Detection of data theft using fuzzy inference system

Abstract

One of the challenges in detection of data theft is the difficulty to distinguish copy operation from other type of access operations. Existing work in this area focuses on the stochastic model of filesystem behaviour to identify emergent patterns in MAC timestamps unique to copying. Such an approach produces lot of false positives because of the fact that patterns emerging due to copying are similar to other access operations like searching a file in folder, compressing a folder and scanning a folder by antivirus software. This paper proposes a technique that can be used to distinguish copy operation from other type of operations so that forensic analyst can concentrate on more relevant artefacts. The paper describes fuzzy inference system based technique that gives a confidence value to each cluster generated by stochastic forensic approach. Experimental results have shown that the false positives that are generated by the stochastic forensic approach can be filtered using the cluster confidence of our technique.