Detection and evaluation of data exfiltration

Riccardo Bortolameotti

Research output: PhD Thesis - Research UT, graduation UT (Academic)


Abstract

In this work we investigate the problem of detecting data exfiltration over HTTP and propose different technical solutions to tackle it. We introduce a new anomaly-based detection approach for data exfiltration called passive application fingerprinting, which relies on fine-grained detection models to better identify anomalous connections. We show that our proposed system outperforms the current state-of-the-art solutions in terms of detection performance. Furthermore, we investigate the problem of victim-aware data exfiltration over HTTP, where an attacker mimics the victim's traffic to camouflage their presence. We show that none of the existing detection solutions can accurately detect such malicious communication while triggering few false alerts. The reason is that mimicry keeps the malicious traffic from deviating from normal traffic, thereby breaking a fundamental assumption of anomaly-based detection systems. Consequently, we present honey traffic, a deception-based detection system that identifies mimicked communication without relying on the same assumptions as existing approaches. The main idea is to generate fake network messages that an attacker observing the victim's communication may mimic. If the attacker mimics the fake messages, a security monitor detects the attacker by identifying inconsistencies between the original and the mimicked messages.
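The detection reasoning of the abstract, as an added Python illustration that is not the thesis's code: a per-application fingerprint model built from constructed HTTP request records, a victim-aware attacker whose mimicked requests that model cannot separate from the Sync client's own, and a honey-traffic check in which each decoy request carries an HMAC-bound, single-use cookie so that a copied or replayed decoy exposes the attacker. The key, the cookie format, the application names, hostnames, header sets and body sizes are all assumptions of this example.

```python
import hmac
import hashlib

# Constructed benign baseline from one workstation, as a passive monitor would
# record it: application (User-Agent), destination, header order, body size.
BASELINE = [
    {"ua": "Updater/4.2", "host": "updates.example.com",
     "headers": ("Host", "User-Agent", "Accept"), "body_len": 0},
    {"ua": "Sync/1.0", "host": "sync.example.com",
     "headers": ("Host", "User-Agent", "Cookie", "Content-Length"), "body_len": 96},
    {"ua": "Sync/1.0", "host": "sync.example.com",
     "headers": ("Host", "User-Agent", "Cookie", "Content-Length"), "body_len": 140},
]

def build_fingerprints(requests):
    """One fine-grained model per application instead of one model per host."""
    fp = {}
    for r in requests:
        m = fp.setdefault(r["ua"], {"hosts": set(), "orders": set(), "max_body": 0})
        m["hosts"].add(r["host"])
        m["orders"].add(r["headers"])
        m["max_body"] = max(m["max_body"], r["body_len"])
    return fp

def fingerprint_anomalies(fp, r):
    """Deviations of r from its application's model; [] means it blends in."""
    m = fp.get(r["ua"])
    if m is None:
        return ["unknown application"]
    reasons = []
    if r["host"] not in m["hosts"]:
        reasons.append("new destination")
    if r["headers"] not in m["orders"]:
        reasons.append("unseen header order")
    if r["body_len"] > 2 * m["max_body"]:
        reasons.append("oversized body")
    return reasons

# Honey traffic. SECRET is an assumed key shared only by the decoy generator and
# the monitor, so an attacker can copy a decoy token but never mint a valid one.
SECRET = b"decoy-generator-and-monitor-only"
SYNC_HEADERS = ("Host", "User-Agent", "Cookie", "Content-Length")

def decoy_tag(seq, host, body_len):
    msg = f"{seq}:{host}:{body_len}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

class HoneyMonitor:
    def __init__(self):
        self.issued = {}   # seq -> (host, body_len) for every decoy emitted
        self.seen = set()  # decoy seqs already observed once on the wire

    def emit_decoy(self, seq, host, body_len):
        """A fake Sync request the victim machine sends; its cookie is single-use."""
        self.issued[seq] = (host, body_len)
        tag = decoy_tag(seq, host, body_len)
        return {"ua": "Sync/1.0", "host": host, "headers": SYNC_HEADERS,
                "body_len": body_len, "cookie": f"sid={seq}.{tag}"}

    def check(self, r):
        """Alert if r carries a decoy token inconsistently with how it was issued."""
        cookie = r.get("cookie", "")
        if not cookie.startswith("sid="):
            return None
        seq_s, _, tag = cookie[4:].partition(".")
        if not seq_s.isdigit() or int(seq_s) not in self.issued:
            return None                                   # a real session, not ours
        seq = int(seq_s)
        host, body_len = self.issued[seq]
        if not hmac.compare_digest(decoy_tag(seq, host, body_len).encode(), tag.encode()):
            return None                                   # not a genuine decoy token
        if (r["host"], r["body_len"]) != (host, body_len):
            return f"decoy {seq} copied onto a different request (host/body mismatch)"
        if seq in self.seen:
            return f"decoy {seq} replayed"
        self.seen.add(seq)                                # the one legitimate sighting
        return None

def run_demo():
    fp = build_fingerprints(BASELINE)
    mon = HoneyMonitor()
    # Naive exfiltration: a new tool posting a large blob to an unknown host.
    naive = {"ua": "curl/7.68.0", "host": "drop.attacker.example",
             "headers": ("Host", "User-Agent"), "body_len": 65536}
    # Victim-aware exfiltration: same application string, destination, header
    # order and body size as the real Sync client, with the data chunked to fit.
    mimic = {"ua": "Sync/1.0", "host": "sync.example.com",
             "headers": SYNC_HEADERS, "body_len": 120}
    decoy = mon.emit_decoy(7, "sync.example.com", 96)
    legit = mon.check(decoy)                              # the genuine decoy, seen once
    copied = dict(mimic, cookie=decoy["cookie"])          # attacker reuses the observed cookie
    replay = dict(decoy)                                  # attacker replays the decoy verbatim
    return {
        "naive": fingerprint_anomalies(fp, naive),
        "mimic": fingerprint_anomalies(fp, mimic),
        "copied_fp": fingerprint_anomalies(fp, copied),
        "decoy_legit": legit,
        "copied": mon.check(copied),
        "replay": mon.check(replay),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:12} {v}")
```

The fingerprint model flags the naive upload (unknown application) but returns no deviation for the mimicking request, even with the stolen cookie attached: that is the broken assumption the abstract refers to. The honey check does not depend on deviation at all; it relies only on the fact that the attacker had to copy something the monitor knows it issued exactly once, for exactly one request shape.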

We also present a technical solution for evaluating the impact of a data breach. Existing logging mechanisms are not reliable for impact evaluation because an attacker can tamper with them: the machine that generates a log is solely responsible for its content, so once the machine is compromised it is impossible to tell whether that content is legitimate. We present a distributed logging system that determines what has leaked after a data breach by combining threshold cryptography and Byzantine consensus protocols. Compared with related work, our system is more reliable in adversarial environments and more precise in determining what data has leaked.
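An added Python illustration (not the thesis's logging system) of the threshold-cryptography building block named above: a log record is Shamir-shared across five log nodes so that no single node holds or can read it, any three honest nodes reconstruct it, and a cross-check over all three-node quorums both recovers the record and names a node that returns an altered share. That cross-check stands in for the Byzantine consensus protocol of the thesis, which this example does not implement; the prime field, the record text and the node numbering are this example's assumptions.

```python
from secrets import randbelow
from itertools import combinations
from collections import Counter

P = 2**127 - 1  # Mersenne prime; every value below is an element of GF(P)

def split(secret, t, n):
    """n shares (x, y) of secret: any t reconstruct it, any t-1 reveal nothing."""
    assert 0 <= secret < P and 1 < t <= n < P
    coeffs = [secret] + [randbelow(P) for _ in range(t - 1)]   # random degree t-1 polynomial

    def f(x):
        acc = 0
        for c in reversed(coeffs):                              # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse of den
    return total

def encode_record(text):
    """Pack a short log record into one field element (longer records would be chunked)."""
    data = text.encode()
    assert 0 < len(data) <= 15 and data[0] != 0
    return int.from_bytes(data, "big")

def decode_record(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()

def audit(shares, t):
    """Cross-check every t-subset: the majority value is the record, and a node
    present in every disagreeing subset is serving a tampered share."""
    results = {subset: reconstruct(subset) for subset in combinations(shares, t)}
    majority, _ = Counter(results.values()).most_common(1)[0]
    disagreeing = [set(x for x, _ in s) for s, v in results.items() if v != majority]
    suspects = set.intersection(*disagreeing) if disagreeing else set()
    return majority, suspects

def run_demo():
    record = encode_record("leak:cust-0042")      # constructed record of one leaked item
    shares = split(record, t=3, n=5)              # one share per log node; no node sees the record
    from_any_three = reconstruct(shares[1:4])
    # Log node 2 is compromised and returns an altered share.
    tampered = [(x, (y + 1) % P if x == 2 else y) for x, y in shares]
    single_quorum = reconstruct(tampered[:3])     # a quorum that trusts node 2 is silently wrong
    majority, suspects = audit(tampered, 3)
    return {"record": record, "from_any_three": from_any_three,
            "single_quorum": single_quorum, "majority": majority, "suspects": suspects}

if __name__ == "__main__":
    out = run_demo()
    print(decode_record(out["majority"]), "tampering by node(s):", sorted(out["suspects"]))
```

A single three-node reconstruction that includes the compromised node returns a wrong record without any indication that it is wrong, which is exactly the problem with trusting one machine's log. With five nodes and a threshold of three, the four quorums that exclude node 2 agree on the record while the six that include it each yield a different value, so the majority recovers the record and node 2 is the only node common to every dissenting quorum.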
Original language: English
Qualification: Doctor of Philosophy
Awarding institution:
  • University of Twente
Supervisors/Advisors:
  • Hartel, Pieter Hendrik, Supervisor
  • Jonker, Willem, Supervisor
  • Peter, Andreas, Co-Supervisor
Award date: 11 Oct 2019
Place of publication: Enschede
Publisher: University of Twente
Print ISBN: 978-90-365-4824-3
DOI: 10.3990/1.9789036548243
Publication status: Published - 11 Oct 2019

Fingerprint

HTTP
Communication
Camouflage
Cryptography
Network protocols

Cite this

Bortolameotti, R. (2019). Detection and evaluation of data exfiltration. Enschede: University of Twente. https://doi.org/10.3990/1.9789036548243
@phdthesis{e6a292c7f6ad4038aa68203f5e6b4045,
title = "Detection and evaluation of data exfiltration",
author = "Riccardo Bortolameotti",
year = "2019",
month = "10",
day = "11",
doi = "10.3990/1.9789036548243",
language = "English",
isbn = "978-90-365-4824-3",
series = "DSI Ph.D. thesis series",
publisher = "University of Twente",
number = "19-013",
address = "Netherlands",
school = "University of Twente",
}

Bortolameotti R. Detection and evaluation of data exfiltration. Enschede: University of Twente, 2019. 157 p. (DSI Ph.D. thesis series; 19-013). https://doi.org/10.3990/1.9789036548243