Creativity in Mind: Evaluating and Maintaining Advances in Network Steganographic Research1footnote 11footnote 1This is a pre-print version. The final version will be available from as an article of the Journal of Universal Computer Science (J.UCS), Vol. 21 (2015).

Creativity in Mind: Evaluating and Maintaining Advances in Network Steganographic Research111This is a pre-print version. The final version will be available from as an article of the Journal of Universal Computer Science (J.UCS), Vol. 21 (2015).

Steffen Wendzel
(Department of Cyber Security, Fraunhofer FKIE, Bonn, Germany
   Carolin Palmer
(Justus-Liebig-Universität, Giessen, Germany

The research discipline of network steganography deals with the hiding of information within network transmissions, e.g. to transfer illicit information in networks with Internet censorship. The last decades of research on network steganography led to more than hundred techniques for hiding data in network transmissions. However, previous research has shown that most of these hiding techniques are either based on the same idea or introduce limited novelty, enabling the application of existing countermeasures. In this paper, we provide a link between the field of creativity and network steganographic research. We propose a framework and a metric to help evaluating the creativity bound to a given hiding technique. This way, we support two sides of the scientific peer review process as both authors and reviewers can use our framework to analyze the novelty and applicability of hiding techniques. At the same time, we contribute to a uniform terminology in network steganography.


sec[Section LABEL:#1] \newrefformatfig[Fig. LABEL:#1] \newrefformattab[Tab. LABEL:#1]


Covert channels, network steganography, creativity, patterns, novelty evaluation, peer review


D.2.11, D.4.6, K.6.5, K.7.m

1 Introduction

Steganography is the research discipline that aims on hiding information within a medium; it dates back to ancient Greece, [see Petitcolas et al., 1999; Katzenbeisser and Petitcolas, 2000]. For instance, information can be hidden in music scores, in paintings, on letters written using invisible ink, or on human skin, just to mention a few options [Petitcolas et al., 1999]. Digital media steganography is a newer area of the research discipline and focuses on hiding information in digital content, such as audio files or digital images. The newest sub-discipline of steganography is network steganography, which hides information within data sent over a computer network, such as Internet chats, network protocol headers, or within the content of Voice over IP (VoIP) transmissions [Mazurczyk et al., in press]. In comparison to cryptography, which aims on concealing the content of a secret message, network steganography hides the existence of a secret transmission. For this reason, network steganography is a dual-use good and can, for instance, be used by journalists to transfer illicit information when facing Internet censorship but it can also be applied by botnets to hide malicious data transfers.

In order to hide information within network transmissions, research led to more than hundred so-called hiding techniques. These hiding techniques are functions that accept an input in form of data to be hidden. The hiding technique embeds the input into a transmission such that the input remains concealed within the transfer until a receiver applies another function to extract the embedded hidden information from the transmission.

So-called ‘patterns’ are used in various sciences, from architecture to software engineering. Patterns are abstract descriptions of recurring designs, which provide a solution for a problem (in a given context). In our work, a pattern describes the design of a technique (solution), which hides data (problem) in network transmissions (context). In previous work [Wendzel et al., 2015], it was shown that 109 network information hiding techniques developed between 1987 and 2013 can be reduced to only 11 different ‘hiding patterns’, i.e. abstract descriptions of these hiding techniques. Moreover, it was shown that the majority (approx. 70%) of these 109 techniques is represented by only 4 hiding patterns. Although it must be noted that many of these techniques differ in slight detail, their novelty is limited. However, the amount of published techniques reflects a great demand of steganographic techniques and stresses the need for continuously improved solutions.

A major drawback of having a high number of similar hiding techniques is that countermeasures can be adjusted easily to slightly new hiding techniques while it would be harder to create completely new countermeasures which have to deal with entirely novel hiding techniques. For this reason, the research community should foster such fully novel methods.

Moreover, while the number of publications presenting hiding techniques is steadily increasing, the chances for redundant techniques with similar basis increase as well — a problem which is also known by the patterns research community [Henninger and Corrêa, 2007]. Another problem is that such redundancies lead to terminological inconsistencies as different terms can be used to describe similar (or equal) hiding techniques. A means to handle redundancies and terminological inconsistencies is to compile surveys on a regular basis.

Another problem of published hiding techniques are the huge differences in the explanation of novelty and usefulness. To provide an example, some researchers motivate the quality of their hiding techniques on the basis of the channel capacity while others highlight the fact that their technique is the first to hide data inside a new network protocol header. The divergence of such provided arguments allows no comparison and hinders experimental verification by other peers.

In this paper, we provide a framework and a metric for evaluating the creativity in network steganography research. In line with creativity research, creativity comprises the novelty and applicability of products (solutions). Based on our creativity framework and metric, the contributions of this paper are:

  • Long-term improvement of terminology: Our framework deals with the problem of terminological inconsistencies by providing a step-by-step approach on the basis of the hiding patterns presented in [Wendzel et al., 2015]. A key aspect in this regard is the handling of redundant hiding techniques.

  • Creativity evaluation for hiding techniques: Our framework contributes to two aspects of the academic peer review process. Firstly, it helps authors to clearly underpin the creativity, i.e. novelty and applicability, of their proposed steganographic hiding techniques. Secondly, it helps reviewers to evaluate the creativity of steganographic hiding techniques. Therefore, the framework introduces a novelty metric.

  • Applicability in practice: The proposed framework is designed to fit the needs of the actual workflows in academia and is thus embedded into the academic peer review process rather than being a theoretical discussion.

  • Support for novel hiding techniques: Moreover, our framework fosters the creation of entirely novel, highly creative hiding techniques by giving the most creative researchers the chance to publish new patterns.

The remainder of this paper is structured as follows. Section 2 discusses related work and draws the link between creativity research and network steganography; in addition, it provides a background on patterns and presents lessons of the pattern community to be taken into account for our work. Section 3 presents our pattern-based creativity framework while section 4 introduces the metric to evaluate the creativity of a hiding technique. Section 5 provides an exemplary walk-through for the creativity framework. We provide a discussion of our framework in section 6 and conclude in Section 7.

2 Background

We first discuss related work and afterwards describe the link we draw between creativity and network steganography followed by the link between patterns and network steganography. Thereafter, we describe the lessons learned from the pattern community.

2.1 Related Work

Terminology of computer security was discussed by a number of authors, [e.g. Brinkley and Schell, 1995; Freiling et al., 2014]. The terminology of information hiding and its sub-discipline, network steganography, was discussed in additional publications [see Petitcolas et al., 1999; Zander et al., 2007; Lubacz et al., 2014]. Although a systematic categorization of hiding techniques is presented, these publications on network steganography lack the discussion of underlying patterns. [Wendzel et al., 2015] and [Mazurczyk et al., in press] provide the only surveying content on network information hiding using patterns — these publications serve as basis for our work but it is not required to be familiar with these publications to understand this paper.

Our aim is not to provide a new approach for knowledge management, as a plethora of work on especially organizational knowledge management and frameworks is already available [Alavi and Leidner, 2001]. Our work is also not the first that applies patterns for knowledge management. Henninger and Corrêa discussed advantages and drawbacks of a pattern-based knowledge management already in [Henninger and Corrêa, 2007] and we highlight their relevant outcomes in \prettyrefsec:LearningFromPatCommty. Other approaches for scientific knowledge and terminology management are especially i) publication of ideas in textual form, without using the structure of patterns; these publications include books, journal articles, conference papers, technical reports, Wikis and other forms, and ii) publishing ideas in structured form, e.g. in databases. These approaches are also useful for a framework for creativity evaluation but due to the availability of hiding patterns of [Wendzel et al., 2015] and [Mazurczyk et al., in press] and the high level of knowledge on patterns within the computer science community, we have chosen patterns as a basis for our framework.

However, our work is the first that is tailored to match the requirements of network steganography research by providing a metric to evaluate and compare the novelty and applicability of hiding techniques while also enabling a unified terminology and providing an integration into the peer review process.

2.2 Bridging Creativity and Network Steganography

Described briefly, creativity is ‘adaptive originality’, i.e. creativity requires the generation of an idea that is both original as well as adaptive to a particular context [Simonton, 2011; Amabile, 1983; Csikszentmihaly, 1996; Drazin et al., 1999; Farmer et al., 2003]. Creativity is seen as one of society’s biggest assets [Simonton, 2011]. Overlapping the fields of science, technology, economics and arts, creative efforts lead to competitive advantages, innovative products and processes and are honored by awards like the Nobel prize [Agars et al., 2012; Caroff and Lubart, 2012].

Being such an important driver for social and economic progress and wealth, it is obvious that a great deal of research has focused on the ‘creativity phenomenon’ [Mumford and Gustafson, 1988; Runco, 2006; Ward, 2004]. Different sciences are dealing with the topic, such as engineering, sociology, and psychology to only name the most relevant for our purpose. Due to varying research backgrounds and different research focuses and aims, conceptualizations of creativity (e.g. creativity as logic, genius, chance, and zeitgeist) differ and so do the findings. Smith counts more than 100 definitions of creativity [Smith, 2005], and his focus is limited to psychological literature only. Thereby it is not surprising, that Simonton emphasizes the inconsistencies of research on creativity [Simonton, 2004].

However, the diverse approaches to creativity can be categorized by their primary focus. In this tradition the ‘4p’ classification is used: creativity as product, person, process or press [Mooney, 1963; Rhodes, 1961]:

  • Product: As mentioned above, for a product to be labeled creative, two characteristics are indispensable: it has to be original as well as adaptive. Original refers to: new, unusual, unique, new viewpoints, varied, breaking from existing patterns. Adaptive means: useful, valuable, effective, efficient, and contributing to society [Palmer et al., 2015].

  • Person: In psychology a strong focus lies on the identification of individual traits fostering creativity. A combination of cognitive (intelligence, knowledge), non-cognitive (personality) and motivational (need for creativity, interests, achievement motivation) abilities and predispositions determines creative potential on an individual basis [Palmer, 2015].

  • Process: Especially in highly experience- or knowledge-driven domains, creative ideas and innovative solutions do not emerge out of a sudden. Process research deals with the challenges one faces on his way from initial recognition of a problem or demand to a sustainable and accepted creative solution and describes the relevant traits and behavior in respective process phases. Psychological literature proposes several process models (for an overview see [Palmer, 2015; Howard et al., 2008]). An initial understanding of the creative process distinguishes four process stages: preparation, illumination, verification, and implementation [Lubart, 2001].

  • Press: ‘Press’ comprises the creative environment. This research stream investigates the variety of situational and social contextual factors influencing the creative success, such as motivation, scope of action, leadership style and required support. For an overview of influencing variables in an organizational setting, see [Krause, 2013], [Oldham and Cummings, 1996], [Schuler and Görlich, 2007] or [Zhou and Shalley, 2003].

Network steganographic research describes, develops, and evaluates hiding techniques and thereby focuses on products according to the 4p taxonomy. In the field of network steganography, many research is available, i.e. a high total output due to the number of publications is present. And, of course, the amount of publications as well as their quality (e.g. measured via citation index) can be used to quantify the impact of a person’s productions [Simonton, 2011] — measures also applied to rank researchers. In this paper, we primarily focus on the creative products rather than on the creative person, the creative process or the creative press.

As mentioned, a large extent of publications on hiding techniques provides a rather small novelty as they belong to the same hiding patterns. To introduce a bridge between creativity and network steganography, novelty and applicability as key characteristics of creative products must be taken into account. We present a metric to evaluate both aspects.

2.3 Bridging Patterns and Network Steganography

Patterns provide a solution to a problem in a given context and are well-known from other scientific areas, such as software engineering [Gamma et al., 1994; May and Taylor, 2003; Smith et al., 2000]. They originate from a non-computer science field, namely architecture, but are now also common in the area of computer security [Yoshioka et al., 2008]. In computer security, patterns are especially used for security engineering; they are separated into those used for requirements engineering, for the design phase and for the implementation phase of a security system.

So far, patterns were only applied twice in network steganography as a means to create a taxonomy and survey of network hiding techniques [Wendzel et al., 2015; Mazurczyk et al., in press]. In network steganography, the general problem is to hide information within the context of a network transmission; however, many solutions for this problem-context pair exist, which results in a number of patterns.

Patterns are linked to a several advantages, including their flexibility, the fact that they can serve as an easy basis for the expression and discussion of ideas, and their easy structure [May and Taylor, 2003]. These advantages make patterns a known tool for knowledge management, also outside of science in business and governmental organizations [May and Taylor, 2003].

In general, patterns can be described in different forms, which complicate their comparison and understanding. For this reason, common languages were developed to describe patterns in a unified manner. A well-known and established pattern language is the pattern language markup language (PLML) [Fincher, 2003]. All pattern languages comprise own attributes used to describe a pattern. In PLML, a pattern comprises a number of XML-based attributes, of which only a few are of significance for hiding methods [Wendzel et al., 2015]:

  • Pattern Id: identifies a pattern

  • Name: the name of a pattern

  • Alias: alternative names for a pattern

  • Context: description of where a pattern is located within the hierarchy of patterns (e.g. as a sub-pattern of another pattern)

  • Solution and Implementation: describe the functioning of a pattern and add implementational details, e.g. code fragments

  • Evidence and Literature: describe exemplary areas of application for the pattern and reference publications

Using such pattern languages, patterns can be easily grouped in a pattern collection. A pattern collection comprises multiple patterns belonging to a similar domain, e.g. all patterns that describe hiding methods for networks.

As stated by Henninger et al., one of the main intentions of patterns is to provide a common vocabulary by which people can succinctly communicate well-known solutions to recurring problems [Henninger and Corrêa, 2007]. A so-called pattern collection is a set of patterns addressing a fairly cohesive problem domain [Henninger and Corrêa, 2007]. Patterns for the problem domain of hiding techniques can thus be considered a pattern collection.

2.4 Learning from the Software Patterns Community

While pattern collections offer a clear advantage of cleaning up a domain and helping to share ideas and abstractions between people working in the same conceptual space [May and Taylor, 2003], they are also linked to a number of challenges [Henninger and Corrêa, 2007].

Firstly, pattern collections are stored in a multitude of locations, e.g. conference proceedings or on the web (in wikis and websites of different format). For this reason, patterns are not easily accessible as many potential sources must be used to find new patterns. Secondly, pattern collections are not easy to link as different styles for pattern collections exist, which describe patterns with a different set of attributes. Thirdly, duplicates of patterns can arise under different names. On the other hand, Henninger mentions the need for duplicates as people may want to express the patterns different[ly], and patterns should allow a certain degree of expression [Henninger and Corrêa, 2007]. Our creativity framework addresses all three issues as we will explain in the next section.

3 A Pattern-based Framework for Network Steganography

We first illustrate the requirements of our creativity framework and then present the framework itself by explaining all the steps that must be performed within it.

3.1 Requirements

Our aim is to learn from the known drawbacks of pattern collections which we discussed in the previous section and to adjust our framework to scientific practice. Hence, we compiled the requirements to address these drawbacks in our creativity framework:

  1. The framework must require a researcher to publish his patterns in a publicly accessible way to ensure that all patterns and all updates to the pattern collection are accessible to the scientific community.

  2. The framework must emphasize the need for a unified form of pattern description, which is the pattern language markup language (PLML).

  3. The framework must address the aspect of duplicates; PLML contains an attribute that allows aliases for existing patterns.

  4. To find use in practice, the framework must comply with the common workflow of scientific research, especially within a peer review.

  5. The framework must not rely on the participation of all scientists of the research community. It is unlikely that a whole community will accept and work according to the same framework as people may not even aware of the framework or reject its idea.

  6. The framework should foster the development of new and applicable, that is creative, hiding methods.

3.2 Creativity Framework

Our creativity framework is visualized in \prettyreffig:Framework and consists of five steps, which we will explain one after another. Each step in the framework is performed by at least one role; either the scientific community (C), which performs peer reviews and maintains the pattern collection, or the researcher(s) (R), which publish novel network steganographic techniques. If a step of the framework is performed by both roles (C and R), the leading role is highlighted in \prettyreffig:Framework.

Figure 1: Creativity framework for network steganography

3.2.1 Step One: Generate Pattern Collection

Before a pattern collection can be used and serve as basis for further research, it must be created by one or many researchers (R). This step is performed by compiling a survey in which recurring design principles of hiding techniques are analyzed and grouped into hiding patterns. These patterns must be explained in the form of a pattern language – in our case PLML – to provide a unified and clear structure of the grouped hiding techniques. The compilation process for a new pattern collection may require several months of work. By publication in a public journal, the pattern collection becomes available to the scientific community (C).

The hiding patterns described in [Wendzel et al., 2015; Mazurczyk et al., in press] are suitable for the initial pattern collection. Due to the detailed description of the approach, these publications can also serve as a guideline for the development of new pattern collections.

3.2.2 Step Two: Create Novel Approaches

Completely new and thereby highly creative ideas are quit rare. In fact, a closer look at creative contributions shows that a lot of innovative products on the product market, theories in science or contributions in literature and arts are reinterpretations or advancements of already existing concepts. For example, Kepler proposed his three laws of planetary motion after he drew an analogy between planetary observations and magnetism [Gentner et al., 1997]. Accordingly, creativity research focusing on the process perspective also emphasizes the importance of conclusions by analogy. Many models of the creative process include a distinct process stage often labeled category combination. Category combination comprises the combination or reorganization of knowledge (respectively, information) for the generation of new ideas [Baughman and Mumford, 1995; Mumford et al., 1997, 2003; Mumford and Gustafson, 1988].

Various offensive as well as defensive cyber security techniques, including firewalls, intrusion detection systems, honeypots, botnets, and worms, follow ideas whose equivalents can be found in nature [Mazurczyk and Rzeszutko, 2015]. Not only does their technical logic represent an adaption of proven evolutionary concepts, but also the naming of these techniques stresses their close link to already existing mechanisms.

Applying concept combination from creativity research to the area of network steganography, researchers (R) should thus keep the patterns of the pattern collection in mind when designing new hiding techniques. For instance, an existing pattern’s technique could be inverted or combined with other patterns to build ideas for new patterns. Therefore, a researcher may select the most diverse patterns to produce higher novelty in comparison to extending ideas of hiding patterns with lower diversity. However, a sole parallel application of two patterns (e.g. a timing channel pattern combined with a storage channel pattern) cannot be considered a new pattern as each technique has to be handled by a separate pattern. It may, however, be imaginable to introduce hybrid patterns which combine existing patterns in useful ways. Such hybrid patterns must be considered as second tier patterns and cannot possess the same status like non-hybrid pattern as firstly, basically all patterns can be combined to form hybrid patterns, and secondly, the idea of hybrid hiding methods was already published [by Mazurczyk and Szczypiorski, 2008].

Indeed, a researcher may apply his very own discovery methods and can create entirely novel approaches without taking existing patterns as a basis. An uncommon approach to discover novel patterns may even result in higher creativity [Simonton, 2004]. In this case of applying own discovery methods, the researcher may only use the pattern collection to ensure that his new hiding technique is not already represented by an existing pattern. In other words, the framework does not limit the creativity and freedom of researchers but aims to support it.

However, all proposed hiding techniques of a researcher must fulfill the requirements of a creative product. Firstly, the new techniques must be original with respect to the existing patterns; secondly, they must be adaptive, i.e. applicable in practice, and must be proven by an implementation.

3.2.3 Step Three: Identify Creative Potential

In the form of a scientific paper that features a PLML-based description of the hiding technique, the researchers (R) submit their pattern (or evidence for an existing pattern) for peer review to the research community (C).

Both, C and R, evaluate the creativity of the proposed technique, while R initiates the process. Firstly, R evaluates his hiding technique (the creative product) based on his own internal criteria for what can be considered a promising idea [Simonton, 2004]. If R concludes that his idea matches the necessary quality requirements for a scientific contribution, he needs to prepare a scientific manuscript for submission. In the manuscript, he underpins the creativity of his new technique using the creativity metric we introduce in \prettyrefsec:NoveltyMetric. Afterwards, R submits the manuscript for peer review.

The peers (C) rate whether the stated arguments of R are actually true by performing a review, e.g. as described in [Smith, 1990]. Within the review, the peers additionally evaluate the creativity of R’s work by applying the same metric of \prettyrefsec:NoveltyMetric.

This metric will help to distinguish between contributions to network steganography research of a high level of creativity and such contributions that improve our understanding of steganographic techniques but do not widen the existing pattern collection. The classification of new ideas, products or concepts by their level of creativity is quite popular in creativity research. In Psychology, the term ‘small-c’ is used to express that a creative product is linked to low creativity [Simonton, 2014; Silvia et al., 2014; Kaufman and Beghetto, 2009, 2013]. In such a case, the work represents an existing pattern and can be added to the references of the particular pattern, i.e. R’s proposed hiding technique is added to the pattern collection in order to provide evidence for an existing pattern. Therefore, R must (monitored by C’s peer review) explicitly reference the existing pattern, which leads to step five. Indeed, R is able to withdraw and re-submit his work to another conference or journal if he does not accept the small-c categorization.222While most journals allow to have multiple peer review rounds per submission, conferences often directly accept or reject a submission. For this reason, conference reviewers (C) must explicitly state that a paper should be accepted under the condition that i) R references a particular pattern and that ii) R declares his contribution as ‘evidence’, what should be monitored by the conference chairs (also C) as the reviewers will have no further control over the process.

In case of a high level of creativity, the term ‘Big-C’ is used. In such a case, a new pattern can be created and added to the collection, which leads to step four. In both cases, ‘small-c’ and ‘Big-C’, the publication of a paper containing a pattern (or adding ‘evidence’ to an existing pattern) automatically integrates R’s contribution to the pattern collection.

Note that C can also reject the work of R, which means that no alternation of the pattern collection is achieved. Criteria for rating the creativity level of R’s hiding technique are presented in \prettyrefsec:NoveltyMetric.

3.2.4 Step Four: Optimize Pattern Description After Acceptance

In step four, which only applies for ‘Big-C’ cases, R’s idea was accepted as new pattern and will be published. To this end, R optimizes the pattern description within the submitted paper based on C’s review. This step is a part of the process in which R creates the camera-ready version of his paper.

3.2.5 Step Five: Publication (Maintenance of the Pattern Collection)

Within the network steganography community, research groups – forming the people behind the role ‘C’ – are maintaining the pattern collection, basically due to peer review in step three. A project website for long-term maintenance of network steganography patterns was set up that allows participants to discuss and question existing patterns and their evidence: Every author showing an accepted paper that adds a pattern or evidence to an existing pattern can request that his publication will be added to the webpage. This allows an easy access for the research community to the pattern collection.

However, a scientific research field may not only be driven by the power of few established research groups. It is thus necessary that a pattern collection is not only accessible due to scientific publications, but also forkable. Forking a pattern collection is similar to forking an open source software project. In the case of an open source project fork, the code is copied; the existing contributor’s names remain but the copy of the code is from that date on edited independently from the original and the names of the new contributors are added to the code. In other words, the pattern collection can be copied and extended by other individuals which can be part of C or stay even outside of the previous C. This allows changing the rules applied to evaluate the creativity of the hiding methods and also the rules of the framework. However, the reputation of a pattern collection is represented by its acceptance by leading scientists in a field and by the publication in high-quality journals and conference proceedings.

One aspect that can lead to a fork are so-called multiples: Simonton highlights multiples which appear on a regular basis in scientific history in form of parallel discoveries or rediscoveries [Simonton, 2004]. As mentioned, such multiples – or duplicates – also appear in the area of patterns [Henninger and Corrêa, 2007] but Simonton adds the aspect of grade to it [Simonton, 2004]. The grade is the number of rival claimants to the discovery or invention. For instance, if authors propose the same hiding technique, the associated pattern multiple’s grade is also . The scientific community, which is in charge of the pattern maintenance, takes care of spotting multiples and their divergent naming.333It is important to emphasize the fact that creativity research differs between the origination and acceptance of ideas [Simonton, 2004; Hammond et al., 2011; Lubart, 2001] The research community may forget non-accepted research work over the years, which can lead to a rediscovery of the same idea by another researcher. Therefore, pattern duplicates can be added as aliases to an existing pattern (step three) and members of C can act as R to propose such changes (step two).

4 A Network Steganography Creativity Metric

One of the core goals of our framework is to provide a metric for the creativity of a hiding technique. Such a metric cannot be built on a single aspect as hiding techniques in network steganography are linked to a variety of attributes.

Therefore, we provide a threefold metric, which requires a textual description within R’s manuscript for each of the following categories. Of these three categories, the primary category is considered the most important and the tertiary category the least important to evaluate the creativity of a hiding method:

  1. Primary category (originality of hiding technique): The major aspect to evaluate the creativity of a hiding technique is the extent to which it differs from the existing hiding techniques represented in known hiding patterns. Due to the large divergence of hiding techniques, a textual representation is necessary to explain this part. For instance, using a reserved flag of a network protocol cannot be considered novel as patterns already describe this technique.

  2. Secondary category (steganographic quality): A researcher (R) can take various steganographic attributes into account to support the quality of his hiding technique. The classical aspects to highlight in this regard are the detectability, robustness, and bandwidth of a hiding technique, but it is also possible to highlight its steganographic cost [Mazurczyk et al., 2014]. An optimally prepared manuscript highlights all four attributes.

  3. Tertiary category (adaptability or novelty of application area): A steganographic hiding method may be applied to a new area (e.g. to smart vehicle networks) that was not subject to a network steganographic research before. A new area of application can also be a particular network protocol. However, a new area of application does not necessarily increase the creativity of the hiding method itself since it represents only the adaptation of an exiting idea to another context. Instead, the adaptation to a new area supports the addition of R’s hiding technique to the ‘evidence’ attribute of a given hiding pattern.

    In other words, the novelty of the application area depends on the time of a technique’s presentation. For instance, several years ago, steganographic methods in smart buildings might have been a novel application area but after first publications arose in this context, the novelty of the application area is now lower. Similarly, hiding information in the IP header was a newer area of application in the mid-1990’s than it is today.

In step three of the framework, the researcher (R) provides arguments in his paper to support all three categories while the reviewers (C) review the correctness and reasonability of the provided arguments. On this basis, C can decide whether the approach is a new pattern, ‘evidence’ for an existing pattern, or not novel enough or of not acceptable quality to become a part of a pattern collection. If C decides to allow R a modified re-submission of his work, an additional review round can be performed — possibly multiple times.

5 Exemplary Walk-though

For a better illustration, we now provide an example on how to use the creativity framework. We assume that both, R and C are aware of our framework. If neither R nor C is aware of the framework, the framework would simply remain unused by these individuals, providing no update to the pattern collection at all. However, publications not based on patterns can be integrated into pattern collections a posteriori by creating surveys or by adding evidence to online pattern collections.

Step one of the framework (the creation of a pattern collection) must only be performed if no pattern collection is already available. For this reason, R can use the existing pattern collection as the basis for the following steps.

In step two of the framework, R combines the concepts of a reasonable number of patterns in the hope to create a new pattern — as mentioned, a typical process to generate a creative product. Alternatively, R can create ideas for new hiding techniques from scratch without taking existing patterns into account at this step.

Finally, R ends up with a considerably useful idea, namely to signal hidden information by the ‘position’ of a packet corruption within a network flow. For instance, if the third packet in a network flow is intentionally corrupted, it represents a hidden symbol while a corruption of the sixth packet represents a hidden symbol .

Being aware of the framework, R can recognize that his hiding technique is a combination of the two patterns PDU Corruption/Loss and Position. The PDU Corruption/Loss pattern represents hiding techniques which signal hidden data via packet loss or via corrupted network packets (e.g. those having invalid checksums). The Position pattern transfers hidden information by modifying the order of header elements (e.g. the order of header lines of in a HTTP request).

Based on his idea of a hiding technique, R implements a prototype to verify the feasibility of the technique and to evaluate its technical details such as the channel capacity. R compiles all relevant information about his hiding technique in form of a scientific paper. When describing the hiding technique in his paper, R either explains to which patterns the technique provides new evidence or why the technique cannot be associated with an existing pattern and, for this reason, necessarily represents a new pattern. Finally, R submits his paper for peer review to a scientific conference.

During the review process, R’s paper is sent to several peer reviewers (C). The peer reviewers state that the major aspect of the proposed hiding pattern is the position of a given PDU in a network flow (in R’s case, the important PDU is the one that contains an error). Therefore, the reviewers consider the hiding technique as being ‘small-c’, i.e. it provides additional ‘evidence’ to the Position pattern, but cannot be seen as a new pattern itself (still step three).

Based on all received comments of the reviewers, R finalizes his paper and submits a camera-ready version for publication. After the camera-ready version of the paper is published and if patterns were taken into account, the ‘evidence’ is officially provided to the existing pattern through the accessible paper (step five).

If R’s proposed hiding technique would have been accepted as a new hiding pattern (Big-C) by the peer reviewers, the published paper would represent the description of a new pattern, eventually featuring an optimized description to match the reviewer’s requirements (step four).

R can support the visibility of his hiding technique (being it a patern or an evidence entry to an existing pattern) in form of a comment on the existing pattern listings (e.g. or at any other place where a pattern collection is published to increase the distribution of research findings.

6 Discussion

To achieve our goal of a practical framework, we do not provide a low-level discussion on scientific creativity as can be found in [Simonton, 2004]. For instance, our framework does not focus on the slight, and in some aspects unclear, differences between multiples and their opposite (singletons). If the scientific community decides to accept the proposed framework and makes the decision to change the aspects of it or to add the handling of more details of scientific creativity, the model is open for change.

We will first discuss whether our framework achieves the previously introduced framework requirements, followed by a description on how to match the general requirement that a pattern cannot be called a pattern until at least three evidence cases are provided. We end this section with a note on alternative application areas for the framework.

6.1 Discussion of the framework’s requirements

We address the requirement of publicly accessible patterns (requirement one) by requiring R to publish novel patterns in publicly accessible, peer reviewed organs and by providing the option to provide comments to the existing pattern collection on-line or on alternative websites every researcher can create himself.

The requirement of a unified pattern description (requirement two) is addressed by the use of PLML as it ensures unified descriptions by its pre-defined set of attributes (e.g. evidence, alias or solution).

Our framework limits duplicates (requirement three) due to the framework’s integration into the academic peer review process in which duplicates may be spotted. In addition, requirement three is addressed by the use of PLML aliases. Aliases allow the a posteriori merging of redundant ideas published using different names, i.e. they can be applied if duplicates were not identified during the peer review.

The integration into the peer review process matches the requirement of the framework’s applicability to scientific practice (requirement four). Given the framework awareness of R or C, the consideration of patterns for a new hiding technique can be enforced. At the same time, the traditional review procedures are kept. The overhead of checking whether a proposed hiding technique matches an exiting pattern is minimal due to the small number of patterns and their hierarchical order.

The framework is applicable even under the circumstance that only a minority of researchers of the network steganography domain will apply it (requirement five). Even if only applied by few researchers, their combined effort for a unified pattern collection will lead to a more unified terminology and less re-inventions for hiding techniques. However, the more researchers apply in the framework, the more efficient it will be. In that sense, the framework represents a living process and the number of researchers participating in it can change over time.

Our framework fosters the creation of novel hiding techniques (requirement six) by giving researchers the chance to contribute an own pattern to the pattern collection. On the other hand, our concept can lead to the situation that a proposed hiding technique becomes a pattern although it should only be considered as ‘evidence’ for an existing pattern. For instance, one researcher could propose a new pattern and an unqualified reviewer might accept it as such although it should only be accepted as an ‘evidence’ entry for an existing pattern (or not at all) — this contradicts requirement three and is an existing problem of the network steganographic field that the framework will not solve but reduce if applied correctly.

Creativity research focusing on creative products outlines the problems related to creativity ratings of products like hiding techniques. Whenever products are rated, this evaluation underlies a social construction of criteria. Which solution is considered as non-, lowly or highly creative depends strongly on the raters’ background. Their individual expertise, experience and strategy influence ratings as well as the zeitgeist, cultural factors or simply a changing technological context in change of time. Little expertise or experience of the raters is one of the key issues. Rather uninformed reviewers might not be aware of already existing techniques. In consequence, they might not be able to detect the linkage of an alleged new pattern to an already known pattern of hiding techniques.

To deal with such problems and the resulting inconsistencies, we recommend compiling pattern surveys every 3-10 years and publishing these surveys in recognized journals or conferences. New surveys can modify the pattern collection by publishing a new version of it. Such surveys can, for instance, move a ‘pattern’ into the ‘evidence’ attribute of an existing pattern. The proposal of regular survey compilation matches the requirements four and five for integration into scientific practice as it keeps the pattern collection updated and provides good knowledge management for the scientific community as well as for practitioners. In addition, a scientific discussion about patterns should be performed using moderated websites as these can be updated at any time while surveys remain as mid-term and long-term solutions.

6.2 Pattern’s Requirement of Recurring Designs

Patterns must – per definition – occur multiple times. A typical boundary value for a design to become a pattern is three occurrences, provided as references in the ‘evidence’ attribute of PLML. It is our belief that the scientific community should ensure that all hiding techniques with ‘Big-C’ are represented by new patterns and rediscoveries are kept at a minimum. For this reason, we suggest that for the few new patterns to be found, patterns with a ‘pending’ status are created. Such patterns are part of a pattern collection as all other patterns but feature the keyword ‘pending’ in their name. A simple heuristic could be to consider the ‘pending’ keyword obsolete as soon as three references are listed in the ‘evidence’ attribute. An actual removal of the keyword cannot be done a posteriori in the same publication but by the above-mentioned regular surveys.

6.3 Applicability in Other Areas

We assume that our creativity framework can also be applied to other areas of information hiding besides network steganography. An imaginable area is digital media steganography. Moreover, our framework can be used to create a pattern collection of steganographic countermeasures, which were also already linked to patterns in [Wendzel et al., 2015]. For instance, various techniques similar to the pump [Kang and Moskowitz, 1993; Ogurtsov et al., 1996] can form a pattern while traffic normalization [Handley et al., 2001] must be considered a clearly different pattern due to its fundamentally different functioning. The initial step of creating a pattern collection must be performed first in these areas. Finally, the framework will be applicable to non-information hiding, even non-computer science, areas due to its generic approach.

7 Conclusion

We provide a framework and a metric for evaluating the creativity linked to hiding techniques and to handle inconsistencies in the terminology of network steganography. The framework can be applied in practice and is thus embedded into the academic peer review process. By providing an exemplary walk-through, we have shown the applicability of the approach. The framework’s design is not static and can be modified by the scientific community to fit their needs and it can be adapted to future developments. As patterns serve as basic elements of our framework, the framework takes advantage of their flexibility, accessibility and structure. In addition, the community benefits from the framework’s application even if only applied by a minority of researchers.

A drawback of our framework lies in the fact that different, especially low-qualified, researchers may allow the integration of a pattern that is only a representation of another hiding technique. We foresee regular surveys (every 3-10 years) as a clean-up solution for this drawback.

In addition to steganographic hiding techniques, the creativity framework is also applicable to other areas of information hiding, such as countermeasures or digital media steganography, as well as to other sciences.


We highly appreciate the valulable comments received by the reviewers and we like to thank Jernej Tonejc and Jaspreet Kaur for proof-reading our paper.


  • Agars et al. [2012] Agars, M. D., Kaufman, J. C., Deane, A., Smith, B.: “Fostering individual creativity through organizational context”; M. D. Mumford, ed., Handbook of organizational creativity; 271–291; Elsevier, 2012.
  • Alavi and Leidner [2001] Alavi, M., Leidner, D.: “Knowledge management and knowledge management systems: Conceptual foundations and research issues”; MIS Quarterly; 25 (2001), 25, 107–136.
  • Amabile [1983] Amabile, T.: The social psychology of creativity; Springer, 1983.
  • Baughman and Mumford [1995] Baughman, W. A., Mumford, M. D.: “Process-analytic models of creative capacities: Operations influencing the combination-and-reorganization process”; Creativity Research Journal; 8 (1995), 1, 37–62.
  • Brinkley and Schell [1995] Brinkley, D. L., Schell, R. R.: “Concepts and terminology for computer security”; Information security: An integrated collection of essays; (1995), 40–97.
  • Caroff and Lubart [2012] Caroff, X., Lubart, T.: “Multidimensional approach to detecting creative potential in managers”; Creativity Research Journal; 24 (2012), 11, 13–20.
  • Csikszentmihaly [1996] Csikszentmihaly, M.: Creativity: flow and the psychology of discovery and invention; Harper Collins, 1996.
  • Drazin et al. [1999] Drazin, R., Glynn, M., Kazanjian, R.: “Multilevel theorizing about creativity in organizations: A sensemaking perspective”; Academy of Management Review; 24 (1999), 286–307.
  • Farmer et al. [2003] Farmer, S., Tierney, P., Kung-Mcintyre, K.: “Employee creativity in Taiwan: an application of role identity theory”; Academy of Management Journal; 46 (2003), 618–630.
  • Fincher [2003] Fincher, S.: “Perspectives on HCI patterns: concepts and tools (introducing PLML)”; Interfaces; (2003), 56, 182–196.
  • Freiling et al. [2014] Freiling, F., Grimm, R., Großpietsch, K.-E., Keller, H. B., Mottok, J., Münch, I., Rannenberg, K., Saglietti, F.: “Technische Sicherheit und Informationssicherheit”; Informatik-Spektrum; 37 (2014), 1, 14–24; (in German).
  • Gamma et al. [1994] Gamma, E., Helm, R., Johnson, R. E., Vissides, J.: Design Patterns. Elements of Reusable Object-Oriented Software; Prentice Hall, 1994.
  • Gentner et al. [1997] Gentner, D., Brem, S., Ferguson, R., Wolff, P., Markman, A. B., Forbus, K.: “Analogy and creativity in the works of Johannes Kepler”; T. B. Ward, S. M. Smith, J. Vaid, eds., Creative thought: An investigation of conceptual structures and processes; 403–459; American Psychological Association, 1997.
  • Hammond et al. [2011] Hammond, M. M., Neff, N. L., Farr, J. L., Schwall, A. R., Zhao, X. Y.: “Predictors of individual-level innovation at work: A meta-analysis”; Psychology of Aesthetics Creativity and the Arts; 5 (2011), 1, 90–105.
  • Handley et al. [2001] Handley, M., Paxson, V., Kreibich, C.: “Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics”; Proc. 10th USENIX Security Symposium; volume 10; 115–131; 2001.
  • Henninger and Corrêa [2007] Henninger, S., Corrêa, V.: “Software pattern communities: Current practices and challenges”; Technical Report TR-UNL-CSE-2007-0015; University of Nebraska (2007).
  • Howard et al. [2008] Howard, T. J., Culley, S. J., Dekoninck, E.: “Describing the creative design process by the integration of engineering design and cognitive psychology literature”; Design Studies; 29 (2008), 2, 160–180.
  • Kang and Moskowitz [1993] Kang, M. H., Moskowitz, I.: “A pump for rapid, reliable, secure communication”; Proc. 1st ACM Conference on Computer and Communication Security; 119–129; 1993.
  • Katzenbeisser and Petitcolas [2000] Katzenbeisser, S., Petitcolas, F. A., eds.: Information Hiding Techniques for Steganography and Digital Watermarking; Artech House, Inc., Norwood, MA, USA, 2000; 1st edition.
  • Kaufman and Beghetto [2009] Kaufman, J. C., Beghetto, R. A.: “Beyond big and little: The four c model of creativity”; Review of General Psychology; 13 (2009), 1, 1–12.
  • Kaufman and Beghetto [2013] Kaufman, J. C., Beghetto, R. A.: “Do people recognize the four Cs? examining layperson conceptions of creativity”; Psychology of Aesthetics, Creativity, and the Arts; 7 (2013), 3, 229–236.
  • Krause [2013] Krause, D. E.: Kreativität, Innovation und Entrepreneurship; Springer, 2013; (in German).
  • Lubacz et al. [2014] Lubacz, J., Mazurczyk, W., Szczypiorski, K.: “Principles and overview of network steganography”; IEEE Communications Magazine; 52 (2014), 5, 225–229.
  • Lubart [2001] Lubart, T. L.: “Models of the creative process: Past, present and future”; Creativity Research Journal; 13 (2001), 3-4, 295–308.
  • May and Taylor [2003] May, D., Taylor, P.: “Knowledge management with patterns”; Communications of the ACM; 46 (2003), 7, 94–99.
  • Mazurczyk and Rzeszutko [2015] Mazurczyk, W., Rzeszutko, E.: “Security – a perpetual war: lessons from nature”; IEEE IT Professional; (2015).
  • Mazurczyk and Szczypiorski [2008] Mazurczyk, W., Szczypiorski, K.: “Steganography of VoIP streams”; Proc. OnTheMove Federated Conferences and Workshops (OTM) 2008, Part II – The 3rd International Symposium on Information Security (IS’08); volume 5332 of LNCS; 1001–1018; Springer-Verlag Berlin Heidelberg, 2008.
  • Mazurczyk et al. [2014] Mazurczyk, W., Wendzel, S., Villares, I. A., Szczypiorski, K.: “On importance of steganographic cost for network steganography”; Wiley Security and Communication Networks (SCN); (2014).
  • Mazurczyk et al. [in press] Mazurczyk, W., Wendzel, S., Zander, S., Houmansadr, A., Szczypiorski, K.: Information Hiding in Communication Networks: Fundamentals, Mechanisms, and Applications; IEEE Series on Information and Communication Networks Security; Wiley-IEEE Press, in press.
  • Mooney [1963] Mooney, R. L.: “A conceptual model for integrating four approaches to the identification of creative talent”; C. W. Taylor, F. Barron, eds., Scientific Creativity: Its Recognition and Development; Wiley, 1963.
  • Mumford et al. [1997] Mumford, M. D., Baughman, W. A., Maher, M. A., Costanza, D. P., Supinski, E. P.: “Process-based measures of creative problem-solving skills: IV. category combination”; Creativity Research Journal; 10 (1997), 1, 59–71.
  • Mumford et al. [2003] Mumford, M. D., Connelly, S., Gaddis, B.: “How creative leaders think”; The Leadership Quarterly; 14 (2003), 4-5, 411–432.
  • Mumford and Gustafson [1988] Mumford, M. D., Gustafson, S. B.: “Creativity syndrome: Integration, application, and innovation”; Psychological Bulletin; 103 (1988), 1, 27–43.
  • Ogurtsov et al. [1996] Ogurtsov, N., Orman, H., Schroeppel, R., et al.: “Covert channel elimination protocols”; Technical report; Department of Computer Science, University of Arizona (1996).
  • Oldham and Cummings [1996] Oldham, G. R., Cummings, A.: “Employee creativity: Personal and contextual factors at work”; Academy of Management Journal; 39 (1996), 3, 607–634.
  • Palmer [2015] Palmer, C.: Berufsbezogene Kreativitätsdiagnostik. Entwicklung und Validierung eines Verfahrens zur Erfassung der personalen Voraussetzungen von Innovationen; Ph.D. thesis; Justus-Liebig-Universität Giessen (2015); (in German).
  • Palmer et al. [2015] Palmer, C., Cesinger, B., Gellèri, P., Putsch, D., Winzen, J.: “Psychometrical testing of entrepreneurial creativity”; International Journal of Entrepreneurial Venturing; 7 (2015), 2, 194–210.
  • Petitcolas et al. [1999] Petitcolas, F. A., Anderson, R. J., Kuhn, M. G.: “Information hiding—a survey”; Proceedings of the IEEE; 87 (1999), 7, 1062–1078.
  • Rhodes [1961] Rhodes, M.: “An analysis of creativity”; Phi Delta Kappa; 42 (1961), 305–310.
  • Runco [2006] Runco, M. A.: “Introduction to the special issue: Divergent thinking”; Creativity Research Journal; 18 (2006), 3, 249–250.
  • Schuler and Görlich [2007] Schuler, H., Görlich, Y.: Kreativität. Ursachen, Messung, Förderung und Umsetzung in Innovation; Hogrefe, 2007; (in German).
  • Silvia et al. [2014] Silvia, P. J., Beaty, R. E., Nusbaum, E. C., Eddington, K. M., Levin-Aspenson, H., Kwapil, T. R.: “Everyday creativity in daily life: An experience-sampling study of “little c” creativity”; Psychology of Aesthetics, Creativity, and the Arts; 8 (2014), 2, 183–188.
  • Simonton [2004] Simonton, D. K.: Creativity in Science. Chance, Logic, Genius, and Zeitgeist; Cambridge University Press, 2004.
  • Simonton [2011] Simonton, D. K.: “Creativity”; S. J. Lopez, C. R. Snyder, eds., The Oxford Handbook of Positive Psychology; chapter 24, 261–269; Oxford University Press, 2011; 2nd edition.
  • Simonton [2014] Simonton, D. K.: “More method in the mad-genius controversy: A historiometric study of 204 historic creators”; Psychology of Aesthetics, Creativity, and the Arts; 8 (2014), 1, 53–61.
  • Smith [1990] Smith, A. J.: “The task of the referee”; IEEE Computer; 23 (1990), 4, 65–71.
  • Smith et al. [2000] Smith, D. C., Stal, M., Rohnert, H., Buschmann, F.: Pattern-Oriented Software Architecture: Volume 2: Patterns for Concurrent and Networked Objects; John Wiley & Sons, 2000; 1 edition.
  • Smith [2005] Smith, G. J. W.: “How should creativity be defined?”; Creativity Research Journal; 17 (2005), 293–295.
  • Ward [2004] Ward, T. B.: “Cognition, creativity, and entrepreneurship”; Journal of Business Venturing; 19 (2004), 2, 173–188.
  • Wendzel et al. [2015] Wendzel, S., Zander, S., Fechner, B., Herdin, C.: “Pattern-based survey and categorization of network covert channel techniques”; ACM Computing Surveys (CSUR); 47 (2015), 3, 50:1–26.
  • Yoshioka et al. [2008] Yoshioka, N., Washizaki, H., Maruyama, K.: “A survey on security patterns”; Progress in Informatics; 5 (2008), 5, 35–47.
  • Zander et al. [2007] Zander, S., Armitage, G., Branch, P.: “Covert channels and countermeasures in computer network protocols”; IEEE Communications Magazine; 45 (2007), 12, 136–142.
  • Zhou and Shalley [2003] Zhou, J., Shalley, C. E.: “Research on employee creativity: A critical review and directions for future research”; Research in Personnel and Human Resources Management; 22 (2003), 165–217.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description