Attacking and Defending Covert Channels and Behavioral Models

In this paper we present methods for attacking and defending k-gram statistical analysis techniques that are used, for example, in network traffic analysis and covert channel detection. The main new result is our demonstration of how to use a behavior’s or process’ k-order statistics to build a stochastic process that has those same k-order stationary statistics but possesses different, deliberately designed, (k + 1)order statistics if desired. Such a model realizes a “complexification” of the process or behavior which a defender can use to monitor whether an attacker is shaping the behavior. By deliberately introducing designed (k + 1)-order behaviors, the defender can check to see if those behaviors are present in the data. We also develop constructs for source codes that respect the k-order statistics of a process while encoding covert information. One fundamental consequence of these results is that certain types of behavior analyses techniques come down to an arms race in the sense that the advantage goes to the party that has more computing resources applied to the problem. Points of view in this document are those of the authors and do not necessarily represent the official position of the sponsoring agencies or the U.S. Government. V. Crespi is with the Department of Computer Science, California State University at Los Angeles, Los Angeles CA, 90032 USA. email: [email protected]. Crespi’s work was partially supported by AFOSR Grant FA9550-07-1-0421 and by NSF Grant HRD-0932421. G. Cybenko is with the Thayer School of Engineering, Dartmouth College, Hanover NH 03755. email: [email protected]. Cybenko’s work was partially supported by Air Force Research Laboratory contracts FA8750-10-1-0045, FA8750-09-1-0174, AFOSR contract FA9550-07-1-0421, U.S. Department of Homeland Security Grant 2006-CS-001-000001 and DARPA Contract HR001-06-1-0033 A. Giani is with the Department of EECS, University of California at Berkeley, Berkeley CA 94720. email: [email protected]. Giani’s’s work was partially supported by U.S. Department of Homeland Security Grant 2006-CS001-000001 and DARPA Contract HR001-06-1-0033 when she was a Ph.D. student at Dartmouth January 20, 2013 DRAFT ar X iv :1 10 4. 50 71 v1 [ cs .L G ] 2 7 A pr 2 01 1 CRESPI, CYBENKO, GIANI 2