**5. Conclusions**

Multilayer steganography detection is a method that utilizes a top-down approach for network steganography detection and introduces an intelligent choice of steganographic methods applied to specific network traffic. As a part of the method, we have presented a steganalysis layer selection method that provides an intelligent selection of steganalysis algorithms, preserving the balance between resource consumption and detection performance. To the authors' best knowledge, this is the first generic network steganography detection method that utilizes a top-down approach for a detection method selection algorithm to ensure optimal computation resource allocation.

We have described the method's concept and its key components and discussed the method's applicability for network steganography detection in the context of known data-hiding methods. We also considered steganography detection in real networks in a wider context. The method requires the use of other existing network steganography detection methods for optimum effectiveness. The main novelty of the proposed method is providing a capability for intelligent selection of the best-fit steganalysis method for analyzed network traffic to maintain optimal resource utilization. Other generic detection methods presented so far do not provide orchestration for network steganography detection.

We applied our method to the detection of the RSTEG data-hiding method, presented the proposed detection techniques, and assigned them to specific layers. The results demonstrated the method's performance gain over the steganalysis of raw network data. The presented characteristics of performance gain lead us to the conclusion that the method's application for real-time steganalysis is promising as it introduces a non-linear increase in processing time.

We suggest the following areas of future research:


**Author Contributions:** M.S. contributed to theoretical formulation, design methodology, dataset development, experiment design and implementation, results interpretation, original draft preparation and revision. The other authors (K.S., J.P.) contributed to project supervision, theoretical formulation, result interpretation, and revision of the initial draft. All authors have read and agreed to the published version of the manuscript.

**Funding:** This scientific research work was co-financed by the European Union, project name: "The system for identification and monitoring of anomalies and risks in ICT networks". The amount financed by the European Union was EUR 1,044,534.63. The investment outlay value for the entire project was EUR 1,407,526.46. The subsidy was allocated from the European Regional Development Fund, Operational Program "Smart Growth", sub-measure 1.1.1 "Industrial research and development work implemented by enterprises" (grant number: POIR.01.01.01-00-0554/15).

**Conflicts of Interest:** The authors declare no conflict of interest.
