Please use this identifier to cite or link to this item:
http://hdl.handle.net/10603/208292
Title: | An Integrated Approach for Detection and Classification of Data Exfiltration Anomalies Based on Host Behaviours in Network Environment |
Researcher: | Rajamenakshi R |
Guide(s): | Padmavathi G |
Keywords: | Data Exfiltration, Classification, Detection, Behavior based |
University: | Avinashilingam Deemed University For Women |
Completed Date: | 13-07-2018 |
Abstract: | Network security has been an important area of research for many decades. Recent network attacks are more dynamic in nature and leave no trace of the attack. Zero day attacks and Advanced Persistent Threat (APT) attacks are the multi-stage attacks of the present day that lead to data exfiltration. These attacks are targeted for various reasons and have a huge impact on the organization in terms of financial loss, loss of repudiation and loss of intellectual property. Current day attacks exploit the gaps and inconsistencies in the existing system. The present day perimeter and end-point security solutions are not designed to handle the current day attacks. The cyber-crime reports show a substantial increase in spending in recent times, affecting various industry sectors. Although there are data exfiltration anomaly detection methods that explore different attack indicators for identifying anomalies, these methods do not converge or provide an integrated and consolidated view of the data exfiltration anomalies that are present. Moreover, data exfiltration attacks are staged on the compromised host, and hence any significant change in the behaviour of the host can indicate an attack. The anomaly detection approach based on the network and system behaviour of the host, along with the threats posed by the host, is studied. Based on the challenges posed by data exfiltration attacks and the research gaps that exist, the objectives of this research work are formulated after studying significant literature. This research work is based on detecting data exfiltration attacks using network flows in unencrypted data and over physical devices. A five step methodology is proposed with four contributions to meet the objectives of the thesis. Data exfiltration detection is proposed based on host network behaviours that combine host network and system behaviour based features. |
Pagination: | 147 p. |
URI: | http://hdl.handle.net/10603/208292 |
Appears in Departments: | Department of Computer Science |
Files in This Item:
File | Description | Size | Format | |
---|---|---|---|---|
01. title.pdf | Attached File | 303.39 kB | Adobe PDF | View/Open |
02. certificate.pdf | | 566.44 kB | Adobe PDF | View/Open |
03. acknowledgement.pdf | | 209.9 kB | Adobe PDF | View/Open |
04. contents.pdf | | 404.86 kB | Adobe PDF | View/Open |
05. list of tables, figures & acronyms.pdf | | 817.14 kB | Adobe PDF | View/Open |
06. chapter1.pdf | | 855.75 kB | Adobe PDF | View/Open |
07. chapter2.pdf | | 636.94 kB | Adobe PDF | View/Open |
08. chpater3.pdf | | 566.83 kB | Adobe PDF | View/Open |
09. chapter4.pdf | | 1.45 MB | Adobe PDF | View/Open |
10. chapter5.pdf | | 1.38 MB | Adobe PDF | View/Open |
11. chapter6.pdf | | 1.07 MB | Adobe PDF | View/Open |
12. chapter7.pdf | | 1.27 MB | Adobe PDF | View/Open |
13. chapter8.pdf | | 616.5 kB | Adobe PDF | View/Open |
14. .references.pdf | | 609.68 kB | Adobe PDF | View/Open |
15. annexures.pdf | | 1.34 MB | Adobe PDF | View/Open |
Items in Shodhganga are licensed under Creative Commons Licence Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0).