DocumentCode :
722769
Title :
Exfiltrations using polymorphic blending techniques: Analysis and countermeasures
Author :
Casenove, Matteo
Author_Institution :
Vrije Univ., Amsterdam, Netherlands
fYear :
2015
fDate :
26-29 May 2015
Firstpage :
217
Lastpage :
230
Abstract :
Cyber espionage campaigns and cyber attacks make use of data exfiltration on a regular basis, causing billions of dollars in damages. Nowadays, they represent one of the primary threats, and they are performed by criminals, companies and states. Normally, data exfiltration uses classic application-layer protocols (e.g. FTP or HTTP) in combination with very basic obfuscation mechanisms. Even though in most cases these techniques are effective enough, this paper describes how they can instead be detected using properly configured IDSs. Moreover, we introduce a novel approach named polymorphic blending exfiltration that serves to avoid detection by signature-based as well as anomaly-based IDSs. This technique makes it possible to blend the exfiltrated data into normal, legitimate traffic. We show how IDSs can be easily improved in order to be able to detect such exfiltration. Finally, we conclude by presenting different evasion techniques that can be included in the polymorphic blending exfiltration to keep providing a safe undetectable exfiltration.
Keywords :
digital signatures; security of data; FTP; HTTP; anomaly-based IDSs; classic application-layer protocols; cyber attacks; cyber espionage campaigns; data exfiltration; intrusion detection system; legitimate traffic; polymorphic blending exfiltration; polymorphic blending techniques; signature-based IDSs; Companies; Computers; Encryption; Entropy; Intrusion detection; Protocols; IDS; cyber-espionage; exfiltration; obfuscation;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Cyber Conflict: Architectures in Cyberspace (CyCon), 2015 7th International Conference on
Conference_Location :
Tallinn
ISSN :
2325-5366
Print_ISBN :
978-9-9499-5442-1
Type :
conf
DOI :
10.1109/CYCON.2015.7158479
Filename :
7158479