Detecting target data in network traffic
17Mar_Haycraft_Aaron.pdf (666.5Kb)Abstract
Data exfiltration over a network poses a threat to confidential information. Due to the possibility of malicious insiders, this threat is especially difficult to mitigate. Our goal is to contribute to the development of a method to detect exfiltration of many targeted files without incurring the full cost of reassembling flows. One strategy for accomplishing this would be to implement an approximate matching scheme that attempts to determine whether a file is being transmitted over the network by analyzing the quantity of payload data that matches fragments of the targeted file. Ourwork establishes the basic feasibility of such an approach by matching Transmission Control Protocol (TCP) payloads of traffic containing exfiltrated data against a database of MD5 hashes, each representing a fragment of our target data. We tested against a database of 415 million fragment hashes, where the length of the fragments was chosen to be smaller than the payload size expected for most common Maximum Transmission Units (MTUs), and we simulated exfiltration by sending a sample of our targeted data across the network along with other non-target files representing noise. We demonstrate that under these conditions, we are able to detect the targeted content with a recall of 98.3% and precision of 99.1%.
Rights
Copyright is reserved by the copyright owner.Collections
Related items
Showing items related by title, author, creator and subject.
-
Expeditionary Mine Countermeasures (ExMCM) C4I Requirements (Continuation)
(Monterey, California: Naval Postgraduate SchoolMonterey, California. Naval Postgraduate School, 2019-12); NPS-19-N065-AThe ExMCM is a broad program providing an innovative approach to the Mine Warfare mission area, required to operate with both U.S Navy and U.S. Marine Corps forces. The large number of sonar imagery files (from the MK18 ... -
The multi-lingual database system
(Monterey, California. Naval Postgraduate School, 1986-02); NPS52-86-011In the past, the design and implementation of a database system has followed a rather conventional approach. First, a specific data model for the database system is chosen. Second, a corresponding model-based data language ... -
SOCIAL NETWORK ANALYSIS: ENHANCING THREAT ASSESSMENTS FOR TARGETED VIOLENCE
(Monterey, CA; Naval Postgraduate School, 2020-06);This research applies social network analysis and social identity theory to threat assessment investigations of subjects who commit acts of targeted violence. It provides a framework for understanding the expanding threat ...
