ExFILD: a tool for the detection of data exfiltration using entropy and encryption characteristics of network traffic
Date
2010
Publisher
University of Delaware
Abstract
The twin goals of easy communication and privacy protection have always
been in conflict. Everyone can agree that important information such as social
security numbers, credit card numbers, proprietary information, and classified
government information should not be shared with untrusted and unknown entities. The
Internet makes it rather simple for an attacker to steal this information from even
security conscious users without the victims ever discovering the theft. All it takes
is one lapse in judgment and an attacker can have access to sensitive information.
Currently the computer and network security industry places its focus on
tools and techniques that are concerned with what is entering a system rather than
what is exiting it, yet there is no good reason not to inspect outgoing traffic as well.
The success and effectiveness of many attacks rely heavily on traffic leaving the
computer system. Outgoing traffic is just as important to inspect as incoming traffic,
if not more so, in order to detect attacks involving the theft of confidential
information or interaction between the attacker and the victim's computer systems.
Frequently recurring data breaches reinforce the necessity of tools and techniques
capable of alerting users when data is being exfiltrated from their computer systems.
This thesis explores the use of entropy characteristics of network traffic to
ascertain whether egress traffic from computer systems is encrypted. Inspecting
network traffic at the session level instead of the packet level is proposed to
improve the accuracy of the entropy values, since a single small packet contains too
few bytes for its entropy to reflect the stream it belongs to. The thesis establishes
that entropy can indeed be used as an accurate metric of the traffic's actual state
of encryption.
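The session-level entropy check described in the abstract, as an added worked example that is not code from the thesis or from the ExFILD tool: it computes the Shannon entropy of each packet payload and of the reassembled session for a constructed plaintext HTTP upload and a constructed stand-in for an encrypted stream, and shows why the per-packet value is unreliable. An n-byte sample can never exceed log2(min(n, 256)) bits per byte, so 40-byte segments of perfectly random data score at most about 5.3 bits and would be judged plaintext, while the same bytes reassembled into the session score close to 8. The 7.0 bits/byte decision threshold, the 40-byte segment size and the SHA-256-chained pseudo-ciphertext are assumptions chosen for illustration, not parameters taken from the thesis.

```python
"""Per-packet versus per-session Shannon entropy of egress payloads (added example)."""
import hashlib
import math
from collections import Counter

# Assumed decision threshold in bits per byte; not a value from the thesis.
ENCRYPTED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_entropy_for_length(n: int) -> float:
    """Upper bound on the entropy of an n-byte sample: log2(min(n, 256))."""
    return math.log2(min(n, 256)) if n > 0 else 0.0


def segment(stream: bytes, mss: int):
    """Split a session's byte stream into packet-sized payloads (constructed TCP segments)."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def packet_entropies(payloads):
    """Entropy of each packet payload on its own."""
    return [shannon_entropy(p) for p in payloads]


def session_entropy(payloads):
    """Entropy over the reassembled session (all payloads concatenated)."""
    return shannon_entropy(b"".join(payloads))


def is_encrypted(entropy: float, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    return entropy >= threshold


def pseudo_ciphertext(nbytes: int, seed: bytes = b"exfild-demo") -> bytes:
    """Deterministic stand-in for TLS record bytes: a chained SHA-256 keystream.
    Constructed for the example so the run is reproducible offline."""
    out = bytearray()
    block = seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:nbytes])


def analyse(payloads, threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """Compare the per-packet verdicts with the session-level verdict."""
    per_pkt = packet_entropies(payloads)
    flagged = sum(1 for h in per_pkt if is_encrypted(h, threshold))
    sess = session_entropy(payloads)
    return {
        "packets": len(payloads),
        "packet_max_entropy": max(per_pkt) if per_pkt else 0.0,
        "packet_flagged_fraction": flagged / len(payloads) if payloads else 0.0,
        "session_entropy": sess,
        "session_encrypted": is_encrypted(sess, threshold),
    }


# Constructed sample sessions (not captured traffic).
PLAINTEXT_SESSION = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.com\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 2400\r\n\r\n"
    + b"Customer record: name=Jane Doe; card=4111-1111-1111-1111; notes=renewal due March.\n" * 30
)
ENCRYPTED_SESSION = pseudo_ciphertext(4000)
SEGMENT_SIZE = 40  # assumed small segment size to expose the per-packet bias


def demo():
    return {
        "plaintext": analyse(segment(PLAINTEXT_SESSION, SEGMENT_SIZE)),
        "encrypted": analyse(segment(ENCRYPTED_SESSION, SEGMENT_SIZE)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for k, v in result.items():
            print(f"  {k}: {v:.3f}" if isinstance(v, float) else f"  {k}: {v}")
```

Run it as a script to see that every 40-byte segment of the pseudo-ciphertext stays under the 7.0 threshold (none is flagged), while the reassembled encrypted session lands near 8 bits per byte and the plaintext session stays well below 6. The same bias, in milder form, affects even MTU-sized packets, which is why reassembling the session before measuring entropy gives a more reliable verdict.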