Wireless channel modeling and malware detection using statistical and information-theoretic tools

Posted on: 2007-11-19
Degree: Ph.D
Type: Thesis
University: Michigan State University
Candidate: Khayam, Syed Ali
Full Text: PDF
GTID: 2448390005465403
Subject: Engineering
Abstract/Summary:
This is a bipartite thesis that tackles two different research problems: (i) medium access control (MAC) layer wireless channel modeling and applications of the models in design, analysis and simulations of wireless systems; and (ii) malicious software (malware) detection at network endpoints. For both problems, we collect extensive new datasets which are analyzed and modeled using statistical and information-theoretic tools.

In the first part of this thesis, we provide analysis and modeling of bit-errors at the 802.11b MAC layer. We show that the bit-errors at 2 Mbps and 5.5 Mbps can be modeled by high-order full-state Markov (FSM) chains. Bit-errors at 11 Mbps are shown to have long-range dependence (LRD), and consequently a multifractal wavelet model (MWM) is used to model these LRD bit-errors. The complexity of FSM chains is an exponential function of the bit-error process' memory-length. To mitigate the exponential FSM complexity, we derive guidelines for accurate approximation of an FSM chain of arbitrary memory-length. These guidelines lead to a novel and accurate constant-complexity model (CCM) which always consists of five states irrespective of a process' memory-length.

Two applications of the proposed channel models are explored. First, we use the models in a novel maximum-likelihood header estimation framework which can be used by wireless multimedia applications to realize considerable throughput improvements. Trace-driven wireless video simulations show that the proposed header estimation framework provides significant improvements over existing techniques. Second, we use protocol goodput and retransmission metrics to show that inaccurate channel models can lead to extremely misleading simulation and analytical results. The models proposed in this thesis, however, provide highly accurate estimates of goodput and retransmissions.

In the second part of this thesis, we propose three endpoint-based anomaly detection techniques that detect self-propagating malware in real-time by observing deviations from a behavioral model derived from a benign data profile. In the first technique, we leverage the Kullback-Leibler (K-L) information divergence of real-time source and destination ports' distributions to characterize deviations from the distributions observed in the benign traffic profile. Experiments using actual endpoint and malware data demonstrate that the source and destination ports' distributions are perturbed significantly on a compromised endpoint. K-L perturbations are used to train support vector machines which provide almost 100% detection rates and negligible false alarm rates.

The remaining two malware detection techniques proposed in this thesis employ perturbations in the distribution of keystrokes that are used to initiate network sessions. We show that the keystrokes' entropy increases and the session-keystroke mutual information decreases when an endpoint is compromised by self-propagating malware. These two types of perturbations are used for real-time malware detection. Both detectors provide almost 100% detection rates and very low false alarm rates.
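The first endpoint detector described above, the K-L divergence between a real-time destination-port distribution and a benign profile, as an added illustration that is not code from the thesis. The port counts are constructed sample data, the additive smoothing (needed so that a port never seen in the benign profile does not make the divergence infinite) and the fixed threshold are assumptions made here; the thesis feeds the divergence values to an SVM instead of a hand-set threshold.

```python
from collections import Counter
from math import log2

# Constructed sample data (not from the thesis): destination ports of
# sessions initiated by the endpoint. The benign profile is dominated by
# web and DNS; the scan window is dominated by ports never seen benignly.
BENIGN_PORTS = [80] * 40 + [443] * 35 + [53] * 20 + [993] * 5
NORMAL_WINDOW = [80] * 12 + [443] * 10 + [53] * 6 + [993] * 2
SCAN_WINDOW = [445] * 30 + [139] * 15 + [80] * 3 + [443] * 2


def port_distribution(ports, alphabet, alpha=0.5):
    """Smoothed empirical distribution of `ports` over a fixed alphabet.

    Additive (Laplace) smoothing is an assumption added here: every port
    in the alphabet gets probability mass, so D(P||Q) stays finite when
    the window contains a port absent from the benign profile.
    """
    counts = Counter(ports)
    total = len(ports) + alpha * len(alphabet)
    return {p: (counts.get(p, 0) + alpha) / total for p in alphabet}


def kl_divergence(p, q):
    """D(P || Q) = sum_x p(x) * log2(p(x) / q(x)), in bits."""
    return sum(p[x] * log2(p[x] / q[x]) for x in p if p[x] > 0)


def score_window(window_ports, benign_ports):
    """K-L divergence of a real-time window from the benign profile.

    The alphabet is the union of both port sets so that ports appearing
    only in the window are represented in both distributions.
    """
    alphabet = sorted(set(benign_ports) | set(window_ports))
    p = port_distribution(window_ports, alphabet)   # real-time window
    q = port_distribution(benign_ports, alphabet)   # benign profile
    return kl_divergence(p, q)


def is_anomalous(window_ports, benign_ports, threshold=1.0):
    """Flag a window whose divergence exceeds an assumed bit threshold."""
    return score_window(window_ports, benign_ports) > threshold


if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("scan", SCAN_WINDOW)):
        print(f"{name}: D(P||Q) = {score_window(window, BENIGN_PORTS):.3f} bits",
              "ANOMALOUS" if is_anomalous(window, BENIGN_PORTS) else "ok")
```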
Keywords/Search Tags: Malware, Wireless, Model, Channel, Thesis, Used, Using, FSM