PhD Thesis Defense: Amir Reza Ramtin, Statistical Analysis of Covert Cybersecurity Activities: Scaling Laws and Detection Methodologies
Speaker: Amir Reza Ramtin
Abstract:
Covert activity is a central problem in modern cybersecurity because, in many settings, the mere detection of an action can be as damaging as the disclosure of its content. This dissertation studies the fundamental limits of such activity across communication, network attack, and sequential detection settings. The unifying challenge across these domains is the mathematics of hiding in plain sight: determining how much information can be transmitted, how much traffic can be injected, or how long an adversarial process can persist while remaining statistically indistinguishable from normal behavior.
The first part of this dissertation investigates covert communication in wireless environments with fading and jamming. In both settings, Alice seeks to communicate reliably with Bob while preventing Willie (the warden) from reliably detecting whether a transmission has occurred. For block fading channels, this part extends the classical square-root law by characterizing how the number of covert bits scales with the codeword length and the fading block structure. It then studies covert communication in the presence of an uninformed jammer whose power is constant within each block and varies independently across blocks, capturing intermediate temporal correlation in the interference. This structure leads to distinct detection regimes: when the block size is fixed, the classical square-root law remains the governing limit; when both the block size and the number of blocks grow with the codeword length, Willie’s detector is either dominated by random fluctuations or shaped by averaging over long blocks. These regimes result in different covert throughput scaling laws, showing that the temporal structure of jamming fundamentally shapes covert throughput.
The second part turns from communication to covert Distributed Denial-of-Service (DDoS) attacks. Here the central question is how much aggregate attack traffic can be injected by a distributed adversary without being detected by statistical tests at the network edge. This part models DDoS traffic as a volume-based disturbance hidden within normal traffic generated by many devices, including compromised hosts in home or IoT networks. For Gaussian-mixture and multivariate Gaussian settings, the analysis establishes strict square-root scaling laws for the maximum covert traffic. However, examining exponential distributions reveals a high sensitivity to the assumed traffic model, demonstrating that covert throughput ultimately diverges from the classical square-root limit.
The third part studies covert adversaries in sequential detection problems. It first considers stationary pre-change and post-change distributions, where a detector seeks to identify a distributional change as quickly as possible while maintaining a prescribed average time to false alarm. In this setting, the adversary is covert if the average detection delay grows asymptotically at the same rate as the false-alarm constraint, so that detection is delayed to the same order as false alarms. The analysis assumes that the adversary knows the false-alarm constraint and can tune its statistical parameters accordingly, and focuses on the Shewhart test and the Cumulative Sum (CuSum) procedure. This part then extends the analysis to non-stationary adversaries, where the post-change distribution evolves over time and the adversary does not know the detector’s false-alarm constraint. This more restrictive setting shows that covertness can still be achieved even when the adversary cannot tune a fixed post-change distribution to a known threshold, as long as the post-change statistics drift sufficiently slowly. The analysis derives the corresponding asymptotic scaling laws for the average detection delay.
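The following is an added illustration of the sequential-detection setting described above; it is not code from the dissertation or its author. It assumes the simplest stationary model, a Gaussian mean shift from N(0,1) to N(mu,1) with unit variance, implements the two detectors the abstract names (Shewhart and CuSum) on the per-sample log-likelihood ratio, and runs a seeded Monte Carlo simulation on constructed data to show how the detection delay grows as the post-change shift mu shrinks and as the threshold b is raised to buy a longer average time to false alarm. The function names, the threshold values and the change point are assumptions chosen for the example.

```python
import random
from typing import Callable, List, Optional, Sequence

# Assumed model: pre-change N(0,1), post-change N(mu,1).
# One-sample log-likelihood ratio of N(mu,1) against N(0,1).
def llr_increment(x: float, mu: float) -> float:
    return mu * x - mu * mu / 2.0


def cusum_alarm(samples: Sequence[float], mu: float, b: float) -> Optional[int]:
    """CuSum: S_n = max(0, S_{n-1} + llr(x_n)); alarm at first n with S_n >= b.
    Returns the 0-based alarm index, or None if no alarm within the samples."""
    s = 0.0
    for n, x in enumerate(samples):
        s = max(0.0, s + llr_increment(x, mu))
        if s >= b:
            return n
    return None


def shewhart_alarm(samples: Sequence[float], mu: float, b: float) -> Optional[int]:
    """Shewhart: alarm as soon as a single sample's llr reaches b (no memory)."""
    for n, x in enumerate(samples):
        if llr_increment(x, mu) >= b:
            return n
    return None


def detection_delay(alarm_index: Optional[int], change_index: int) -> Optional[int]:
    """Number of post-change samples observed up to and including the alarm.
    None if the detector never alarmed or alarmed before the change (false alarm)."""
    if alarm_index is None or alarm_index < change_index:
        return None
    return alarm_index - change_index + 1


Detector = Callable[[Sequence[float], float, float], Optional[int]]


def simulate(detector: Detector, mu: float, b: float, change_index: int,
             horizon: int, trials: int, seed: int = 1) -> dict:
    """Seeded Monte Carlo on constructed data: each trial draws `horizon` samples,
    the first `change_index` from N(0,1) and the rest from N(mu,1)."""
    rng = random.Random(seed)
    delays: List[int] = []
    false_alarms = 0
    misses = 0
    for _ in range(trials):
        samples = [rng.gauss(0.0 if n < change_index else mu, 1.0) for n in range(horizon)]
        alarm = detector(samples, mu, b)
        delay = detection_delay(alarm, change_index)
        if alarm is None:
            misses += 1
        elif delay is None:
            false_alarms += 1
        else:
            delays.append(delay)
    mean_delay = sum(delays) / len(delays) if delays else None
    return {"trials": trials, "false_alarms": false_alarms, "misses": misses,
            "detected": len(delays), "mean_delay": mean_delay}


if __name__ == "__main__":
    # Shrinking mu at a fixed threshold: the detector still fires, but later.
    for mu in (1.0, 0.5, 0.25):
        r = simulate(cusum_alarm, mu, b=5.0, change_index=200, horizon=2000, trials=200)
        print(f"CuSum   mu={mu:<5} b=5.0  {r}")
    # Raising b to lengthen the average time to false alarm also lengthens the delay.
    for b in (3.0, 5.0, 8.0):
        r = simulate(cusum_alarm, 0.5, b=b, change_index=200, horizon=2000, trials=200)
        print(f"CuSum   mu=0.5   b={b:<4} {r}")
    r = simulate(shewhart_alarm, 0.5, b=3.0, change_index=200, horizon=2000, trials=200)
    print(f"Shewhart mu=0.5  b=3.0  {r}")
```

Running the script prints the false-alarm count and mean detection delay for each setting. The delay of CuSum grows roughly like 2b/mu^2 as the shift shrinks, which is the trade-off the abstract describes: a defender who tightens the false-alarm constraint by raising b pays in delay, and a small shift mu can make that delay comparable to the false-alarm horizon itself.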
Advisor:
Don Towsley