SteaLTE: Private 5G Cellular Connectivity as a Service with Full-stack Wireless Steganography
Leonardo Bonati, Salvatore D'Oro, Francesco Restuccia, Stefano Basagni, Tommaso Melodia
SSteaLTE : Private 5G Cellular Connectivity as aService with Full-stack Wireless Steganography
Leonardo Bonati, ∗ Salvatore D’Oro, ∗ Francesco Restuccia, ∗† Stefano Basagni, ∗ Tommaso Melodia ∗∗ Institute for the Wireless Internet of Things, Northeastern University, Boston, MA, U.S.A. † Roux Institute, Northeastern University, Portland, ME, U.S.A.
Abstract —Fifth-generation (5G) systems will extensively em-ploy radio access network (RAN) softwarization. This key in-novation enables the instantiation of “virtual cellular networks”running on different slices of the shared physical infrastructure. Inthis paper, we propose the concept of
Private Cellular Connectivityas a Service (PCCaaS), where infrastructure providers deploy covert network slices known only to a subset of users. We thenpresent
SteaLTE as the first realization of a PCCaaS-enablingsystem for cellular networks. At its core,
SteaLTE utilizes wirelesssteganography to disguise data as noise to adversarial receivers.Differently from previous work, however, it takes a full-stack ap-proach to steganography, contributing an LTE-compliant stegano-graphic protocol stack for PCCaaS-based communications, andpacket schedulers and operations to embed covert data streams on top of traditional cellular traffic ( primary traffic ). SteaLTE balances undetectability and performance by mimicking channelimpairments so that covert data waveforms are almost indistin-guishable from noise. We evaluate the performance of
SteaLTE onan indoor LTE-compliant testbed under different traffic profiles,distance and mobility patterns. We further test it on the outdoorPAWR POWDER platform over long-range cellular links. Resultsshow that in most experiments
SteaLTE imposes little loss of pri-mary traffic throughput in presence of covert data transmissions( < ), making it suitable for undetectable PCCaaS networking. Index Terms —Steganography, 5G, Private Cellular Connectiv-ity as a Service, Undetectability.
This paper has been accepted for publication at IEEE International Conference on Computer Communications (INFOCOM) 2021. ©2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media including reprinting/republishingthis material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
I. I
NTRODUCTION
The softwarization of the Radio Access Network (RAN) isbeing heralded as the core of fifth generation (5G) cellular net-works [1–7]. Enabling virtualization technologies, softwariza-tion will allow Infrastructure Providers (IPs) to create virtualnetworks on top of their physical infrastructure, each assignedto a different infrastructure slice [8–10]. This fundamental in-novation will concretely realize the long-standing vision of
Cel-lular Connectivity as a Service (CCaaS) , where the IP assignsphysical resources (e.g., spectrum, power, base stations, etc.)to each Mobile Virtual Network Operator (MVNO) accordingto their requirements [11, 12]. CCaaS is envisioned to provideunparalleled levels of Quality of Experience (QoE) to mobileusers, as well as usher in new business opportunities betweenIPs and MVNOs [13, 14].In this paper we leverage RAN softwarization and networkslicing to concretely realize
Private Cellular Connectivity as aService (PCCaaS) , pushing the CCaaS innovation to the realm
E-mail: { l.bonati, s.doro, frestuc, s.basagni, t.melodia } @northeastern.eduThis work was supported by the U.S. Office of Naval Research under GrantsN00014-19-1-2409 and N00014-20-1-2132. of private networking. Through PCCaaS the IPs can instanti-ate and deploy private network slices sharing the virtualizedinfrastructure with other (public) slices. In this paper we use theword private to identify slices whose existence is known onlyto selected users that can exchange sensitive data embedding it covertly and undetectably into primary traffic , used as decoy.The opportunities and applications of PCCaaS are multifold.For instance, with PCCaaS law enforcement agencies couldleverage the ubiquitous connectivity offered by extant cellularinfrastructure and use private slices to establish undetectablecommunications with undercover agents in the field. Similarly,law enforcement could deploy tiny Internet of Things (IoT)devices as “bugs,” collecting audio and video content andcommunicating it covertly. Such devices would pose as regularIoT sensors and conceal sensitive covert information on topof innocuous primary traffic, e.g., temperature readings. Anexample of PCCaaS is shown in Fig. 1. T i m e FrequencySlicing profile
Primary-onlysliceCovertreceiverCovert IoTreceiver SteganographicslicePrimary-onlyreceiver
Decoytraffic CoverttrafficPublictraffic
PublicslicePrivateuser PrivateslicePublicuser Eavesdropper
Decoytraffic
Primary sliceCovertreceiverPrivate slice Covert IoTreceiver Primary-onlyreceiverEavesdropper
Fig. 1: Private Cellular Connectivity as a Service (PCCaaS).
The IP instantiates three slices whose profile is communi-cated to the cellular base station. Two slices are public (inred). These slices are for public users of the infrastructures(e.g., cellular subscribers). The third slice is private. In thisslice, private users exchange data that is of non-sensitive nature(decoy traffic, in blue). This is their primary traffic. They alsoexchange covert traffic (in orange), which is hidden into theprimary data. The challenge of PCCaaS is that of fooling amalicious eavesdropper to believe that the private users are onlyexchanging decoy traffic, namely, in allowing the eavesdropperto capture only their primary traffic.Clearly, no form of effective data encryption is the solutionto realizing the vision of PCCaaS. First of all, not all deviceshave the necessary resources to support the execution of power-hungry and computationally complex encryption algorithms.The IoT scenario described above is a typical example. Fur- a r X i v : . [ c s . N I] F e b hermore, encrypted traffic is still subject to jamming: Anadversarial user that is capable to detect the transmission ofsensitive information could prevent its intended recipient toreceive it. The key question is therefore how to ensure thatcommunication of sensitive data is not only secure, but also undetectable , independently of encryption.One of the key challenges in realizing PCCaaS is thatdata transmitted over wireless channels cannot be easily hid-den. To address this problem, wireless steganography directlyoperates on Radio Frequency (RF) waveforms by applying“hand-crafted” tiny displacements to the I/Q symbols beingtransmitted, also known as primary symbols [15–22]. While asteganographic receiver (the private user of Fig. 1) can decodethe covert information by translating the “dirty” I/Q symbols toa corresponding covert bit sequence, public users would be ableto decode primary symbols only.Fig. 2 illustrates a practical example of wireless steganogra-phy where covert data are embedded into a QPSK-modulatedsignal. IQ IQ IQ (a) QPSK w/o steganography. (b) QPSK w/ steganography. IQ (c) Encoding examples. Primary: 10Covert: 1Primary: 01Covert: 0 𝜃 = 30 o Fig. 2: Wireless steganography over a QPSK modulation.
Specifically, Fig. 2a shows the set of QPSK symbols used toform the primary message. Let us assume that the transmittersends the primary symbol “01” to deceive adversaries, butat the same time it wants to embed a covert message in itthrough wireless steganography. To achieve this, the transmittercan rotate the phase of the I/Q symbols of Fig. 2a by anangle θ to send the covert bit “1” (Fig. 2b), while symbolswith no rotations correspond to the bit “0” (Fig. 2c) [23]. (Moresophisticated schemes are described in Section II-B.)Despite recent advances, wireless steganography has not yetfound widespread application in networking. We believe this isbecause existing approaches operate only at the physical layer,which is insufficient to make PCCaaS systems possible.In this paper we leverage steganography as the core of aready-to-use full-stack approach to PCCaaS-based networking.Our system, that for testing purposes has been realized on open-source LTE implementations, is called SteaLTE to indicate the stealthy , private nature of the networking it enables to satisfyPCCaaS requirements.
SteaLTE achieves: • End-to-end Reliability and Security . We design a full-stacksteganographic system leveraging proven reliable data transfertechniques. These are integrated to a steganographic mutual au-thentication mechanism where legitimate parties authenticateeach other before exchanging confidential information. • Adaptive Traffic Embedding . Covert data need to be embed-ded over primary traffic, which is inherently varied and unpre- dictable. Clearly, a large covert data packet cannot be embeddedon a small primary packet, or cannot be transmitted at all inthe absence of primary traffic. This requires the process ofembedding covert traffic to be flexible enough to deal with suchunpredictability. To this purpose,
SteaLTE features a covertpacket generator component that creates and embeds covertpackets that seamlessly adapt to primary data traffic, generating“dummy” primary traffic on-demand, if necessary. • Standard compliance . To successfully operate over existingcellular networks, PCCaaS must adhere to standard protocolimplementations of 4G/5G systems.
SteaLTE has been designedto seamlessly integrate with cellular systems without disruptingprimary communications or affecting their performance. • Undetectability . A goal of PCCaaS is to make covert datacommunications undetectable, concealing them from eaves-droppers and jammers. To this aim, we design a stochasticsteganography scheme that embeds covert transmissions bymimicking wireless channel noise. We show that
SteaLTE reduces the Kolmogorov–Smirnov (K-S) distance from the“clean” (i.e., without covert data) distribution by . x, improv-ing undetectability with respect to previous solutions [24].Our LTE-compliant prototype of SteaLTE —the first forPCCaaS-based cellular networking—has been evaluatedthrough experiments over indoor and outdoor testbeds(including the POWDER platform from the PAWRprogram [25, 26]) on scenarios with varying parameters,including topology, traffic patterns, mobility and link ranges.Our results show that, overall, the
SteaLTE covert throughputis comparable to the primary throughput, that it minimallyaffects primary transmissions imposing < loss of primarythroughput, and that, even in challenging outdoor settings,effectively delivers covert data on links up to
852 ft long.The rest of paper is organized as follows. The
SteaLTE system design is presented in Section II. Its prototype overLTE-compliant implementations is described in Section III.Section IV reports results from our testbed-based experimentalevaluation of
SteaLTE . A review of previous work on the topicis surveyed in Section V. Conclusions are drawn in Section VI.II. S
TEA
LTE D
ESIGN
In this section we describe
SteaLTE , providing details on its covert communications (Section II-A), transmitter and receiverdesign (sections II-B and II-C), and the mechanisms to enable undetectable covert communications (Section II-D).
A. Covert Communications: Formats and Operations
This section describes the packet format and the operationsthat allow
SteaLTE to enable PCCaaS-based reliable and securecovert communications.
1) Packet format:
The structure of
SteaLTE covert packetsis illustrated in Fig. 3a. Each packet consists of three elements:A header , a payload and the
Cyclic Redundancy Check (CRC) .The header consists of 32 bytes carrying information on howto decode a received covert packet. For packet detection anddemodulation, the header is modulated through a fixed covertmodulation known by the receiver. Its structure is as follows: eader(32 bytes) Payload(variable) CRC32(4 bytes)Info(2 bytes) CRC8(1 byte)Packet Number(10 bits) ThresholdFlag (2 bits) Packet Type(3 bits)Modulation(1 bit)Payload w/ CRC32 length,L P + L PC (29 bytes) L H L P L PC Type Flag Description (a) Packet structure.
Header(32 bytes) Payload(variable) CRC32(4 bytes)Info(2 bytes) CRC8(1 byte)Packet Number(10 bits) ThresholdFlag (2 bits) Packet Type(3 bits)Modulation(1 bit)Payload w/ CRC32 length,L P + L PC (29 bytes) L H L P L PC Type Flag Description0 000 ACK1 001 NACK2 010 Data3 011 Source / Destination, Packet Info4 100 Challenge5 101 Challenge Response6 110 Authentication ACK7 111 Reserved (b) Packet types.
Fig. 3:
SteaLTE covert packet structure and types. (i) A 29-byte field with the length of the covert payload ( L P )and the CRC ( L P C ); (ii) a 2-byte info field with information onhow to demodulate the covert packet, and (iii) a 1-byte CRC8field to detect errors on the header. The info field contains: • Packet Number:
10 bits uniquely identifying a packet, alsoused to request packet retransmission (Section II-A2). • Modulation:
A bit flag indicating the modulation used toencode payload and CRC.
SteaLTE chooses between two covertmodulation schemes depending on the quality of the wirelesschannel. This field can be extended to account for additionalcovert modulation schemes (see also Section II-B1). • Threshold Flag: • Packet Type:
A 3-bit field to discern among data and controlpackets. The different packet types and their flags are shownin Fig. 3b. Packet types 0 and 1 are
ACK and
NACK controlpackets sent by the receiver to give feedback on the coverttransmission (Section II-A2). Packets carrying covert data areof type 2. Packets of type 3 carry information on source anddestination of covert packets and on the total number of packetsin the current transmission. Each source and destination addressis encoded by 5 bytes containing the corresponding MobileSubscription Identification Number (MSIN) (i.e., the telephonenumber commonly used to identify mobile subscribers). Uponreceiving an uplink covert transmission, the Base Station (BS)maps the destination MSIN to the corresponding InternationalMobile Subscriber Identity (IMSI), which uniquely identifiesthe User Equipment (UE). It then relays the covert message tothe receiver via a downlink covert transmission or forwards it tothe
SteaLTE
BS serving the receiver, as for regular voice traf-fic). Packets of type 4, 5 and 6 are used for the mutual authen-tication of covert transmitters and receivers (Section II-A3).Packet type 7 is reserved for future use.
Payload and CRC32.
The variable-size packet payload car-ries sensitive user data to be transmitted covertly. This fieldadapts to the size of primary packets to improve the efficiencyof covert communications (Section II-B1). To ease reception,the length of this field is included in the packet header (Fig. 3a).The packet ends with a 4-byte CRC32 field utilized for errordetection and to ensure the integrity of covert transmissions.
2) Reliable covert communications: SteaLTE provides built-in reliability through standard reliable data transfer mecha- nisms. These include error detection, receiver-to-transmitterfeedback (positive and negative acknowledgments), packet se-quence numbers, timeouts, and retransmissions [27]. Error de-tection is performed through two Cyclic Redundancy Check(CRC) codes: A CRC8 code is used to protect the header of thepacket and a CRC32 code for the packet payload (see Fig. 3a).
3) Mutual Authentication: SteaLTE implements a schemefor the mutual authentication of BSs and UEs through covertchallenge/response operations. After standard cellular attach-ment procedures are completed, the BS sends a randomly-generated challenge to the UE using a type 4 packet (Fig. 3b).Upon receiving this packet the UE computes the Keyed-HashMessage Authentication Code (HMAC) from the BS challengeand key (which has been pre-shared), and sends the HMACresult as the challenge response (packet of type 5). Afterreceiving the response from the UE, the BS compares it withthe expected HMAC result. If the two match, the BS considersthe UE authenticated . To notify the successful end of the UEauthentication procedures, the BS sends an authentication
ACK message to the UE (packet of type 6). If the challenge responseis not received, the BS retransmits the challenge to the UE.After a certain number of unresponded attempts, or in case oferroneous response, the BS considers the UE not authenticated and will avoid any covert communication with it. When theUE receives the authentication
ACK from the BS, it follows asimilar procedure to authenticate the BS.
B. Transmitter Design
This section presents the main components of
SteaLTE trans-mitter: The
Covert Packet Generator , the
Covert Modulator ,and the
Covert Embedder . In the reminder of the paper, orange-colored blocks with dashed lines denote system components of
SteaLTE . All other colors identify standard cellular componentsthat do not require hardware or software modifications.Fig. 4 provides a high-level overview of the building blocksof a
SteaLTE transmitter.
Primary data buffer Covert Packet Generator …… Covert data bufferPrimarydataCovertdata …… PrimarysymbolsCovert data chunks Primary onlysymbolsPrimary + Covertsymbols RF front-endMapper & PrecoderScheduler & Modulator
Fig. 4: High-level
SteaLTE transmitter design.
Primary and covert data streams are separate and indepen-dent from one another. Primary data are processed throughstandard scheduling and signal processing procedures (e.g.,modulation) of the primary system. These data result in asequence of primary symbols that are fed to the
SteaLTE covertpacket generator (Section II-B1). After the covert symbolshave been embedded in the primary symbols, they are mappedand precoded according to standard cellular procedures (Sec-tion III), and transmitted through the RF front-end.
1) Covert Packet Generator:
This block reads covert datafrom the covert data buffer, and embeds it in the modulatedprimary symbols. This is achieved by executing the followinghree steps (see Fig. 5): (i) Verifying that there are enoughprimary symbols to embed a complete covert packet; (ii) gen-erating covert symbols to be transmitted, and (iii) embeddingthem into primary ones.
Generate Header Covert Embedder …… Covert dataPrimarysymbols YES …… Primary onlysymbolsPrimary w/ covert symbolsCovert modulation parameters Count primary symbols
Covertpayload& CRC32 Covertpacket
Primary symbolsL PS L PS NOGenerate Payload & CRC32
Modulated covert symbols
Covert Modulator> L H + L PC Fig. 5: Covert packet generator block overview.
The covert packet generator starts by verifying if the numberof primary symbols L P S is large enough to accommodate atleast L min = 36 bytes, which are required for the covert packetheader ( L H = 32 bytes) and the CRC32 field ( L P C = 4 bytes). In the positive, it generates the covert packet payloadand CRC32 field. The length of the payload and of the CRC32are included in the packet header, as described in Section II-A1.The packet is then modulated through the covert modulator according to set covert modulation parameters (also in theheader). Finally, the resulting covert modulated symbols areembedded in the primary symbols through the covert embedder .If L P S ≤ L min no covert data are embedded in the primarytraffic. Note that the adaptive structure of the covert packetsallows to embed variable size covert data on top of time-varying and unpredictable primary traffic. This feature makes SteaLTE transparent to primary traffic dynamics, thus enabling the inte-gration of
SteaLTE with any softwarized cellular system.
Covert Modulator.
This block is in charge of encodingcovert packets into covert symbols that can be embedded intoprimary transmissions (Fig. 5). Several approaches are possiblefor covert embedding of data through wireless steganography.Fig. 6 illustrates three examples of 2 covert bits to be added ontop of a primary QPSK constellation.
IQIQ IQ IQ
00 01 11 10Covert coding map:(a) Virtual Constellation (d) (b) Pseudo-noise (c) Phase-shift000111 10 000111 10 000111 10Primary coding symbols Transmitted symbols Primary bit sequence: 11 Covert bit sequence: 01
Fig. 6: Approaches to wireless steganography.
The first approach generates a “dirty” QPSK constellationaround each primary symbol (Fig. 6a) mimicking a hierarchicalconstellation on top of the primary QPSK constellation [16].The second one introduces a hierarchical Amplitude ShiftKeying (ASK) modulation manipulating the amplitude of theprimary symbols (Fig. 6b) such that different amplitude valuesencode different covert bit sequences [24]. The third approach modifies the phase offset of the primary symbols (Fig. 6c)in a way that each phase rotation encodes a specific bit se-quence [23]. As
SteaLTE is not tied to any specific stegano-graphic procedure its covert modulator supports any of theseapproaches. In the following we assume that the covert modu-lator block implements the approach depicted in Fig. 6b [24],which we call M C -ASK, where M C is the number of symbolsin the covert constellation. The advantages of this approachinclude that it is robust against phase rotations introduced byfading, that it supports high-order modulation schemes (forhigh covert data rates), and that it can be seamlessly integratedwith OFDM systems such as those used in the latest generationsof cellular networks. The covert modulator receives the covertpackets together with the set of covert modulation parameters,which specify the modulation order, the corresponding codingmap, and the packet type (Fig. 5). The coding map uniquelyassociates covert packets (i.e., bit sequences) to modulatedcovert symbols. Covert symbols are, then, embedded in primarysymbols through the covert embedder block. Covert Embedder.
Once covert symbols have been gener-ated, they are embedded by the covert embedder (Fig. 5). Thisprocedure modulates the amplitude (and phase) of the primarysymbols based on the covert symbols to embed [24]. The outputis a sequence of primary symbols with embedded covert data.The symbols are then processed by mapping and precodingblocks and transmitted through the RF front-end (Fig. 4).
2) Downlink and Uplink Procedures: SteaLTE runs seam-lessly on both downlink and uplink transmissions (Fig. 7), anddoes not depend on specific Medium Access Control (MAC)strategies (e.g., TDD/FDD, OFDMA/SC-FDMA).
Resource Element Mapping
DL Primary traffic
UE 1 (Covert)
DL Covert traffic DL Primary traffic
UE 3 (Covert)
DL Covert traffic
UE 2 (Standard)
DL Primary traffic
Covert Packet GeneratorUE 1
OFDMA resource grid T i m e Frequency
DL StandardScheduler & ModulatorCovert Packet GeneratorUE 3 (a) Downlink (DL) transmitter.
UL Primary traffic
UE 1 (Covert)
UL Covert traffic UL Primary traffic
UE 2 (Standard)
SC-FDMA resource grid T i m e FrequencyUL Standard Scheduler & ModulatorCovert Packet GeneratorUL Standard Scheduler & Modulator (b) Uplink (UL) transmitter.
Fig. 7: High-level
SteaLTE downlink and uplink transmitter design.
Fig. 7a shows the downlink transmitter design at the BS. Inthis example, the BS is serving three subscribers: Two covertusers (UE 1 and UE 3), and a standard user (UE 2). Afterscheduling the primary transmissions through typical cellularprocedures, the BS generates the covert packet to embed on theprimary traffic of UE 1 and UE 3 (Section II-B1). Then, theata for all users is mapped on the cellular resource grid (e.g.,the OFDMA grid in case of LTE downlink), and transmitted.The high-level uplink transmitter design is shown in Fig. 7b,where two users are connected to a
SteaLTE
BS: UE 1 (covertuser), and UE 2 (standard user). After completing the mutualauthentication procedures, UE 1 generates and embeds thecovert packets in the primary uplink traffic to send to the BS.Then, it maps the primary uplink transmission with embeddedcovert data on the cellular resource grid (e.g., SC-FDMA gridin case of LTE networks). On the other hand, UE 2, which isnot aware of the ongoing covert communications, schedules itsuplink transmission according to standard cellular procedures.
C. Receiver Design
Fig. 8 shows the receiver design. Primary data are processedas per standard cellular procedures. Covert data follow a sep-arate receive chain with two main components: The
CovertPacket Detector and the
Covert Payload Demodulator . RF front-end
Receivedsymbols
Covert Packet Detector Covert Payload DemodulatorPrimary Demodulator
Primary data bufferCovert data bufferCovert symbols
Fig. 8: High-level
SteaLTE receiver design.
1) Covert Packet Detector:
This block detects the presenceof covert packets demodulating the covert packet header (first L H bytes of the covert packet). As mentioned in Section II-A1,the covert header is modulated through a -ASK modulation.Thus, if the CRC8 check passes (Section II-A2), the receiverassumes a covert packet has been received.Upon detecting a covert packet, the covert packet detectorreads the length L P + L P C of the covert payload and CRC32fields, the packet number and the modulation parameters in theinfo field of the header (Fig. 3a). Finally, it extracts the symbolscorresponding to the encoded L P + L P C bytes of the covertpacket, that will be demodulated by the covert demodulator block of Section II-C2.
2) Covert Demodulator:
This block extracts the encodedcovert information from each packet. As shown in Fig. 3a,covert modulation parameters necessary to demodulate covertpackets, such as employed covert modulation, packet lengthand the packet type are specified in the header. This way, thedemodulator block can reconstruct the decoding map and useit to demodulate the received symbols into covert data (e.g.,bit sequence). Since all the covert modulation parameters arespecified in the packet header, no further interaction is requiredbetween transmitter and receiver. Section II-D (below) showsthat this approach also enables time-varying coding/decodingmappings that make covert transmissions undetectable and se-cure against eavesdroppers. Finally, the received CRC32 valueis checked (Section II-A2). If the check passes, the data aresaved, otherwise a retransmission will be requested.
D. Undetectable Covert Communications
Steganography is not immune from attacks. For instance,through steganalysis [28] an eavesdropper may analyze thestatistical properties of captured I/Q samples and infer thepresence of a covert slice. For example, let us consider the caseof primary QPSK transmissions where
SteaLTE embeds covertdata through a -ASK covert modulation [24]. Fig. 9 showsthe Probability Density Function (PDF) of the I/Q samplescaptured through the testbed described in Section IV-A inthree different cases: Primary-only transmissions are shown inFig. 9a; primary with fixed , i.e., detectable, -ASK covert trans-missions in Fig. 9b, and primary with SteaLTE undetectable covert transmissions in Fig. 9c. We also show the CumulativeDistribution Function (CDF) of all cases in Fig. 9d. The Kol-mogorov–Smirnov (K-S) distance is also shown to measure thesimilarity of the CDFs: The smaller the distance, the better. (a) PDF w/o covert. (b) PDF w/ fixed covert.(c) PDF w/ undetectable covert. (d) CDF and K-S distance.
Fig. 9: PDF and CDF of received I/Q samples.
Fig. 9a shows the PDF of the absolute value of the capturedprimary I/Q samples without any covert transmission. As ex-pected, the PDF assumes a Gaussian distribution with mean due to noise and fading. Fig. 9b shows the PDF when covertdata are embedded through a -ASK covert modulation [24].Comparing Fig. 9b with the primary-only case of Fig. 9a, wenotice that the absolute value of the captured samples no longerexhibits a Gaussian PDF centered around , but multiple bell-shaped Gaussian curves centered at . , . , . , and .This is also illustrated in Fig. 9d where the CDF of the I/Qsamples resembles a step function with a K-S distance withthe primary-only case equal to . . Such statistical behavioris not surprising: This result is inherited from the -ASK covertscheme in Fig. 6b, whose operation results in 4 possible covertpoints per primary symbol with amplitude equal to . , . , . , and . Steganalysis can easily identify such an abnormalstatistical pattern, thus revealing the ongoing covert transmis-sions to the eavesdropper. For steganographic communicationsto be undetectable, they must statistically behave like primaryones, which is possible by reducing their K-S distance.For this reason, SteaLTE implements a mechanism that mim-ics I/Q displacements introduced by channel noise by random-zing the covert embedding procedures. Rather than utilizinga fixed distance between covert symbols (as done in [24]),
SteaLTE randomly changes this distance, providing the first-of-its-kind undetectability mechanism . This process is illustratedin Fig. 10, where we show 4 possible configurations of a -ASKcovert constellation. IQ (d) (b) Flag = 11(a) Flag = 01 D i s t a n c e Flag Distance00 0.33301 0.2510 0.16511 0.0825 (a) Flag = 01. IQ (d) (b) Flag = 11(a) Flag = 01Distance Flag Distance00 0.33301 0.2510 0.16511 0.0825 (b) Flag = 11. IQ (d) (b) Flag = 11(a) Flag = 01Distance Flag Distance00 0.33301 0.2510 0.16511 0.0825 (c) Thresholds.
Fig. 10: Examples of covert -ASK constellations with different dis-tances and threshold flag values. To decode covert ASK messages, the receiver must be awareof the distance between covert symbols. As a consequence, ran-domizing the transmitted covert constellation could potentiallyundermine the receiver’s covert demodulation procedures. Toovercome this problem,
SteaLTE packets carry a threshold flag field (see Section II-A1) instructing the receiver on the covertconstellation used by the transmitter. The value of this flag ischanged on a per-packet basis, thus reducing the probability ofsuccessful steganalysis attacks. In our current implementation,this field consists of 2 bits encoding the 4 different distance con-figurations shown in Fig. 10c. However, it is straightforward toincrease the size of this field to further enhance undetectability.The effectiveness of our approach is depicted in Fig. 9c,where we show the PDF of
SteaLTE undetectable covertmessages. The absolute value of the captured I/Q samples iscentered around , while the remaining small peaks are hardlydistinguishable from the noise of the wireless channel. Thesame behavior can also be observed in the CDF of the primaryI/Q samples shown in Fig. 9d. When compared with the CDFof the primary-only LTE transmissions (solid line), the CDFof the covert signal not only does not show the steps observedwith fixed displacements (dashed line), but it also results in a . x shorter K-S distance.III. S TEA
LTE P
ROTOTYPE
We prototyped
SteaLTE on Commercial Off-the-Shelf(COTS) NI USRPs B210 and X310 Software-defined Radios(SDRs). Our implementation is based on the LTE-compliantsrsLTE open-source software, which offers protocol stack im-plementations for LTE base stations (eNBs), UEs, and corenetwork [29]. We remark that as
SteaLTE follows a software-defined approach, it is not bound to LTE technology, and it canbe easily extended to future 5G-and-beyond cellular networks.We extended srsLTE to allow
SteaLTE to embed , encode ,and decode covert data on the downlink and uplink LTE pri-mary traffic. Specifically, we enhanced the Physical DownlinkShared Channel (PDSCH) and Physical Uplink Shared Channel(PUSCH) procedures at the PHY-layer. The PDSCH carries thedownlink data sent by the eNB to the UEs, and the random access response messages if the PDSCH is mapped to theRandom Access Channel (RACH). The PUSCH carries theuplink data that the UEs transmit to the eNB, and ACKs andNACKs for PDSCH data. Fig. 11 depicts the modified structureof the SteaLTE covert transmitter, i.e., the PDSCH at the eNBdownlink side or the PUSCH at the UE uplink side.
Primary Symbols NPrimary Symbolsw/ Covert 1Primarydata Codeword 1Codeword N … Primary Symbols 1
Layer Mapping & PrecodingResource Element Mapping
Primary data bufferCovert data buffer … … Covert data chunks ………
Covertdata
DL-SCH (UL-SCH)
Primary Symbolsw/ Covert NPrecodedSymbols
Scrambling & Modulation … Covert Packet Generator
OFDMA (DL) grid(SC-FDMA (UL) grid) T i m e Frequency
Fig. 11: The
SteaLTE covert transmitter.
When there is primary data to transmit (either in downlinkto the UE or uplink to the eNB), this is converted into code-words through the Downlink Shared Channel (DL-SCH) (or theUplink Shared Channel (UL-SCH)), which performs transportchannel encoding operations. Then, the resulting codewords are scrambled and modulated into primary symbols (for illustrationpurposes, in our experiments we adopt a QPSK modulationfor the primary traffic that carries covert data). After theseoperations the
SteaLTE covert packet generator (Section II-B1)modifies the amplitude of the resulting primary symbols, thusapplying a second (covert) modulation to them. This way, the covert data chunks are embedded on the primary symbols. Atthis point, the complex-modulated primary symbols with em-bedded covert are mapped into layers for spatial multiplexing,and then precoded, as per LTE specifications. Finally, the re-sulting precoded symbols are mapped into resource elements tobe transmitted via OFDMA (downlink), or SC-FDMA (uplink).IV. E
XPERIMENTAL E VALUATION
We report results from experimental campaigns for eval-uating the performance of
SteaLTE . Setups are described inSection IV-A. Results are shown and discussed in Section IV-B.
A. Experimental Setup
We evaluated
SteaLTE on indoor and outdoor testbeds.
Indoor scenarios . For our indoor experiments we lever-aged Arena, an indoor ceiling testbed covering an area of [30]. We instantiate LTE-compliant eNBs and UEson NI USRP X310 SDRs, USRP B210 and COTS XiaomiRedmi Go smartphones. In all configurations the eNB usesa
10 MHz channel bandwidth corresponding to PhysicalResource Blocks (PRBs). These devices are used in the indoortestbed configurations depicted in Fig. 12.The static scenario comprises one eNB and three UEs that arestatically placed
10 ft ,
15 ft and
20 ft away from the eNB(Fig. 12a). In this configuration all devices are USRPs X310. In
NB UE10 ft15 ft20 ft UE Trajectory
12 34 5 610 ft
USRP X310 (a) Static scenario. eNB UE10 ft15 ft20 ft UE Trajectory
12 34 5 610 ft
USRP X310 (b) Dynamic scenario. eNB UE10 ft15 ft20 ft UE Trajectory
12 34 5 610 ft
USRP X310
COTS UE (c) PCCaaS scenario.
Fig. 12: Indoor testbed setup and experiment configuration on theArena testbed [30]. this scenario eNB and UE exchange primary traffic generatedthrough iperf3 [31], a software tool for network performanceevaluation with TCP and UDP traffic. For experiments withUDP traffic the bitrate varies in the set { . , . , } Mbps .We also use traffic generated by a user-initiated speed test.The dynamic scenario is made up of the eNB and one UE travel-ing a distance of around the eNB as illustrated in Fig. 12b.Measurements are collected at six different location in the UEjourney. In this configuration the eNB is a USRP X310 and themobile device is a USRP B210. Primary traffic is generatedthrough the ping software utility, which uses Internet ControlMessage Protocol (ICMP) echo request and reply messages.The
PCCaaS scenario comprises two slices, one public andone private, with one eNB (USRP X310), one UE using theprivate slice for covert traffic (USRP X310), and two COTS Xi-aomi Redmi Go smartphones transmitting data over the publicslice. All users are statically positioned as in Fig. 12c within
10 ft from the eNB. In this scenario, primary traffic concernsYouTube videos streamed by the users.
Outdoor scenario . For outdoor, long-range testing we ported
SteaLTE to the Platforms for Advanced Wireless Research(PAWR) Platform for Open Wireless Data-driven ExperimentalResearch (POWDER) platform [25, 26]. We use the NR versionof srsLTE to instantiate one outdoor 5G base station (gNB)and one UE. The gNB is located on the rooftop of a
95 ft -tallbuilding and is realized by a USRP X310. The UE is staticallypositioned at ground-level. It is implemented through a USRPB210. The distance between gNB and UE is
852 ft . The gNBuses a -bandwidth ( PRBs). Covert data are embeddedthrough a -ASK modulation. Primary traffic between gNB andUE is generated through the ping utility.In all scenarios covert data are images and text files. B. Experimental results
In this section we report the results of the performanceevaluation of
SteaLTE in each of the considered scenarios. Foreach scenario, we describe the investigated metrics and theirrelevance, and illustrate the corresponding experimental results.Plots include 95% confidence intervals (not shown if < ).
1) Indoor static scenario:
In the static scenario of Fig. 12awe start by measuring the performance of
SteaLTE to de-liver covert data by investigating throughout (data delivery over time) and the percentage of packets that needs to beretransmitted. Fig. 13 shows the downlink and uplink covertthroughput and retransmissions for both -ASK and -ASKcovert modulations under TCP primary traffic. (a) Throughput. (b) Retransmissions. Fig. 13: Downlink and uplink covert performance with TCP primarytraffic for different covert modulations.
Being of higher order, -ASK obtains a higher throughputthan -ASK (Fig. 13a). However, this comes at the cost of trans-mission errors, leading to a higher percentage of covert packetretransmissions (Fig. 13b). This is because of the higher re-silience to errors of the -ASK modulation, which requires 38%less retransmissions than the -ASK case (uplink).Fig. 14 depicts the covert throughput (Fig. 14a) and per-centage of covert packet retransmissions (Fig. 14b) under UDPprimary traffic. The iperf3 UDP bitrate was set as follows:(A) .
75 Mbps ; (B) . , and (C) . (a) Throughput. (b) Retransmissions. Fig. 14: Downlink covert performance with UDP primary traffic fordifferent traffic profiles and covert modulations.
Differently from TCP traffic (see downlink performance inFig. 13a), the covert throughput is higher when data are em-bedded through a -ASK modulation. This is because, unlikeTCP, UDP streams data at the specified bitrate, as it does notimplement reliable data transfer. This behavior can be furtherobserved in Fig. 14b, which shows a much higher (close to x)number of covert retransmissions in case of -ASK modulation.Figures 15a and 15b show the covert throughput and the per-centage of packet retransmissions when TCP primary traffic isexchanged between eNB and UE, as a function of their distance(Fig. 12a). We notice that for short distances (i.e.,
10 ft ) -ASKprovides the highest performance. However, as the distanceincreases ( ≥
15 ft ), modulating the covert message through -ASK yields a better performance, both for throughput andretransmissions. This is because of the higher robustness toerrors of this modulation compared to the -ASK modulation. a) Throughput. (b) Retransmissions. Fig. 15: Downlink covert performance with TCP primary traffic fordifferent covert modulations and distances between eNB and UE.
We now investigate the impact of the undetectability schemespresented in Section II-D on the performance of primary trans-missions. Their effectiveness in concealing covert data has beenshown in Fig. 9. Here we show results for metrics that indicatethat these schemes do not have a significant impact over thequality of transmission and on channel quality: Throughput, thenumber of bytes that are to be transmitted in the downlink andthe Signal-to-Interference-plus-Noise Ratio (SINR). The resultsshown in Fig. 16 refer to UE-generated traffic according to aspeed test application at . . (a) Downlink throughput. (b) Downlink buffer size.(c) Downlink buffer and SINR. Fig. 16: Impact of
SteaLTE on speed test primary traffic.
Figures 16a and 16b show the downlink primary throughputand transmission buffer size averaged over 10 independentexperiments. Fig. 16a clearly indicates that embedding covertmessages—both fixed and undetectable—does not noticeablyaffect primary traffic. In Fig. 16b we notice a slight increaseof the size of the downlink buffer queue when covert com-munications happen, especially for the -ASK undetectabilityschemes. This suggests that a higher number of retransmissionsis needed for the eNB to deliver the primary traffic to the UEs,with an impact on the number of resources that the eNB uses to communicate to the users. Yet again, in this scenario, this doesnot translate in a noticeable degradation of the throughput.Fig. 16c shows the distribution of the downlink buffer size(top) and the SINR measured by the user (bottom). These tworesults show that the statistical distributions of these two met-rics do not vary significantly in the case when SteaLTE is used(independently of the undetectability scheme and modulationused) and the case when it is not. Particularly, the averagedifference among the downlink buffer size in the two casesnever exceeds . . Also, the difference among SINRis within .
15 dB , indicating that embedding covert data doesnot increase noise perceptively.
2) Indoor dynamic scenario:
The throughput and retrans-mission performance of
SteaLTE for the different user locationsof Fig. 12b and covert modulations is shown in Fig. 17. (a) Throughput. (b) Retransmissions.
Fig. 17: Covert performance with ICMP echo reply primary traffic fordifferent covert modulations in presence of UE mobility.
As the distance between eNB and UE increases (as forlocations 4, 5 and 6—Fig. 12b), the covert throughput (Fig. 17a)for both -ASK and -ASK modulations decreases, while thepercentage of packet retransmissions increases (Fig. 17b). Asnoticed before, in general, -ASK outperforms -ASK becauseof its higher robustness to channel impairments, which are morenoticeable at larger distances. Despite the performance degra-dation, SteaLTE still manages to enable secret communicationsbetween covert transmitter and receiver in presence of mobility.
3) Indoor PCCaaS scenario:
We now set to investigatethe effectiveness of
SteaLTE for instantiating private networkslices on a shared cellular infrastructure, which serves the needof those critical applications requiring rapid instantiation ofprivate and secure cellular networks. In this set of experiments,we instantiate two slices: A primary-only slice (Slice 1) servingcovert-agnostic UEs 1 and 2 (for which we use smartphones),and a
SteaLTE private slice (Slice 2) for covert communicationsbetween UE 3 and the eNB (both USRPs X310). The covertdata of UE 3 is embedded through -ASK modulation. We con-sider two different network slicing allocations: (A) Spectrumresources are evenly split among the two slices, and (B) 70%of the resources are allocated to Slice 1 and 30% to Slice 2.For these scenarios we investigate the primary throughput andthe percentage of packets erroneously received for both slicingconfigurations when all users stream videos from YouTube.Results are shown in Fig. 18.We notice that in both allocations, the primary throughput ofall users is not impacted by the presence of covert communi- a) Allocation A, throughput. (b) Allocation A, packet errors.(c) Allocation B, throughput. (d) Allocation B, packet errors. Fig. 18: Throughput and percentage of packet errors on primary trafficfor different resource allocations of the private and standard slices. cations. The percentage of packet errors (Figures 18b and 18d)is negligible in both allocations (i.e., below . on average,with a peak of . ). As a result, Figures 18a and 18c showthat the throughput level achieved by all users is enough forrate-demanding applications, thus confirming the low impactof SteaLTE on primary communications.
4) Outdoor scenario: SteaLTE has been tested also on along-rage link ( > ft) in the outdoor scenario providedby the POWDER platform [25]. Results on throughput andretransmission percentage are shown in Fig. 19. Specifically,Fig. 19a shows downlink covert throughput and retransmissionsand Fig. 19b depicts the same metrics for the primary traffic(with and without covert). (a) Covert. (b) Primary. Fig. 19: Long-range experiments on the POWDER platform.
Fig. 19a shows that
SteaLTE is capable of delivering covertdata despite the severe path-loss, multi-path and fading condi-tions experienced over the long-range link, thus demonstratingits suitability for traditional (mostly outdoors) cellular appli-cations. As for the indoor results above, Fig. 19b confirmsthat embedding covert data into primary traffic has negligibleeffect on its throughput performance. The primary throughputdegradation over the long-range link is merely . , whereasthe packet retransmission percentage increases from . to . ( . increase) when covert traffic is embedded. V. R ELATED W ORK
Wireless steganography has been frequently used for covertcommunications among parties. Differently from approacheswhere covert data are embedded in the packet control fields(e.g., checksum [32], flags [33, 34], and padding fields [35],among others [36, 37]), wireless steganography introducestiny displacements in the I/Q constellation plane that canbe controlled to encode covert information. Typical methodsinclude frequency/phase shifts [17, 23], I/Q imbalance [38],superimposing noisy constellations [16, 24, 39, 40] or trainingand preamble sequences manipulations [23, 41]. These ap-proaches, however, lack reliability as they are prone to demod-ulation errors and rarely support long-range communications,quintessential for many communication systems.These reliability issues have been partially addressed at thehigher layers of the protocol stack. Hamdaqa and Tahvildaridescribe a steganographic system for Voice-over-IP (VoIP)that encodes covert information by carefully delaying packettransmissions [42]. Although this approach is highly reliableand undetectable, it operates over large temporal windows,which considerably limits the achievable covert rate. Nainand Rajalakshmi develop a steganographic communicationsystem that hides information over chip sequences of IEEE802.15.4 networks integrating error-coding techniques to mit-igate errors [43]. Although being reliable, this method onlyachieves low transmission rates. Overall, previous solutionseither achieve low covert throughput , or are highly detectablethrough steganalysis [28, 44], or lack practical implementationsdemonstrating their effectiveness and feasibility.
SteaLTE is the missing answer to the high throughput, re-liability, and undetectability requirements of PCCaaS appli-cations characterized by mobility, time-varying channels andlarge distances. As a reliable end-to-end steganographic sys-tem
SteaLTE : (i) Achieves high throughput through wirelesssteganography; (ii) provides reliable and channel-resilient com-munications through a combination of error-coding, retransmis-sions and adaptive covert modulation schemes, and (iii) can beseamlessly integrated in 3GPP-compliant cellular systems.VI. C
ONCLUSIONS
This paper proposes
SteaLTE , the first practical PCCaaS-enabling system for softwarized cellular networks.
SteaLTE supports reliable, undetectable, high-throughput, and long-range covert communications. We have prototyped
SteaLTE and implemented it on LTE-compliant testbeds, including in-door settings and the PAWR POWDER platform (ourdoors).We have extensively evaluated the performance of
SteaLTE under diverse traffic profiles, distance and mobility patterns,highlighting the feasibility of undetectable transmissions andtheir negligible impact on primary traffic. Results over themultiplicity of the considered scenarios show that, in the vastmajority of our experiments
SteaLTE achieves a throughputof covert traffic that is at least 90% of the throughput of theprimary traffic, affecting the latter negligibly ( < loss). EFERENCES[1] P. Rost, C. Mannweiler, D. S. Michalopoulos, C. Sartori, V. Sciancale-pore, N. Sastry, O. Holland, S. Tayade, B. Han, D. Bega, D. Aziz, andH. Bakker, “Network slicing to enable scalability and flexibility in 5Gmobile networks,”
IEEE Communications Magazine
Proceedings of ACMCoNEXT 2014 , Sydney, Australia, December 2–5 2014, pp. 377–390.[5] L. Bonati, M. Polese, S. D’Oro, S. Basagni, and T. Melodia, “Open,programmable, and virtualized 5G networks: State-of-the-art and the roadahead,”
Computer Networks , vol. 182, pp. 1–18, December 2020.[6] L. Bonati, S. D’Oro, M. Polese, S. Basagni, and T. Melodia, “Intelli-gence and learning in O-RAN for data-driven nextG cellular networks,” arXiv:2012.01263 [cs.NI] , December 2020.[7] L. Bonati, S. D’Oro, L. Bertizzolo, E. Demirors, Z. Guan, S. Basagni, andT. Melodia, “CellOS: Zero-touch softwarized open cellular networks,”
Computer Networks , vol. 180, pp. 1–13, October 2020.[8] S. D’Oro, F. Restuccia, and T. Melodia, “The slice is served: Enforcingradio access network slicing in virtualized 5G systems,” in
Proceedingsof IEEE INFOCOM , Paris, France, May 2019.[9] S. D’Oro, F. Restuccia, and T. Melodia, “Toward operator-to-waveform5G radio access network slicing,”
IEEE Communications Magazine ,vol. 58, no. 4, pp. 18–23, April 2020.[10] S. D’Oro, L. Bonati, F. Restuccia, M. Polese, M. Zorzi, and T. Melodia,“Sl-EDGE: Network slicing at the edge,” in
Proceedings of ACM Mobi-hoc , Virtual Conference, October 2020.[11] I. Afolabi, T. Taleb, K. Samdanis, A. Ksentini, and H. Flinck, “Networkslicing and softwarization: A survey on principles, enabling technologies,and solutions,”
IEEE Communications Surveys & Tutorials , vol. 20, no. 3,pp. 2429–2453, March 2018.[12] C. Marquez, M. Gramaglia, M. Fiore, A. Banchs, and X. Costa-P´erez,“Resource sharing efficiency in network slicing,”
IEEE Transactions onNetwork and Service Management , vol. 16, no. 3, pp. 909–923, Septem-ber 2019.[13] D. Bega, M. Gramaglia, A. Banchs, V. Sciancalepore, K. Samdanis, andX. Costa-P´erez, “Optimising 5G infrastructure markets: The business ofnetwork slicing,” in
Proceedings of IEEE INFOCOM 2017 , Atlanta, GA,May 1–4 2017, pp. 1–9.[14] X. Foukas, G. Patounas, A. Elmokashfi, and M. K. Marina, “Networkslicing in 5G: Survey and challenges,”
IEEE Communications Magazine ,vol. 55, no. 5, pp. 94–100, May 2017.[15] F. Y. Shih,
Digital watermarking and steganography: Fundamentals andtechniques . CRC Press, April 2017.[16] A. Dutta, D. Saha, D. Grunwald, and D. Sicker, “Secret agent radio:Covert communication through dirty constellations,” in
Proceeding ofSpringer IH 2012 , Berkeley, CA, May 15–18 2012, pp. 160–175.[17] S. Grabski and K. Szczypiorski, “Steganography in OFDM symbols offast IEEE 802.11n networks,” in
Proceedings of the IEEE CS Securityand Privacy Workshops 2013 , San Francisco, CA, May 24–25 2013, pp.158–164.[18] K. Szczypiorski and W. Mazurczyk, “Hiding data in OFDM symbols ofIEEE 802.11 networks,” in
Proceedings of IEEE MINES 2010 , Nanjing,Jiangsu, China, November 4–6 2010, pp. 835–840.[19] T. Kho, “Steganography in the 802.15.4 physical layer,”
U.C. Berkeley ,December 17 2007.[20] E. Zielinska and K. Szczypiorski, “Direct sequence spread spectrumsteganographic scheme for IEEE 802.15.4,” in
Proceedings of IEEEMINES , Shanghai, China, November 2011, pp. 586–590.[21] B. A. Bash, D. Goeckel, D. Towsley, and S. Guha, “Hiding informationin noise: Fundamental limits of covert wireless communication,”
IEEECommunications Magazine , vol. 53, no. 12, pp. 26–31, December 2015.[22] D. Kahn, “The history of steganography,” in
Proceedings of Springer IH1996 , Cambridge, U.K., May 30–June 1 1996, pp. 1–5. [23] J. Classen, M. Schulz, and M. Hollick, “Practical covert channels for WiFisystems,” in
Proceedings of IEEE CNS 2015 , Florence, Italy, September28–30 2015, pp. 209–217.[24] S. D’Oro, F. Restuccia, and T. Melodia, “Hiding data in plain sight:Undetectable wireless communications through pseudo-noise asymmetricshift keying,” in
Proceedings of IEEE INFOCOM 2019 , Paris, France,April 29–May 2 2019, pp. 1585–1593.[25] J. Breen, A. Buffmire, J. Duerig, K. Dutt, E. Eide, M. Hibler, D. Johnson,S. Kumar Kasera, E. Lewis, D. Maas, A. Orange, N. Patwari, D. Reading,R. Ricci, D. Schurig, L. B. Stoller, K. Van der Merwe, K. Webb, andG. Wong, “POWDER: Platform for open wireless data-driven experimen-tal research,” in
Proceedings of ACM WiNTECH , September 2020.[26] Platforms for Advanced Wireless Research. (2020) https://advancedwireless.org.[27] J. F. Kurose and K. W. Ross,
Computer networking: A top-down ap-proach , 7th ed. Pearson, 2017.[28] Z. Xia, X. Wang, X. Sun, and B. Wang, “Steganalysis of least significantbit matching using multi-order differences,”
Wiley Security and Commu-nication Networks , vol. 7, no. 8, pp. 1283–1291, August 2014.[29] I. Gomez-Miguelez, A. Garcia-Saavedra, P. D. Sutton, P. Serrano,C. Cano, and D. J. Leith, “srsLTE: An open-source platform for LTEevolution and experimentation,” in
Proceedings of ACM WiNTECH 2016 ,New York City, NY, October 3 2016, pp. 25–32.[30] L. Bertizzolo, L. Bonati, E. Demirors, A. Al-Shawabka, S. D’Oro,F. Restuccia, and T. Melodia, “Arena: A 64-antenna SDR-based ceilinggrid testing platform for sub-6 GHz 5G-and-beyond radio spectrumresearch,”
Computer Networks , vol. 181, pp. 1–17, November 2020.[31] Iperf3. (2021) https://iperf.fr.[32] Z. Liu, Y. Jiang, and P. Qian, “A data-hiding method based on TCP/IPchecksum,” in
Advances in Computer Science and its Applications .Springer, 2014, pp. 1039–1044.[33] S. J. Murdoch and S. Lewis, “Embedding covert channels into TCP/IP,”in
Proceedings of Springer IH 2005 , Barcelona, Spain, June 6–8 2005,pp. 247–261.[34] K. Ahsan and D. Kundur, “Practical data hiding in TCP/IP,” in
Proceedingof the ACM IH&MMSec , Juan-les-Pins, France, December 6 2002, pp. 1–8.[35] I. Grabska and K. Szczypiorski, “Steganography in long term evolutionsystems,” in
Proceedings of the IEEE CS Security and Privacy Workshops2014 , San Jose, CA, May 17–18 2014, pp. 92–99.[36] D. Martins and H. Guyennet, “Steganography in MAC layers of 802.15.4protocol for securing wireless sensor networks,” in
Proceedings of IEEEMINES 2010 , Nanjing, Jiangsu, China, November 4–6 2010, pp. 824–828.[37] A. M. Mehta, S. Lanzisera, and K. S. J. Pister, “Steganography in 802.15.4wireless communication,” in
Proceedings of IEEE ANTS 2008 , Mumbai,India, December 15–17 2008, pp. 1–3.[38] K. Sankhe, F. Restuccia, S. D’Oro, T. Jian, Z. Wang, A. Al-Shawabka,J. Dy, T. Melodia, S. Ioannidis, and K. Chowdhury, “Impairment shiftkeying: Covert signaling by deep learning of controlled radio imperfec-tions,” in
Proceedings of IEEE MILCOM 2019 , Norfolk, VA, November12–14 2019, pp. 598–603.[39] P. Cao, W. Liu, G. Liu, X. Ji, J. Zhai, and Y. Dai, “A wireless covertchannel based on constellation shaping modulation,”
Hindawi Securityand Communication Networks , vol. 2018, pp. 1–15, January 8 2018.[40] V. Kumar, J.-M. Park, T. C. Clancy, and K. Bian, “PHY-layer au-thentication using hierarchical modulation and duobinary signaling,” in
Proceedings of IEEE ICNC 2014 , Honolulu, HI, February 3–6 2014, pp.782–786.[41] Z. Hijaz and V. S. Frost, “Exploiting OFDM systems for covert commu-nication,” in
Proceedings of IEEE MILCOM 2010 , San Jose, CA, October31–November 3 2010, pp. 2149–2155.[42] M. Hamdaqa and L. Tahvildari, “ReLACK: A reliable VoIP steganogra-phy approach,” in
Proceedings of IEEE SSIRI 2011 , Jeju Island, SouthKorea, June 27–29 2011, pp. 189–197.[43] A. K. Nain and P. Rajalakshmi, “A reliable covert channel over IEEE802.15.4 using steganography,” in
Proceedings of IEEE WF-IoT 2016 ,Reston, VA, December 12–14 2016, pp. 711–716.[44] S. Grabski and K. Szczypiorski, “Network steganalysis: Detection ofsteganography in IEEE 802.11 wireless networks,” in