SBIR-STTR Award

HYMONT, a Hybrid system framework for detecting, classifying, and mitigating Malicious Outbound Network Traffic flows
Award last edited on: 11/14/2013

Sponsored Program
STTR
Awarding Agency
DOD : OSD
Total Award Amount
$844,784
Award Phase
2
Solicitation Topic Code
OSD08-T001
Principal Investigator
Alper K Caglayan

Company Information

Milcord LLC

303 Wyman Street Suite 300
Waltham, MA 02451
(781) 839-7138
info@milcord.com
www.milcord.com

Research Institution

Dartmouth College

Phase I

Contract Number: W911NF-08-C-0140
Start Date: 9/19/2008    Completed: 3/18/2009
Phase I year
2008
Phase I Amount
$99,992
We propose a hybrid system framework for detecting, classifying, and mitigating Malicious Outbound Network Traffic flows based on our work in botnet detection, security risk management, covert channel detection and intrusion detection. In particular, we propose to develop a taxonomy of data exfiltration based on application classes and underlying protocols, select a representative set of data exfiltration methods from this taxonomy, develop sensors for detecting malicious outbound network traffic flows for the selected use cases, build a set of classifiers that fuse netflow sensor indicators, and research mitigation solutions. Performance metrics for our feasibility testing will be based on probability of detection, false alarm and misclassification rates. The data leak and exfiltration threat is broad-based and evolving. While our proposed framework provides the extensibility required to respond to a diverse and dynamic range of adversary tactics, we will concentrate on two emerging threat vectors we believe are especially challenging and underrepresented in the cybersecurity community – the use of covert networks and outbound DNS requests for data exfiltration. This capabilities-based focus takes direct aim at the botnet and Cyber Espionage attack types described as ‘most likely to cause significant damage’ on the SANS Institute ‘Top Ten Cyber Security Menaces for 2008’ list.

Keywords:
Ids System, Network Traffic Classification, Network Fingerprinting, Information Leakage, Data Exfiltration, Network Flow Sensors, Bayesian Classifiers, Covert Channel

Phase II

Contract Number: W911NF-10-C-0017
Start Date: 11/6/2009    Completed: 11/6/2011
Phase II year
2010
Phase II Amount
$744,792
In Phase I, Milcord LLC and Dartmouth College jointly researched and developed a software prototype that applies machine learning algorithms to contextual metadata and entropy-based sensors for the purpose of detecting data exfiltration on a computer network in real time while accurately distinguishing between legitimate and anomalous behavior. In particular, we built empirical belief indicators that weigh evidence for and against data exfiltration, stream entropy based indicators that compute the entropy of network protocol features and the conditional entropy among selected features, and Bayesian belief network based classifiers that fuse the outputs of these indicators into a data exfiltration decision. We evaluated our sensors by testing them on datasets containing simulated data exfiltration to prove the feasibility of our approach. In Phase II, we propose to build a full-scale flexible prototype that can be applied not only to known covert channels but also to any covert channel that is likely to emerge during the course of our project, and to evaluate the performance of the developed system on live, large-scale network traffic by implementing the developed algorithms on a state-of-the-art parallel supercomputer for near real-time analysis and on the emerging stream processing engines for real-time detection performance.
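The two abstracts describe the same pipeline twice: per-flow indicators (entropy of protocol features, evidence for and against exfiltration) fused by a Bayesian classifier into a decision. The block below is an added, self-contained illustration of that pipeline for the outbound-DNS case named in the Phase I abstract; it is not the project's code. It assumes a constructed sample of DNS queries, hypothetical thresholds and log-likelihood-ratio weights (a real system would estimate these from labelled traffic), and a simplified parent-domain rule (last two labels) where production code would consult the Public Suffix List. It also generalizes slightly beyond the text by adding a minimum-window guard so that a single query cannot trigger the uniqueness indicator.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of outbound DNS queries as (client_ip, query_name).
# Invented data for this example, not traffic from the project.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "www.example.com"),
    # Each label below is a distinct 16-character hex chunk, the shape that
    # chunked, encoded exfiltration over DNS tends to produce.
    ("10.0.0.7", "3a7f0c9e2b8d1546.files.example.net"),
    ("10.0.0.7", "b1e4a9d0f3c72586.files.example.net"),
    ("10.0.0.7", "c0f5e1a8d2b93746.files.example.net"),
    ("10.0.0.7", "d8a2c6e0b4f19753.files.example.net"),
    ("10.0.0.7", "e5b7d3f9a1c04628.files.example.net"),
    ("10.0.0.9", "www.example.com"),
]

# Hypothetical thresholds and log2 likelihood ratios (evidence weights).
# A deployed sensor would learn these from labelled traffic.
PRIOR_LOG_ODDS = -3.0          # exfiltration is assumed rare a priori
MIN_QUERIES = 3                # too few queries: uniqueness says nothing
ENTROPY_THRESHOLD = 3.5        # bits per character of the leftmost label
UNIQUE_RATIO_THRESHOLD = 0.9
LABEL_LEN_THRESHOLD = 12


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of a string (0.0 for empty)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (leftmost_label, parent_domain).

    The parent is approximated as the last two labels (assumption); a real
    sensor would use the Public Suffix List so example.co.uk is handled.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def indicators(qnames):
    """Per-window features: mean label entropy, unique ratio, mean label length."""
    leftmost = [split_query(q)[0] for q in qnames]
    n = len(qnames)
    return {
        "n": n,
        "label_entropy": sum(shannon_entropy(l) for l in leftmost) / n,
        "unique_ratio": len(set(qnames)) / n,
        "label_len": sum(len(l) for l in leftmost) / n,
    }


def evidence(feat):
    """Map each indicator to a log2 likelihood ratio for/against exfiltration."""
    e = {"label_entropy": 2.0 if feat["label_entropy"] >= ENTROPY_THRESHOLD else -1.0}
    if feat["n"] < MIN_QUERIES:
        e["unique_ratio"] = 0.0    # insufficient evidence: stay neutral
    else:
        e["unique_ratio"] = 2.0 if feat["unique_ratio"] >= UNIQUE_RATIO_THRESHOLD else -1.0
    e["label_len"] = 1.0 if feat["label_len"] >= LABEL_LEN_THRESHOLD else -0.5
    return e


def analyze(queries):
    """Group queries by (client, parent domain), fuse evidence, decide per window."""
    windows = defaultdict(list)
    for client, qname in queries:
        windows[(client, split_query(qname)[1])].append(qname)
    report = {}
    for key, qnames in windows.items():
        feat = indicators(qnames)
        ev = evidence(feat)
        log_odds = PRIOR_LOG_ODDS + sum(ev.values())   # naive-Bayes style fusion
        report[key] = {**feat, "evidence": ev, "log_odds": log_odds, "exfil": log_odds > 0}
    return report


if __name__ == "__main__":
    for (client, parent), r in analyze(SAMPLE_QUERIES).items():
        verdict = "EXFIL?" if r["exfil"] else "ok"
        print(f"{client:>10} {parent:<12} H={r['label_entropy']:.2f} "
              f"uniq={r['unique_ratio']:.2f} len={r['label_len']:.1f} "
              f"log_odds={r['log_odds']:+.1f} {verdict}")
```

Running it flags only the 10.0.0.7 window against example.net: its labels carry 4.0 bits per character, every query is unique, and labels are long, so the combined evidence overcomes the skeptical prior. The 10.0.0.5 window looks like ordinary browsing on every indicator, and the single query from 10.0.0.9 stays below the minimum window size, which is why the uniqueness indicator contributes nothing for it rather than counting one unique query as a 100% ratio.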

Keywords:
Data Exfiltration, Data Loss Prevention, Covert Channel, Stream Entropy Estimation, Malicious Networ