This paper develops techniques for attacking and defending the behavioral anomaly detection methods commonly used in network traffic analysis and covert channels. The main new result is our demonstration of how to use a behavior's or process's k-order statistics to build a stochastic process that has the same k-order stationary statistics but possesses different, deliberately designed, (k+1)-order statistics if desired. Such a model realizes a "complexification" of the process or behavior, which a defender can use to monitor whether an attacker is shaping the behavior. We also describe a source coding technique that respects the k-order statistics of a process (including entropy, which is, for example, a first-order statistic) while encoding information covertly, and we show how to optimize the information rate. Although the main results and examples are stated in terms of behavioral anomaly detection for covert channels, the techniques apply more generally to behavioral anomaly analysis. One fundamental consequence of these results is that certain types of behavioral anomaly detection come down to an arms race, in the sense that the advantage goes to the party that applies more computing resources to the problem.
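The following is an added illustration of the k-order versus (k+1)-order idea from the defender's side; it is not the paper's construction and none of its names (`iid_chain`, `shaped_chain`, `monitor`, the marginal `PI`, the `stickiness` parameter) come from the paper. It takes k = 1: two stationary processes over three symbols (think of binned packet sizes; the symbol set and the marginal are constructed for the demo) share exactly the same first-order distribution, but one is memoryless while the other carries designed pairwise structure. A monitor that compares only first-order statistics against its reference model sees nothing; one that also compares second-order (pair) statistics separates the two, which is the "complexification" a defender would check for.

```python
"""Same first-order statistics, different second-order statistics.

Constructed illustration (not the paper's construction): two stationary
processes over symbols {0, 1, 2} share the same marginal (first-order)
distribution; one is i.i.d., the other has designed pair (second-order)
structure. A first-order-only monitor cannot tell them apart; a monitor
that also checks second-order statistics can.
"""
import random

# Constructed target marginal over three symbols (an assumption for the demo).
PI = [0.5, 0.3, 0.2]


def iid_chain(pi):
    """Transition matrix of the memoryless process: every row equals pi."""
    return [list(pi) for _ in pi]


def shaped_chain(pi, stickiness):
    """Markov chain with stationary distribution pi but added persistence.

    Row i is stickiness * e_i + (1 - stickiness) * pi. Since
    pi @ P = stickiness * pi + (1 - stickiness) * pi = pi, the first-order
    statistics are unchanged; only the pair statistics move.
    """
    n = len(pi)
    return [[(stickiness if i == j else 0.0) + (1 - stickiness) * pi[j]
             for j in range(n)] for i in range(n)]


def stationary_distribution(P, iters=500):
    """Stationary row vector via power iteration (adequate for small ergodic chains)."""
    n = len(P)
    v = [1.0 / n] * n
    for _ in range(iters):
        v = [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]
    return v


def pair_distribution(P):
    """Exact second-order statistics: Pr[X_t = i, X_{t+1} = j] = pi_i * P_ij."""
    pi = stationary_distribution(P)
    n = len(P)
    return [[pi[i] * P[i][j] for j in range(n)] for i in range(n)]


def l1(a, b):
    """Total absolute difference between two (possibly nested) distributions."""
    if isinstance(a[0], list):
        return sum(l1(x, y) for x, y in zip(a, b))
    return sum(abs(x - y) for x, y in zip(a, b))


def simulate(P, length, seed):
    """Sample a symbol sequence from the chain (seeded, so runs are repeatable)."""
    rng = random.Random(seed)
    n = len(P)
    state = rng.choices(range(n), weights=stationary_distribution(P))[0]
    out = [state]
    for _ in range(length - 1):
        state = rng.choices(range(n), weights=P[state])[0]
        out.append(state)
    return out


def empirical_stats(seq, n):
    """First- and second-order empirical distributions of an observed sequence."""
    first = [0.0] * n
    second = [[0.0] * n for _ in range(n)]
    for s in seq:
        first[s] += 1.0 / len(seq)
    for a, b in zip(seq, seq[1:]):
        second[a][b] += 1.0 / (len(seq) - 1)
    return first, second


def monitor(seq, reference_P):
    """Defender check: L1 distance of an observed sequence from the reference
    model at first and second order. A small order-1 gap together with a large
    order-2 gap is the signature of (k+1)-order shaping for k = 1."""
    n = len(reference_P)
    first, second = empirical_stats(seq, n)
    return {
        "order1": l1(first, stationary_distribution(reference_P)),
        "order2": l1(second, pair_distribution(reference_P)),
    }


if __name__ == "__main__":
    A, B = iid_chain(PI), shaped_chain(PI, 0.6)
    print("exact order-1 gap:", l1(stationary_distribution(A), stationary_distribution(B)))
    print("exact order-2 gap:", l1(pair_distribution(A), pair_distribution(B)))
    print("monitor on shaped traffic vs i.i.d. reference:",
          monitor(simulate(B, 50000, seed=7), A))
```

The exact order-2 gap for these constants works out to 1.2 * (1 - sum(pi_i^2)) = 0.744 while the order-1 gap is zero, so the defender's discriminating power here comes entirely from the higher-order comparison; the same comparison can be carried one order higher each time the shaper does, which is the arms-race observation the abstract makes.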