Behavior model for detecting data exfiltration in network environment

Ramachandran, Rajamenakshi; Neelakantan, Subramanian; Bidyarthy, Ajay Shankar

doi:10.1109/imsaa.2011.6156340

Cited by 12 publications

(14 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some of the data exfiltration detection approaches take into account both the network logs and the host logs to identify abnormal behaviour. For example, Ramachandran et al [156] develop a data exfiltration countermeasure system which relies on building a behaviour model of network traffic. They train their model on correlations between activity on a host (abnormal CPU and memory utilisation) and activity in the network, the grounding principle being that unusually-sized data transmissions are suspicious exfiltration behaviour when not correlated with the other indicators of hosts engaged in productive activity.…”

Section: Network + Host-based Anomaly Detectionmentioning

confidence: 99%

“…Flood & Keane [155] In use A framework that helps in detection of data exfiltration in multi-cloud system VM level attacks Network + Host-based Anomaly Ramachandran et al [156] In use/in transit Correlates the CPU activity with network activity and any large size data transfer which doesn't correlate with host CPU is considered exfiltration of data SQL Injection attack, XSS attack, Malware attacks, Phishing attack Myers et al [157] In use/in transit A combination of network and host-based analysis to detect exfiltration…”

Section: Sql Injection Attackmentioning

confidence: 99%

See 1 more Smart Citation

Data exfiltration: A review of external attack vectors and countermeasures

Ullah

Edwards

Ramdhany

et al. 2018

Journal of Network and Computer Applications

104

View full text Add to dashboard Cite

Context: One of the main targets of cyber-attacks is data exfiltration, which is the leakage of sensitive or private data to an unauthorized entity. Data exfiltration can be perpetrated by an outsider or an insider of an organization. Given the increasing number of data exfiltration incidents, a large number of data exfiltration countermeasures have been developed. These countermeasures aim to detect, prevent, or investigate exfiltration of sensitive or private data. With the growing interest in data exfiltration, it is important to review data exfiltration attack vectors and countermeasures to support future research in this field. Objective: This paper is aimed at identifying and critically analysing data exfiltration attack vectors and countermeasures for reporting the status of the art and determining gaps for future research. Method: We have followed a structured process for selecting 108 papers from seven publication databases. Thematic analysis method has been applied to analyse the extracted data from the reviewed papers. Results: We have developed a classification of (1) data exfiltration attack vectors used by external attackers and (2) the countermeasures in the face of external attacks. We have mapped the countermeasures to attack vectors. Furthermore, we have explored the applicability of various countermeasures for different states of data (i.e., in use, in transit, or at rest). Conclusion: This review has revealed that (a) most of the state of the art is focussed on preventive and detective countermeasures and significant research is required on developing investigative countermeasures that are equally important; (b) Several data exfiltration countermeasures are not able to respond in real-time, which specifies that research efforts need to be invested to enable them to respond in real-time (c) A number of data exfiltration countermeasures do not take privacy and ethical concerns into consideration, which may become an obstacle in their full adoption (d) Existing research is primarily focussed on protecting data in 'in use' state, therefore, future research needs to be directed towards securing data in 'in rest' and 'in transit' states (e) There is no standard or framework for evaluation of data exfiltration countermeasures. We assert the need for developing such an evaluation framework.

show abstract

Section: Network + Host-based Anomaly Detectionmentioning

confidence: 99%

Section: Sql Injection Attackmentioning

confidence: 99%

Data exfiltration: A review of external attack vectors and countermeasures

Ullah

Edwards

Ramdhany

et al. 2018

Journal of Network and Computer Applications

104

View full text Add to dashboard Cite

show abstract

“…For insider threat detection, Crawford and Peterson [140], Meng et al [141], and Chiu et al [142] used a methodology that is dependent on scanning the memory of running virtual machines, a Bayesian inference-based trust mechanism, and a frequent pattern outlier factor, respectively. The works [143][144][145][146][147] highlighted correlation coefficient methods and kernel density estimation (KDE) to determine CPU usage, a medium access layer MAC based solution, design science research to detect USB usage, a fuzzy multi-criteria aggregation method, and the hidden Markov model (HMM) and Baum-Welch algorithm to model resource misuse, respectively. Jaenisch and Handley [148] analyzed email and text features using the random forest algorithm, which identifies the various behaviors of suspicious users or their abnormal derivatives.…”

Section: Cyber Activity Behaviormentioning

confidence: 99%

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

et al. 2020

View full text Add to dashboard Cite

Insider threat has become a widely accepted issue and one of the major challenges in cybersecurity. This phenomenon indicates that threats require special detection systems, methods, and tools, which entail the ability to facilitate accurate and fast detection of a malicious insider. Several studies on insider threat detection and related areas in dealing with this issue have been proposed. Various studies aimed to deepen the conceptual understanding of insider threats. However, there are many limitations, such as a lack of real cases, biases in making conclusions, which are a major concern and remain unclear, and the lack of a study that surveys insider threats from many different perspectives and focuses on the theoretical, technical, and statistical aspects of insider threats. The survey aims to present a taxonomy of contemporary insider types, access, level, motivation, insider profiling, effect security property, and methods used by attackers to conduct attacks and a review of notable recent works on insider threat detection, which covers the analyzed behaviors, machine-learning techniques, dataset, detection methodology, and evaluation metrics. Several real cases of insider threats have been analyzed to provide statistical information about insiders. In addition, this survey highlights the challenges faced by other researchers and provides recommendations to minimize obstacles.

show abstract

“…Ramachandran et al [23] claim that their behaviorbased model can catch most network data exfiltration scenarios. They first learn the normal behavior of a system by using kernel density estimation methods on system features like memory consumption, CPU utilization and disk usage.…”

Section: Related Workmentioning

confidence: 99%

Detecting data exfiltration by integrating information across layers

Sharma

Joshi

Finin

2013

2013 IEEE 14th International Conference on Information Reuse &Amp; Integration (IRI)

View full text Add to dashboard Cite

Data exfiltration is the unauthorized leakage of confidential data from a system. Unlike intrusions that seek to overtly disable or damage a system, it is particularly hard to detect because it uses a variety of low/slow vectors and advanced persistent threats (APTs). It is often assisted (intentionally or not) by an insider who might be an employee who downloads a trojan or uses a hardware component that has been tampered with or acquired from an unreliable source. Conventional scan and test based detection approaches work poorly, especially for hardware with embedded trojans. We describe a framework to detect potential exfiltration events that actively monitors of a set of key parameters that cover the entire stack, from hardware to the application layer. An attack alert is generated only if several monitors detect suspicious activity within a short temporal window. The cross-layer monitoring and integration helps ensure accurate alerts with fewer false positives and makes designing a successful attack more difficult.

show abstract

Behavior model for detecting data exfiltration in network environment

Cited by 12 publications

References 5 publications

Data exfiltration: A review of external attack vectors and countermeasures

Data exfiltration: A review of external attack vectors and countermeasures

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

Detecting data exfiltration by integrating information across layers

Contact Info

Product

Resources

About