
Hide-and-seek: Concealment and detection of sensitive data exfiltration in network traffic

Posted on: 2011-06-20
Degree: Ph.D
Type: Thesis
University: University of California, Davis
Candidate: Liu, Yali
Full Text: PDF
GTID: 2448390002967041
Subject: Engineering
Abstract/Summary:
Detecting and mitigating sensitive data exfiltration are critical elements of a complete information protection strategy. Within the broader scope of mitigating the threat of sensitive data exfiltration, this thesis first proposes a multilevel framework called SIDD (Sensitive Information Dissemination Detection) to detect the exfiltration of sensitive data through a protected network. We then focus on two very important related problems: the concealment and the detection of sensitive data exfiltration.

To conceal (namely, hide) sensitive data in network traffic, we propose a method to establish advanced covert timing channels that can evade detection by mimicking the statistical characteristics of legitimate (also referred to as overt) traffic. In addition, we combine this scheme with an efficient encoding method to increase the robustness of the covert channel against deliberate and unintended disruption and noise in the communication medium. The overall covert timing channel framework provides a method to balance channel efficiency against security requirements, where security is defined in terms of an adversary's ability to detect and/or disrupt the covert channel. The design of more advanced methods is critical for evaluating the limitations of existing detection approaches and, consequently, for developing new ones.

To detect (namely, seek) the leakage of sensitive information, we present a method to identify sensitive content from network packets. We demonstrate how our system can be deployed using the specific example of detecting variable-bit-rate video from characteristics gleaned from the packet headers observed in the network flow. The approach applies statistical and signal processing techniques to the packet flow to generate signatures and/or extract features for classification. Significance testing methods are employed to model the detection problem and to address the unknown boundaries of a given content set.

Another important contribution in the context of detecting the exfiltration of sensitive information is our investigation of the covert network storage channel with audio as the carrier medium. In particular, we show how well-established signal processing techniques can be used to extract statistical features that capture the small changes in audio traffic characteristics introduced by the storage of hidden information.
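The detection side of the abstract rests on extracting statistical features from packet-flow timing and deciding by significance testing whether a flow deviates from a legitimate profile. The following example, added here and not code from the thesis, illustrates that idea with a two-sample Kolmogorov-Smirnov test over inter-arrival times: a naive two-delay timing channel with the same mean delay as benign traffic is still flagged, while a benign flow is not. All delay values, the exponential baseline, and the golden-ratio sampling used to keep the example deterministic are assumptions made for the illustration.

```python
import math

# Constructed illustration: both flows share a 0.1 s mean inter-arrival time, so a
# detector keyed on the mean alone would miss the channel (values are assumptions).
MEAN_DELAY = 0.1

def reference_delays(n, mean=MEAN_DELAY):
    """Baseline profile of legitimate traffic: n exact quantiles of an exponential law."""
    return [-mean * math.log(1 - (i + 0.5) / n) for i in range(n)]

def legit_delays(n, mean=MEAN_DELAY):
    """Benign flow drawn from the same law via a golden-ratio sequence (deterministic)."""
    phi = (math.sqrt(5) - 1) / 2
    return [-mean * math.log(1 - ((i + 1) * phi) % 1) for i in range(n)]

def covert_delays(bits, short=0.04, long=0.16):
    """Naive binary timing channel: one of two delays per bit, plus slight jitter."""
    return [(long if b else short) + 0.003 * ((i * 7) % 3) for i, b in enumerate(bits)]

def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov distance: largest gap between the two empirical CDFs."""
    a, b = sorted(a), sorted(b)
    i = j = 0
    d = 0.0
    for x in sorted(set(a) | set(b)):
        while i < len(a) and a[i] <= x:
            i += 1
        while j < len(b) and b[j] <= x:
            j += 1
        d = max(d, abs(i / len(a) - j / len(b)))
    return d

def ks_critical(n, m, c_alpha=1.358):
    """Large-sample critical distance; c_alpha = 1.358 corresponds to alpha = 0.05."""
    return c_alpha * math.sqrt((n + m) / (n * m))

def flag_flow(delays, reference):
    """Return (flagged, D): flagged when the flow's timing differs significantly from the profile."""
    d = ks_statistic(delays, reference)
    return d > ks_critical(len(delays), len(reference)), d

def demo():
    ref = reference_delays(300)
    bits = [int(c) for byte in b"exfiltrate" for c in format(byte, "08b")]
    return {"legit": flag_flow(legit_delays(300), ref), "covert": flag_flow(covert_delays(bits), ref)}

if __name__ == "__main__":
    for name, (flagged, d) in demo().items():
        print(f"{name}: D={d:.3f} flagged={flagged}")
```

A channel that shapes its delays to follow the baseline distribution, as the thesis proposes, would drive D below the critical value, which is exactly why the abstract argues that stronger concealment methods are needed to evaluate detectors like this one.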
Keywords/Search Tags: Sensitive data, Information, Network, Detection, Traffic