14th IEEE International Conference on Information Reuse and Integration

Detecting Data Exfiltration by Integrating Information Across Layers

Puneet Sharma, Anupam Joshi, and Tim Finin

August 14, 2013

Data exfiltration is the unauthorized leakage of confidential data from a system. Unlike intrusions that seek to overtly disable or damage a system, it is particularly hard to detect because it uses a variety of low/slow vectors and advanced persistent threats (APTs). It is often assisted (intentionally or not) by an insider who might be an employee who downloads a trojan or uses a hardware component that has been tampered with or acquired from an unreliable source. Conventional scan and test based detection approaches work poorly, especially for hardware with embedded trojans. We describe a framework to detect potential exfiltration events that actively monitors of a set of key parameters that cover the entire stack, from hardware to the application layer. An attack alert is generated only if several monitors detect suspicious activity within a short temporal window. The cross-layer monitoring and integration helps ensure accurate alerts with fewer false positives and makes designing a successful attack more difficult.

BibTeX OWL Tweet Scholar

Tags: cybersecurity, exfiltration, ids, intrusion, malware, security

Type: InProceedings

Publisher: IEEE Computer Society Press

Downloads: 1963 downloads