A multilayer framework to catch data exfiltration.

摘要

Data exfiltration is the unauthorized leakage of confidential data from a particular system. It is a specific form of intrusion that is particularly hard to catch due to the most common cause: an insider entity who is responsible for the leak. That entity could be a person employed in the organization or a malicious hardware component bought from an unreliable third party. Catching such intrusions, therefore, can be extremely difficult. We describe a framework comprising multiple parameters that are constantly monitored in a system. These parameters can cover the entire stack of the computer architecture, from the hardware up to the application layer. Malicious behavior is detected by different modules monitoring these parameters and an aggregated attack alert is produced if multiple modules detect malicious activity within a short period of time. A more distributed and comprehensive monitoring framework should ensure that designing an attack becomes extremely difficult since an attack must go through multiple detectors present in the system without raising any alarms.