Yali Liu

Hide and seek in time: robust covert timing channels

Covert timing channels aim at transmitting hidden messages by controlling the time between transmissions of consecutive payload packets in overt network communication. Previous results used encoding mechanisms that are either easy to detect with statistical analysis, thus spoiling the purpose of a covert channel, and/or are highly sensitive to channel noise, rendering them useless in practice. In this paper, we introduce a novel covert timing channel which allows to balance undetectability and robustness: i) the encoded message is modulated in the inter-packet delay of the underlying overt communication channel such that the statistical properties of regular traffic can be closely approximated and ii) the underlying encoding employs spreading techniques to provide robustness. We experimentally validate the effectiveness of our approach by establishing covert channels over on-line gaming traffic. The experimental results show that our covert timing channel can achieve strong robustness and undetectability, by varying the data transmission rate.

SIDD: A Framework for Detecting Sensitive Data Exfiltration by an Insider Attack

Detecting and mitigating insider threat is a critical element in the overall information protection strategy. By successfully implementing tactics to detect this threat, organizations mitigate the loss of sensitive information and also potentially protect against future attacks. Within the broader scope of mitigating insider threat, we focus on detecting exfiltration of sensitive data through a protected network. We propose a multilevel framework called SIDD (Sensitive Information Dissemination Detection) system which is a high-speed transparent network bridge located at the edge of the protected network. SIDD consists of three main components: 1) network-level application identification, 2) content signature generation and detection, and 3) covert communication detection. Further, we introduce a model implementation of the key components, demonstrating how our system can be deployed. Our approach is based on the application of statistical and signal processing techniques on traffic flow to generate signatures and/or extract features for classification purposes. The proposed framework aims to address methods to detect, deter and prevent deliberate and unintended distribution of sensitive content outside the organization using the organization’s system and network resources by a trusted insider.

A Novel Audio Steganalysis Based on High-Order Statistics of a Distortion Measure with Hausdorff Distance

Steganography can be used to hide information in audio media both for the purposes of digital watermarking and establishing covert communication channels. Digital audio provides a suitable cover for high-throughput steganography as a result of its transient and unpredictable characteristics. Distortion measure plays an important role in audio steganalysis - the analysis and classification method of determining if an audio medium is carrying hidden information. In this paper, we propose a novel distortion metric based on Hausdorff distance. Given an audio object xwhich could potentially be a stego-audio object, we consider its de-noised version xi¾? as an estimate of the cover-object. We then use Hausdorff distance to measure the distortion from xto xi¾?. The distortion measurement is obtained at various wavelet decomposition levels from which we derive high-order statistics as features for a classifier to determine the presence of hidden information in an audio signal. Extensive experimental results for the Least Significant Bit (LSB) substitution based steganography tool show that the proposed algorithm has a strong discriminatory ability and the performance is significantly superior to existing methods. The proposed approach can be easily applied to other steganography tools and algorithms.

Robust and undetectable steganographic timing channels for i.i.d. traffic

Steganographic timing channels exploit inter-packet delays in network traffic to transmit secret messages. The two most important design goals are undetectability and robustness. In previous proposals undetectability has been validated only against a set of known statistical methods, leaving the resistance against possible future attacks unclear. Moreover, many existing schemes do not provide any robustness at all. In this paper, we introduce a steganographic timing channel that is both robust and provably undetectable for network traffic with independent and identically distributed (i.i.d.) inter-packet delays. I.i.d. traffic models are very useful because they are simple to analyze, and constitute essential elements of many advanced network traffic models. In contrast to previous work on i.i.d. traffic we do not rely on any strong assumptions, e.g., bounded jitter, but require only the existence of a cryptographically secure pseudorandom generator. We verify the effectiveness of our approach by conducting a series of experiments on Telnet traffic and discuss the trade off between various encoding and modulation parameters.

Wavelet-Based Traffic Analysis for Identifying Video Streams over Broadband Networks

Network and service providers are rapidly deploying IPTV networks to deliver a wide variety of video content to subscribers. Some video content may be protected by copyright and/or may be subject to distribution restrictions. Encryption technologies may not always be effective to manage protected video content, particularly when video content is legally decrypted upon receipt by a subscriber. This paper presents a new approach to detect if specific (or protected) downloaded video is being redistributed by a subscriber using the broadband Internet connection. The approach employs a traffic-based signature of the protected video clip. The signature which is shown to be unique is stored in a signature store. We adopt a wavelet-based analysis to match video streams captured from the network to the signatures in the store. The performance of the detection algorithm is evaluated using a large video database populated with a variety of movies and TV shows. The experiment results show that our algorithm achieves high detection rates and low false alarm rates using video clips of only a few seconds.

A new source model and accurate rate control algorithm with QP and rounding offset adaptation

Rate control plays an important role in regulating the encoding bit rate to meet the bandwidth and storage requirement. Most existing works regulate the bit rate by adjusting the quantization step size. We propose to incorporate a new dimension: the quantization rounding offset into a rate control algorithm. Based on our previous work of multi-pass fine rate control, in this work, we present a unified one-pass rate control algorithm that jointly adjusts the quantization step size and the rounding offset for high bit rate accuracy. Unlike the quantization step size that has a limited number of choices, the rounding offset is a continuously adjustable variable that allows the rate control algorithm to reach any precision in principle. Our extensive experimental results show that the proposed algorithm greatly improves the rate control accuracy at almost no extra computational complexity.

Detecting sensitive data exfiltration by an insider attack

Detecting and mitigating insider threat is a critical element in the overall information protection strategy. By successfully implementing tactics to detect this threat, organizations mitigate the loss of sensitive information and also potentially protect against future attacks. Within the broader scope of mitigating insider threat, we focus on detecting exfiltration of sensitive data through a protected network. We propose a multilevel framework called SIDD (Sensitive Information Dissemination Detection) system which is a high-speed transparent network bridge located at the edge of the protected network. SIDD consists of three main components: 1) network-level application identification, 2) content signature generation and detection, and 3) covert communication detection. Further, we introduce a model implementation of the key components, demonstrating how our system can be deployed. Our approach is based on the application of statistical and signal processing techniques on traffic flow to generate signatures and/or extract features for classification purposes. The proposed framework aims to address methods to detect, deter and prevent deliberate and unintended distribution of sensitive content outside the organization using the organizations system and network resources by a trusted insider.

A novel fine rate control algorithm with adaptive rounding offset

The rate control algorithm is of essential importance to a video encoder. It enables the encoded bitstream to meet the bandwidth and storage requirement while maintaining good video quality. Most existing works adjust the quantization step size to achieve the required bit rate accuracy. This paper introduces a new dimension: the quantization rounding offset into a frame-level fine rate control algorithm. Specifically, we propose a novel fine rate control algorithm based on a linear model between the bit rate and the rounding offset. Unlike the quantization step size that has a limited number of choices, the quantization rounding offset is a continuously adjustable variable which allows the rate control algorithm to reach any precision in principle. Extensive experiment results show that the proposed algorithm greatly improves the bit rate accuracy and provides better visual quality by fine tuning of the rounding offset in addition to the quantization step size.

A Fine Rate Control Algorithm With Adaptive Rounding Offsets (ARO)

Rate control plays an important role in regulating the bit rate to meet the bandwidth and storage requirement. Most existing video encoders regulate the bit rate by adjusting the quantization step size. We propose to incorporate a new dimension: the quantization rounding offset into rate control. In this paper, we present a rate control algorithm with adaptive rounding offsets (ARO) that jointly adjusts the quantization step size and the rounding offset for high bit rate accuracy. Different from the quantization step size that has a limited number of choices, the rounding offset is a continuously adjustable variable that allows the rate control algorithm to reach any precision in principle. Our extensive experimental results show that the proposed ARO algorithm significantly improves the rate control accuracy at almost no extra computational complexity. Compared with the rho-domain rate control, the ARO algorithm reduces the rate control errors from about 2% to 0.5% for INTRA frames, and 5% to 1.5% for INTER frames. Our experiments also demonstrate that ARO provides the extra benefit of smoother visual quality.

Efficient probability based macroblock mode selection in H.264/AVC

To get high compress efficiency, the latest H.264/AVC international video coding standard introduced many more advanced tools than previously used standards, such as using sophisticated prediction and rate-distortion (RD) mode selection. Although these new coding tools can significantly improve video coding efficiency, the improvement in performance comes at substantially higher computational complexity as a result of more complicated mode decision. To reduce the complexity of H.264 encoding, various fast mode decision algorithms have been proposed. Many of these algorithms take advantage of motion and video content classification so as to reduce the number of modes tried during mode decision. When used for video sequences with high motion or detailed visual information, video coding e±ciency can be significantly compromised as a result of imperfect classification. In this paper, an efficient Probability Based Macroblock Mode Selection (PBMMS) algorithm is proposed. Each MB is predicted to different probability MB based on spatial and special correlation, which then leads to 50-60% computation savings and some compression performance improvements over existing H.264 fast mode decision algorithms.