An Analytical Framework to Address the Data Exfiltration of Advanced Persistent Threats

Detecting and preventing the data exfiltration of advanced persistent threats is a challenging problem. These attacks can remain in their target system for several years while retrieving information at a very slow rate, possibly after reformatting and encrypting the data they have accessed. Tainting and tracking some of the files in the system and deploying honeypots are two potentially effective countermeasures against advanced persistent threats. In this paper, we introduce an analytical framework to study the effect of these measures on the number of files that an attacker can exfiltrate. In particular, we obtain upper bounds on the expected number of files at risk, given a certain ratio of tainted and honey files in the system, by using dynamic programming and Pontryagin's maximum principle. In addition, we show that in some cases tainting more of the files does not necessarily improve the security of the system. The results highlight the effectiveness and the necessity of deception for combating advanced persistent threats.
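The abstract does not state the paper's model, so the following is an added toy illustration of the dynamic-programming part of the approach, not the authors' framework: it computes the expected number of real files an attacker exfiltrates before detection when a fraction of the store consists of honey files and a fraction of the real files is tainted and tracked. The detection model (an alert with probability `p_honey` when a honey file is read, perimeter detection with probability `q_taint` when a tainted file leaves, uniformly random file selection, and an access budget `budget` standing in for the slow exfiltration rate) and all parameter values are assumptions of this example; the paper's continuous-time bound via Pontryagin's maximum principle is not reproduced.

```python
"""Toy dynamic-programming model of APT exfiltration against tainted and honey files.

Added illustration, not the paper's model.  The state space, the detection
probabilities p_honey / q_taint, the access budget and uniform file choice are
all assumptions of this example.
"""
from functools import lru_cache


def expected_exfiltrated(honey: int, tainted: int, untracked: int, budget: int,
                         p_honey: float, q_taint: float) -> float:
    """Expected number of real files (tainted + untracked) exfiltrated before
    detection, with the attacker picking uniformly among remaining files and
    making at most `budget` accesses.

    Assumed (hypothetical) detection model:
      * reading a honey file raises an alert with probability p_honey; the
        attack stops and no real data is lost on that access;
      * exfiltrating a tainted file is caught at the perimeter with probability
        q_taint; that file is already lost, but the attack then stops;
      * untracked real files leave silently.
    """
    @lru_cache(maxsize=None)
    def v(h: int, t: int, u: int, k: int) -> float:
        n = h + t + u
        if k == 0 or n == 0:
            return 0.0
        val = 0.0
        if h:   # honey file read: survives the alert with prob (1 - p_honey)
            val += (h / n) * (1.0 - p_honey) * v(h - 1, t, u, k - 1)
        if t:   # tainted file leaves: counts as lost, continue with prob (1 - q_taint)
            val += (t / n) * (1.0 + (1.0 - q_taint) * v(h, t - 1, u, k - 1))
        if u:   # untracked file leaves silently
            val += (u / n) * (1.0 + v(h, t, u - 1, k - 1))
        return val

    return v(honey, tainted, untracked, budget)


def sweep_taint_ratio(total_files: int, honey_ratio: float, budget: int,
                      p_honey: float, q_taint: float, steps: int = 5):
    """Expected loss as the tainted fraction of the real files varies from 0 to 1,
    with the honey fraction of the store held fixed.
    Returns a list of (taint_ratio, expected_real_files_exfiltrated)."""
    honey = round(total_files * honey_ratio)
    real = total_files - honey
    out = []
    for i in range(steps + 1):
        r = i / steps
        tainted = round(real * r)
        loss = expected_exfiltrated(honey, tainted, real - tainted, budget,
                                    p_honey, q_taint)
        out.append((r, loss))
    return out


if __name__ == "__main__":
    # Constructed parameters: 200 files, 5% honey, 50 accesses in the window.
    for r, loss in sweep_taint_ratio(200, 0.05, 50, 0.6, 0.3):
        print(f"taint ratio {r:.1f}: expected real files exfiltrated = {loss:.2f}")
```

The memoised recursion is exact for this toy, and the number of reachable states grows only cubically in the access budget, so sweeps over taint and honey ratios are cheap; whether more tainting helps in a given setting depends on how the detection parameters interact with the budget, which is the kind of question the paper's bounds are meant to answer.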
