Behavior model for detecting data exfiltration in network environment

Abstract

There is a growing concern across the globe about exfiltration of sensitive data over network. This coupled with the increase in other insider threats pose greater challenge. Present day perimeter security solutions such as Intrusion detection & prevention system, firewall are not capable of detecting data-exfiltration. Also existing behavior models that can detect intrusions and worms do not incorporate mechanims to detect data-exfiltration. Devising an exclusive behavior based model is essential to detect data-exfiltration over network by utilizing parameters from both system and network. In this paper, we present a behavior approach based on Kernel Density Estimation (KDE) and co-relation co-efficient methods to detect data-exfiltration. Firstly, during the learning phase, we profile each host in a network and compute KDE values individually for system and network parameters. Secondly, during the detection phase we compute KDEs for the identified parameters and then correlate current KDE values with the learnt KDE values using Carl Pearsons correlation coefficient method to detect data-exfiltration over the network. We present our approach, analysis and the findings based on our model. Results obtained reveal that our approach detect data-exfiltration incidents over the network.