Attacking and Defending Covert Channels and Behavioral Models
Valentino Crespi, George Cybenko, Annarita Giani

TL;DR
This paper introduces methods to attack and defend $k$-gram analysis in network traffic, demonstrating how to manipulate higher-order statistics to detect covert behaviors and highlighting an ongoing arms race in behavioral analysis techniques.
Contribution
The paper presents a novel approach to model behavior with controlled higher-order statistics and develops source coding constructs that embed covert information while respecting $k$-order statistics.
Findings
Behavior models can be manipulated to have the same $k$-order but different $(k+1)$-order statistics.
Defenders can detect covert behaviors by monitoring for designed higher-order statistical patterns.
Behavior analysis techniques are subject to an arms race due to computational resource disparities.
Abstract
In this paper we present methods for attacking and defending $k$-gram statistical analysis techniques that are used, for example, in network traffic analysis and covert channel detection. The main new result is our demonstration of how to use a behavior's or process' $k$-order statistics to build a stochastic process that has those same $k$-order stationary statistics but possesses different, deliberately designed, $(k+1)$-order statistics if desired. Such a model realizes a "complexification" of the process or behavior which a defender can use to monitor whether an attacker is shaping the behavior. By deliberately introducing designed $(k+1)$-order behaviors, the defender can check to see if those behaviors are present in the data. We also develop constructs for source codes that respect the $k$-order statistics of a process while encoding covert information. One fundamental…
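As an added illustration (not code from the paper), the sketch below runs the defender-side check for the simplest case $k = 1$: two constructed binary sources share the same 1-gram statistics but differ at order 2, and the check reports the lowest order at which observed data departs from a baseline. The generators, sample size, seed and 0.1 threshold are assumptions chosen for the example.

```python
import random
from collections import Counter

def kgram_dist(seq, k):
    """Empirical distribution of overlapping k-grams in seq."""
    counts = Counter(tuple(seq[i:i + k]) for i in range(len(seq) - k + 1))
    total = sum(counts.values())
    return {gram: c / total for gram, c in counts.items()}

def tv_distance(p, q):
    """Total variation distance between two k-gram distributions."""
    return 0.5 * sum(abs(p.get(g, 0.0) - q.get(g, 0.0)) for g in set(p) | set(q))

def first_divergent_order(baseline, observed, max_k, threshold=0.1):
    """Lowest order k <= max_k at which observed departs from baseline, else None.

    The threshold is an assumed tuning value, not one taken from the paper.
    """
    for k in range(1, max_k + 1):
        if tv_distance(kgram_dist(baseline, k), kgram_dist(observed, k)) > threshold:
            return k
    return None

def iid_bits(n, rng):
    """Fair coin flips: 1-grams are 50/50 and every 2-gram has probability 0.25."""
    return [rng.randrange(2) for _ in range(n)]

def sticky_bits(n, rng, stay=0.9):
    """Symmetric Markov chain: 1-grams are still 50/50, but 2-grams favor 00 and 11."""
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        bits.append(bits[-1] if rng.random() < stay else 1 - bits[-1])
    return bits

# Constructed sample data (fixed seed so the run is repeatable).
rng = random.Random(1)
BASELINE = iid_bits(50_000, rng)
SAME_SOURCE = iid_bits(50_000, rng)   # a second draw from the baseline source
SHAPED = sticky_bits(50_000, rng)     # same order-1 statistics, different order-2

if __name__ == "__main__":
    for k in (1, 2):
        d = tv_distance(kgram_dist(BASELINE, k), kgram_dist(SHAPED, k))
        print(f"order {k}: TV distance = {d:.3f}")
    print("first divergent order:", first_divergent_order(BASELINE, SHAPED, 3))
```

A monitor that stops at order $k$ sees nothing unusual in `SHAPED`; extending the comparison by one order exposes it.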
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Adversarial Robustness in Machine Learning
