Data exfiltration detection and prevention: Virtually distributed POMDPs for practically safer networks
We address the challenge of detecting and addressing advanced persistent threats (APTs) in a computer network, focusing in particular on the challenge of detecting data exfiltration over Domain Name System (DNS) queries, where existing detection sensors are imperfect and lead to noisy observations a...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2016
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4665 https://ink.library.smu.edu.sg/context/sis_research/article/5668/viewcontent/Data_ExfiltrationPaper_1_.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5668 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-56682020-01-02T07:14:27Z Data exfiltration detection and prevention: Virtually distributed POMDPs for practically safer networks MC CARTHY, Sara Marie SINHA, Arunesh TAMBE, Milind MANADHATA, Pratyusa We address the challenge of detecting and addressing advanced persistent threats (APTs) in a computer network, focusing in particular on the challenge of detecting data exfiltration over Domain Name System (DNS) queries, where existing detection sensors are imperfect and lead to noisy observations about the network’s security state. Data exfiltration over DNS queries involves unauthorized transfer of sensitive data from an organization to a remote adversary through a DNS data tunnel to a malicious web domain. Given the noisy sensors, previous work has illustrated that standard approaches fail to satisfactorily rise to the challenge of detecting exfiltration attempts. Instead, we propose a decision-theoretic technique that sequentially plans to accumulate evidence under uncertainty while taking into account the cost of deploying such sensors. More specifically, we provide a fast scalable POMDP formulation to address the challenge, where the efficiency of the formulation is based on two key contributions: (i) we use a virtually distributed POMDP (VD-POMDP) formulation, motivated by previous work in distributed POMDPs with sparse interactions, where individual policies for different sub-POMDPs are planned separately but their sparse interactions are only resolved at execution time to determine the joint actions to perform; (ii) we allow for abstraction in planning for speedups, and then use a fast MILP to implement the abstraction while resolving any interactions. This allows us to determine optimal sensing strategies, leveraging information from many noisy detectors, and subject to constraints imposed by network topology, forwarding rules and performance costs on the frequency, scope and efficiency of sensing we can perform. 2016-11-02T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4665 info:doi/10.1007/978-3-319-47413-7_3 https://ink.library.smu.edu.sg/context/sis_research/article/5668/viewcontent/Data_ExfiltrationPaper_1_.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Databases and Information Systems |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Databases and Information Systems |
| spellingShingle |
Databases and Information Systems MC CARTHY, Sara Marie SINHA, Arunesh TAMBE, Milind MANADHATA, Pratyusa Data exfiltration detection and prevention: Virtually distributed POMDPs for practically safer networks |
| description |
We address the challenge of detecting and addressing advanced persistent threats (APTs) in a computer network, focusing in particular on the challenge of detecting data exfiltration over Domain Name System (DNS) queries, where existing detection sensors are imperfect and lead to noisy observations about the network’s security state. Data exfiltration over DNS queries involves unauthorized transfer of sensitive data from an organization to a remote adversary through a DNS data tunnel to a malicious web domain. Given the noisy sensors, previous work has illustrated that standard approaches fail to satisfactorily rise to the challenge of detecting exfiltration attempts. Instead, we propose a decision-theoretic technique that sequentially plans to accumulate evidence under uncertainty while taking into account the cost of deploying such sensors. More specifically, we provide a fast scalable POMDP formulation to address the challenge, where the efficiency of the formulation is based on two key contributions: (i) we use a virtually distributed POMDP (VD-POMDP) formulation, motivated by previous work in distributed POMDPs with sparse interactions, where individual policies for different sub-POMDPs are planned separately but their sparse interactions are only resolved at execution time to determine the joint actions to perform; (ii) we allow for abstraction in planning for speedups, and then use a fast MILP to implement the abstraction while resolving any interactions. This allows us to determine optimal sensing strategies, leveraging information from many noisy detectors, and subject to constraints imposed by network topology, forwarding rules and performance costs on the frequency, scope and efficiency of sensing we can perform. |
| format |
text |
| author |
MC CARTHY, Sara Marie SINHA, Arunesh TAMBE, Milind MANADHATA, Pratyusa |
| author_facet |
MC CARTHY, Sara Marie SINHA, Arunesh TAMBE, Milind MANADHATA, Pratyusa |
| author_sort |
MC CARTHY, Sara Marie |
| title |
Data exfiltration detection and prevention: Virtually distributed POMDPs for practically safer networks |
| title_short |
Data exfiltration detection and prevention: Virtually distributed POMDPs for practically safer networks |
| title_full |
Data exfiltration detection and prevention: Virtually distributed POMDPs for practically safer networks |
| title_fullStr |
Data exfiltration detection and prevention: Virtually distributed POMDPs for practically safer networks |
| title_full_unstemmed |
Data exfiltration detection and prevention: Virtually distributed POMDPs for practically safer networks |
| title_sort |
data exfiltration detection and prevention: virtually distributed pomdps for practically safer networks |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2016 |
| url |
https://ink.library.smu.edu.sg/sis_research/4665 https://ink.library.smu.edu.sg/context/sis_research/article/5668/viewcontent/Data_ExfiltrationPaper_1_.pdf |
| _version_ |
1770574957780140032 |