University of Twente Student Theses


Detecting adaptive data exfiltration in HTTP traffic

Ede, Thijs S. van (2017) Detecting adaptive data exfiltration in HTTP traffic.

This is the latest version of this item.

Full text: PDF (1MB)
Abstract: Our work introduces a new type of attack which adapts the network communication of an adversary such that it mimics communication of the applications active on an infected host. By doing so, the adversary aims to remain undetected by fully blending in with benign traffic. We demonstrate this novel attack through several case studies in which we created multiple variants of data exfiltrating malware, which adapt their communication to mimic the HTTP traffic of the browser application of the infected host. In addition, we introduce novel heuristics to detect adaptive data exfiltration and combine them in our Adaptive Browser-Imitating Data Exfiltration Detector (ABIDED). We compare our solution to DECANTeR and DUMONT, two state-of-the-art detection mechanisms which detect covert communication over HTTP. Our analysis shows that ABIDED's performance is comparable to existing solutions in detecting existing exfiltrating communication. However, it greatly improves detection of adaptive exfiltration with a detection rate of 93.3% against 5.2% for DECANTeR and 23.2% for DUMONT. Moreover, our analysis shows that the false positive rate of ABIDED is significantly lower than that of the other systems, making it a powerful solution for detecting data exfiltration.

Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/74268