Optimal Strategies for Detecting Data Exfiltration by Internal and External Attackers
(K. Durkota, V. Lisy, C. Kiekintveld, K. Horak, B. Bosansky, T. Pevny)
In Conference on Decision and Game Theory for Security (GameSec). 2017.
This is the author's version of the work.
Abstract
We study the problem of detecting data exfiltration in computer networks. We focus on the performance of optimal defense strategies with respect to an attacker's knowledge about typical network behavior and his ability to influence the standard traffic. Internal attackers know the typical upload behavior of the compromised host and may be able to discontinue standard uploads in favor of the exfiltration. External attackers do not immediately know the behavior of the compromised host, but they can learn it from observations.

We model the problem as a sequential game of imperfect information, where the network administrator selects the thresholds for the detector, while the attacker chooses how much data to exfiltrate in each time step. We present novel algorithms for approximating the optimal defense strategies in the form of Stackelberg equilibria. We analyze the scalability of the algorithms and the efficiency of the produced strategies in a case study based on real-world uploads of almost six thousand users to Google Drive. We show that with the computed defense strategies, the attacker exfiltrates 2-3 times less data than with simple heuristics; randomized defense strategies are up to 30% more effective than deterministic ones, and substantially more effective defense strategies are possible if the defense is customized for groups of hosts with similar behavior.
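As an added illustration of the threshold game described in the abstract (a constructed toy model, not the paper's algorithm or its Google Drive data), the block below lets an internal attacker who has stopped the host's normal uploads choose a constant per-step exfiltration volume against a detector that alerts when the observed upload exceeds a threshold redrawn at each step, and compares the best single threshold with the best two-threshold mixture under the same expected false-positive budget. The upload distribution, the budget, the 20-step horizon and all function names are assumptions made for the example.

```python
from itertools import combinations

# Constructed per-step upload volumes (MB) of one host, with probabilities.
NORMAL_UPLOADS = {0: 0.50, 1: 0.25, 2: 0.12, 4: 0.08, 8: 0.04, 16: 0.01}
FP_BUDGET = 0.05  # tolerated per-step false-positive rate on benign traffic
HORIZON = 20      # steps the attacker has before the host is cleaned up
EPS = 1e-12       # tolerance for floating-point budget comparisons

def false_positive_rate(threshold):
    """P(normal upload > threshold): how often benign traffic raises an alert."""
    return sum(p for volume, p in NORMAL_UPLOADS.items() if volume > threshold)

def attacker_gain(strategy, x, horizon=HORIZON):
    """Expected MB exfiltrated when the attacker sends x MB every step and is
    stopped at the first step whose freshly drawn threshold is exceeded.
    `strategy` maps threshold -> probability that the defender uses it."""
    q = sum(p for tau, p in strategy.items() if x > tau)  # per-step detection
    return x * sum((1 - q) ** t for t in range(1, horizon + 1))

def best_response(strategy):
    """The attacker only needs x equal to some threshold: x strictly between two
    thresholds is caught as often as the larger one but exfiltrates less."""
    return max(attacker_gain(strategy, tau) for tau in strategy)

def best_deterministic():
    """Lowest single threshold whose false-positive rate fits the budget."""
    feasible = [t for t in NORMAL_UPLOADS
                if false_positive_rate(t) <= FP_BUDGET + EPS]
    strategy = {min(feasible): 1.0}
    return strategy, best_response(strategy)

def best_two_point_mixture():
    """Search mixtures of a low threshold (prob p) and a high one (prob 1-p)
    whose *expected* false-positive rate fits the budget, and keep the one
    that leaves the attacker's best response smallest."""
    best = None
    for lo, hi in combinations(sorted(NORMAL_UPLOADS), 2):
        f_lo, f_hi = false_positive_rate(lo), false_positive_rate(hi)
        if f_hi > FP_BUDGET + EPS or f_lo <= FP_BUDGET + EPS:
            continue  # pair infeasible, or lo alone fits (deterministic case)
        p = (FP_BUDGET - f_hi) / (f_lo - f_hi)  # most weight on lo in budget
        strategy = {lo: p, hi: 1 - p}
        gain = best_response(strategy)
        if best is None or gain < best[1]:
            best = (strategy, gain)
    return best

if __name__ == "__main__":
    print("deterministic:", best_deterministic())
    print("randomized:   ", best_two_point_mixture())
```

With the constructed distribution the single threshold of 4 MB lets the attacker move 80 MB over the horizon, while mixing a 1 MB threshold (weight 1/6) with an 8 MB one at the same average false-positive rate cuts the attacker's expected take to about 39 MB.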