a define knowledge about the existence of such dependencies at the moment of
transmission. It produces very complex probability models.
We use the term "system" in several senses; the context determines which one
is meant throughout the paper. In its main sense, a "system" is a generator of
a data sequence sent from the task control computer to the computer where tasks
are solved. This data sequence is unidirectional. We sometimes speak of computer
systems to emphasize that the data generator in the task control computer is a
complex system in which an independent hardware/software adversary agent can
operate alongside the task computation. The same can be said about the computer
where tasks are solved.
We analyze the system with infinite sequences of messages and show that
the final results of the analysis are almost independent of the probability
model. The word "almost" means that the probability measure of normal behavior
must be perpendicular to the probability measure of a covert channel. This
assumption seems quite natural when statistical methods are used for signal
detection. We also prove that under certain conditions the warden can construct
consistent tests for covert channel detection. If the warden's capacities are
limited, we examine the possibilities for the warden to detect a covert
transmission when a method of data hiding is known.
Similar ideas were investigated in intrusion detection models, for example in
[2,5]. But intrusion detection demands the quickest reaction to an attack. That
means that the decision should be based on the shortest trace of input data.
There are many traces that have to be considered as input to the intrusion
detection automaton. There is no decision rule that produces good detection of
intrusions together with few false alarms. This fact is well known in
mathematical statistics as the problem of a large number of short samples, and
also as the detection of rare events in a sequence of homogeneous samples [3].
The best interpretation of this problem for intrusion detection systems is
presented in [2]. We consider a problem that is similar to, but different from,
intrusion detection. The warden can permit covert transmission in order to get
enough information to prove the existence of a covert channel (data hiding). The
warden's problem is the lack of knowledge about the data hiding method. That
means that he knows the hypothesis $H_0$ but doesn't know the alternatives. Our
work solves theoretical problems and helps to understand the weaknesses of
statistical covert channels. It uses probability models and methods. That is why
we cannot simultaneously consider the construction of practical tools for the
warden. Nevertheless, the proof of the existence of the consistent test is
constructive. The hardness of the problem remains to be researched.
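An added illustration of a consistent test, not code from the paper: the warden knows only H0 and flags a covert channel when the empirical symbol distribution deviates from it by more than a threshold that shrinks with the trace length. The i.i.d. four-symbol model, the distributions P0 and P1, and the n^(-1/3) threshold are assumptions made here; they are not the paper's construction.

```python
import random

# Constructed model (assumption, not from the paper): each message carries a
# symbol from a 4-letter alphabet, i.i.d. under both hypotheses.
P0 = [0.25, 0.25, 0.25, 0.25]   # H0: normal behaviour, known to the warden
P1 = [0.30, 0.20, 0.28, 0.22]   # covert-channel skew, unknown to the warden


def sample(dist, n, rng):
    """Draw n i.i.d. symbols from dist."""
    return rng.choices(range(len(dist)), weights=dist, k=n)


def tv_from_h0(trace):
    """Total variation distance between the empirical distribution and P0."""
    n = len(trace)
    counts = [trace.count(s) for s in range(len(P0))]
    return 0.5 * sum(abs(c / n - p) for c, p in zip(counts, P0))


def warden_rejects_h0(trace):
    """Flag a covert channel when the deviation from P0 exceeds n^(-1/3).

    The threshold shrinks to 0, but slower than the n^(-1/2) sampling noise
    under H0, so both error rates vanish as n grows for any fixed P1 != P0.
    The test never uses P1: only H0 has to be known.
    """
    return tv_from_h0(trace) > len(trace) ** (-1.0 / 3.0)


def error_rates(n, trials=100, seed=1):
    """Estimate (false alarm rate, miss rate) for traces of length n."""
    rng = random.Random(seed)
    false_alarms = sum(warden_rejects_h0(sample(P0, n, rng)) for _ in range(trials))
    misses = sum(not warden_rejects_h0(sample(P1, n, rng)) for _ in range(trials))
    return false_alarms / trials, misses / trials


if __name__ == "__main__":
    # Short traces miss the channel; long traces drive both error rates down.
    for n in (50, 500, 5000, 20000):
        fa, miss = error_rates(n)
        print(f"n={n:6d}  false alarms={fa:.3f}  misses={miss:.3f}")
```

On short traces the skew is hidden in sampling noise and the test misses it, which is the intrusion detection setting; a warden who lets the transmission continue collects a trace long enough for both error rates to fall.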
The paper is structured as follows. Section 2 presents the proof of the
existence of a consistent test for hidden transfer detection. Section 3
specifies the conditions under which a warden with limited resources can detect
a covert transmission. Section 4 presents the conclusions.
2 Existence of Consistent Tests
In this paper we analyze the simplest case of the system, which consists of two
computers connected by a single unidirectional link S.