Behavior model for detecting data exfiltration in network environment

There is a growing concern across the globe about the exfiltration of sensitive data over the network. Coupled with the increase in other insider threats, this poses a greater challenge. Present-day perimeter security solutions such as intrusion detection and prevention systems and firewalls are not capable of detecting data exfiltration. Also, existing behavior models that can detect intrusions and worms do not incorporate mechanisms to detect data exfiltration. Devising an exclusive behavior-based model that utilizes parameters from both the system and the network is essential to detect data exfiltration over the network. In this paper, we present a behavior approach based on Kernel Density Estimation (KDE) and correlation coefficient methods to detect data exfiltration. Firstly, during the learning phase, we profile each host in a network and compute KDE values individually for system and network parameters. Secondly, during the detection phase, we compute KDEs for the identified parameters and then correlate the current KDE values with the learnt KDE values using Karl Pearson's correlation coefficient method to detect data exfiltration over the network. We present our approach, analysis and the findings based on our model. Results obtained reveal that our approach detects data-exfiltration incidents over the network.
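As an added illustration (not the paper's own code), the two-phase scheme above for a single host and a single network parameter: a Gaussian KDE with Silverman's bandwidth is learnt from a baseline, and each later window's KDE is correlated with it using Pearson's r. The sample data, the evaluation grid and the 0.5 alert threshold are constructed assumptions, not values from the paper.

```python
import math


def gaussian_kde(samples, grid, bandwidth):
    """Evaluate a Gaussian kernel density estimate of `samples` at each grid point."""
    norm = 1.0 / (len(samples) * bandwidth * math.sqrt(2.0 * math.pi))
    return [norm * sum(math.exp(-0.5 * ((x - s) / bandwidth) ** 2) for s in samples)
            for x in grid]


def silverman_bandwidth(samples):
    """Silverman's rule-of-thumb bandwidth: 1.06 * sd * n^(-1/5)."""
    n = len(samples)
    mean = sum(samples) / n
    sd = math.sqrt(sum((s - mean) ** 2 for s in samples) / (n - 1))
    return 1.06 * sd * n ** (-0.2) if sd > 0 else 1.0


def pearson(xs, ys):
    """Karl Pearson's correlation coefficient between two equal-length vectors."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(var) if var > 0 else 0.0


def learn_profile(samples, grid):
    """Learning phase: the host's KDE over the grid for one parameter."""
    return gaussian_kde(samples, grid, silverman_bandwidth(samples))


def correlate_window(profile, window, grid):
    """Detection phase: correlate the current window's KDE with the learnt one."""
    return pearson(profile, gaussian_kde(window, grid, silverman_bandwidth(window)))


def is_exfiltration(profile, window, grid, threshold=0.5):
    """Flag the window when its density no longer tracks the learnt profile."""
    return correlate_window(profile, window, grid) < threshold


# Constructed sample data (not from the paper): outbound KB per 5-minute
# interval for one host, evaluated on a grid covering 0..5000 KB.
GRID = [25 * i for i in range(201)]
BASELINE = [200 + 5 * i for i in range(40)]        # learning phase, normal use
NORMAL_WINDOW = [210 + 6 * i for i in range(20)]   # later window, still normal
EXFIL_WINDOW = [3000 + 50 * i for i in range(20)]  # sustained bulk upload

if __name__ == "__main__":
    profile = learn_profile(BASELINE, GRID)
    for name, window in (("normal", NORMAL_WINDOW), ("bulk upload", EXFIL_WINDOW)):
        r = correlate_window(profile, window, GRID)
        print(f"{name}: r={r:.3f} exfiltration={is_exfiltration(profile, window, GRID)}")
```

The same profile-and-correlate step is applied per host to each system and network parameter the model tracks; one parameter is shown here to keep the example short.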
