
PhD Defence Riccardo Bortolameotti

Detection and evaluation of data exfiltration

Riccardo Bortolameotti is a PhD student in the research group Services and Cybersecurity (SCS). His supervisors are prof.dr. P.H. Hartel and prof.dr. W. Jonker from the faculty of Electrical Engineering, Mathematics & Computer Science.

Nowadays data breaches are one of the most prominent cyber incidents affecting enterprises across all industries. These incidents are not only an issue for the finances and reputation of companies, but they are also a legal problem. According to data breach notification laws, companies are obliged to disclose incident details, including the number of affected individuals.

Thus, companies need technical solutions to detect data breaches and to evaluate their impact. The development of defensive mechanisms against data breaches is difficult because attackers deploy offensive techniques of increasing sophistication. This technical development is the consequence of the attacker's need to be stealthy, in order to perpetrate her offensive actions for a longer period of time. Currently, companies lack efficient defensive mechanisms to deal with such sophisticated attacks: (1) traditional detection systems do not effectively detect data exfiltration attacks, because they either cannot detect new and sophisticated attacks or they produce too many false alerts; (2) traditional logging systems are not designed to protect information from an attacker who has compromised parts of the system, and thus they cannot be relied upon for evaluating the impact of a data breach.

This thesis proposes technical systems that can help companies to better detect and evaluate data breaches despite the presence of sophisticated attacks. Concretely, we investigate the problem of detecting data exfiltration over HTTP and we propose different technical solutions to tackle it. Data exfiltration detection is a difficult problem because there are no clear predefined patterns to be identified. The attacker chooses how much data to hide, how to encode it, etc.

Attackers can further improve the stealthiness of their communication by mimicking the traffic of their victim. In this thesis we address both scenarios: non-mimicking and mimicking attacks.

In the setting of non-mimicking attacks, traditional signature-based detection solutions are not effective because they cannot detect unforeseen attacks. Similarly, existing anomaly-based detection systems rely on coarse-grained models that are imprecise and often miss malicious communication. Thus, we introduce a new anomaly-based detection approach for data exfiltration called passive application fingerprinting, which relies on fine-grained detection models to better identify anomalous connections. We show that our proposed system outperforms the current state-of-the-art solutions in terms of detection performance and evasion resistance. Moreover, we evaluate the current state-of-the-art detection systems against mimicking attackers over HTTP, and we show that none of them can accurately detect malicious communication while triggering few false alerts.
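The following is an added example, not code from the thesis, of the idea behind passive application fingerprinting in its simplest form: each application that talks HTTP from a host leaves a stable request shape (method, the names and order of its headers, its User-Agent), and a request that claims a known application but does not match any shape learned for it is reported as anomalous. The sample requests are constructed; the thesis's own models are more fine-grained than this three-field fingerprint.

```python
"""Passive application fingerprinting on constructed HTTP/1.1 requests.

Added example, not the thesis's own code. A fingerprint is assumed here to be
(method, ordered header names, User-Agent value); the detection models in the
thesis are richer. Requests below are constructed for illustration.
"""
from collections import defaultdict

# Constructed benign traffic: two browser requests and one software-updater request.
BENIGN_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Browser/1.0\r\n"
    "Accept: text/html\r\nAccept-Encoding: gzip\r\nConnection: keep-alive\r\n\r\n",
    "GET /news HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Browser/1.0\r\n"
    "Accept: text/html\r\nAccept-Encoding: gzip\r\nConnection: keep-alive\r\n\r\n",
    "GET /update.xml HTTP/1.1\r\nHost: updates.example.org\r\nUser-Agent: Updater/2.1\r\n"
    "Accept: */*\r\n\r\n",
]

# Constructed suspicious request: it reuses the browser's User-Agent string but
# carries a header set and order the browser never produces, plus an upload body.
SUSPICIOUS_REQUEST = (
    "POST /upload HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Browser/1.0\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 12\r\n\r\nQUJDREVGR0hJ"
)


def fingerprint(raw_request):
    """Return (method, ordered lowercase header names, user-agent) for a raw request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    names = []
    user_agent = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        names.append(name)
        if name == "user-agent":
            user_agent = value.strip()
    return (method, tuple(names), user_agent)


def learn(requests):
    """Learning phase: every fingerprint observed per application (keyed by User-Agent)."""
    model = defaultdict(set)
    for raw in requests:
        fp = fingerprint(raw)
        model[fp[2]].add(fp)
    return model


def is_anomalous(raw_request, model):
    """Anomalous when the application label is unknown, or is known but the full
    fingerprint was never seen for it during learning."""
    fp = fingerprint(raw_request)
    return fp not in model.get(fp[2], set())


if __name__ == "__main__":
    model = learn(BENIGN_REQUESTS)
    for raw in BENIGN_REQUESTS + [SUSPICIOUS_REQUEST]:
        print(fingerprint(raw)[0], fingerprint(raw)[2], "anomalous" if is_anomalous(raw, model) else "ok")
```

The point the example makes is why a coarse model misses this case: a detector that only checks the User-Agent, the destination host or the byte volume sees a request to a known host with a familiar application string, while the header-order fingerprint exposes it as coming from a different program.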

The reason is that mimicked communication keeps malicious traffic from deviating from normal traffic, thereby breaking a fundamental assumption of detection systems.

Consequently, we present honey traffic, a deception-based detection system to identify mimicked communication, without relying on the same assumptions as existing approaches. The main idea is to generate fake network messages that an attacker may mimic while observing the victim's communication. If an attacker mimics fake messages, then a security monitor detects the attacker by identifying inconsistencies between the original and mimicked messages.

We also present a technical solution for the impact evaluation of a data breach. Existing logging mechanisms are not reliable for impact evaluation because they can be tampered with by an attacker.
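As an added illustration of the honey traffic idea (not the thesis's own design or code), the monitor below emits decoy requests that carry a random token in a header, remembers which token went to which destination, and then checks every outbound request that carries such a token against its own records. The header name, the token scheme and the request representation are constructed assumptions for this example; what it shows is the detection step: a copied token that the monitor never issued, or one that reappears toward a different destination, is inconsistent with the original decoy and exposes the mimicking attacker.

```python
"""Honey traffic, illustrated with a decoy-token monitor.

Added example, not the thesis's own code. Assumed design: decoys are ordinary-
looking requests with a random token in a marker header (the name
X-Session-Token is a hypothetical choice); the monitor keeps a record of every
decoy it sent and classifies later requests that carry the marker.
"""
import secrets

MARKER = "x-session-token"  # hypothetical header name used to carry the decoy token


class HoneyTrafficMonitor:
    def __init__(self):
        self.issued = {}  # token -> (host, path) of the decoy that carried it

    def generate_decoy(self, host, path):
        """Build a decoy request and remember where it was sent."""
        token = secrets.token_hex(8)
        self.issued[token] = (host, path)
        return {
            "method": "GET",
            "host": host,
            "path": path,
            "headers": {"user-agent": "Browser/1.0", MARKER: token},
        }

    def inspect(self, request):
        """Classify an observed outbound request.

        Returns one of:
          "no-decoy-features"  - request carries none of the decoy's distinctive features
          "decoy"              - exactly the decoy the monitor sent
          "mimicked: ..."      - decoy features present but inconsistent with the original
        """
        token = request["headers"].get(MARKER)
        if token is None:
            return "no-decoy-features"
        original = self.issued.get(token)
        if original is None:
            return "mimicked: token never issued by the monitor"
        if original != (request["host"], request["path"]):
            return "mimicked: issued token reused toward a different destination"
        return "decoy"


def demo():
    """Constructed scenario: one decoy, one copy of it pointed at an attacker's host."""
    monitor = HoneyTrafficMonitor()
    decoy = monitor.generate_decoy("www.example.org", "/news")
    # A mimicking attacker who observed the decoy copies its headers verbatim
    # but sends the exfiltration request to a destination of her own.
    mimic = {"method": "POST", "host": "collector.example.net", "path": "/u",
             "headers": dict(decoy["headers"])}
    return monitor.inspect(decoy), monitor.inspect(mimic)


if __name__ == "__main__":
    print(demo())
```

The check does not depend on the malicious payload looking different from benign traffic, which is exactly the assumption that mimicking defeats; it depends only on the monitor knowing what it sent. An attacker who never copies the decoy features is not caught by this mechanism, which is why the thesis positions honey traffic as a complement to, not a replacement for, the passive detectors.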

The reason behind this is that the machines alone are responsible for generating the content of the log. Once they are compromised, it is not possible to know whether the content is legitimate or not. We present a distributed logging system to determine what has leaked after a data breach by combining threshold cryptography and Byzantine consensus protocols.

Compared with related work, our system is more reliable in adversarial environments and more precise in determining what data has leaked.

To conclude, our work reduces the technical gap for detecting data exfiltration over HTTP for non-mimicking attackers, by providing better solutions than the current state-of-the-art.

We provide insights into the inherent limitations of passive network monitoring solutions against mimicking attacks, specifically for a sub-category that we call victim-aware adaptive covert channels. Our work makes a step forward in addressing the open problem of detecting victim-aware adaptive covert channels by introducing the first detection mechanism for such threats. Finally, under certain assumptions, we solve the problem of determining what has leaked after a data breach in adversarial environments.