.g., HTML, XHTML, XML, SMIL, etc.) as a cover medium [6]. The created webpage with the secret message is called a stego webpage. Webpage steganography exploits the fact that the view of a webpage file like HTML displayed in the web browser is less sensitive to changes of its syntax than is the case for other programming languages such as Java or Python. Thus, a sender can easily hide a secret message in a webpage file by manipulating its source code such that the changes do not affect the view of the webpage in the web browser, which avoids detection by a monitoring entity (warden). In addition, the webpage steganography technique can deliver a secret message to more receivers than other types of steganography techniques. For example, while a sender delivers a secret message to one or a group of receivers in other types of steganography techniques (Figure 1b), a secret message can be delivered to many receivers (especially, to anonymous receivers) efficiently because a stego webpage is deployed in a web server, which is accessed by many web users (Figure 1a). As a representative webpage steganography-based cyberattack case, Kaspersky released a report in 2019 on Platinum, which is one of the famous hacking groups [7]. According to the report, Platinum had leaked critical information from governmental and military domains of southeast Asian countries by using two webpage steganography methods to hide their behaviors. One of the methods is to add as many special characters, such as whitespace and tab, as needed to embed secret data into HTML files, because those special characters are not visualized when they are parsed by the web browser (Figure 2a). The other method is to change the order of attributes in HTML files. This method uses the fact that the order of attributes in the same tag does not affect the display generated by the web browser (Figure 2b).
(a) Adding special characters (b) Changing the order of attributes Figure 2. Webpage steganography methods used by Platinum [7].
According to our extensive survey [6,, most existing studies did not consider how the stego webpage should be operated as time passes. However, how to operate a stego webpage should be well addressed. If a stego webpage is operated simply in a static manner, such a static operation feature will make a webpage steganography method very inefficient and inferior in terms of hiding capacity and undetectability because the stego webpage does not change as time passes. We will discuss this in detail in Section 2.3.
On the other hand, if we operate a stego webpage in a dynamic manner such that the stego webpage is replaced with other stego webpages containing different secret messages or with its original webpage (cover webpage), we believe that the hiding capacity and undetectability of the webpage steganography method used for generating the stego webpage can be significantly improved. By this motivation, in this study, we propose and design our time-based dynamic operation model for webpage steganography methods.
Our contributions in this study can be summarized as follows:
• We proposed a time-based dynamic operation model (TDOM) that improves the performance of existing webpage steganography methods in terms of hiding capacity and undetectability.
• We designed two time-based dynamic operation algorithms: TDOA-C, which improves the hiding capacity of existing methods, and TDOA-U, which improves the undetectability of existing methods.
• We conducted comparative experiments and numerical analysis to validate our model and show the performance of our proposed algorithms. For this, we implemented two webpage steganography methods with our TDOM (CCL with TDOA-C and COA with TDOA-C) and tested them in the web environment; CCL stands for Changing the Cases of Letters in tags and attributes and COA stands for Changing the Order of Attributes.
• In addition to the above contributions, we hope that this study can provide useful information about webpage steganography techniques and their dynamic operations, which can be used in cyberattacks or cybercrimes, raise an alarm to security engineers and researchers, and, thus, attract them to research defense mechanisms and techniques against them.
Meanwhile, we note that our study can be used in positive use cases because the steganography-based covert communication can be used to avoid unauthorized and illegal eavesdroppers.
The rest of this paper is organized as follows. In Section 2, we overview backgrounds and related studies. In Section 3, we propose our time-based dynamic operation model (TDOM) for existing webpage steganography methods and design two time-based dynamic operation algorithms (TDOA-C and TDOA-U) based on two existing methods (CCL and COA). In Section 4, we conduct comparative experiments and numerical analysis. Finally, we conclude in Section 5.

Webpage Steganography-Based Covert Communication Model
In steganography-based covert communication [1,2,8], the sender hides a secret message into a cover medium (e.g., image, video, audio, and text file) by using a steganography technique depending on the characteristics of the cover medium. The modified cover medium with a secret message is called the stego medium.
In a webpage steganography-based covert communication model, a webpage is used as the cover medium and various applications and platforms on the Internet are used as transmission channels. In this model, the cover medium and stego medium are called the cover webpage (the original webpage) and the stego webpage (the modified webpage), respectively. As shown in Figure 3, a sender hides a secret message in a cover webpage by using a webpage steganography method and then transmits it to the receiver over the Internet. However, a monitor (a passive or active warden) [1,2,8] may watch the transmission channel to detect the existence of covert communication between the communicating parties (sender and receiver). Therefore, a sender must choose a webpage steganography method that can avoid the monitor's detection, and, for this reason, many webpage steganography methods have been devised and proposed in this research area [6,. We note that a webpage is created by using various web programming languages (e.g., HTML, XHTML, XML, etc.), and, since HTML is the most popular and familiar, we will use an HTML file as a representative webpage example for the rest of our paper, without loss of generality, to validate our proposed idea. As shown in Figure 4, a general HTML webpage file consists of several elements, and each element starts with <tagname> and ends with </tagname>. In a real HTML file, <tagname> can be replaced with <body>, <table>, <form>, and so on. Each tag can have multiple attributes, each with a value that provides additional information to the element. Compared to other programming languages such as Java or Python, HTML is insensitive to changing the positions of attributes, inserting invisible characters, or capitalizing (or down-casing) the names of attributes [9]. By using this characteristic of HTML, a sender can embed a secret message into a webpage file by manipulating the HTML source code such that the screen view of the modified webpage displayed in the web browser stays the same and the modified HTML syntax is not flagged by a simple HTML markup checker or validator. We will explain more details on embedding methods in Section 2.3. The performance of a webpage steganography method can be evaluated in terms of the following three characteristics (hiding capacity, undetectability, and robustness) [1,9,32].


• Hiding capacity: The amount of information that can be embedded in a cover webpage; this depends on the embedding algorithm of the webpage steganography method and on the cover webpage.
• Undetectability: The degree to which the embedded hidden message is not detected by a monitor (passive warden).
• Robustness: The degree to which the embedded hidden message is not destroyed by a monitor (active warden).

Adding Invisible Tags or Characters
In a webpage like HTML, special characters (e.g., whitespace) or tags without contents (e.g., <a></a> or <b></b>) are not displayed in a web browser even if they exist in the webpage's source code. In addition, comments (e.g., text between <!-- and --> in HTML) are not displayed since they are not parsed by the web browser [10,11]. By using them, this approach hides a secret message in a webpage. While this approach can embed a huge amount of data by simply adding those tags and characters to an HTML file, it can be detected easily due to the suspiciously increased file size. Representative previous studies are below.


• Reference [12] proposed a method of inserting extra spaces and tabs into an HTML file.
• References [13,14] proposed a method of using various characters such as &#x20; or &#32 that are displayed as blank spaces in the web browser. In addition to this method, References [15][16][17] applied cryptography techniques for improving undetectability: Reference [15] used AES (Advanced Encryption Standard), Reference [16] used the Caesar cipher, and Reference [17] used RSA (Rivest Shamir Adleman).
• Reference [18] suggested a method that inserts elements only containing tags without contents (attributes and values). For example, text between <b> and </b> is bolded, but, if there is no text between the tags, there will be no change in the web browser even though those elements are added.
• There are a couple of webpage steganography tools such as Wbstego [33], Invisible Secret [34], and Snow [35].

Changing the Case of Letters in Tags and Attributes (CCL Approach)
This approach hides a secret message by changing the case of letters in the source code of a case-insensitive webpage format such as HTML. For example, <HeaD> hides 1001, with 1 for an upper-case letter and 0 for a lower-case letter. Unlike the above approach, this approach does not increase the webpage's file size and, thus, can avoid a simple file checker that examines the file size. Meanwhile, if the source codes of a cover webpage and a stego webpage are known to a monitor, this approach can be easily detected. Representative previous studies are below.


• Reference [6] proposed a method that hides a secret message by encoding 0 or 1 according to the case of each character in HTML tags or attributes.
• References [19,20] and [21] proposed a similar method for watermarking.
• Reference [22] proposed a method to create a tag dictionary by gathering all the case-insensitive elements in the HTML specification.

Changing the Order of Attributes (COA Approach)
This approach uses the order of attributes in a tag because, even if the order of attributes is changed, the screen view on the web browser does not change. In addition, this approach does not increase the webpage's file size. Representative previous studies are below.


• Reference [23] proposed methods in which the order of a pair of attributes (two attributes) is used for data hiding. For example, if attribute A is before attribute B, 1 is hidden. Otherwise, 0 is hidden. References [24,25] proposed methods using the permutation of attributes.
• References [26][27][28][29] applied some techniques for improving hiding capacity. Reference [26] used CCL, Reference [27] used Huffman coding, Reference [28] used various types of quotation marks, and Reference [29] proposed a combined approach of References [26] and [28].
• Reference [30] tried to improve the security of this approach by applying cryptography techniques.
• Reference [31] proposed a method that hides 0 or 1 by using whether the attribute belongs to a specific tag. Thus, 1 is hidden when two attributes belong to the same tag. Otherwise, 0 is hidden.
• Reference [36] is a webpage steganography tool, but some HTML tags or attributes newly added after 2006 are not included in their tool.
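From the monitor's side, the CCL and COA approaches above can be handled by an active warden that re-emits every page in one canonical form. The following Python sketch is an added example, not code from the paper; the class and function names and the sample pages are constructed for illustration. It reports mixed-case tag names together with their case-bit pattern (as in the <HeaD> example) and rewrites tag names to lower case and attributes to sorted order, which removes both channels.

```python
import html
import re
from html.parser import HTMLParser


class Canonicalizer(HTMLParser):
    """Re-emit HTML with lower-case names and alphabetically sorted attributes."""

    def __init__(self):
        # Keep character references as written so text content is unchanged.
        super().__init__(convert_charrefs=False)
        self.out = []       # canonical output fragments
        self.findings = []  # (raw tag name, case bits) for mixed-case tag names

    def _inspect_case(self):
        # HTMLParser lower-cases names, so read the raw start tag for the case.
        raw = self.get_starttag_text()
        name = re.match(r"<\s*([^\s/>]+)", raw).group(1)
        # Heuristic: all-lower and all-upper are common styles, mixed is not.
        if name not in (name.lower(), name.upper()):
            bits = "".join("1" if c.isupper() else "0"
                           for c in name if c.isalpha())
            self.findings.append((name, bits))

    def _emit(self, tag, attrs, closer):
        self._inspect_case()
        parts = [tag]
        # Sorting discards any information carried by attribute order (COA).
        for name, value in sorted(attrs, key=lambda kv: kv[0]):
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + closer)

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, ">")

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")  # tag arrives lower-cased (CCL removed)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def canonicalize(page):
    """Return (canonical_html, findings) for one HTML document."""
    parser = Canonicalizer()
    parser.feed(page)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample pages: same visible content, different case and order.
COVER = ('<html><head></head><body><div class="box" id="main">'
         '<a href="/a" id="top">Home</a></div></body></html>')
STEGO = ('<html><HeaD></head><BodY><div id="main" class="box">'
         '<a id="top" href="/a">Home</a></div></body></html>')

if __name__ == "__main__":
    canonical, findings = canonicalize(STEGO)
    print(findings)
    print(canonical == canonicalize(COVER)[0])
```

The sketch does not touch whitespace or empty elements in the page body, so the first approach (invisible tags or characters) needs a separate check.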

Limitations of Previous Studies
In general, all webpage steganography methods have the following covert communication models (see Figure 5).
First, the sender must upload a stego webpage to the web server. Next, when the receiver accesses and requests the stego webpage, which looks like its original webpage (cover webpage), the web server transmits the stego webpage file to the receiver. Lastly, the received webpage file is displayed by the receiver's web browser. According to our extensive survey [6,, most existing studies did not consider how the stego webpage should be operated as time passes. However, how to operate a stego webpage should be well addressed. Thus, if a stego webpage is operated simply in a static manner such that it does not change as time passes, such a static operation feature will make a webpage steganography method very inefficient and inferior in terms of hiding capacity and undetectability because of the following reasons.


• Hiding Capacity (or Capacity): Assuming that, given a webpage and a steganography method, the maximum hiding capacity of a stego webpage is m bits, the total amount of secret message that the sender can deliver to the receiver is limited to the constant value of m bits because the stego webpage does not change and, thus, the receiver will always obtain the same m-bit secret message regardless of how many times it requests the stego webpage.
• Undetectability: Assuming that there is a perfect monitoring and detection tool, the static stego webpage will be captured by the tool at the time when the tool accesses the stego webpage since the stego webpage does not change and, thus, is constantly exposed to any web client.
Meanwhile, when a stego webpage is operated dynamically such that it is replaced with other stego webpages containing different secret messages or with its original webpage, we believe that the hiding capacity and undetectability of the webpage steganography method used for generating the stego webpage can be significantly improved. By this motivation, in this study, we will propose and design our time-based dynamic operation model for webpage steganography methods.

Our Approach: Time-Based Dynamic Operation Model (TDOM)
To improve the hiding capacity and undetectability of existing webpage steganography methods, we propose a simple but effective Time-based Dynamic Operation Model (TDOM) for them that controls when a stego webpage is replaced with a new stego webpage with a different secret message for higher capacity or when a stego webpage is exposed to users for higher undetectability. Figure 6 shows how our TDOM (dynamic operation model) can improve the hiding capacity and undetectability of an existing method, which is operated in a static manner (static operation model). We note that, according to our survey, there is no clear static operation model for existing steganography methods but, for better understanding, we consider the latter case the static operation model in this study. Thus, we here compare how an existing method can work differently when it is operated in the static operation model and our dynamic operation model. In Figure 6c, a stego webpage remains exposed to users, and, thus, if a powerful monitor (detection system) visits the stego webpage, the monitor can detect the existence of the stego webpage. Meanwhile, as shown in Figure 6d, when the stego webpage is deactivated and replaced with the original webpage two times, the chance that the monitor detects the stego webpage will definitely decrease accordingly.
Our model is designed as a generic architecture for existing webpage steganography methods. Thus, it is not necessary to modify existing methods, and our model can be easily combined with them. Although TDOM can be designed and implemented in various ways considering the degree of hiding capacity and undetectability, which are in a trade-off relationship, we show two time-based dynamic operation algorithms: (1) TDOA-C, mainly focusing on hiding capacity, and (2) TDOA-U, mainly focusing on undetectability.

Time-based Dynamic Operation Algorithm for Hiding Capacity (TDOA-C)
As we briefly explained in Section 3.1, TDOA-C mainly focuses on improving the hiding capacity of an existing webpage steganography method without modifying it. Thus, as shown in Figure 7, when our TDOA-C is combined with an existing webpage steganography method, given a specific time period, the hiding capacity of the method can be significantly improved as the following steps. Let us assume that a sender wants to send a secret message to a receiver by using a certain webpage steganography method . In addition, the sender uses a cover webpage (original webpage) and the maximum hiding capacity [ ] = bits. Algorithm 1 describes TDOA-C for the sender and receiver.


Step 1. partitions into smaller messages , , …, .
Step 2. creates stego webpages , , …, by using , , and , , …, .
Step 3. uploads , , …, to the web server, in turn, at a certain time ∈ = { , , … , }, which is agreed with . For this step, the sender and receiver exchange such information by using another covert channel or in person.
Step 4. receives each stego webpage, in turn, by accessing the URL where the cover webpage is located at the time period agreed with .
Step 5. extracts the partitioned secret messages , , …, from received stego webpages.
Step 6. restores the complete secret message by combining , , …, .
By this manner, the existing method with TDOA-C can deliver × bits, which means our algorithm can improve the hiding capacity of the method in the static operation model by × 100%. The hiding capacity (or the amount of delivered secret messages) [ − ] can be expressed in Equation (1) below.

Time-based Dynamic Operation Algorithm for Undetectability (TDOA-U)
We introduce another algorithm (TDOA-U) based on our TDOM and on-off strategy [37] for improving the undetectability of an existing webpage steganography method. Unlike the existing static operation model, by using this algorithm, the sender controls when a stego webpage is activated (on) and deactivated (off) as time passes. Thus, as shown in Figure 8, only when the stego webpage is activated (on), the stego webpage can be accessed by the receiver and, thus, a secret message can be delivered to the receiver . Meanwhile, when a stego webpage is deactivated (off), it is replaced with the original cover webpage without any secret message, and, thus, the monitor will not detect the stego webpage when it accesses . Consequently, the chance that the monitor detects the stego webpage will decrease according to the deactivated time of given a certain time period.
Our TDOA-U works as the following steps (see Algorithm 2). We assume the following. First, a monitor with steganalysis capability is checking periodically if a webpage (a cover webpage ) is a stego webpage. Second, a sender uses a dynamic webpage for a cover webpage to avoid a simple webpage change detector (or a file integrity checker) without a steganography detection function. Lastly, there are multiple receivers who want to receive the same secret message from the web server for a certain period of time.
Step 1. The sender creates stego webpages , , …, by embedding a secret message into a cover webpage . We assume that n stego webpages have the same secret message.
uploads , , …, to the web server, in turn, at ∈ = { , , … , } and replace them with at ∈ = { , , … , } in which both and are agreed in advance between and . For this step, the sender and receiver need to exchange such information by using another covert channel or in person. In addition, each will be replaced with again when a small amount of time passes to avoid the monitor. Therefore, the accurate time synchronization between and is very important so that this step can succeed. Moreover, to successfully get even in the presence of a possible time difference between and due to the unexpected network or processing delay, the receiver may need to access the web address of multiple times. Meanwhile, we do not delve into designing a sophisticated time synchronization and guaranteed delivery method for and in this study but, instead, we want to leave it for our future research.
receives each stego webpage, in turn, by accessing the URL where the cover webpage is located at the time period agreed with .
can extract the secret message from received stego webpages , , …, , which means that can obtain at any time between and .

The Hybrid Model of Combining TDOA-C and TDOA-U
As described previously, we have designed our TDOA-C and TDOA-U for hiding capacity and undetectability, respectively. Meanwhile, these two algorithms can be combined in a hybrid manner depending on which factor of hiding capacity (the amount of secret message delivery) or undetectability is more necessary. Thus, as shown in Figure 9, the hybrid model can be designed and implemented in various ways by considering the following factors, such as the goal of covert communication between and , the expected monitoring and detection capability, the frequency, or cycle, the amount of a secret message or its delivery frequency, and so on. In this paper, we do not implement this hybrid model and consider it in our comparative experiments in Section 4, since our main goal of this study is to show how our idea (dynamic operation model) can improve existing webpage steganography methods rather than showing the optimized performance of our proposed model, which will be conducted for one of our future works.

Experimental Results
In this section, we conduct two experiments for the following purposes.


• Experiment 1: Validating that TDOA-C has a higher hiding capacity (or a larger amount of secret message delivery) than the existing static model.
• Experiment 2: Validating that TDOA-U has a higher undetectability than the existing static model.
We will describe details on the experimental purpose, methods, and results of each experiment. All our experiments were conducted with Python 3 on a laptop (Intel i5 10th GEN and 16 GB RAM).

Experiment 1: Validation of TDOA-C
Experiment 1 consists of two parts (Part 1 and Part 2) as follows. In Part 1, we implement an existing method combined with our TDOA-C in a real web environment and show our model can work. In the second part, we conduct numerical analysis to validate our TDOA-C that will improve the hiding capacity of two representative existing methods (CCL and COA) compared with it in the static operation model.

Experiment 1. Part 1: Implementation of TDOA-C in the Web Environment
To show that our TDOA-C works in a real web environment, we built a web server and then implemented TDOA-C according to Algorithm 1 (see Figure 10). We used the Flask web framework [38] to build a web server on our laptop and the urllib.request library [39] to receive stego webpages from the web server.
Based on the constructed web environment, we conducted Part 1 of Experiment 1 as follows (see Figure 10). For the secret message , we generated 100 UUID (Universally Unique Identifiers) by using UUID version 4 algorithm [40] and used the combined 100 UUIDs for . Each UUID consists of 32 hexadecimal numbers (16 bytes). Next, we created 100 s by embedding each UUID into a cover web page, uploaded each to the web server every 10 s, and then accessed and received from the web server. We confirm that our algorithm works in the web environment if the embedded and extracted UUIDs are the same. The experimental results show that all 100 UUIDs are exactly matched. Table 1 shows part of the experimental results of part 1 for = 1, 2, 3, 4, 5, 10, 50, and 100. For example, for ( = 1), the sender embedded the first UUID (b8ab647e-4042-46bc-87b4-615c720ab068) into and then generated , and the receiver could extract the same UUID from the received . According to our experimental results, since all 100 UUIDs are received and extracted successfully at the receiver, (combined 100 UUIDs) is delivered correctly. Therefore, based on the experimental result, we confirmed our TDOA-C works properly in the web environment. To show how our TDOA-C can improve the hiding capacity (or the amount of a secret message delivery) of two representative existing methods in the static operation model, we conducted the comparative numerical analysis as follows.
First, we measured the average hiding capacity of existing methods (CCL and COA) by considering the top popular global websites' main webpages. For cover webpages, we collected the top 50 webpages introduced by two popular websites Alexa [41] and SimilarWeb [42] that provide the global website ranks in terms of the number of visitors to websites.
For the CCL method, we implemented it by adopting Sui and Luo's CCL method [6] and measured the hiding capacity of CCL for each of the collected webpages as: where denotes th elements in the webpage, and denotes a function that returns the number of alphabetic letters, excluding attribute values and contents, in an element, and denotes the number of elements in a webpage. We averaged all obtained [ ]. In addition, for the COA method, we implemented it by adopting Huang et al.'s COA method [25] and measured the hiding capacity of COA for each of the collected webpages as: where is the th tag in a webpage, ( ) is a function that returns the number of attributes in , and is the number of tags within the webpage. If ( ) ≥ 2, the maximum number of permutations is equal to { ( )}!, and, thus, the hiding capacity of is equal to ⌊log { ( )}!⌋ bits. We averaged all obtained values of [ ]. All measured values of the hiding capacity of existing methods (CCL and COA) are shown in Table 2 and Figure 11. Second, we compared the calculated average hiding capacity of the two existing methods (CCL and COA) in the static operation model with our approaches (CCL with TDOA-C and COA with TDOA-C). For our approaches, we measured the average hiding capacity of our two methods as the change cycle time ( ) decreases from 100 to 10 by 10. For simplicity, we set to a fixed value between 10 and 100, which means the interval of and is equally set where ∈ 1 ≤ ≤ − 1 (see Algorithm 1). For example, if is 2 s, an existing stego webpage will be updated with the next stego webpage every two seconds in our dynamic operation model. Thus, for 10 s, five different stego webpages (i.e., the number of stego webpages = 5) will be uploaded to the web server while only one stego webpage is exposed in the static operation model regardless of .
Based on the above settings, we conducted the comparative numerical analysis in terms of hiding capacity by using various operation times (1000 s, 2000 s, 5000 s, and 10,000 s). The operation time is − .
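The two capacity measures described above can be computed for any page with a short parser, which also gives an analyst an upper bound on how many bits a given page could carry per version. The following Python sketch is an added example, not the authors' implementation; the function names and the sample page are constructed here, and it assumes that the CCL count covers letters in start-tag names, end-tag names and attribute names, and that the logarithm is base 2 because the result is in bits.

```python
from html.parser import HTMLParser
from math import factorial


class CapacityMeter(HTMLParser):
    """Accumulate CCL and COA hiding capacity (in bits) over one page."""

    def __init__(self):
        super().__init__()
        self.ccl_bits = 0  # one bit per alphabetic letter in tag/attribute names
        self.coa_bits = 0  # floor(log2(k!)) per tag with k >= 2 attributes

    @staticmethod
    def _letters(name):
        # Digits (as in "h1") cannot carry a case bit, so only letters count.
        return sum(1 for ch in name if ch.isascii() and ch.isalpha())

    def handle_starttag(self, tag, attrs):
        names = [name for name, _ in attrs]
        self.ccl_bits += self._letters(tag)
        self.ccl_bits += sum(self._letters(n) for n in names)
        k = len(set(names))  # duplicated attribute names add no permutations
        if k >= 2:
            # bit_length() - 1 is an exact integer floor(log2(k!)).
            self.coa_bits += factorial(k).bit_length() - 1

    def handle_startendtag(self, tag, attrs):
        # A self-closing tag has no separate end tag to count.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.ccl_bits += self._letters(tag)


def measure_capacity(page):
    """Return (ccl_bits, coa_bits) for one HTML document."""
    meter = CapacityMeter()
    meter.feed(page)
    meter.close()
    return meter.ccl_bits, meter.coa_bits


def tdoa_c_delivered_bits(capacity_bits, operation_time_s, cycle_s):
    """Bits delivered when the stego page is replaced every cycle_s seconds.

    The static operation model corresponds to a single page, i.e. capacity_bits.
    """
    if cycle_s <= 0:
        raise ValueError("cycle_s must be positive")
    pages = operation_time_s // cycle_s  # number of stego pages served in turn
    return pages * capacity_bits


# Constructed sample page (not one of the pages measured in the paper).
SAMPLE = """<html><head><meta charset="utf-8"></head>
<body>
<a href="/x" id="l1" class="nav" title="t">link</a>
<img src="a.png" alt="a">
<p class="c">text</p>
</body></html>"""

if __name__ == "__main__":
    ccl, coa = measure_capacity(SAMPLE)
    print("CCL bits:", ccl, "COA bits:", coa)
    for cycle in (100, 50, 10):
        print(cycle, "s cycle over 1000 s:",
              tdoa_c_delivered_bits(ccl, 1000, cycle), "bits with CCL")
```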
We now explain our experimental results as follows (see Table 3 and Figure 12). First, for all values of , the average hiding capacities of our proposed algorithms (CCL with TDOA-C and COA with TDOA-C) are much higher than those of the existing two methods (CCL and COA). Table 3 and Figure 12. In the case of SimilarWeb, the analysis results are similar.
Second, the difference between the hiding capacity of existing methods and our methods increases as the operation time increases from 1000 s, 2000 s, 5000 s, and 10,000 s. For example, Figure 12 shows Third, the hiding capacity of CCL with TDOA-C is much larger than the capacity of COA with TDOA-C. For example, Figure 13a, Figure 13c,d, such a tendency holds as well. This is because the CCL method can embed data more into a cover webpage than the COA method, as we discussed above (see Table 3).
(a) CCL with TDOA-C from Alexa (b) COA with TDOA-C from Alexa (c) CCL with TDOA-C from SimilarWeb (d) COA with TDOA-C from SimilarWeb Figure 13. The capacity of our methods (CCL with TDOA-C and COA with TDOA-C) and existing methods (CCL and COA) according to .

Experiment 2: Validation of TDOA-U
The purpose of Experiment 2 is to show how our TDOA-U can improve the undetectability of an existing method in the static operation model. The concept to measure undetectability is depicted in Figure 14. We consider that an existing method in the static operation model has zero undetectability because, as shown in Figure 14a, it will always be detected by a monitor since there is no concealed time period between and . In addition, we consider that a method in Case 2 has higher undetectability than a method in Case 3 because Case 2′s exposure time to users including a monitor is smaller than Case 3 given the same operation time period (= − ). Thus, the chance that Case 2 is not detected by the monitor is lower than the chance that Case 3 is not detected. To compare two methods quantitatively in terms of undetectability, we define undetectability as: where is the exposure time period of the th stego webpage, is a set of ∈ [1, ], is the exposure time period of the th cover webpage, is a set of ∈ [1, ], and ∈ [0, 1]; | | = | | = . This metric indicates the ratio of the amount of time that a stego webpage is not exposed to the total operation time. Thus, a method has its maximum undetectability when = 1, and, for the existing method in the static operation model, = 0. To see how differently our proposed methods has depending on and , we conducted the comparative numerical analysis as follows. For simplicity, we set = = ⋯ = = ⋯ = and = = ⋯ = = ⋯ = , and the total operation time (= − ) = 1000 s. In addition, we used various values for and from 10 s to 100 s by 10 s. In addition, we implemented our CCL with TDOA-U and conducted an experiment in a real web environment to see if its measured in the real web environment is similar with calculated in our numerical analysis (see Figure 15). The experimental environment is the same as Experiment 1, Part 1. 
To create an actual stego webpage, we used the main webpage of Google as a cover webpage, and then embedded the secret string "STEGANOGRAPHY" (91 bits) by using the CCL method. The total operation time period (= − ) is 100 s, and we considered three cases: Case 1 ( = 50 s and = 50 s), Case 2 ( = 30 s and = 70 s), and Case 3 ( = 70 s and = 30 s). In addition, we implemented a monitor such that it accesses the webpage one time randomly during the operation time of 100 s and then checks whether the accessed time point is in the stego webpage's exposed time period. The experiment was repeated for 100 rounds, and then we measured as the total number of detections of the stego webpage over the total number of accesses.
We now explain the results of Experiment 2 (see Tables 4 and 5). First, our proposed method TDOA-U has higher undetectability than the existing method in the static operation model. As we can see in Table 4, for all values of and , all measured values of were higher than zero in our experimental settings. That means that our proposed method has higher undetectability than the existing method in the static operation model. Therefore, we confirmed that our TDOA-U can improve the undetectability of the existing webpage steganography methods.
Second, depending on the values of and of TDOA-U, the undetectability varies. As shown in Table 4, is blue-colored when > 0.6 and is red-colored when < 0.4. As we expected, when > , ≥ 0.5 because the total amount of exposure time of is greater than the total amount of exposure time of during the operation time of 1000 s. On the other hand, when < , ≤ 0.5 because the total amount of exposure time of is lower than the total amount of exposure time of during the operation time of 1000 s. In addition, when = , ≈ 0.5 because the total amount of exposure time of is almost equal to the total amount of exposure time of during the operation time of 1000 s. There were some small deviations from 0.5 due to the fixed operation time of 1000 s (e.g., when = 30 s and = 30 s, = 0.49). We can use and for various purposes. For example, for higher undetectability, we can set > and, for higher secret message delivery, we can set < .  Table 5). For Case 1, Case 2, and Case 3, the measured , is 0.49, 0.67, and 0.29, respectively, and they are similar to the , calculated for Case 1, Case 2, and Case 3. The small difference , and , between each case can be ignored.
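The numerical analysis and the single-access monitor experiment described above can be reproduced with a short simulation. This is an added example, not the authors' code: the names `stego_period` and `cover_period`, the assumption that the schedule starts with the stego webpage and is cut off when the operation time ends, and the multi-access `detection_probability` helper (a generalization beyond the page's one-access monitor) are assumptions.

```python
import random

def exposure_schedule(stego_period, cover_period, total_time):
    """Alternate stego/cover intervals over [0, total_time), truncating the last one.
    Assumption: the operation starts with the stego webpage exposed."""
    if stego_period <= 0 or cover_period < 0 or total_time <= 0:
        raise ValueError("periods and total_time must be positive (cover may be 0)")
    intervals, t, kind = [], 0, "stego"
    while t < total_time:
        length = stego_period if kind == "stego" else cover_period
        end = min(t + length, total_time)
        if end > t:
            intervals.append((t, end, kind))
        t, kind = end, ("cover" if kind == "stego" else "stego")
    return intervals

def undetectability(stego_period, cover_period, total_time):
    """Ratio of time the stego webpage is NOT exposed to the total operation time."""
    schedule = exposure_schedule(stego_period, cover_period, total_time)
    concealed = sum(end - start for start, end, kind in schedule if kind == "cover")
    return concealed / total_time

def monitor_miss_rate(stego_period, cover_period, total_time, rounds, seed=0):
    """Monitor model from the experiment: one uniformly random access per round.
    Returns the fraction of rounds in which the access fell on the cover webpage."""
    rng = random.Random(seed)
    schedule = exposure_schedule(stego_period, cover_period, total_time)
    misses = 0
    for _ in range(rounds):
        t = rng.random() * total_time
        kind = next((k for s, e, k in schedule if s <= t < e), schedule[-1][2])
        misses += kind == "cover"
    return misses / rounds

def detection_probability(u, accesses):
    """Added generalization: chance that at least one of `accesses` independent,
    uniformly random accesses lands on the stego webpage, given undetectability u."""
    return 1 - u ** accesses

if __name__ == "__main__":
    print("30 s / 30 s over 1000 s:", undetectability(30, 30, 1000))
    for name, s, c in [("Case 1", 50, 50), ("Case 2", 30, 70), ("Case 3", 70, 30)]:
        u = undetectability(s, c, 100)
        print(name, "calculated", u, "simulated", monitor_miss_rate(s, c, 100, rounds=100),
              "detected within 5 accesses", round(detection_probability(u, 5), 3))
```

Under these assumptions, the 30 s / 30 s schedule ends the 1000 s window partway through a cover interval, which yields the 0.49 reported for that setting. From a monitoring standpoint, `detection_probability` shows how quickly repeated random accesses erode the benefit of a short stego exposure period.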

Conclusions and Future Work
In this paper, to improve the hiding capacity or undetectability of existing webpage steganography, we proposed a time-based dynamic operation model (TDOM) that dynamically replaces the stego webpage with other stego webpages or the original webpage. We designed two time-based dynamic operation algorithms: TDOA-C, which improves the hiding capacity of existing methods, and TDOA-U, which improves the undetectability of existing methods. In addition, to validate our model and show the performance of our proposed methods, we conducted extensive comparative experiments and numerical analysis by implementing two webpage steganography methods with our TDOM (CCL with TDOA-C and COA with TDOA-C), and tested them in the web environment.
Our future research directions are as follows. First, we will consider a spatial factor for our dynamic operation model by studying the concept of recent moving target defense techniques [43,44] to better improve the hiding capacity or the undetectability of existing webpage steganography methods. Second, we will devise a new webpage steganography method that overcomes the limitations of existing webpage steganography methods, and then combine it with our dynamic operation model. Third, we will design a secure and sophisticated time synchronization method for the sender and receiver. Fourth, we will study randomizing the change-replacement pattern of the stego webpage and the cover webpage to improve the undetectability of our dynamic operation model. Lastly, we will design a hybrid model that combines TDOA-C and TDOA-U and examine how the hybrid approach can improve the performance of existing methods.