We propose a hybrid system framework for detecting, classifying, and mitigating malicious outbound network traffic flows, building on our prior work in botnet detection, security risk management, covert channel detection, and intrusion detection. In particular, we propose to develop a taxonomy of data exfiltration based on application classes and underlying protocols, select a representative set of data exfiltration methods from this taxonomy, develop sensors for detecting malicious outbound network traffic flows for the selected use cases, build a set of classifiers that fuse netflow sensor indicators, and research mitigation solutions. Performance metrics for our feasibility testing will be based on probability of detection, false alarm rate, and misclassification rate. The data leak and exfiltration threat is broad-based and evolving. While our proposed framework provides the extensibility required to respond to a diverse and dynamic range of adversary tactics, we will concentrate on two emerging threat vectors we believe are especially challenging and underrepresented in the cybersecurity community: the use of covert networks and of outbound DNS requests for data exfiltration. This capabilities-based focus takes direct aim at the botnet and cyber espionage attack types described as most likely to cause significant damage on the SANS Institute Top Ten Cyber Security Menaces for 2008 list.
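The sensor-plus-classifier step above (netflow sensors emitting indicators, a Bayesian classifier fusing them, and scoring by probability of detection and false alarm rate), applied to the outbound-DNS exfiltration vector, as an added example that is not part of the proposal or its authors' code: a naive Bayes fusion of three assumed DNS sensors over constructed flow records. The sensor thresholds, domain names, byte counts and labels are all illustrative assumptions.

```python
import math
from collections import Counter

# Constructed DNS flow records (not real traffic): (query name, bytes out, label 1 = exfiltration-style,
# 0 = ordinary). HEX has 16 distinct hex digits, so two copies form a 32-char label with entropy 4.0 bits/char.
HEX = "9f3a7c1e5b0d2846"
TRAIN = [
    ("www.example.com", 64, 0), ("mail.example.org", 68, 0), ("login.example.net", 66, 0),
    ("static-assets-eu-west-1.cdn.content-delivery-example.net", 90, 0),  # long but benign
    (HEX + HEX[::-1] + ".c1.tunnel-example.test", 150, 1), (HEX[::-1] + HEX + ".c2.tunnel-example.test", 160, 1),
    (HEX[8:] + HEX[:8] + HEX + ".c3.tunnel-example.test", 155, 1), (HEX + HEX + ".c4.tunnel-example.test", 170, 1),
]

def entropy(s):  # Shannon entropy of a string in bits per character
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

# Each sensor maps one flow to a boolean indicator; the thresholds are illustrative assumptions.
SENSORS = {
    "long_query": lambda qname, nbytes: len(qname) >= 50,
    "high_entropy": lambda qname, nbytes: entropy(qname.split(".")[0]) >= 3.5,
    "bulky_query": lambda qname, nbytes: nbytes >= 120,
}

def indicators(flow):
    return {name: sensor(flow[0], flow[1]) for name, sensor in SENSORS.items()}

def fit(flows):
    """Naive Bayes over sensor indicators: class prior and Laplace-smoothed P(sensor fires | class)."""
    n, hits = Counter(), {0: Counter(), 1: Counter()}
    for flow in flows:
        n[flow[2]] += 1
        hits[flow[2]].update(k for k, fired in indicators(flow).items() if fired)
    return {y: (n[y] / len(flows), {k: (hits[y][k] + 1) / (n[y] + 2) for k in SENSORS}) for y in (0, 1)}

def log_odds(model, flow):
    """log P(exfil | indicators) - log P(benign | indicators); every sensor contributes its evidence."""
    (prior0, p0), (prior1, p1) = model[0], model[1]
    score = math.log(prior1 / prior0)
    for k, fired in indicators(flow).items():
        score += math.log(p1[k] / p0[k]) if fired else math.log((1 - p1[k]) / (1 - p0[k]))
    return score

def evaluate(model, flows):
    """Feasibility metrics named in the abstract: probability of detection, false alarm, misclassification."""
    c = Counter((log_odds(model, f) > 0, f[2]) for f in flows)
    tp, fn, fp, tn = c[(True, 1)], c[(False, 1)], c[(True, 0)], c[(False, 0)]
    return {"pd": tp / (tp + fn), "false_alarm": fp / (fp + tn), "misclassification": (fp + fn) / len(flows)}

# Constructed held-out flows: the CDN name trips only long_query; the 95-byte chunk misses bulky_query.
TEST = [
    ("docs.example.com", 62, 0), ("static-assets-eu-west-2.cdn.content-delivery-example.net", 88, 0),
    (HEX[4:] + HEX[:4] + HEX[::-1] + ".c6.tunnel-example.test", 165, 1), (HEX + HEX + ".c7.tunnel-example.test", 95, 1),
]
```

Fusing several weak indicators is what keeps the long benign CDN name below the decision threshold while the small exfiltration chunk, which trips only two of three sensors, still scores positive; `evaluate(fit(TRAIN), TEST)` reports the detection and false alarm rates.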
Keywords: IDS System, Network Traffic Classification, Network Fingerprinting, Information Leakage, Data Exfiltration, Network Flow Sensors, Bayesian Classifiers, Covert Channel