Horizon Extender: long-term preservation of data leakage evidence in web traffic

This paper presents Horizon Extender, a system for the long-term preservation of data leakage evidence in enterprise networks. Classical network intrusion detection systems keep packet records only for traffic they flag as suspicious (black-listing). Horizon Extender takes the opposite approach (white-listing): it reduces the total size of captured network traces by discarding every record that cannot reveal evidence about leaked data, and keeps everything else. The design exploits two properties of general Web traffic: its high inherent redundancy and its adherence to the protocol specification. On a real-life network with more than 1000 active hosts, we show that Horizon Extender reduces the total HTTP volume by 99.8% and the outgoing volume by 90.9% to 93.9%, while preserving enough evidence to retrospectively recover the time, the endpoint identity, and the content of information leaked over the HTTP channel.
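The following is an added illustration of the white-listing idea described above, written for this page; it is not Horizon Extender's code and does not reproduce the paper's algorithm. It keeps, for each outbound request, only the fields that could carry data out of the network (request line, header lines, body) together with time and endpoints, stores repeated header lines once by fingerprint, and reduces each inbound response to its status line. The `EvidenceStore` class, the `Record` layout, and the sample capture are all constructed for the example; the sizes it reports are for this toy traffic and say nothing about the paper's measurements.

```python
"""Illustrative white-list filter for HTTP leakage evidence (added example,
not the paper's implementation)."""
import hashlib
from dataclasses import dataclass


@dataclass
class Record:
    """One reassembled HTTP exchange, as a capture tool might hand it over."""
    ts: float
    client: str
    server: str
    request: bytes
    response: bytes


def parse_request(raw: bytes):
    """Split a raw request into (request line, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], lines[1:], body.decode("latin-1")


class EvidenceStore:
    """White-listed evidence: time, endpoints, request line, headers, body."""

    FP_LEN = 10  # hex chars kept per header fingerprint (short for the example)

    def __init__(self):
        self.header_table = {}  # fingerprint -> full header line, stored once
        self.entries = []

    def _fingerprint(self, header_line: str) -> str:
        fp = hashlib.sha256(header_line.encode("latin-1")).hexdigest()[: self.FP_LEN]
        # A collision would silently merge two header lines; a real store
        # would keep the full digest or verify the stored line on insert.
        self.header_table.setdefault(fp, header_line)
        return fp

    def add(self, rec: Record) -> None:
        req_line, headers, body = parse_request(rec.request)
        status = rec.response.split(b"\r\n", 1)[0].decode("latin-1")
        self.entries.append({
            "ts": rec.ts, "client": rec.client, "server": rec.server,
            "request_line": req_line,
            "headers": [self._fingerprint(h) for h in headers],
            "body": body,            # outbound payload is kept verbatim
            "response": status,      # inbound payload is dropped entirely
        })

    def preserved_bytes(self) -> int:
        """Approximate size of what is kept, as tab-separated records."""
        n = sum(len(v) + self.FP_LEN for v in self.header_table.values())
        for e in self.entries:
            n += len(f"{e['ts']}\t{e['client']}\t{e['server']}\t{e['request_line']}\t"
                     f"{','.join(e['headers'])}\t{e['body']}\t{e['response']}\n")
        return n

    def find(self, needle: str):
        """Retrospective query: when, from whom, to where, in which field."""
        hits = []
        for e in self.entries:
            fields = [("request_line", e["request_line"]), ("body", e["body"])]
            for fp in e["headers"]:
                line = self.header_table[fp]
                fields.append(("header:" + line.split(":", 1)[0], line))
            for where, text in fields:
                if needle in text:
                    hits.append((e["ts"], e["client"], e["server"], where, text))
        return hits


def build_store(records):
    store = EvidenceStore()
    for r in records:
        store.add(r)
    return store


def reduction(records, store):
    """Fraction of raw bytes discarded, for all HTTP and for outbound only."""
    raw_total = sum(len(r.request) + len(r.response) for r in records)
    raw_out = sum(len(r.request) for r in records)
    kept = store.preserved_bytes()
    return {"total": 1 - kept / raw_total, "outbound": 1 - kept / raw_out}


# Constructed sample traffic (not from the paper): a browsing session from
# 10.0.0.5 whose headers repeat on every request, plus a POST body and a
# query string that carry data out of the network.
_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
       "(KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5")
_COMMON = [f"User-Agent: {_UA}",
           "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
           "Accept-Language: en-US,en;q=0.8", "Accept-Encoding: gzip,deflate,sdch",
           "Connection: keep-alive", "Cookie: session=0a1b2c3d4e5f60718293a4b5c6d7e8f9"]


def _request(method, path, host, body=""):
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", *_COMMON]
    if body:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("latin-1")


def _response(n):
    body = "<html>" + "x" * n + "</html>"
    return (f"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


CAPTURE = [Record(1.0 + i, "10.0.0.5", "203.0.113.10",
                  _request("GET", f"/page{i}.html", "intranet.example"), _response(20000))
           for i in range(8)]
CAPTURE += [Record(12.5, "10.0.0.5", "198.51.100.7",
                   _request("POST", "/upload", "paste.example", body="ssn=123-45-6789&name=Doe"),
                   _response(100)),
            Record(13.0, "10.0.0.9", "198.51.100.7",
                   _request("GET", "/search?q=project+falcon+budget", "paste.example"),
                   _response(4000))]
```

Running `build_store(CAPTURE)` and then `store.find("123-45-6789")` returns the time, client, server and field (`body`) of the single POST that carried the value, and `reduction(CAPTURE, store)` shows the asymmetry the abstract describes: most of the saving comes from discarding inbound response payloads, while the outbound saving comes only from header redundancy across requests. Note what this toy filter does not do: it keeps every header line, including cookies and user-agents, because any request field can be a leakage channel; a production white-list would need a per-field model of what the protocol constrains before dropping more.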
