Data Exfiltration Detection and Prevention: Virtually Distributed POMDPs for Practically Safer Networks

We address the challenge of detecting and addressing advanced persistent threats (APTs) in a computer network, focusing in particular on detecting data exfiltration over Domain Name System (DNS) queries, where existing detection sensors are imperfect and yield noisy observations of the network's security state. Data exfiltration over DNS queries involves the unauthorized transfer of sensitive data from an organization to a remote adversary through a DNS data tunnel to a malicious web domain. Given the noisy sensors, previous work has shown that standard approaches fail to detect exfiltration attempts satisfactorily. Instead, we propose a decision-theoretic technique that sequentially plans to accumulate evidence under uncertainty while taking into account the cost of deploying such sensors. More specifically, we provide a fast, scalable POMDP formulation to address the challenge, whose efficiency rests on two key contributions: (i) we use a virtually distributed POMDP (VD-POMDP) formulation, motivated by previous work on distributed POMDPs with sparse interactions, in which individual policies for different sub-POMDPs are planned separately and their sparse interactions are resolved only at execution time to determine the joint actions to perform; (ii) we allow for abstraction in planning for speedups, and then use a fast MILP to implement the abstraction while resolving any interactions. This allows us to determine optimal sensing strategies, leveraging information from many noisy detectors, subject to constraints imposed by network topology, forwarding rules, and performance costs on the frequency, scope, and efficiency of the sensing we can perform.
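The core idea the abstract describes, accumulating evidence from noisy sensors step by step while paying for each sensing action, can be illustrated on a deliberately reduced case. The following is an added example, not the paper's VD-POMDP or MILP formulation: a single hidden binary state ("is this host exfiltrating over DNS?") tracked with a Bayesian belief, a myopic rule that picks the sensor with the best expected information gain per unit cost, and a stopping rule that declares or clears once the belief crosses a confidence threshold. The sensor names, detection rates, costs and the alert streams are constructed for the example and stand in for the imperfect detectors the paper refers to.

```python
"""Sequential evidence accumulation from noisy DNS exfiltration sensors.

Added illustration only: a one-state-variable simplification of the paper's
setting. Sensor names, true/false positive rates, costs and the observation
streams below are constructed values, not measurements from the paper.
"""
from dataclasses import dataclass
from math import log2
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sensor:
    name: str
    tpr: float   # P(alert | host is exfiltrating)  (constructed)
    fpr: float   # P(alert | host is benign)        (constructed)
    cost: float  # cost of running this sensor for one step


# Constructed sensors: a cheap, noisy detector and an expensive, precise one.
SENSORS: Dict[str, Sensor] = {
    "query_length": Sensor("query_length", tpr=0.80, fpr=0.20, cost=1.0),
    "deep_inspect": Sensor("deep_inspect", tpr=0.95, fpr=0.05, cost=5.0),
}


def update_belief(belief: float, sensor: Sensor, alert: bool) -> float:
    """One Bayes step: posterior P(exfiltration) after one sensor reading."""
    p_obs_bad = sensor.tpr if alert else 1.0 - sensor.tpr
    p_obs_good = sensor.fpr if alert else 1.0 - sensor.fpr
    numerator = p_obs_bad * belief
    return numerator / (numerator + p_obs_good * (1.0 - belief))


def entropy(p: float) -> float:
    """Binary entropy in bits; zero when the state is certain."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * log2(p) + (1.0 - p) * log2(1.0 - p))


def expected_info_gain(belief: float, sensor: Sensor) -> float:
    """Expected reduction in uncertainty from running the sensor once."""
    p_alert = sensor.tpr * belief + sensor.fpr * (1.0 - belief)
    h_after = (p_alert * entropy(update_belief(belief, sensor, True))
               + (1.0 - p_alert) * entropy(update_belief(belief, sensor, False)))
    return entropy(belief) - h_after


def choose_sensor(belief: float, sensors: Dict[str, Sensor]) -> Sensor:
    """Myopic sensing policy: maximise expected information gain per unit cost."""
    return max(sensors.values(),
               key=lambda s: expected_info_gain(belief, s) / s.cost)


def investigate(prior: float, sensors: Dict[str, Sensor],
                observations: Dict[str, List[bool]],
                declare_at: float = 0.95,
                clear_at: float = 0.05) -> Tuple[str, float, float, int]:
    """Accumulate evidence until the belief is confident either way.

    `observations` maps a sensor name to the constructed alert stream that
    sensor would produce, consumed in order each time the sensor is chosen.
    Returns (verdict, final_belief, total_cost, steps_taken).
    """
    belief, total_cost, steps = prior, 0.0, 0
    streams = {name: list(alerts) for name, alerts in observations.items()}
    while clear_at < belief < declare_at:
        sensor = choose_sensor(belief, sensors)
        stream = streams.get(sensor.name)
        if not stream:                      # ran out of evidence to collect
            return "undecided", belief, total_cost, steps
        belief = update_belief(belief, sensor, stream.pop(0))
        total_cost += sensor.cost
        steps += 1
    verdict = "exfiltration" if belief >= declare_at else "benign"
    return verdict, belief, total_cost, steps


if __name__ == "__main__":
    # Constructed stream: three consecutive alerts from the cheap detector.
    result = investigate(0.5, SENSORS, {"query_length": [True, True, True]})
    print("verdict=%s belief=%.4f cost=%.1f steps=%d" % result)
```

With a 50/50 prior, the cheap detector wins the gain-per-cost comparison at every belief the run visits, so three alerts in a row raise the belief to 0.8, then 16/17, then 64/65 and trigger a declaration at a total cost of 3. An alert followed by a miss from the same detector cancels out exactly, which is the reason a single noisy alert should never be treated as a verdict on its own.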
