Detecting Data Exfiltration by Integrating Information Across Layers
Links to Files: https://ebiquity.umbc.edu/paper/html/id/625/Detecting-Data-Exfiltration-by-Integrating-Information-Across-Layers
Type of Work: conference papers and proceedings pre-print (8 pages)
Citation of Original Publication: Puneet Sharma, Anupam Joshi and Tim Finin, Detecting Data Exfiltration by Integrating Information Across Layers, IEEE 14th Int. Conf. on Information Reuse and Integration, San Francisco, Aug. 2013, https://ebiquity.umbc.edu/paper/html/id/625/Detecting-Data-Exfiltration-by-Integrating-Information-Across-Layers
Rights: This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
© 2013 IEEE
Data exfiltration is the unauthorized leakage of confidential data from a system. Unlike intrusions that seek to overtly disable or damage a system, it is particularly hard to detect because it uses a variety of low/slow vectors and advanced persistent threats (APTs). It is often assisted (intentionally or not) by an insider who might be an employee who downloads a trojan or uses a hardware component that has been tampered with or acquired from an unreliable source. Conventional scan and test based detection approaches work poorly, especially for hardware with embedded trojans. We describe a framework to detect potential exfiltration events that actively monitors a set of key parameters that cover the entire stack, from hardware to the application layer. An attack alert is generated only if several monitors detect suspicious activity within a short temporal window. The cross-layer monitoring and integration helps ensure accurate alerts with fewer false positives and makes designing a successful attack more difficult.
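The correlation rule the abstract describes (raise an alert only when monitors from several layers fire within a short temporal window), as an added illustration that is not the paper's code: the Event fields, the layer names, the 60-second window, the three-layer threshold and the sample feed are all constructed assumptions.

```python
"""Cross-layer correlation of monitor events (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Event:
    ts: float       # seconds on a shared clock (constructed values below)
    layer: str      # e.g. "hardware", "os", "network", "application"
    monitor: str    # which per-layer monitor raised the event
    detail: str


def correlate(events: List[Event], window: float = 60.0, min_layers: int = 3) -> List[List[Event]]:
    """Slide a time window over the event stream and emit one alert whenever the
    events inside it come from at least `min_layers` distinct layers. Events that
    fed an alert are consumed, so one burst yields one alert, not a cascade."""
    evs = sorted(events, key=lambda e: e.ts)
    alerts, start = [], 0
    for end, e in enumerate(evs):
        while evs[start].ts < e.ts - window:   # drop events older than the window
            start += 1
        group = evs[start:end + 1]
        if len({x.layer for x in group}) >= min_layers:
            alerts.append(group)
            start = end + 1
    return alerts


def alert_layers(alert: List[Event]) -> List[str]:
    """Distinct layers that contributed to an alert, sorted for stable reporting."""
    return sorted({e.layer for e in alert})


# Constructed sample feed: one genuine cross-layer burst plus single-layer noise
# that a per-layer threshold alone would flag as false positives.
SAMPLE_EVENTS = [
    Event(100, "hardware", "usb_mon", "unknown USB storage device enumerated"),
    Event(120, "application", "file_mon", "bulk read of files tagged CONFIDENTIAL"),
    Event(150, "network", "flow_mon", "45 MB outbound to previously unseen host"),
    Event(400, "network", "flow_mon", "large upload during scheduled backup window"),
    Event(500, "network", "dns_mon", "elevated NXDOMAIN rate"),
    Event(510, "network", "flow_mon", "long-lived outbound connection"),
    Event(1000, "application", "file_mon", "confidential file opened"),
    Event(1100, "network", "flow_mon", "large upload"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a[0].ts:.0f}-{a[-1].ts:.0f}s layers={alert_layers(a)}")
        for e in a:
            print(f"  [{e.layer}/{e.monitor}] {e.detail}")
```

Only the 100-150 s burst spans three layers, so it is the single alert; the network-only events at 400-510 s and the two events 100 s apart stay below the threshold.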