Towards mechanisms for detection and prevention of data exfiltration by insiders

Elisa Bertino*, Gabriel Ghinita

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

44 Citations (Scopus)

Abstract

Data represent an extremely important asset for any organization. Confidential data such as military secrets or intellectual property must never be disclosed outside the organization. Therefore, one of the most severe threats in the case of cyber-insider attacks is the loss of confidential data due to exfiltration. A malicious insider who has the proper credentials to access the organization's databases may, over time, send data outside the organization's network through a variety of channels, such as email or crafted HTTP requests that encapsulate data. Existing security tools for detection of cyber-attacks focus on protecting the boundary between the organization and the outside world. Numerous network-level intrusion detection systems (IDS) exist, which monitor traffic patterns and attempt to infer anomalous behavior. While such tools may be effective in protecting against external attacks, they are less suitable when the data exfiltration is performed by an insider who has the proper credentials and authorization to access resources within the organization. In this paper, we argue that DBMS-layer detection and prevention systems are the best alternative to defend against data exfiltration because: (1) DBMS access is performed through a standard, unique language (SQL) with well-understood semantics; (2) monitoring the potential disclosure of confidential data is more effective if done as close as possible to the data source; and (3) the DBMS layer already has in place a thorough mechanism for enforcing access control based on subject credentials. By analyzing the pattern of interaction between subjects and the DBMS, it is possible to detect anomalous activity that is indicative of early signs of exfiltration. In the paper, we outline a taxonomy of the dimensions of cyber-insider activity that are indicative of data exfiltration, and we discuss a high-level architecture and mechanisms for early detection of exfiltration by insiders.
We also outline a virtualization-based mechanism that prevents insiders from exfiltrating data, even in the case when they manage to gain control over the network. The protection mechanism relies on explicit authorization of data transfers that cross the organizational boundary.
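The abstract's central claim is that subject-to-DBMS interaction patterns carry early signs of exfiltration: a credentialed insider typically starts touching tables outside their normal working set, pulling unusually large result sets, or draining a table slowly through many small queries. The following toy detector, added here as an illustration and not taken from the paper (whose architecture and taxonomy are not reproduced on this page), shows what such DBMS-layer monitoring looks like in practice. It builds a per-subject baseline from a constructed audit log (the `user|rows_returned|sql` line format, the sample queries and the thresholds are all assumptions of this example), then scores a second window of queries against that baseline.

```python
"""Toy DBMS-layer exfiltration detector over a constructed SQL audit log.

Added illustration, not the paper's mechanism. The log format
"user|rows_returned|sql", the sample queries and the thresholds are
assumptions made for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed baseline window: normal activity used to learn each subject's profile.
BASELINE_LOG = [
    "alice|12|SELECT id, total FROM orders WHERE customer_id = 42",
    "alice|1|SELECT name FROM customers WHERE id = 42",
    "alice|20|SELECT o.id, c.name FROM orders o JOIN customers c "
    "ON o.customer_id = c.id WHERE o.day = '2011-03-22'",
    "bob|50|SELECT sku, qty FROM inventory WHERE shelf = 3",
    "bob|8|SELECT sku FROM inventory WHERE qty < 5",
]

# Constructed detection window: contains the three insider patterns plus an unknown subject.
WINDOW_LOG = (
    ["alice|1|SELECT id, total FROM orders WHERE id = 9001",          # normal
     "alice|30|SELECT name, salary FROM salaries",                     # table outside baseline
     "alice|5000|SELECT * FROM customers"]                             # bulk result set
    + [f"bob|45|SELECT sku, qty FROM inventory WHERE shelf = {i}"      # low and slow drain
       for i in range(12)]
    + ["mallory|3|SELECT id FROM orders WHERE id = 1"]                 # no profile at all
)

# Tables named after FROM or JOIN; good enough for the simple SQL in this example.
TABLE_RE = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_.]*)", re.IGNORECASE)


def tables_in(sql: str) -> set:
    return {t.lower() for t in TABLE_RE.findall(sql)}


def parse(line: str):
    user, rows, sql = line.split("|", 2)
    return user.strip(), int(rows), sql.strip()


@dataclass
class Profile:
    tables: set = field(default_factory=set)   # working set of tables seen in baseline
    max_rows: int = 0                          # largest single result set in baseline


def build_profiles(lines):
    """Learn one Profile per subject from baseline audit lines."""
    profiles = defaultdict(Profile)
    for line in lines:
        user, rows, sql = parse(line)
        p = profiles[user]
        p.tables |= tables_in(sql)
        p.max_rows = max(p.max_rows, rows)
    return profiles


def detect(profiles, lines, rows_factor=5, cumulative_factor=10):
    """Return (user, reason, sql) alerts for queries deviating from the baseline."""
    alerts, window_rows, cumulative_flagged = [], defaultdict(int), set()
    for line in lines:
        user, rows, sql = parse(line)
        p = profiles.get(user)          # .get() does not create a default entry
        if p is None:
            alerts.append((user, "unknown-subject", sql))
            continue
        new_tables = tables_in(sql) - p.tables
        if new_tables:
            alerts.append((user, "new-table:" + ",".join(sorted(new_tables)), sql))
        if rows > rows_factor * max(p.max_rows, 1):
            alerts.append((user, f"result-size:{rows}", sql))
        # Many small queries that each look normal but together drain far more
        # than the subject's largest baseline result set.
        window_rows[user] += rows
        if (user not in cumulative_flagged
                and window_rows[user] > cumulative_factor * max(p.max_rows, 1)):
            cumulative_flagged.add(user)
            alerts.append((user, f"cumulative:{window_rows[user]}", sql))
    return alerts


if __name__ == "__main__":
    for user, reason, sql in detect(build_profiles(BASELINE_LOG), WINDOW_LOG):
        print(f"{user:8} {reason:24} {sql[:50]}")
```

Two design points are worth noting. The per-query checks (new table, oversized result) are the ones a network IDS cannot make, because it sees neither the subject's identity nor the SQL semantics; the cumulative check is what catches the "over time" exfiltration the abstract warns about, and it fires once per subject so a slow drain does not generate a flood of duplicate alerts. A real deployment would learn profiles from the DBMS audit trail rather than a fixed list and would use a proper SQL parser rather than a regular expression.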

Original language: English
Title of host publication: Proceedings of the 6th International Symposium on Information, Computer and Communications Security, ASIACCS 2011
Publisher: Association for Computing Machinery
Pages: 10-19
Number of pages: 10
ISBN (Print): 9781450305648
Publication status: Published - 2011
Externally published: Yes
Event: 6th International Symposium on Information, Computer and Communications Security, ASIACCS 2011 - Hong Kong, China
Duration: 22 Mar 2011 - 24 Mar 2011

Publication series

Name: Proceedings of the 6th International Symposium on Information, Computer and Communications Security, ASIACCS 2011

Conference

Conference: 6th International Symposium on Information, Computer and Communications Security, ASIACCS 2011
Country/Territory: China
City: Hong Kong
Period: 22/03/11 - 24/03/11

Keywords

  • Data exfiltration
  • Insider threat
