Malicious Outbound Network Traffic Flow Detection

From MilcordWiki


Overview

Covert channels pose multiple threats, including intellectual property and identity theft, a delivery channel for malicious code, and a signaling/control channel for botnets. HYMONT detects and classifies outbound network flows that are indicative of data exfiltration.

Need

Botnet and cyber espionage attack types are described as ‘most likely to cause significant damage’ on the SANS Institute ‘Top Ten Cyber Security Menaces for 2008’ list. Covert channels provide a stealthy means for data exfiltration and include several techniques: storage covert channels, where data is written to storage by one process and read by another; timing channels, which modulate the time between sent packets and encode the data in the inter-packet delays; the use of header fields in IP and application layer protocols (IP, TCP, UDP, and ICMP) as a storage transport for data; and the use of ACK frames for encoding and decoding exfiltrated data.

Approach

HYMONT Sensor Architecture
  • Build information theoretic entropy estimation sensors
  • Build meta-data based short-term statistics sensors
  • Build a classifier to fuse the sensors and other contextual indicators
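The following is an added example, not HYMONT's code or a description of its actual sensors. It sketches the three-part approach above, and the covert channel techniques listed under Need, as toy detectors over constructed flow records: an entropy sensor over outbound payload bytes, a timing sensor that measures how concentrated the inter-packet gaps are (a delay-modulated channel reuses a small alphabet of gap values, natural traffic does not), a short-term metadata statistic (upload ratio), and a rule-based fusion step that adds one contextual indicator (whether cleartext is expected on that port). The `Flow` record, the thresholds and both sample flows are assumptions constructed for the example.

```python
"""
Toy covert-channel sensors in the spirit of the three-part HYMONT approach
(entropy sensor, short-term statistics sensor, fusing classifier).
Added example, not HYMONT code; record format, thresholds and sample flows
are constructed.
"""
from collections import Counter
from dataclasses import dataclass
import math


@dataclass
class Flow:
    """One outbound flow as a sensor would see it (constructed record format)."""
    dst: str
    dst_port: int
    payload: bytes            # concatenated outbound payload bytes
    timestamps_ms: list       # packet send times in milliseconds
    bytes_in: int             # reverse-direction volume, for the ratio statistic
    expects_plaintext: bool   # contextual indicator: is cleartext normal here?


def shannon_entropy(symbols) -> float:
    """Shannon entropy in bits of an iterable of hashable symbols."""
    symbols = list(symbols)
    if not symbols:
        return 0.0
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def payload_entropy(flow: Flow) -> float:
    """Entropy sensor: bits per byte of outbound payload (maximum 8.0).
    Encrypted or compressed data sits near 8; cleartext protocols sit well below."""
    return shannon_entropy(flow.payload)


def gap_concentration(flow: Flow, bin_ms: int = 10, top_k: int = 2) -> float:
    """Timing sensor: share of inter-packet gaps that fall into the top_k most
    common gap bins. Natural traffic spreads its gaps over many bins; a channel
    that encodes data in the delays reuses a few values, pushing this toward 1.0."""
    ts = flow.timestamps_ms
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0
    bins = Counter(g // bin_ms for g in gaps)
    return sum(c for _, c in bins.most_common(top_k)) / len(gaps)


def upload_ratio(flow: Flow) -> float:
    """Short-term metadata statistic: outbound payload bytes per inbound byte.
    Exfiltration is upload-heavy; ordinary client traffic is download-heavy."""
    return len(flow.payload) / max(flow.bytes_in, 1)


def classify(flow: Flow) -> dict:
    """Rule-based fusion of the sensors with the contextual indicator.
    Thresholds are constructed for the example; a deployed classifier would be
    trained on labelled flows rather than hand-set."""
    indicators = {
        "high_entropy_on_plaintext_port":
            flow.expects_plaintext and payload_entropy(flow) > 7.0,
        "quantized_timing": gap_concentration(flow) >= 0.8,
        "upload_heavy": upload_ratio(flow) > 5.0,
    }
    hits = sum(indicators.values())
    return {"dst": flow.dst, "indicators": indicators, "hits": hits,
            "verdict": "suspicious" if hits >= 2 else "benign"}


# Constructed sample flows (not captured traffic).
BENIGN = Flow(
    dst="10.0.0.5", dst_port=80,
    payload=b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    timestamps_ms=[0, 13, 51, 122, 146, 242, 294, 411, 498],  # irregular gaps
    bytes_in=40_000, expects_plaintext=True)

SUSPECT = Flow(
    dst="203.0.113.9", dst_port=80,
    payload=bytes(range(256)) * 64,   # every byte value equally likely: 8.0 bits/byte
    timestamps_ms=[0, 20, 80, 100, 160, 180, 240, 260, 320],  # gaps alternate 20/60 ms
    bytes_in=200, expects_plaintext=True)


if __name__ == "__main__":
    for flow in (BENIGN, SUSPECT):
        print(classify(flow))
```

Run as a script it prints one verdict per flow: the cleartext request scores no indicators, while the constructed high-entropy, upload-heavy flow with two-valued timing trips all three. The point of the fusion step is that none of the sensors is conclusive alone (TLS is also high-entropy, backups are also upload-heavy); it is the combination with context that separates the two flows.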

Benefits

  • Government:
    • Information record protection against stealthy exfiltration techniques
  • Commercial:
    • Enterprise intellectual property protection against theft

Applications

  • Military: Adaptable Intelligent Malfaisance Detection
  • Civilian: Vulnerability Detection and Management
