Abstract
We address the challenge of detecting and addressing advanced persistent threats (APTs) in a computer network, focusing in particular on the challenge of detecting data exfiltration over Domain Name System (DNS) queries, where existing detection sensors are imperfect and lead to noisy observations about the network’s security state. Data exfiltration over DNS queries involves unauthorized transfer of sensitive data from an organization to a remote adversary through a DNS data tunnel to a malicious web domain. Given the noisy sensors, previous work has illustrated that standard approaches fail to satisfactorily rise to the challenge of detecting exfiltration attempts. Instead, we propose a decision-theoretic technique that sequentially plans to accumulate evidence under uncertainty while taking into account the cost of deploying such sensors. More specifically, we provide a fast scalable POMDP formulation to address the challenge, where the efficiency of the formulation is based on two key contributions: (i) we use a virtually distributed POMDP (VD-POMDP) formulation, motivated by previous work in distributed POMDPs with sparse interactions, where individual policies for different sub-POMDPs are planned separately but their sparse interactions are only resolved at execution time to determine the joint actions to perform; (ii) we allow for abstraction in planning for speedups, and then use a fast MILP to implement the abstraction while resolving any interactions. This allows us to determine optimal sensing strategies, leveraging information from many noisy detectors, and subject to constraints imposed by network topology, forwarding rules and performance costs on the frequency, scope and efficiency of sensing we can perform.
Acknowledgements
This research was supported by ARO Grant W911NF-15-1-0515.
Copyright information
© 2016 Springer International Publishing AG
Cite this paper
Mc Carthy, S.M., Sinha, A., Tambe, M., Manadhata, P. (2016). Data Exfiltration Detection and Prevention: Virtually Distributed POMDPs for Practically Safer Networks. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds) Decision and Game Theory for Security. GameSec 2016. Lecture Notes in Computer Science, vol 9996. Springer, Cham. https://doi.org/10.1007/978-3-319-47413-7_3
DOI: https://doi.org/10.1007/978-3-319-47413-7_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47412-0
Online ISBN: 978-3-319-47413-7