Optimal Strategies for Detecting Data Exfiltration by Internal and External Attackers

We study the problem of detecting data exfiltration in computer networks. We focus on how well optimal defense strategies perform as a function of the attacker's knowledge of typical network behavior and of the attacker's ability to influence the compromised host's normal traffic. An internal attacker already knows the typical upload behavior of the compromised host and may be able to suppress its standard uploads, replacing them with exfiltration. An external attacker does not initially know the behavior of the compromised host, but can learn it by observing the host's traffic.
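The distinction the abstract draws (an insider who already knows the host's profile and can replace normal uploads with exfiltration, versus an outsider who starts blind and learns the profile from observation) is illustrated by the following added simulation. It is not the paper's model or code: it assumes a hypothetical defender who uses only daily upload volume with a fixed threshold calibrated on a training period, a hypothetical insider who swaps legitimate uploads for exfiltration one-for-one, and a hypothetical outsider who first sends a fixed chunk on top of normal traffic and later pads each day only up to the median volume it has observed on that host. All traffic volumes are constructed sample data.

```python
"""Added illustration (not the paper's model or code): a volume-threshold
detector against the two attacker types described in the abstract.

Assumptions (all hypothetical): daily upload volume in MB is the only
feature; the defender calibrates a fixed threshold on a training period;
the internal attacker replaces legitimate uploads one-for-one with
exfiltration; the external attacker first sends blind, then learns the
host's typical volume from its own observations.
"""
import random
from statistics import median

FPR_TARGET = 0.01          # defender's tolerated false-positive rate
CHUNK_MB = 100.0           # external attacker's blind daily exfil volume
LEARN_DAYS = 60            # days the external attacker observes before adapting


def sample_baseline(days, rng):
    """Constructed legitimate daily upload volumes in MB (uniform 20..80)."""
    return [rng.uniform(20.0, 80.0) for _ in range(days)]


def calibrate_threshold(training, fpr=FPR_TARGET):
    """Empirical (1 - fpr) quantile of the training period."""
    s = sorted(training)
    return s[min(len(s) - 1, int((1.0 - fpr) * len(s)))]


def detection_rate(observed, threshold):
    """Fraction of days whose total upload volume exceeds the threshold."""
    return sum(1 for v in observed if v > threshold) / len(observed)


def internal_attack(legit):
    """Insider knows the host's profile and swaps legitimate uploads for
    exfiltration: the volume on the wire is unchanged, every byte is stolen."""
    observed = list(legit)
    stolen = sum(legit)
    return observed, stolen


def external_attack(legit, chunk=CHUNK_MB, learn_days=LEARN_DAYS):
    """Outsider adds a fixed chunk on top of normal traffic while it has no
    profile, then pads each day only up to the median volume it has seen on
    this host (a bolder attacker would target a higher quantile).
    Returns (observed volumes, stolen MB, index where adaptation starts)."""
    observed, stolen = [], 0.0
    for i, v in enumerate(legit):
        if i < learn_days:
            exfil = chunk                       # blind phase
        else:
            est = median(legit[:i])             # learned profile of this host
            exfil = max(0.0, est - v)           # keep the day at "typical" volume
        observed.append(v + exfil)
        stolen += exfil
    return observed, stolen, learn_days


def run(seed=7, train_days=365, test_days=365):
    """Calibrate on one constructed year, evaluate both attackers on another."""
    rng = random.Random(seed)
    threshold = calibrate_threshold(sample_baseline(train_days, rng))
    legit = sample_baseline(test_days, rng)
    base_rate = detection_rate(legit, threshold)

    int_obs, int_stolen = internal_attack(legit)
    ext_obs, ext_stolen, split = external_attack(legit)
    return {
        "threshold": threshold,
        "baseline_rate": base_rate,
        "internal_rate": detection_rate(int_obs, threshold),
        "internal_stolen": int_stolen,
        "external_blind_rate": detection_rate(ext_obs[:split], threshold),
        "external_learned_rate": detection_rate(ext_obs[split:], threshold),
        "external_stolen": ext_stolen,
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k:22s} {v:.3f}")
```

The insider's observed traffic is identical to the clean baseline, so a volume detector flags it at exactly its false-positive rate while the entire upload budget is stolen; the outsider is flagged every day during its blind phase and only drops to the baseline rate once it has learned the host's profile. This is the regime in which the abstract's question about optimal thresholds becomes interesting: the defender's best operating point depends on which of the two attackers it expects.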
