Data exfiltration and covert channels

Giani, Annarita; Berk, Vincent H.; Cybenko, George

doi:10.1117/12.670123

Cited by 46 publications

(30 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [5], it is shown how data can be exfiltrated by embedding sensitive information in conventional browser HTTP requests. In [6], the authors study exfiltration through covert channels. For instance, the rate of sending packets to a destination can be tuned such that the frequency or inter-arrival time of packets corresponds to an encoding of the data.…”

Section: Related Workmentioning

confidence: 99%

The optimization of situational awareness for insider threat detection

Brancik

Ghinita

2011

Proceedings of the First ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

In recent years, organizations ranging from defense and other government institutions to commercial enterprises, research labs, etc., have witnessed an increasing amount of sophisticated insider attacks that manage to bypass existing security controls. Insider threats are staged by either disgruntled employees, or employees engaged in malicious activities such as industrial espionage. The objectives of such threats range from sabotage, e.g., in order to disrupt the completion of a project, to exfiltration of sensitive data such as trade secrets, patents, etc. Insiders are often skilled and motivated individuals with good knowledge of internal security measures in the organization. They devise effective and carefully planned attacks, prepared over long periods of time and customized to inflict maximum damage. Such attacks are difficult to detect and protect against, because insiders have the proper credentials to access services and systems within the organization, and possess knowledge that may allow them to deceive network defense controls. As a result, a large number of hosts may be taken over, allowing malicious insiders to maintain control over the network even after leaving the organization.The objective of this study is to identify a high-level architecture and mechanisms for early detection and protection against insider threats. One of the main aspects we focus on is preventing data exfiltration, which is known to cost billions of dollars in losses annually. The goal is to either (i) detect attacks as they occur and prevent insiders from gaining control over the network, or (ii) detect early hosts and services that are compromised such that malware is prevented from spreading/morphing, hence insiders are no longer able to control the network or to exfiltrate sensitive data. We envision a data-intensive approach that leverages large amounts of events collected from a diverse set of sources such as network sensors, intrusion detection systems, service logs, as well as known attack databases (e.g., virus signature collections, digital artifacts), security and service logs, etc. The proposed approach aims to study and understand the relationships and correlations between events, with the purpose of detecting anomalous and/or malicious behavior.

show abstract

Section: Related Workmentioning

confidence: 99%

The optimization of situational awareness for insider threat detection

Brancik

Ghinita

2011

Proceedings of the First ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

show abstract

“…The following discussion shows how a timing covert channel can be constructed based on a beacon and argues that a naive encoding of covert messages based on packet inter-arrival times produces a clearly detectable distortion of the 1-order statistics of those time intervals in network traffic [39], [16]. We emphasize that this timing channel is merely an example and in no way meant to limit the applicability of these techniques.…”

Section: Background and Illustrative Examplesmentioning

confidence: 99%

Engineering Statistical Behaviors for Attacking and Defending Covert Channels

Crespi

Cybenko

Giani

2013

IEEE J. Sel. Top. Signal Process.

Self Cite

View full text Add to dashboard Cite

This paper develops techniques for attacking and defending behavioral anomaly detection methods commonly used in network traffic analysis and covert channels. The main new result is our demonstration of how to use a behavior's or process' -order statistics to build a stochastic process that has the same -order stationary statistics but possesses different, deliberately designed, -order statistics if desired. Such a model realizes a "complexification" of the process or behavior which a defender can use to monitor whether an attacker is shaping the behavior. We also describe a source coding technique that respects the -order statistics, including entropy which is a first order statistic for example, of a process while encoding information covertly, and we show how to achieve optimizing information rates. Although the main results and examples are stated in terms of behavioral anomaly detection for covert channels, the techniques are more generally applicable to behavioral anomaly analysis. One fundamental consequence of these results is that certain types of behavioral anomaly detection techniques come down to an arms race in the sense that the advantage goes to the party that has more computing resources applied to the problem.

show abstract

“…Giani et al [21] state in 'Data Exfiltration and Covert Channels': "While any comprehensive taxonomy of widelydiverse and overlapping members is bound to be subject to debate, we feel that this approach will be helpful to identifying abstractions of pathologies and weaknesses that are common to many methods. And this will allow a systematic development of defences and countermeasures independently of a specific platform or context in which specific exfiltration phenomena take place."…”

Section: ) Data Exfiltrationmentioning

confidence: 99%

Network Attack Analysis and the Behaviour Engine

Benham

Read

Sutherland

2013

Int. J. Com. Net. Tech.

View full text Add to dashboard Cite

Behaviour Engines allow the acquisition of tacit knowledge by using a learn-by-doing workflow and provide a direct interface between the expert user and the developing project code based on an intuitive justification-conclusion language; thus surpassing legacy policy engines by being a self developing and learning mechanism. This paper seeks to formulate the current state of the art in technology and processes and attempts to merge the application of ontological decision techniques of behaviour engines with network packet capture data, to detect data exfiltration attempts over covert channelling. The final goal of the research will be to develop a behaviour engine/intrusion detection solution for pre-emptive counter-measures to anomalous behaviour from within or without a network.speed.

show abstract

Data exfiltration and covert channels

Cited by 46 publications

References 4 publications

The optimization of situational awareness for insider threat detection

The optimization of situational awareness for insider threat detection

Engineering Statistical Behaviors for Attacking and Defending Covert Channels

Network Attack Analysis and the Behaviour Engine

Contact Info

Product

Resources

About