Detection and evaluation of data exfiltration

In this work we investigate the problem of detecting data exfiltration over HTTP and we propose different technical solutions to tackle it. We introduce a new anomaly-based detection approach for data exfiltration called passive application fingerprinting, which relies on fine-grained detection models to better identify anomalous connections. We show that our proposed system outperforms the current state-of-the-art solutions in terms of detection performance. Furthermore, we investigate the problem of victim-aware data exfiltration over HTTP, where an attackers mimic the victim's traffic to camouflage her presence. We show that none of existing detection solutions can accurately detect malicious communication while triggering few false alerts. The reason is that mimicked communication helps malicious traffic to not deviate from normal traffic, thereby breaking a fundamental assumption in detection systems. Consequently, we present honey traffic, a deception-based detection system to identify mimicked communication, without relying on the same assumptions as existing approaches. The main idea is to generate fake network messages that an attacker may mimic while observing the victim communication. If an attacker mimics fake messages, then a security monitor detects the attacker by identifying inconsistencies between the original and mimicked messages. We also present a technical solution for the impact evaluation of a data breach. Existing logging mechanisms are not reliable for impact evaluation because they can be tampered with by an attacker. The reason behind this is that machines are the sole responsible to generate the content of the log. Once they are compromised, it is not possible to know whether the content is legitimate or not. We present a distributed logging system to determine what has leaked after a data breach by combining threshold cryptography and Byzantine consensus protocols. Compared with related work, our system is more reliable in adversarial environments and more precise in determining what data has leaked.