Provenance Transmission through a Two-Dimensional Covert Timing Channel in WSNs

Provenances, which record the history of data acquisition and transmission, are hard to be transmitted in resource-tightened wireless sensor networks (WSNs) due to their drastic size expansion with the increase in packet transmission hops. To ease the burden caused by the provenance transmission, we first designed a two-dimensional covert timing channel (2dCTC) and then applied it to provenances transmission in WSNs. Based on Cantor Expansion, 2dCTC uses pseudo packet IDs permutation and packet sizes variation together to form a two-dimensional communication medium. Both theoretical analysis and experimental results show that 2dCTC not only has a much higher channel capacity than those of most of the known CTCs, but also conserves more energy for provenance transmission in WSNs. Furthermore, 2dCTC provides a new way to increase CTCs channel capacity and stealthiness through multi-dimensional approaches.


Introduction
In the context of wireless sensor networks (WSNs), the provenance of a data item refers to where the item is produced and how it is delivered, i.e., forwarded and/or aggregated to the base station (BS) [1]. Provenance plays an important role in data trust evaluations. Because the size of provenance grows rapidly when packet transmission hop increases, it is then critical to efficiently transmit provenance in resource-tightened WSNs [2]. As a result, several lightweight provenance schemes have been proposed [2][3][4][5][6].
Originally, in a multilevel security system, a covert channel is a mechanism by which a user with high security level can violate the system's security policy to leak sensitive information to a user with lower security level [7]. Now it has been extended to various communication networks and generally defined as the following: if a sender and a receiver use a medium that is not originally designed as the communication medium for the overt channel, it is a covert channel. As a result, a covert channel has two interesting characteristics: (1) as a side channel it can enlarge its overt channel's capacity without consuming extra energy on signals transmission; (2) its channel capacity is much smaller than that of its overt channel in general. Although the first characteristic is fascinating for provenance transmission through covert channel in WSNs, the second characteristic limits such a usage due to the fact that the channel capacity is too small.
In a packet-switched network, according to the applied communication mediums, covert channels can be roughly categorized as covert storage channels (CSCs) and covert timing channels (CTCs). CSC uses the shared storage in a packet as the communication mediums, e.g., the reserved bits in a packet head; CTC uses the timing characteristics relevant to packet transmissions as the communication mediums, e.g., packet sending frequencies, inter-packet delays, etc. Due to the mediums' deference, CSC can be eliminated by a network firewall through traffic normalization [8], whereas CTC is hardly to be removed thoroughly. Many CTC schemes such as [9][10][11][12] are then proposed. e inspiration of the paper is to build a CTC which has much higher channel capacity for provenance transmission in WSNs. We then propose a two-dimensional CTC (2dCTC) scheme which uses pseudo packet IDs permutation and packet sizes variation together as the communication medium. Because the two-dimensional communication medium can carry more information, 2dCTC has a much higher channel capacity than the known traditional CTCs. e main contributions of this paper are as follows: (1) We propose a 2dCTC which encodes covert messages into multiple dimension spaces. 2dCTC overwhelms most of the known CTCs with respect to both channel capacity and channel stealthiness. (2) We devise the message encoding and decoding algorithms for 2dCTC through Cantor Expansion, which is the key to build a two-dimensional communication medium. (3) We apply 2dCTC to the provenance transmissions in resource-tightened WSNs, which saves both energy and channel capacity. e remainder of this paper is arranged as follows: Section 2 provides the related works. Section 3 presents 2dCTC's design and implementation. Section 4 shows 2dCTC's performance and corresponding experimental results. Section 5 gives the practice of provenance transmission through 2dCTC. Section 6 concludes the paper.

Related Works
Generally, CTCs adopt the timing behaviour of an entity to transmit covert messages in overt network communication.
Among the entities, inter-packet delays (IPDs) are the most common one that are modulated to encode covert messages. Berk et al. [10] proposed encoding messages through the intervals between adjacent packet transmissions, which avoids the time synchronization requirement that may threat the channel's concealment. In [11], a CTC is built through mimicking the inter-packet delays (IPDs) of the normal packet traffic flow, by which to implement a detect-resisting CTC. In addition to the IPDs, packet order can also be used to establish CTC, in which the covert messages are represented as reorderings of packets. El-Atawy et al. [12] proposed a packet-reordering channel which uses the packet sequence disorder in transmission as the communication medium. Such a CTC simulates the phenomenon of naturally occurring packet reordering over networks, which has higher channel capacity than those of CTCs based on the fixed time windows and the IPDs. Zhang et al. [13] proposed a method for establishing a VoLTE CTC through packet re-orderings. To further improve the robustness of such a CTC, Gray code is employed to encode the covert message for the purpose of alleviating the packet loss and packet out-of-order. Liang et al. [14] proposed a payload-dependent packet rearranging CTC for mobile VoIP traffic. Such a CTC can deal with the traffic with more complicated packet distributions such as that in the mobile VoIP environments. In contrast to the aforementioned packet re-ordering methods, we use pseudo packet IDs permutation to encode messages, which can gain more flexibility. ere are also some studies using packet length information to build CTC. Liang et al. [15] proposed a packet length covert channel for mobile VoIP traffics, in which the packet length distribution was partitioned and such partitions were mapped to data symbols. e main concept of such a CTC is to send covert messages through transmitting packets of corresponding size. Our method is inspired by such a concept. ere is also a category of CTCs using the number of packets transmitted within a time slot to encode/decode messages. Cabuk et al. [9] proposed the Simple Timing Covert Channel (STC), in which the sender divides the timeline into a series of smaller time slots with fixed length; the binary number 1 or 0 is then encoded based on whether a packet is sent within a given time slot. However, such a method requires the clock synchronization between the sender and receiver, which is hard to achieve especially in large-scale networks.
Because each of the CTCs mentioned above uses only one communication medium, all of them are one-dimensional CTCs. To drastically raise the CTCs' capacity, in addition to applying any hardware-based methods, we propose the concept of multi-dimensional CTCs. As a first step for multidimensional CTCs' practice, we design and implement a twodimensional CTC named 2dCTC in the paper.
Among the existing provenance schemes in WSNs, Probabilistic Provenance Flow (PPF) scheme [16] as a block provenance scheme probabilistically appends the node IDs on the packet path to the provenance, and therefore each packet only carries a block of the provenance, i.e., a connected subgraph of a packet transmission path, to the BS. Similarly, Probabilistic Provenance Mark (PPM) scheme [17] probabilistically incorporates node ID to the packet and each packet only contains one node ID. As to provenance transmission through covert channels, to the best of our knowledge, only one paper can be found; viz., in [18], Sultana et al. use the IPDs (inter-packets delays) based CTC for provenance transmission, in which the original purpose is to increase the concealment of the transmission, but objectively saves both energy and channel capacity in WSNs. As a one-dimensional CTC, the IPDs based CTC has very limited channel capacity; the steady packet flows are then required for provenance transmission in [18].

2dCTC's Design and Implementation
e 2dCTC proposed in this paper uses pseudo packet IDs permutation and packet sizes variation together as the communication medium. Like the works in [18], the relatively stable data packets flow is required. To facilitate understanding our two-dimensional CTC scheme, we first provide the message encoding and decoding in two onedimensional mediums, viz., messages encoding and decoding through pseudo packet IDs permutation and packet sizes variation, respectively.

Pseudo Packet IDs Permutation as the Medium.
In packet-switched networks, the packet ID disorder rate in transmission is between 0.1% and 3% roughly [19], which provides few packets to form a CTC by the packet IDs permutation. We thus propose the concept of pseudo packet ID that is a data block with a unique value appended to a packet. Unlike packet ID that resided in packet-header, the pseudo packet ID resided in the payload area. Figure 1 shows the working principle of a CTC using the pseudo packet IDs permutation as the communication medium. At the beginning, the message is divided into N binary blocks, i.e., s 1 , s 2 , s 3 , . . . , s i , . . . , s N , and each block contains 8 bits. e corresponding decimal number of s i is S i . Let sid i | sid n ∈ R + , i � 1, 2, . . . , n represent the set of pseudo packet IDs; the main steps of the message encoding through the pseudo packet IDs permutation are as follows.
(1) With the number of bits in s i , the number of packets n that satisfies 2 L ≤ n! is chosen. So, each s i keeps 8 bits and n � 6. (2) With the value of S i , a pseudo packet IDs permutation generated from sid 1 , sid 2 , sid 3 , . . . , sid n is processed by Cantor Expansion inverse operation [20], which provides a bijection between a Cantor value X and a permutation. If there are n packets, a pseudo packet IDs permutation of where a Cantor value X can be derived through the following equation: (3) Each generated pseudo packet ID is appended to the payload area of the sending packets in a stream manner.
Note that, compared to the message encoding and decoding through a mapping table whose time complexity is O(nlgn), the time complexity of our Cantor Expansion based scheme is O(n).
After the CTC receiver filtrates the required packets, the pseudo packet IDs are rearranged according to the packet's arrival time and then the messages can be retrieved through Cantor Expansion by equation (1).

Packet Sizes Variation as the Medium.
Using packet sizes variation to encode and decode messages has several obvious advantages. For instance, such a coding method cannot be easily affected by the channel noise such as packet transmission delays and jitters. e working principle of a packet sizes variation based CTC is illustrated in Figure 2. By adopting such a CTC, the message can be encoded through the following steps: , and X denote the number of packets of each group, the group distance, and the sample data sequence, respectively. e statistical function M � Hg B,R (X), in which R sets the packet sizes range for each group, is used to calculate the value of M, i.e., the number of packets in each group.
(2) A mapping table is built to represent the correlation between the packet sizes barrel, i.e., a packet size group, and the corresponding binary blocks. Obviously, if a packet size barrel represents α bits, the number of packet size barrels will be equal to 2 α . (3) e message s i in a binary representation is encoded into the sending packets based on the mapping table built in the previous step.
After the receiver filtrates the corresponding packets, the messages can be retrieved by looking up the mapping table.
A simple example is provided here for better understanding such a coding method. Assume the message s i to be sent is represented in binary as 00001011.
ere are 9 packets, i.e., p 1 , p 2 , . . . , p 9 with different sizes, i.e., l 1 , l 2 , . . . , l 9 . We suppose to classify these 9 packets into two packet size barrels, B 1 and B 2 according to the packet size threshold l; i.e., packets whose sizes are less than l are associated with B 1 ; otherwise, B 2 . Assume that p 1 , p 3 , p 4 , p 5 , p 6 and p 9 belong to B 1 and others belong to B 2 . In this example, α is equal to 1 and the number of packet size barrel is 2. en, s i can be encoded into packet transmission order: p 1 , p 3 , p 4 , p 5 , p 8 , p 6 , p 2 , p 9 . After the receiver filtrates the packet size as l 1 , l 3 , l 4 , l 5 , l 8 , l 6 , l 2 , l 9 , it can decode s i as 00001011 by looking up the mapping table.

Two Mediums Are Used Together.
To transmit a message consisting of L bits, the message needs to be organized as two parts. e first part (K bits) is encoded through packet sizes variation and the second part (L − K bits) is encoded through pseudo packet IDs permutation. Figure 3 shows the working principle of 2dCTC. e main steps are shown as follows.
(1) Calculate n, the number of packets needed in communication, by where α denotes the number of bits represented by one packet size in the mapping table. As a result, K bits are the first αn bits of the message counting from the left.

Mobile Information Systems
(2) Encode K bits through packet sizes variation and (L − K) bits through pseudo packet IDs permutation.
Algorithms 1 and 2 are messages encoding and decoding, respectively.
To better understand the approach in this subsection, we provide an example in here. Assume that s i is equal to 00001011; α is equal to 1; the packet size variation satisfies l 1 < l 3 < l 4 < l 5 < l < l 2 ; and the set of the pseudo packet IDs is 1, 2, 3, 4 { }. According to equation (2), n � 4, K � 0000, and L − K � 1011. e first part K bits are encoded as the packet sending order as follows: 1 st , 3 rd , 4 th , 5 th , and the second part L − K bits are encoded as the pseudo packet IDs permutation 2, 4, 3, 1 { }. erefore, the pseudo packet IDs, viz., 2, 4, 3, 1, are appended to the sending packets. At the receiver, the packet sizes variation l 1 < l 3 < l 4 < l 5 < l and the pseudo packet IDs permutation 2, 4, 3, 1 { } can be retrieved. ereafter, K � 0000 can be decoded by looking up the mapping table. Furthermore, L − K � 1011 can be decoded through Cantor Expansion. s i is then successfully decoded as 00001011.

Provenance Transmission through 2dCTC
To transmit provenance through 2dCTC, a new provenance scheme 2dCTCP (2dCTC provenance scheme) is devised.

Provenance Encoding.
In the continuous data flow environment of WSNs, it is assumed that the network topology is relatively stable, which is the basis for the provenance  transmission method based on 2dCTC proposed in this paper. 2dCTCP is a segmented scheme, which probabilistically incorporates the provenance at each node on the packet path into a series of packets provenance blocks.
In this paper, we consider a node-level provenance; i.e., the node IDs on the path the packet traversed are encoded as provenance. For the formal network model of the WSN we considered and provenance model, one can refer to [3][4][5].
e main steps of provenance transmission by 2dCTC are as follows.
(1) Set the hash value to group the provenance blocks.

Mobile Information Systems
In order to identify the packets that have the same provenance, we calculate the hash value for the packet path at each node through where n i and H(n i− 1 ) denote i th node's ID and the hash value on the (i − 1) th node, respectively. erefore, the packets that encoded the different part of the same provenance share the same hash value.
(2) Determine the number of packets needed to encode provenance.
Assume that the length of the maximum ID is L bits; the number of packets n then satisfies (3) Update the provenance. If the random probability p i generated at the current node is larger than the preset probability threshold P, the provenance and hash value will be updated; otherwise, only the hash value is updated. (4) Encode the provenance to the sending packets.

Provenance Decoding.
When the BS receives the packets, the main steps of provenance decoding are as follows: (1) e BS classifies these packets according to the hash values and assigns n packets into a group (2) In each group, the BS gets the packet sizes and decodes partial provenance through looking up the mapping table; thereafter, the BS retrieves the reminder provenance part according to the Cantor value formed by the pseudo packet IDs permutation Algorithm 4 shows the provenance decoding through 2dCTCP. In the related works, the only known provenance transmission through CTC uses the IPDs based one-dimensional CTC [18], which was designed mainly to improve the concealment of provenance transmission. Compared to such a method, our 2dCTC provenance scheme can conserve more energy and channel capacity in WSNs.

2dCTC Performance Analysis.
e performance of 2dCTC is analysed and the corresponding experimental results are provided.

Channel Capacity.
Note that n packets can represent (1) n! bits through pseudo packet IDs permutation and (2) m n bits through packet sizes variation, where m is the number of packet size differences. If L bits are encoded by n packets, L, n, and m should satisfy the following equation: As a result, the upper bound of the channel capacity is as follows:

Channel Error
Rate. e 2dCTC's channel error rate can be caused: (1) the noise that spoils the order of packets in transmission, e.g., packet transmission jitters and delays; (2) the noise that spoils the number of packets in transmission, i.e., packet loss, packets aggregation, packet division, and dummy packet padding.
In our previous work [21], the negative influence of those noises has been thoroughly discussed for one-dimensional CTCs. Here, we used part of the conclusions from [21] to derive 2dCTC's channel error rate.
As to the error rate caused by the packet transmission delays and jitters, the inter-packet delay T r at the receiver can be calculated by where t k and t k+1 denote the sending moments of the k th and (k + 1) th packets, respectively; T d denotes the transmission expectation time; j k and j k+1 denote the transmission jitters of the k th and (k + 1) th packets, respectively; and j k and j k+1 are normal distribution random variables. As a result, to keep the order of packets in transmission, Δ + j (1) k > 0 must be satisfied. Since n packets in transmission form n − 1 delays, the channel error rate is then as the following [22]: where To decrease the channel error rate caused by packet transmission jitters and delays, the interval between adjacent packets sending should be enlarged.
As to the channel error rate caused by packet loss, packets aggregation, packet division, and dummy packet padding, without loss of generality, assuming λ denotes the probability of packet loss, μ denotes the probability of a packet aggregated with its following packet, υ denotes the probability of a dummy packet insertion, and ω denotes the probability of a packet division. e expectation for the channel error rate under those kinds of noise is then e physical meaning of φ is that the probability of at least one of those kinds of noise has happened.
To mitigate the negative influence caused by packet loss, packets aggregation, packet division, and dummy packet padding, the redundant information should be added, i.e., sending the same message K times under a noisy 2dCTC, where K ≥ 1 and k ∈ N + .

2dCTC Experiments.
In order to verify the correctness and effectiveness of 2dCTC, we used Python to implement the covert communication between two hosts. e IP addresses of the two hosts were 112.24.29.117 and 10.3.11.180, respectively, where TCP is used as the communication protocol. In the experiment, packets are generated through the Scapy library. A 400-byte text file is selected as the message. e intervals between packets are selected from 5 ms to 40 ms. We compare the total time consumption and capacity of 2dCTC with those of two one-dimensional CTCs, where the unit of capacity is Bps, i.e., the number of bytes transmitted in 1 s. e first one-dimensional CTC is packet rearrangement CTC, which uses different packet IDs permutation to represent the message. e other one-dimensional CTC is packet rearrangement CTC that applies the packet sizes variation to represent the message. Packet rearrangement CTC represents 8 bits by 6 packets, and the other packet rearrangement CTC uses each different packet size to represent 1 bit, viz., 8 packets bearing 8 bits. e 2dCTC uses 4 packets to represent 8 bits. e experimental results are shown in Figures 4(a) and 4(b), respectively, in which 2dCTC has the smallest time consumption and the higher channel capacity than those of the two one-dimensional CTCs.

2dCTCP
Simulations. We used TinyOS 2.1.2 TOSSIM as the simulator to evaluate the performance of the 2dCTCP scheme.
e energy consumption is measured by POW-ERTOSSIMz [23]. We compared the performance of our scheme with those of segment based provenance schemes, i.e., Probabilistic Provenance Mark (PPM) scheme [17] and Probabilistic Provenance Flow (PPF) scheme [16]. e sensor network of 121 nodes with IDs 0 through 120 is deployed. e node with ID 0 is set as the BS. e maximum network diameter is 12, the communication protocol is CTP (Collection Tree Protocol) [24], and the data stream was generated by TinyOS through setting the packets sending interval.

Performance Metrics.
e main performance metrics are as follows: (A) Average Provenance Size (APS). e APS is defined as follows [4]: where PS i is the provenance length of the i th packet and m is the total number of packets received by the BS. (B) Total Energy Consumption (TEC). e TEC is defined as follows [4]: where EC n i is the energy consumed by the node n i and N is the total number of nodes in the WSN. Mobile Information Systems hops increases and remains constant at around 1 byte, whereas for PPM and PPF schemes, APS increases with the increases of packet transmission hops. In the 2dCTCP scheme, the provenances were encoded and transmitted in the timing channel but not in the packets. Although the packets are required to carry pseudo packet IDs, the size of packets is not expanded further according to the provenance's expansion. Hence, our scheme has much better performance than the PPM and PPF schemes with respect to provenance size. Figure 5(b) shows the relationship between the number of packet transmission hops and TEC of the PPM, PPF, and 2dCTCP schemes. e trend of the curves in Figure 5(b) is closely consistent with that of the curves in Figure 5(a). As a result, under the same condition, the 2dCTCP scheme is more efficient than that of the PPM and PPF schemes regarding energy consumption.

Conclusion
In the paper, we propose 2dCTC, a two-dimensional CTC. By using both pseudo packet IDs permutation and packet sizes variation as the communication medium, 2dCTC can dramatically increase the channel capacity compared to the one-dimensional CTC. To ease the burden of provenance transmission, we apply 2dCTC to provenance transmission  in resource constrained WSNs. We analysed the performance of the 2dCTC and validated the benefits of our method through experiments. e simulation results show that using 2dCTC for provenance transmission can conserve more energy than that of PPM and PPF, which further confirms the efficiencies of our method.

Data Availability
No data are associated with this study.

Conflicts of Interest
e authors declare no conflicts of interest regarding the publication of this paper.