Fundamental Limits of Covert Bit Insertion in Packets

10/08/2018 ∙ by Ramin Soltani, et al. ∙ University of Massachusetts Amherst

Covert communication is necessary when revealing the mere existence of a message leaks sensitive information to an attacker. Consider a network link where an authorized transmitter Jack sends packets to an authorized receiver Steve, and the packets visit Alice, Willie, and Bob, respectively, before they reach Steve. Covert transmitter Alice wishes to alter the packet stream in some way to send information to covert receiver Bob without watchful and capable adversary Willie being able to detect the presence of the message. In our previous works, we addressed two techniques for such covert transmission from Alice to Bob: packet insertion and packet timing. In this paper, we consider covert communication via bit insertion in packets with available space (e.g., with size less than the maximum transmission unit). We consider three scenarios: 1) packet sizes are independent and identically distributed (i.i.d.) with a probability mass function (pmf) whose support is a set of one bit spaced values; 2) packet sizes are i.i.d. with a pmf whose support is arbitrary; 3) packet sizes may be dependent. For the first and second assumptions, we show that Alice can covertly insert O(√(n)) bits of information in a flow of n packets; conversely, if she inserts ω(√(n)) bits of information, Willie can detect her with arbitrarily small error probability. For the third assumption, we prove Alice can covertly insert on average O(c(n)/√(n)) bits in a sequence of n packets, where c(n) is the average number of conditional pmf of packet sizes given the history, with a support of at least size two.

I Introduction

With the rapid growth of communication systems and the Internet, security and privacy have emerged as critical concerns [1, 2, 3, 4, 5, 6]. Protecting the content of messages through encryption [7] or information-theoretic methods [8] forms the majority of the research on security. However, in many scenarios, the security is achieved by hiding not only the message but also the existence of the message. In other words, if the existence of the message is revealed, it can leak sensitive information to the adversary [9] or cause threats to users. Such scenarios include a situation where people do not have the freedom to communicate, military applications, and protecting location privacy of mobile users. Covert communication provides the solution in such scenarios by hiding the existence of the communication.

Although spread spectrum [10] and steganography [11, 12, 13] have been studied broadly [14], only recently have the fundamental limits of covert communication over noisy continuous-valued channels been studied. Bash et al. [15, 16] showed that the number of bits that can be transmitted covertly and reliably on an additive white Gaussian noise (AWGN) channel is on the order of the square root of the number of channel uses. The work of Bash et al. motivated a significant body of work [17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29], much of which is focused on models appropriate for point-to-point wireless communication channels.

Fig. 1: System configuration: Authorized user Jack sends packets through the network to authorized user Steve. Alice adds her information to packets transmitted by Jack to communicate covertly with Bob without detection by the (adversary) warden Willie. Bob removes Alice’s inserted bits from the packets. In each packet, the blue part shows the information added by Alice and the green part shows Jack’s information.

This paper focuses on the covert transmission of information on a network link. Consider a link where an authorized user (Jack) transmits a packet stream of length to an authorized receiver (Steve). The link is watched by an authority, warden Willie, who seeks to detect whether anybody other than the authorized users Jack and Steve might be using the link. Indeed, a covert transmitter Alice might attempt to transmit information reliably and covertly to a covert receiver Bob. After originating at Jack, the packet stream visits Alice, Willie, Bob, and Steve, respectively, as shown in Fig. 1. In [23, 24], we presented two techniques for covert communication between Alice and Bob for the case that Jack’s packet timings are governed by a Poisson process [23] or a renewal process [24]. If Willie can verify the sources of the packets, then Alice can transmit bits to Bob via timing if the timing channel between Alice and Bob has non-zero capacity. If the timing channel between Alice and Bob has zero capacity and Willie cannot authenticate packet senders, Alice can transmit bits to Bob via packet insertion.

In this paper, we turn our attention to a third technique for covert communication between Alice and Bob: employing the space in the payload of the packets. In [30], Handel et al. propose information embedding in the two least significant bits of packet headers as well as the time stamp. Rowland et al. [31] proposed information embedding in the TCP/IP header fields such as the IP identification field, the initial sequence number field, and the TCP acknowledge sequence number field. Furthermore, there is a significant body of work related to embedding information in the header of the packets [32, 33, 34, 35]. Here, we do not alter the original information in the payload of the packets, insert new packets, or employ timing channels. Rather, we consider adding extra information to the payload of the packets when packet sizes are variable without an adversary noticing a change in the packet length distribution. To the best of our knowledge, no previous work offers theoretical guarantees on the trade-off between the efficiency of bit insertion in payloads (number of inserted bits) and covertness.

We consider a setting similar to those of [23, 24]. Consider a network link where an authorized transmitter (Jack) sends a flow of packets to an authorized receiver (Steve). Alice wishes to employ the available (unused) space in the packets to insert her information to communicate covertly with Bob, in the presence of the network warden, Willie, who is observing the sizes and timings of the packets transmitted by Alice to detect such transmissions (see Fig. 1). Alice can use one bit of the header (as motivated by [32, 33, 34, 35, 31, 30]), which we refer to as “flag bit”, and the available space in the packets. Willie cannot modify packets. He knows the joint probability mass function (pmf) of the packet sizes of the stream transmitted by Jack, so he seeks to apply hypothesis testing to verify whether the packet process has the proper characteristics. First we consider Assumption 1, i.e., packet sizes are i.i.d. with a pmf whose support is a set of one bit spaced values across an interval , and we show that Alice can insert bits in the packet stream to communicate with Bob while lower bounding Willie’s error probability by for any (see Theorem 1). Conversely, we prove that if Alice inserts bits in the sequence of packets, Willie will detect her with arbitrarily small error probability.

To establish the result, we employ the following construction. Alice generates a secret key of length and shares it with Bob before the communication. The key indicates the location of the packets to be selected by Alice for a possible bit insertion. If the selected packet has available space, i.e., its size satisfies , where is the number of possible sizes implied by , then Alice adds bits to the packet and changes the flag bit to one; otherwise, she only changes the flag bit to zero. On the other side, Bob extracts Alice’s information using the shared key and the flag bits. We extend our results to the case where the possible packet sizes are spaced arbitrarily (Assumption 2), and the case where packet sizes may be dependent (Assumption 3).

The remainder of the paper is organized as follows. We present the system model and the metrics in Section II. Then, we present construction and analysis for Assumptions 1, 2, and 3 in Sections III, IV, and V, respectively. In Section VII we present the future work. Finally, we discuss the assumptions and results in Section VI, and we conclude in Section VIII.

II System Model and Metrics

II-A System Model

Suppose that Jack transmits a sequence of packets to Steve on a network link, and Alice wishes to add her information to the packets on the link to communicate with Bob without being detected by adversary Willie. Alice is allowed to use a bit from the header (e.g., least significant bit) which we refer to as a “flag bit” and the available space in the payload of each packet. She generates a secret key of length bits and shares it with Bob before insertion. The key indicates the packets that will possibly be manipulated by Alice. Willie knows the joint pmf of the packet sizes and Alice’s bit insertion scheme but not the key. He cannot observe the content of the packets, but he observes the sizes of the packets coming from Alice and attempts to detect Alice’s transmission (see Fig. 1). Willie cannot observe the contents of the packets or modify them. We consider the following assumptions:

  • Assumption 1: The packet sizes are independent and identically distributed (i.i.d.) with pmf whose support is a set of one bit spaced values across an interval , and the number of packets sizes is at least two, i.e.,

    where denotes cardinality of a set.

  • Assumption 2: The packet sizes are i.i.d. and with pmf with an arbitrary support, and the number of packet sizes is at least two.

  • Assumption 3: The packet sizes might be dependent with joint pmf .

For the case of i.i.d. packet sizes (Assumptions 1 and 2), we denote the mean and the variance of packet sizes by and , respectively, where . We assume that Alice, Willie, and Bob know the pmf of the packet sizes.

II-B Hypothesis Testing

Willie is faced with two hypotheses:

  • : Alice does not insert her own bits (null hypothesis)

  • : Alice inserts her own bits (alternative hypothesis)

He applies a binary hypothesis test to decide between and . Denote by and the distributions that Willie observes under and , respectively. Willie’s detection is associated with two errors:

  • : probability of detecting when is true (type I error or false alarm)

  • : probability of detecting when is true (type II error or missed detection)

We assume and that Willie seeks to minimize his probability of error

Our results are readily extended to the case where since minimizing is applicable when  [27].

II-C Covertness

Alice’s transmission is covert if and only if she can achieve for any  [16], which means Willie’s detector operates as close as desired to a random detector. In this paper, we use standard Big-O, little-omega, and Big-Theta notations [36, Ch. 3].

III Assumption 1: Packet sizes are i.i.d. with a pmf whose support is a set of one bit spaced values

In this section, we assume that packet sizes are i.i.d. with pmf whose support is a set of one bit spaced values across an interval , and it allows at least two packet sizes. We determine the total number of bits that Alice can insert in the packets.

Theorem 1.

If packet sizes are i.i.d. with a pmf whose support is a set of one bit spaced values, and there are at least two possible packet sizes, Alice can covertly insert bits in a sequence of packets transmitted by Jack. Conversely, if Alice inserts bits in a sequence of packets, Willie can detect her with arbitrarily small error probability .

Proof.

(Achievability) Denote by the size of the support of , i.e., the number of possible packet sizes. The construction and analysis for the case of odd follows from those of even with minor modifications. In particular, when is odd, Alice and Bob disregard all packets of a specific size (e.g., smaller packet size). We consider even in this proof.

Construction: Let . Alice generates a secret key of length , to which Willie does not have access. In particular, she first generates an i.i.d. bit sequence of length in which each bit is one with probability

(1)

where

(2)
(3)

The locations of the ones indicate the packets that will be selected by Alice for a possible bit insertion. Hence, the key contains addresses of maximum length for a possible bit insertion.

Alice shares the key with Bob. The key indicates which packets in the stream of length packets from Jack have been selected by Alice for a possible bit insertion. If the size of the selected packet satisfies , then Alice inserts bits to the end of the payload of the packet and sets the flag bit of the packet to one; otherwise, she only changes the flag bit to zero indicating that the packet did not have available space.

Bob, who has access to the key and the flag bits finds out which packets contain Alice’s bits. Therefore, he extracts and removes the last bits of those packets.

Analysis: (Covertness) If Willie applies hypothesis test, then [16]

(4)

where and are the joint pmf of the packet sizes when and are true, respectively, and is the relative entropy between and . Next, we show that Alice can upper bound by , and thus lower bound Willie’s error probability, , by , for arbitrary . Recall that packet sizes are i.i.d. with pmf . Since the locations of the ones in the bit sequence are uniformly distributed, and thus Alice selects each packet for insertion independently, the distribution of the packet sizes remains i.i.d. after Alice’s manipulation. Denote by the pmf of the packet sizes after Alice inserts information in them. Observe:

(5)
(6)

From the chain rule for relative entropy [37, Eq.(2.67)]:

(7)

Next, we calculate . Note that from Willie’s perspective, the probability that a packet is selected by Alice for a possible insertion is . Observe:

(8)

Therefore,

(9)

Consider the first term on the right hand side (RHS) of (9). By (8):

(10)

where denotes the cumulative distribution function (CDF) of packet sizes, and the last step is true since following from (2).

Consider the second term on the RHS of (9). Substituting from (8) yields:

(11)

where follows from (3), and follows from (2). By (9), (10), and (11),

(12)

where is true since for , and the last step follows from substituting the value of given in (1). By (4), (7), (III) , and thus Alice’s insertion is covert.

(Number of bits) The total number of inserted bits in the stream of packets transmitted by Jack is

where is the number of bits inserted in the packet from Jack. Recall that the key is generated independent of the packet stream. Therefore, Alice inserts bits in a packet if two independent events occur, the key selects the packet (with probability ) and the size of the packet satisfies (with probability ). Let . Observe:

Note that s are i.i.d. since the locations of ones in the key are i.i.d. The law of large numbers yields:

(13)

Since (given in (1)),

(14)

Hence, Alice can insert bits in a sequence of packets from Jack.

(Converse) Willie uses a detector that is sufficient to limit Alice’s bit insertion in the packets across all potential schemes. Suppose that Willie observes a packet sequence of length and wishes to detect whether Alice inserts information in the packets or not. Since he knows that packet sizes are i.i.d. with pmf , he knows the expected size of packets. Recall that the mean and variance of packet sizes are and , respectively. Hence, he calculates the average size of packets and performs a hypothesis test by setting a threshold :

(15)

Consider

where the last step follows from Chebyshev’s inequality. Since , if Willie sets , he can achieve arbitrarily small probability of false alarm, i.e.,

(16)

for arbitrary .

Next, we will show that if Alice inserts total number of bits, Willie can achieve arbitrarily small probability of missed detection as well, i.e., for arbitrary . Assume Alice inserts bits of information. Therefore,

Since , if , for large enough , , and thus the WLLN yields

Therefore, if Alice inserts total number of bits, Willie can achieve for any . Combined with (16), if Alice inserts bits, Willie can choose a to achieve any (small) and desired. ∎
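The following simulation is an added example, not code from the paper: it runs the key-and-flag-bit construction of Theorem 1 against Willie's mean-size threshold detector from the converse, and evaluates the Pinsker-based bound of [16], P_e ≥ 1/2 − √(D/8). Assumptions, since the page does not reproduce Eqs. (1)-(4) and (15): a uniform pmf on 8 one-bit-spaced sizes starting at 400 bits, an insertion of K/2 bits into packets whose size lies in the lower half of the support, a selection probability q chosen by the caller, and the Chebyshev threshold σ/√(nα).

```python
import math
import random

LO, K = 400, 8        # constructed support: sizes LO .. LO+K-1 bits, K even
SHIFT = K // 2        # assumed insertion amount: lower-half sizes map to the upper half
P0 = [1.0 / K] * K    # constructed cover pmf (uniform), known to Willie

def pmf_after_insertion(p0, q):
    """Per-packet size pmf Willie observes under H1 when the key selects w.p. q."""
    half = len(p0) // 2
    lower = [p * (1 - q) for p in p0[:half]]
    upper = [p0[half + i] + q * p0[i] for i in range(half)]
    return lower + upper

def kl(p, r):
    """Relative entropy D(p || r) in nats."""
    return sum(a * math.log(a / b) for a, b in zip(p, r) if a > 0)

def error_lower_bound(p0, q, n):
    """Pinsker-based lower bound on Willie's error probability for n i.i.d. packets."""
    d = n * kl(pmf_after_insertion(p0, q), p0)   # i.i.d. sizes: relative entropy adds up
    return max(0.0, 0.5 - math.sqrt(d / 8))

def alice_insert(sizes, q, rng):
    """Key bit = 1 w.p. q; a selected packet with room grows by SHIFT and gets flag 1."""
    key, flags, out = [], [], []
    for s in sizes:
        selected = rng.random() < q
        fits = s < LO + SHIFT
        key.append(selected)
        flags.append(1 if selected and fits else 0)   # unselected flags set to 0 here
        out.append(s + SHIFT if selected and fits else s)
    return out, key, flags

def bob_recover(sizes, key, flags):
    """Bob uses the shared key and the flag bits to restore Jack's original sizes."""
    return [s - SHIFT if k and f else s for s, k, f in zip(sizes, key, flags)]

def willie_detects(sizes, alpha=0.05):
    """Mean-size test: alarm if the sample mean exceeds mu by the Chebyshev threshold."""
    n = len(sizes)
    mu = sum((LO + i) * p for i, p in enumerate(P0))
    var = sum((LO + i - mu) ** 2 * p for i, p in enumerate(P0))
    threshold = math.sqrt(var / (n * alpha))   # false-alarm probability <= alpha
    return sum(sizes) / n - mu >= threshold

def run_trial(n, q, seed=1):
    rng = random.Random(seed)                  # fixed seed: reproducible constructed traffic
    jack = [LO + rng.randrange(K) for _ in range(n)]
    sent, key, flags = alice_insert(jack, q, rng)
    return {
        "inserted_bits": SHIFT * sum(flags),
        "bob_ok": bob_recover(sent, key, flags) == jack,
        "alarm_h0": willie_detects(jack),
        "alarm_h1": willie_detects(sent),
        "pe_bound": error_lower_bound(P0, q, n),
    }

if __name__ == "__main__":
    n = 40000
    print("q = 0.5/sqrt(n):", run_trial(n, 0.5 / math.sqrt(n)))
    print("q = n^(-1/4):   ", run_trial(n, n ** -0.25))
```

With q proportional to 1/√n the mean shift stays inside the detector's threshold and the bound on Willie's error stays near 1/2; with q = n^(-1/4) the shift grows faster than the threshold shrinks and the alarm fires.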

IV Assumption 2: Packet sizes are i.i.d. with a pmf whose support is general

In this section, we assume that packet sizes are i.i.d. with pmf whose support is , with . We determine the total number of bits that Alice can insert in the packets.

Theorem 2.

If packet sizes are i.i.d. with pmf that allows possible sizes, Alice can covertly insert bits in a sequence of packets transmitted by Jack. Conversely, if Alice inserts bits in a sequence of packets, Willie can detect her with arbitrarily small error probability .

Proof.

The construction and analysis follow from those of Theorem 1 with minor modifications. Alice generates a secret key of length and shares it with Bob. According to the key, Alice selects packets for insertion. Let be the size of the packet selected by Alice according to the key. Since the proof for odd follows from that of the even case by disregarding one possible packet size, here we assume is even. If , then Alice adds bits to the end of the payload of the packet so that the size of the packet will be , and she sets the flag bit to one; else, she only changes the flag bit to zero. Note that in this case, since , Alice adds at least bits to each packet, which is lower bounded by that of Theorem 1. Bob employs the key and the flag bits to extract and remove Alice’s bits from the packets. ∎

V Assumption 3: Dependent Packet Sizes

In this section, we assume that packet sizes may be dependent. We determine the total number of bits that Alice can insert in the packets.

Theorem 3.

If the packet sizes are dependent, Alice can covertly insert on average bits in a sequence of packets transmitted by Jack, where is the average number of conditional pmfs of packet sizes, s, that have a support of minimum size two, i.e.,

(17)

where denotes the indicator function, and is the size of the support of .

Proof.

(Achievability)

Construction: The construction is similar to that of Theorem 1 except that the number of bits that Alice adds to the packet from Jack depends on . If is odd, Alice and Bob disregard packets with the smallest possible size. Alice generates a secret key of length indicating which packets in the stream of length transmitted by Jack are to be selected by Alice for a possible bit insertion. She shares the key with Bob; however, Willie does not have access to it. To generate the key, she first generates an i.i.d. bit sequence of length in which each bit is one with probability

(18)

where

(19)
(20)

is the set of all possible sizes for the for all possible instantiations of sizes of packets. The locations of the ones indicate the packets that will be selected by Alice for a possible bit insertion.

If the key indicates that the packet has to be selected by Alice for a possible bit insertion, is the support of , and is the size of the packet from Jack, then Alice adds bits to the end of the payload of the packet so that the size of the packet will be , and she sets the flag bit to one; else, she only changes the flag bit to zero.

Bob, who has access to the key and the flag bits finds out which packets contain Alice’s bits. Therefore, he extracts and removes the last bits of those packets.

Analysis: (Covertness) Observe:

(21)
(22)

From the chain rule for relative entropy [37, Eq.(2.67)]:

(23)

Similar to the arguments leading to (8), we can show that if , then (18) yields:

(24)

By (4), (23), (24), , and thus Alice’s bit insertion is covert.

(Number of bits) Recall that is the size of the support of , and if the key selects the packet for a possible insertion by Alice. Alice inserts bits in the packet from Jack if two independent events occur, and . Thus, the total number of bits that Alice inserts is

where the last step is true since if , then . In other words, if Alice inserts bits in a packet, she inserts at least one bit in it. Consequently,

(25)

where is true since is independent of and . Because , Alice can insert on average bits in a sequence of packets from Jack. ∎

VI Discussion

VI-A Use of Other Techniques for Covert Communication

In this paper, we allowed Alice to hold packets to add additional bits of information to their payloads. This may allow her to release the packets at specific times to embed information in the inter-packet delays and establish a timing channel which results in a higher throughput [23, 24, 25]. However, this paper only focuses on establishing a covert communication via insertion of bits in packets, and everything else that Alice does besides this, such as timing channel and packet insertion [23, 24], is orthogonal to this work. Furthermore, Alice cannot alter the information in Jack’s packets to embed her information since if she does so, Steve may realize this and punish her.

VI-B Assumption of variable packet lengths

Our analysis and results relied on the assumption that the packet sizes are variable so Alice can insert her information in the payloads of the packets and increase the packet sizes. Although in some scenarios the packet sizes are almost deterministic [38, Section III.A], there are many scenarios with variable packet lengths [39, 40, 41] where a covert channel may be established by embedding information in the packet sizes [38, 42, 43, 44, 45]. Besides, audio and video streaming applications with variable bit rate codecs (e.g., Skype) also might involve the transmission of variable packet sizes.

VI-C Recovering the original size of the packets

In this paper, the mapping between the old sizes of the packets and new sizes of the packets is such that Bob can easily find the original size of each packet if it has information from Alice. Since he also knows that the bits are added to the end of the payload, he can extract Alice’s bits. Considering Assumption 1, we discuss an alternative mapping: if the key selects a packet for a possible bit insertion by Alice, then Alice uses all of the available space in the packet. Since the mapping does not preserve the original sizes of the manipulated packets, Alice has to allocate some of the added bits to indicate the original size of the packets. We can show that we achieve similar order results for Theorems 1, 2, and 3.

VI-D Alternative uses of key

We assumed that Alice and Bob share a secret key that is unknown to Willie, and that Alice can use a flag bit in the header of each packet to indicate if she inserted any bits in a packet that is selected by the key. Here we discuss two alternative schemes. In the first scheme, Alice generates a key of size and shares it with Bob. If she inserts bits in a packet, she inserts the key in the packet. Bob finds the packets in which the key exists and extracts Alice’s information. Because the key can appear in the payload randomly without Alice inserting it, one has to analyze the probability of such an error for Bob.

In the second scheme, instead of using a fixed key for each packet, Alice employs non-deterministic encryption to create a long secret key, then she slices it into pieces and inserts each piece in each packet that has Alice’s bits. In this case, the size of the key grows as grows and it is efficient only in a model where the size of the packets scales as some function of .

VI-E Covertness of flag bits

Since Willie cannot see the content of the packets, he cannot see the flag bits. We consider Assumption 1 and we show that even if he observes the flag bits, Alice’s bit insertion is covert. We assume that if Alice does not insert bits, the flag bits are i.i.d. instantiations of a Bernoulli random variable with parameter . Let and be the joint pmf of packet sizes and flag bits under and , respectively. If Willie applies hypothesis test, then [16]

(26)

where

and and are the joint pmf of packet size and flag bit under and , respectively. From the chain rule for relative entropy [37, Eq.(2.67)]:

(27)

Recall that the pmf of packet sizes under and are and , respectively. Since the size of a packet is independent of its flag bit when is true, , where is a Bernoulli pmf of parameter . Let be the conditional pmf of the flag bits given the size of the packet under . The chain rule of relative entropy yields . Combined with (27):

(28)

Consider the first term on the RHS of (28). Similar to the arguments leading to (III), we can show that . Thus,

(29)

Next, we derive and upper bound the RHS of (28). Similar to the analysis of Theorem 1, we assume that the number of possible sizes for each packet () is odd, as the analysis for even follows from it readily. By (8) and the Bayes’ rule, we can show that for ,

(30)

and for ,

(31)

Consider the second term on the RHS of (28). Observe:

(32)

Note that the second summation on the RHS of (32) is only over because for , (30) implies that is . We show in Appendix that

(33)

Consequently, (32) yields:

(34)

where the last step is true since the summation in (34) is the probability that the packet size satisfies under . Substituting the value of from (1) and (34) yield:

(35)

where the last step follows from (2). By (26), (28), (29), and (35), for all as , and thus Alice’s insertion is covert, even if Willie observes the flag bits.

VI-F Avoiding the use of flag bits

The use of flag bits [32, 33, 34, 35, 31, 30] is possible in various protocols where random-looking fields in the headers are generated (e.g., initial sequence numbers (ISN) in TCP, and IPID in IP). Considering Assumption 1, we discuss two alternative schemes where Alice and Bob do not use the flag bits. In the first scheme, if the key selects a packet, and the size of the selected packet satisfies , then Alice inserts bits to the end of the payload of the packet; otherwise, she removes and stores bits from the payload of the packet, and for bit insertion, she gives the highest priority to the oldest of Jack’s bits in her buffer. She continues this until she transmits Jack’s last packet. Note that the mapping is one to one and thus Bob can find the original size of each packet and extract Alice’s bits. We can show that if the pmf of the packet sizes satisfies some conditions, with high probability Alice can transmit all Jack’s bits from her buffer as well as bits of her own. The packet stream transmitted by Bob has all Jack’s bits, but if Jack transmits the bit in the packet, the bit is not necessarily in the packet transmitted by Bob.

In the second scheme, Alice uses dummy bits. Assume Alice observes a packet that is selected by the key and that the size of the packet is . Alice chooses an integer , where . If , Alice adds of her bits to the end of the packet. If , she adds dummy packets. Assume Bob observes a packet that is selected by the key and the size of the packet is . If , he extracts bits from the end of the packet. The reason that Alice has to insert dummy bits in the packets of size is that the new size will be so Bob will have uncertainty about whether they contain bits from Alice or since they did not have enough space Alice did not insert any bits in them. Note that Bob cannot remove the dummy bits so that Steve will suffer from dummy bits in some packets of size . Alternatively, Alice can add of her own bits to a packet of size , and one dummy bit to a packet of size . In this case, only some of the packets of maximum size will have dummy bits; however, since the mapping between the old and new size does not preserve the old size, some of the inserted bits have to be used to indicate the original size of the packets.

VII Future Work

In future work, we will assume that Willie can see the contents of the packets so he can employ entropy attacks to detect Alice’s bit insertion, i.e., if he knows the order of the entropy of Jack’s bits, he can verify that to restrict Alice’s bit insertion. Therefore, Alice has to employ a coding that generates bits whose entropy is close to that of Jack’s bits. Even if Alice does not employ such a scheme, since Alice only manipulates packets, the conjecture is that the change of the entropy of the bits is covert and Alice can still insert bits when the packet sizes are i.i.d. We will verify this conjecture in future work. Furthermore, we will consider the compression of Jack’s bits to achieve more space available in the packets for Alice’s bit insertion.

VIII Conclusion

In this paper, we presented the fundamental limits of a third technique for the transmission of covert information on network links, covert insertion of bits in the payload of packets with available space, where the first and second schemes were packet insertion and timing channel presented in [23, 24]. In a network link where an authorized transmitter Jack sends a flow of packets intended for Steve, and the flow visits Alice (covert transmitter), Willie (network warden), Bob (covert receiver), and Steve (intended receiver), respectively, we have established that if the packet sizes are i.i.d. with a probability mass function whose support allows at least two possible packet sizes, Alice can insert bits in the packets of the flow while lower bounding Willie’s error probability by for all . Furthermore, we showed that if Alice inserts bits, Willie will detect her with an arbitrarily small error probability . For the case of dependent packet sizes, we showed that the average number of bits that Alice can insert in a stream of packets from Jack is , where is the average number of conditional pmfs of packet sizes given the history with support of minimum size two.

By (31),

(36)

where , and the last step is true since , , and . Note that . By (3), . Combined with (36), the proof is complete.

References

  • [1] R. K. Nichols, P. Lekkas, and P. C. Lekkas, Wireless security. McGraw-Hill Professional Publishing, 2001.
  • [2] N. Takbiri, R. Soltani, D. L. Goeckel, A. Houmansadr, and H. Pishro-Nik, “Asymptotic loss in privacy due to dependency in gaussian traces,” arXiv preprint arXiv:1809.10289, 2018.
  • [3] N. Takbiri, A. Houmansadr, D. L. Goeckel, and H. Pishro-Nik, “Matching anonymized and obfuscated time series to users’ profiles,” IEEE Transactions on Information Theory, accepted for publication, 2018, Available at https://arxiv.org/abs/1710.00197.
  • [4] M. Hadian, X. Liang, T. Altuwaiyan, and M. M. Mahmoud, “Privacy-preserving mhealth data release with pattern consistency,” in Global Communications Conference (GLOBECOM), 2016 IEEE, pp. 1–6, IEEE, 2016.
  • [5] M. Hadian, T. Altuwaiyan, X. Liang, and W. Li, “Privacy-preserving voice-based search over mhealth data,” Smart Health, 2018.
  • [6] N. Takbiri, A. Houmansadr, D. L. Goeckel, and H. Pishro-Nik, “Privacy against statistical matching: Inter-user correlation,” in International Symposium on Information Theory (ISIT), (Vail, Colorado, USA), 2018.
  • [7] J. Talbot and D. Welsh, Complexity and Cryptography: An Introduction. Cambridge University Press, 2006.
  • [8] M. Bloch and J. Barros, Physical-Layer Security. Cambridge, UK: Cambridge University Press, 2011.
  • [9] “Edward Snowden: Leaks that exposed US spy programme.” http://www.bbc.com/news/world-us-canada-23123964, Jan 2014.
  • [10] M. K. Simon, J. K. Omura, R. A. Scholtz, and B. K. Levitt, Spread Spectrum Communications Handbook. McGraw-Hill, 1994.
  • [11] A. D. Ker, “Batch steganography and pooled steganalysis,” vol. 4437 of Lecture Notes in Computer Science, pp. 265–281, Springer Berlin Heidelberg, 2007.
  • [12] A. D. Ker, “The square root law requires a linear key,” in Proceedings of the 11th ACM workshop on Multimedia and security, pp. 85–92, ACM, 2009.
  • [13] T. Filler, A. D. Ker, and J. Fridrich, “The square root law of steganographic capacity for markov covers,” in Media Forensics and Security, vol. 7254, p. 725408, International Society for Optics and Photonics, 2009.
  • [14] F. A. Petitcolas, R. J. Anderson, and M. G. Kuhn, “Information hiding-a survey,” Proceedings of the IEEE, vol. 87, no. 7, pp. 1062–1078, 1999.
  • [15] B. Bash, D. Goeckel, and D. Towsley, “Square root law for communication with low probability of detection on AWGN channels,” in Information Theory Proceedings (ISIT), 2012 IEEE International Symposium on, pp. 448–452, July 2012.
  • [16] B. Bash, D. Goeckel, and D. Towsley, “Limits of reliable communication with low probability of detection on AWGN channels,” Selected Areas in Communications, IEEE Journal on, vol. 31, pp. 1921–1930, September 2013.
  • [17] P. H. Che, M. Bakshi, and S. Jaggi, “Reliable deniable communication: Hiding messages in noise,” in Information Theory Proceedings (ISIT), 2013 IEEE International Symposium on, pp. 2945–2949, July 2013.
  • [18] B. Bash, S. Guha, D. Goeckel, and D. Towsley, “Quantum noise limited optical communication with low probability of detection,” in Information Theory Proceedings (ISIT), 2013 IEEE International Symposium on, pp. 1715–1719, July 2013.
  • [19] B. A. Bash, D. Goeckel, and D. Towsley, “LPD Communication when the Warden Does Not Know When,” in Information Theory Proceedings (ISIT), 2014 IEEE International Symposium on.
  • [20] B. A. Bash, D. Goeckel, D. Towsley, and S. Guha, “Hiding information in noise: Fundamental limits of covert wireless communication,” IEEE Communications Magazine, vol. 53, no. 12, pp. 26–31, 2015.
  • [21] M. R. Bloch, “Covert communication over noisy channels: A resolvability perspective,” IEEE Transactions on Information Theory, vol. 62, no. 5, pp. 2334–2354, 2016.
  • [22] R. Soltani, B. Bash, D. Goeckel, S. Guha, and D. Towsley, “Covert single-hop communication in a wireless network with distributed artificial noise generation,” in Communication, Control, and Computing (Allerton), 2014 52nd Annual Allerton Conference on, pp. 1078–1085, IEEE, 2014.
  • [23] R. Soltani, D. Goeckel, D. Towsley, and A. Houmansadr, “Covert communications on Poisson packet channels,” in 2015 53rd Annual Allerton Conference on Communication, Control, and Computing (Allerton), pp. 1046–1052, IEEE, 2015.
  • [24] R. Soltani, D. Goeckel, D. Towsley, and A. Houmansadr, “Covert communications on renewal packet channels,” in 2016 54th Annual Allerton Conference on Communication, Control, and Computing (Allerton), IEEE, 2016.
  • [25] R. Soltani, D. Goeckel, D. Towsley, and A. Houmansadr, “Towards provably invisible network flow fingerprints,” in 2017 51st Asilomar Conference on Signals, Systems, and Computers, pp. 258–262, Oct 2017.
  • [26] R. Soltani, D. Goeckel, D. Towsley, B. Bash, and S. Guha, “Covert wireless communication with artificial noise generation,” IEEE Transactions on Wireless Communications, pp. 1–1, 2018.
  • [27] R. Soltani, D. Goeckel, D. Towsley, and A. Houmansadr, “Fundamental limits of invisible flow fingerprinting,” arXiv preprint arXiv:1809.08514, 2018.
  • [28] M. Tahmasbi and M. R. Bloch, “First and second order asymptotics in covert communication with pulse-position modulation,” arXiv preprint arXiv:1703.01362, 2017.
  • [29] K. S. K. Arumugam and M. R. Bloch, “Embedding covert information in broadcast communications,” arXiv preprint arXiv:1808.09556, 2018.
  • [30] T. G. Handel and M. T. Sandford, “Hiding data in the OSI network model,” in International Workshop on Information Hiding, pp. 23–38, Springer, 1996.
  • [31] C. H. Rowland, “Covert channels in the TCP/IP protocol suite,” First Monday, vol. 2, no. 5, 1997.
  • [32] G. Fisk, M. Fisk, C. Papadopoulos, and J. Neil, “Eliminating steganography in internet traffic with active wardens,” in International Workshop on Information Hiding, pp. 18–35, Springer, 2002.
  • [33] K. Ahsan and D. Kundur, “Practical data hiding in TCP/IP,” in Proc. Workshop on Multimedia Security at ACM Multimedia, vol. 2, 2002.
  • [34] M. K. Shah and S. B. Patel, “Network based packet watermarking using TCP/IP protocol suite,” in Engineering (NUiCONE), 2011 Nirma University International Conference on, pp. 1–5, IEEE, 2011.
  • [35] E. Cauich, R. G. Cárdenas, and R. Watanabe, “Data hiding in identification and offset IP fields,” in International Symposium and School on Advanced Distributed Systems, pp. 118–125, Springer, 2005.
  • [36] T. H. Cormen, Introduction to algorithms. MIT press, 2009.
  • [37] T. M. Cover and J. A. Thomas, Elements of information theory. John Wiley & Sons, 2012.
  • [38] L. Zhang, G. Liu, and Y. Dai, “Network packet length covert channel based on empirical distribution function,” Journal of networks, vol. 9, no. 6, p. 1440, 2014.
  • [39] E. Garsva, N. Paulauskas, and G. Grazulevicius, “Packet size distribution tendencies in computer network flows,” in Electrical, Electronic and Information Sciences (eStream), 2015 Open Conference of, pp. 1–6, IEEE, 2015.
  • [40] J. Färber, “Network game traffic modelling,” in Proceedings of the 1st workshop on Network and system support for games, pp. 53–57, ACM, 2002.
  • [41] P. Salvador, A. Pacheco, and R. Valadas, “Modeling IP traffic: joint characterization of packet arrivals and packet sizes using BMAPs,” Computer Networks, vol. 44, no. 3, pp. 335–352, 2004.
  • [42] Q.-z. Yao and P. Zhang, “Coverting channel based on packet length,” Computer engineering, vol. 34, no. 3, pp. 183–185, 2008.
  • [43] L. Ji, W. Jiang, B. Dai, and X. Niu, “A novel covert channel based on length of messages,” in Information Engineering and Electronic Commerce, 2009. IEEC’09. International Symposium on, pp. 551–554, IEEE, 2009.
  • [44] A. S. Nair, A. Kumar, A. Sur, and S. Nandi, “Length based network steganography using UDP protocol,” in Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on, pp. 726–730, IEEE, 2011.
  • [45] L. Ji, H. Liang, Y. Song, and X. Niu, “A normal-traffic network covert channel,” in Computational Intelligence and Security, 2009. CIS’09. International Conference on, vol. 1, pp. 499–503, IEEE, 2009.