Visible to the public Biblio

Filters: Keyword is Data Exfiltration  [Clear All Filters]
2023-05-19
Soosahabi, Reza, Bayoumi, Magdy.  2022.  On Securing MAC Layer Broadcast Signals Against Covert Channel Exploitation in 5G, 6G & Beyond. 2022 IEEE Future Networks World Forum (FNWF). :486—493.
In this work, we propose a novel framework to identify and mitigate a recently disclosed covert channel scheme exploiting unprotected broadcast messages in cellular MAC layer protocols. Examples of covert channel are used in data exfiltration, remote command-and-control (CnC) and espionage. Responsibly disclosed to GSMA (CVD-2021-0045), the SPAR-ROW covert channel scheme exploits the downlink power of LTE/5G base-stations that broadcast contention resolution identity (CRI) from any anonymous device according to the 3GPP standards. Thus, the SPARROW devices can covertly relay short messages across long-distance which can be potentially harmful to critical infrastructure. The SPARROW schemes can also complement the solutions for long-range M2M applications. This work investigates the security vs. performance trade-off in CRI-based contention resolution mechanisms. Then it offers a rig-orously designed method to randomly obfuscate CRI broadcast in future 5G/6G standards. Compared to CRI length reduction, the proposed method achieves considerable protection against SPARROW exploitation with less impact on the random-access performance as shown in the numerical results.
2022-10-20
King, James, Bendiab, Gueltoum, Savage, Nick, Shiaeles, Stavros.  2021.  Data Exfiltration: Methods and Detection Countermeasures. 2021 IEEE International Conference on Cyber Security and Resilience (CSR). :442—447.
Data exfiltration is of increasing concern throughout the world. The number of incidents and capabilities of data exfiltration attacks are growing at an unprecedented rate. However, such attack vectors have not been deeply explored in the literature. This paper aims to address this gap by implementing a data exfiltration methodology, detailing some data exfiltration methods. Groups of exfiltration methods are incorporated into a program that can act as a testbed for owners of any network that stores sensitive data. The implemented methods are tested against the well-known network intrusion detection system Snort, where all of them have been successfully evaded detection by its community rule sets. Thus, in this paper, we have developed new countermeasures to prevent and detect data exfiltration attempts using these methods.
2020-09-18
Zhang, Fan, Kodituwakku, Hansaka Angel Dias Edirisinghe, Hines, J. Wesley, Coble, Jamie.  2019.  Multilayer Data-Driven Cyber-Attack Detection System for Industrial Control Systems Based on Network, System, and Process Data. IEEE Transactions on Industrial Informatics. 15:4362—4369.
The growing number of attacks against cyber-physical systems in recent years elevates the concern for cybersecurity of industrial control systems (ICSs). The current efforts of ICS cybersecurity are mainly based on firewalls, data diodes, and other methods of intrusion prevention, which may not be sufficient for growing cyber threats from motivated attackers. To enhance the cybersecurity of ICS, a cyber-attack detection system built on the concept of defense-in-depth is developed utilizing network traffic data, host system data, and measured process parameters. This attack detection system provides multiple-layer defense in order to gain the defenders precious time before unrecoverable consequences occur in the physical system. The data used for demonstrating the proposed detection system are from a real-time ICS testbed. Five attacks, including man in the middle (MITM), denial of service (DoS), data exfiltration, data tampering, and false data injection, are carried out to simulate the consequences of cyber attack and generate data for building data-driven detection models. Four classical classification models based on network data and host system data are studied, including k-nearest neighbor (KNN), decision tree, bootstrap aggregating (bagging), and random forest (RF), to provide a secondary line of defense of cyber-attack detection in the event that the intrusion prevention layer fails. Intrusion detection results suggest that KNN, bagging, and RF have low missed alarm and false alarm rates for MITM and DoS attacks, providing accurate and reliable detection of these cyber attacks. Cyber attacks that may not be detectable by monitoring network and host system data, such as command tampering and false data injection attacks by an insider, are monitored for by traditional process monitoring protocols. In the proposed detection system, an auto-associative kernel regression model is studied to strengthen early attack detection. The result shows that this approach detects physically impactful cyber attacks before significant consequences occur. The proposed multiple-layer data-driven cyber-attack detection system utilizing network, system, and process data is a promising solution for safeguarding an ICS.
2020-09-04
Carpentier, Eleonore, Thomasset, Corentin, Briffaut, Jeremy.  2019.  Bridging The Gap: Data Exfiltration In Highly Secured Environments Using Bluetooth IoTs. 2019 IEEE 37th International Conference on Computer Design (ICCD). :297—300.
IoT devices introduce unprecedented threats into home and professional networks. As they fail to adhere to security best practices, they are broadly exploited by malicious actors to build botnets or steal sensitive information. Their adoption challenges established security standard as classic security measures are often inappropriate to secure them. This is even more problematic in sensitive environments where the presence of insecure IoTs can be exploited to bypass strict security policies. In this paper, we demonstrate an attack against a highly secured network using a Bluetooth smart bulb. This attack allows a malicious actor to take advantage of a smart bulb to exfiltrate data from an air gapped network.
2020-08-07
Carpentier, Eleonore, Thomasset, Corentin, Briffaut, Jeremy.  2019.  Bridging The Gap: Data Exfiltration In Highly Secured Environments Using Bluetooth IoTs.

IoT devices introduce unprecedented threats into home and professional networks. As they fail to adhere to security best practices, they are broadly exploited by malicious actors to build botnets or steal sensitive information. Their adoption challenges established security standard as classic security measures are often inappropriate to secure them. This is even more problematic in sensitive environments where the presence of insecure IoTs can be exploited to bypass strict security policies. In this paper, we demonstrate an attack against a highly secured network using a Bluetooth smart bulb. This attack allows a malicious actor to take advantage of a smart bulb to exfiltrate data from an air gapped network.

2020-07-16
Cronin, Patrick, Gouert, Charles, Mouris, Dimitris, Tsoutsos, Nektarios Georgios, Yang, Chengmo.  2019.  Covert Data Exfiltration Using Light and Power Channels. 2019 IEEE 37th International Conference on Computer Design (ICCD). :301—304.

As the Internet of Things (IoT) continues to expand into every facet of our daily lives, security researchers have warned of its myriad security risks. While denial-of-service attacks and privacy violations have been at the forefront of research, covert channel communications remain an important concern. Utilizing a Bluetooth controlled light bulb, we demonstrate three separate covert channels, consisting of current utilization, luminosity and hue. To study the effectiveness of these channels, we implement exfiltration attacks using standard off-the-shelf smart bulbs and RGB LEDs at ranges of up to 160 feet. We analyze the identified channels for throughput, generality and stealthiness, and report transmission speeds of up to 832 bps.

2020-02-26
Tychalas, Dimitrios, Keliris, Anastasis, Maniatakos, Michail.  2019.  LED Alert: Supply Chain Threats for Stealthy Data Exfiltration in Industrial Control Systems. 2019 IEEE 25th International Symposium on On-Line Testing and Robust System Design (IOLTS). :194–199.

Industrial Internet-of-Things has been touted as the next revolution in the industrial domain, offering interconnectivity, independence, real-time operation, and self-optimization. Integration of smart systems, however, bridges the gap between information and operation technology, creating new avenues for attacks from the cyber domain. The dismantling of this air-gap, in conjunction with the devices' long lifespan -in the range of 20-30 years-, motivates us to bring the attention of the community to emerging advanced persistent threats. We demonstrate a threat that bridges the air-gap by leaking data from memory to analog peripherals through Direct Memory Access (DMA), delivered as a firmware modification through the supply chain. The attack automatically adapts to a target device by leveraging the Device Tree and resides solely in the peripherals, completely transparent to the main CPU, by judiciously short-circuiting specific components. We implement this attack on a commercial Programmable Logic Controller, leaking information over the available LEDs. We evaluate the presented attack vector in terms of stealthiness, and demonstrate no observable overhead on both CPU performance and DMA transfer speed. Since traditional anomaly detection techniques would fail to detect this firmware trojan, this work highlights the need for industrial control system-appropriate techniques that can be applied promptly to installed devices.

2018-11-28
Bortolameotti, Riccardo, van Ede, Thijs, Caselli, Marco, Everts, Maarten H., Hartel, Pieter, Hofstede, Rick, Jonker, Willem, Peter, Andreas.  2017.  DECANTeR: DEteCtion of Anomalous outbouNd HTTP TRaffic by Passive Application Fingerprinting. Proceedings of the 33rd Annual Computer Security Applications Conference. :373–386.

We present DECANTeR, a system to detect anomalous outbound HTTP communication, which passively extracts fingerprints for each application running on a monitored host. The goal of our system is to detect unknown malware and backdoor communication indicated by unknown fingerprints extracted from a host's network traffic. We evaluate a prototype with realistic data from an international organization and datasets composed of malicious traffic. We show that our system achieves a false positive rate of 0.9% for 441 monitored host machines, an average detection rate of 97.7%, and that it cannot be evaded by malware using simple evasion techniques such as using known browser user agent values. We compare our solution with DUMONT [24], the current state-of-the-art IDS which detects HTTP covert communication channels by focusing on benign HTTP traffic. The results show that DECANTeR outperforms DUMONT in terms of detection rate, false positive rate, and even evasion-resistance. Finally, DECANTeR detects 96.8% of information stealers in our dataset, which shows its potential to detect data exfiltration.

2018-09-28
Hartl, Alexander, Annessi, Robert, Zseby, Tanja.  2017.  A Subliminal Channel in EdDSA: Information Leakage with High-Speed Signatures. Proceedings of the 2017 International Workshop on Managing Insider Security Threats. :67–78.
Subliminal channels in digital signatures provide a very effective method to clandestinely leak information from inside a system to a third party outside. Information can be hidden in signature parameters in a way that both network operators and legitimate receivers would not notice any suspicious traces. Subliminal channels have previously been discovered in other signatures, such as ElGamal and ECDSA. Those signatures are usually just sparsely exchanged in network protocols, e.g. during authentication, and their usability for leaking information is therefore limited. With the advent of high-speed signatures such as EdDSA, however, scenarios become feasible where numerous packets with individual signatures are transferred between communicating parties. This significantly increases the bandwidth for transmitting subliminal information. Examples are broadcast clock synchronization or signed sensor data export. A subliminal channel in signatures appended to numerous packets allows the transmission of a high amount of hidden information, suitable for large scale data exfiltration or even the operation of command and control structures. In this paper, we show the existence of a broadband subliminal channel in the EdDSA signature scheme. We then discuss the implications of the subliminal channel in practice using thee different scenarios: broadcast clock synchronization, signed sensor data export, and classic TLS. We perform several experiments to show the use of the subliminal channel and measure the actual bandwidth of the subliminal information that can be leaked. We then discuss the applicability of different countermeasures against subliminal channels from other signature schemes to EdDSA but conclude that none of the existing solutions can sufficiently protect against data exfiltration in network protocols secured by EdDSA.
2017-11-27
Settanni, G., Shovgenya, Y., Skopik, F., Graf, R., Wurzenberger, M., Fiedler, R..  2016.  Correlating cyber incident information to establish situational awareness in Critical Infrastructures. 2016 14th Annual Conference on Privacy, Security and Trust (PST). :78–81.

Protecting Critical Infrastructures (CIs) against contemporary cyber attacks has become a crucial as well as complex task. Modern attack campaigns, such as Advanced Persistent Threats (APTs), leverage weaknesses in the organization's business processes and exploit vulnerabilities of several systems to hit their target. Although their life-cycle can last for months, these campaigns typically go undetected until they achieve their goal. They usually aim at performing data exfiltration, cause service disruptions and can also undermine the safety of humans. Novel detection techniques and incident handling approaches are therefore required, to effectively protect CI's networks and timely react to this type of threats. Correlating large amounts of data, collected from a multitude of relevant sources, is necessary and sometimes required by national authorities to establish cyber situational awareness, and allow to promptly adopt suitable countermeasures in case of an attack. In this paper we propose three novel methods for security information correlation designed to discover relevant insights and support the establishment of cyber situational awareness.

2017-09-11
Van Acker, Steven, Hausknecht, Daniel, Sabelfeld, Andrei.  2016.  Data Exfiltration in the Face of CSP. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. :853–864.

Cross-site scripting (XSS) attacks keep plaguing the Web. Supported by most modern browsers, Content Security Policy (CSP) prescribes the browser to restrict the features and communication capabilities of code on a web page, mitigating the effects of XSS.

This paper puts a spotlight on the problem of data exfiltration in the face of CSP. We bring attention to the unsettling discord in the security community about the very goals of CSP when it comes to preventing data leaks.

As consequences of this discord, we report on insecurities in the known protection mechanisms that are based on assumptions about CSP that turn out not to hold in practice.

To illustrate the practical impact of the discord, we perform a systematic case study of data exfiltration via DNS prefetching and resource prefetching in the face of CSP.

Our study of the popular browsers demonstrates that it is often possible to exfiltrate data by both resource prefetching and DNS prefetching in the face of CSP. Further, we perform a crawl of the top 10,000 Alexa domains to report on the cohabitance of CSP and prefetching in practice. Finally, we discuss directions to control data exfiltration and, for the case study, propose measures ranging from immediate fixes for the clients to prefetching-aware extensions of CSP.

2017-03-07
Allawi, M. A. A., Hadi, A., Awajan, A..  2015.  MLDED: Multi-layer Data Exfiltration Detection System. 2015 Fourth International Conference on Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec). :107–112.

Due to the growing advancement of crime ware services, the computer and network security becomes a crucial issue. Detecting sensitive data exfiltration is a principal component of each information protection strategy. In this research, a Multi-Level Data Exfiltration Detection (MLDED) system that can handle different types of insider data leakage threats with staircase difficulty levels and their implications for the organization environment has been proposed, implemented and tested. The proposed system detects exfiltration of data outside an organization information system, where the main goal is to use the detection results of a MLDED system for digital forensic purposes. MLDED system consists of three major levels Hashing, Keywords Extraction and Labeling. However, it is considered only for certain type of documents such as plain ASCII text and PDF files. In response to the challenging issue of identifying insider threats, a forensic readiness data exfiltration system is designed that is capable of detecting and identifying sensitive information leaks. The results show that the proposed system has an overall detection accuracy of 98.93%.