data leak detection as a service
play

Data Leak Detection As a Service Xiaokui Shu and Danfeng (Daphne) - PowerPoint PPT Presentation

Apr 02, 2023 •198 likes •445 views

Data Leak Detection As a Service Xiaokui Shu and Danfeng (Daphne) Yao Department of Computer Science Virginia Tech danfeng@cs.vt.ed u http://people.cs.vt.edu/~danfeng/ Xiaokui Shu (3 rd year PhD student) SECURECOMM 2012, Padua Italy 1 Data

  1. Data Leak Detection As a Service Xiaokui Shu and Danfeng (Daphne) Yao Department of Computer Science Virginia Tech danfeng@cs.vt.ed u http://people.cs.vt.edu/~danfeng/ Xiaokui Shu (3 rd year PhD student) SECURECOMM 2012, Padua Italy 1

  2. Data breach, data leak, data exfiltration, data exportation 2007 data from Wall Street Technology 2

  3. Multiple points where you may stop some data leak Data Data encryption on PC encryption on Patching server Avoid social engineering attack Internal servers Employee Data leak Patching detection IDS/IPS Work-place PC Secure OS e.g., memory protection Firewall Secure applications e.g., Email authentication e.g., Browser sandbox How to minimize the exposure of sensitive data during inspection? Server Our solution: inspection based on special irreversible digests An organization Internet 3

  4. Data Loss Prevention in the Cloud Problem: Data leaked through human errors, malware, insiders e.g., Hydraq malware, Wikileak Solution: Outsource DLP e.g., cloud providers (Amazon, HP, Rackspace), network providers (Verizon, AT&T), network appliances (CISCO, Huawei) Challenge: To preserve data privacy Issues: providers’ trustworthiness, cloud’s security data owner does not reveal sensitive data to providers Our algorithm: Providers inspect traffic for patterns, without knowing what sensitive data is. 4

  5. Other DLP deployment scenarios and data exposure • Personal firewall on PC User-defined traffic filters for data sanitization Internet • Local area networks of organizations To deploy DLP filter at gateway routers Data may be of any size or type Need to avoid exposing sensitive data at filters 5

  6. Overview of Our Architecture 1 2 Valuable data Shingles Fingerprint filters Types of players: 3 1. Data owner Outbound Hosts traffic 2. User DLP 3. DLP provider Provider (honest-but-curious) (cloud) Sensitive data Shingles are a sequence of fixed-size contiguous words (q-gram); Mozilla is aware of a critical vulnerability Mozilla is ozilla is a zilla is aw illa is awa 6

  7. Our Security/Privacy Goal: Data owner delegates DLP provider to detect data leak caused by malicious attackers (i.e., malware infecting hosts or insider), without revealing sensitive data to provider. Assume that the traffic is not encrypted; Host-based detection needed for encrypted traffic. 7

  8. An example of fingerprints on shingles of two similar messages Sensitive data to be protected Captured payload in outbound traffic <p>Critical vulnerability in Firefox 3.5 and Firefox 3.6</p> Critical vulnerability in Firefox 3.5 and Firefox 3.6 <p>10.26.10 - 02:30pm</p> 10.26.10 - 02:30pm <p>Update (Oct 27, 2010 @ 20:12):<br /> Update (Oct 27, 2010 @ 20:12): A fix for this vulnerability has been released for Firefox and A fix for this vulnerability has been released for Firefox and Thunderbird users.</p> <p>Firefox 3.6.12 and 3.5.15 security Thunderbird users. updates now available<br /> Thunderbird 3.1.6 and 3.0.10 Firefox 3.6.12 and 3.5.15 security updates now available security updates now available</p> <p>Issue:<br /> Thunderbird 3.1.6 and 3.0.10 security updates now available Mozilla is aware of a critical vulnerability affecting Firefox 3.5 Issue: and Firefox 3.6 users. We have received reports from several Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and security research firms that exploit code leveraging this Firefox 3.6 users. We have received reports from several security vulnerability has been detected in the wild.</p> research firms that exploit code leveraging this vulnerability has <p>Impact to users:<br /> been detected in the wild. Users who visited an infected site could have been affected Impact to users: by the malware through the vulnerability. The trojan was Users who visited an infected site could have been affected by the initially reported as live on the Nobel Peace Prize site, and malware through the vulnerability. The trojan was initially reported that specific site is now being blocked by Firefox's built-in as live on the Nobel Peace Prize site, and that specific site is now malware protection. However, the exploit code could still be being blocked by Firefox's built-in malware protection. However, the live on other websites.</p> exploit code could still be live on other websites. 10 smallest fingerprints: ( 4482868, 10 smallest fingerprints: ( 4482868, 5207155, 5538456, 16590970, 18891336, 5538456, 16590970, 18891336, 28959745, 29523072, 30605011, 46912339, 28959745, 29523072, 30605011, 47163843 ) 46912339, 47163843, 60018488 ) Total fingerprints set size: 756 Total fingerprints set size: 806 SHA-1: SHA-1: 3c1e4ca6505e5d307cfe105104233e1b82b e86d8771e82c613706fab67adbee2e2b0 39b33 e8e762e 8

  9. Rabin’s Fingerprint m 1 m 2 A ( t ) a t a t  a − − = + + + 1 2 m f ( A ) A ( t ) mod P ( t ) = A=(a 1 , a 2 , … , a m ) is a binary string P is a irreducible polynomial. An example 110101 mod 101 = 11 is equivalent to: X 5 + X 4 + X 2 + 1 mod X 2 + 1 = X + 1 In binary: Advantages: oneway, fast • 1 – 0 = 1 • 0 – 1 = -1 = 1 • So it is just XOR operation 9

  10. A naïve data-loss detection protocol 1. Data pre-processing -- data owner computes digests; and reveals to DLP provider a subset of the digests • e.g., to select a smallest 20 fingerprints to release 2. Traffic pre-processing – DLP provider collects outbound network traffic of data owner; and computes digests of packets 3. Inspection – DLP provider alerts data owner if traffic digests match data digests e.g., based on pre-defined threshold Sensitivity test Number of sensitive-data fingerprints per packet Total fingerprints per packet 10

  11. The naïve detection leaks info to DLP provider if there is a match L Company A has a secret recipe: fish with garlic bake 20-min 450F DLP provider 2. Fingerprints 375835 and 949609 3. Monitor the traffic of A 1. Compute digest = f(data) 4. Find a packet whose 8-gram fingerprint fingerprints contain 375835 Fish wit 375835 and 949609 ish with 907948 sh with 867025 h with g 098600 DLP has the content of the packet, with ga 114534 Thus learns the secret recipe L with gar 949609 … … 11

  12. Our solution: fuzzy fingerprint – to hide sensitive fingerprint in a crowd 1. Original sensitive fingerprint f 4. DLP provider alerts all fingerprints of traffic that are close to f* True leak 5. Data owner 3. Fuzzy fingerprint f* examines alerts for true given to DLP provider leaks 2. Perturb f by randomizing least significant bits Similar to the k-anonymity in relational DB 12

  13. Hide fingerprints in a crowd How big is the crowd? False alarm True leak Fuzzy fingerprint f* Data owner: how to perturb the sensitive fingerprint? 13

  14. Operations in Fuzzy Fingerprints DLD provider cannot distinguish true leaks and false alarms 14

  15. Generalization – bit mask Sensitive fingerprint f 01000101111011010111100010 Fuzzy fingerprint f* 01000101111011100010111011 Perturb least significant bits Data owner may randomize arbitrary bit positions Sensitive fingerprint f 01000101111011010111100010 Bit mask _+++_+++_+__+_+_+++__++_++ Bit may change No change Fuzzy fingerprint f* 11000101010011010110100110 DLP provider applies bit mask to traffic; and reports fingerprint that matches non-changing bits; 15

  16. Implementation and experiments Implemented all components of our framework in Python including packet collection, shingling, Rabin fingerprinting Fingerprint filter = Bloom filter + Rabin fingerprint Bloom filter for membership test Space saving Pybloom library Experimental condition: 8-byte shingle 32-bit polynomial 1024-byte packet payload www.cs.wisc.edu 16

  17. Setup of the malware test Internet SMTP server Network B Web server 192.168.2.0/24 Router w/ DLP Network A Leaking Route 192.168.1.0/24 DLP: Data-leak protection system We detect packets whose sensitivity values are above a threshold Sensitivity test: Number of sensitive-data fingerprints per packet Total fingerprints per packet 17

  18. Preliminary experiments on privacy- preserving network traffic filtering Leaking Methods Protocol Traffic # of Maximum Average sensitive sensitivity sensitivity in pkt found sensitive pkts Backdoor TCP Out 19 0.97 0.93 Keylogger SMTP Out 3 0.23 0.18 Malicious SMTP Out 20 0.97 0.81 Browser Extension Wiki System HTTP All 41 0.97 0.70 (MediaWiki) Out 20 0.97 0.89 Blog System HTTP All 37 0.95 0.31 (WorldPress) Out 22 0.25 0.10 18

  19. Detection rates vs. size of partial fingerprint sets used 1 0.9 0.8 Normalized sensitivity (averaged per packet) 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0 10% 20% 40% 60% 80% 100% Percentage of sensitive data fingerprints compared Backdoor Keylogger Mal-extension Wiki [all] Wiki [out] Blog [all] Blog [all] [out] 19

  20. Overhead for preparing the Bloom filter (BF) and fingerprint filter (FF) BF w/ SHA-1 is slightly faster to prepare than FF 20

  21. Overhead of detection with Bloom filter (BF) and fingerprint filter (FF) FF is slightly faster than BF for detection (fingerprinting is faster than hashing) 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

Class I Leak Detection Systems - Highest level of monitoring and prevention of double walled tanks and pipes, according EU Standard EN 13160-2 Advantages Working Principle Product Overview www.thomas-leak-detection.com Leak

206 views • 16 slides
Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical

Pipeline leak detection eLearning Part 1 of 2 Please turn on your speakers Historical development Leak detection system requirements Causes of leaks Leak detection options Non-continuous leak detection Continuous external leak detection

806 views • 49 slides
Soil Gas Sampling with a Helium Leak Detection Shroud Bruce Godfrey &amp; Stefan DAngona

Soil Gas Sampling with a Helium Leak Detection Shroud Bruce Godfrey &amp; Stefan DAngona

Soil Gas Sampling with a Helium Leak Detection Shroud Bruce Godfrey &amp; Stefan DAngona Introduction a. Leak Detection Options b. Helium Leak Detection c. Leak Tracer System Design d. Use and experience Why Leak Check? Proof of Sample

569 views • 16 slides
Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition:

Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition:

Methods for Prevention, Detection and Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition: RFC 7908) K. Sriram, D. Montgomery, B. Dickson, K. Patel, and A. Robachevsky IDR Working Group Meeting,

244 views • 9 slides
Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential

Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential

November 2017 Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential Contents Needs for Leak Detection Sensors Review of Leak Detection Systems Husky Leak N. Battleford, SK; July 2016 Platform

635 views • 24 slides
LEAK DETECTION AND REPAIR RECENT ENHANCEMENTS PRESENTED BY STEVE BANNISTER MANAGING DIRECTOR

LEAK DETECTION AND REPAIR RECENT ENHANCEMENTS PRESENTED BY STEVE BANNISTER MANAGING DIRECTOR

THE LEAK DETECTION SPECIALISTS LEAK DETECTION AND REPAIR RECENT ENHANCEMENTS PRESENTED BY STEVE BANNISTER MANAGING DIRECTOR ENSERVE ENGINEERING SERVICES THE LEAK DETECTION SPECIALISTS SERVICES PORTFOLIO VALVE REPAIR MANUAL , SAFETY

645 views • 19 slides
Evolution of Hydrostatic Leak Detection Ronnie Little, rlittle@rmudata.com , 281-743-2033 SPL

Evolution of Hydrostatic Leak Detection Ronnie Little, rlittle@rmudata.com , 281-743-2033 SPL

5/22/2018 Evolution of Hydrostatic Leak Detection Ronnie Little, rlittle@rmudata.com , 281-743-2033 SPL Leak Detection IN THE BEGINNING According to PHMSA, hydrostatic testing for pipelines began in the 1940s. MADE MANDATORY in

496 views • 12 slides
Conco System s The Practical Application of Tracer Gas Leak Detection for Air Cooled Condensers

Conco System s The Practical Application of Tracer Gas Leak Detection for Air Cooled Condensers

Conco System s The Practical Application of Tracer Gas Leak Detection for Air Cooled Condensers Andrew H. Leavitt Conco Systems, Inc. Tracer Gas Leak Detection Focusing On: Air inleakage Impact on system Limitations of air removal

691 views • 31 slides
Rationale Conventional Computational Pipeline Monitoring (CPM) methods have very limited

Rationale Conventional Computational Pipeline Monitoring (CPM) methods have very limited

Liquid Pipeline Leak Detection - Ongoing Research to Evaluate Selected External Leak Detection Technologies Mark Stephens, C-FER Technologies Pipeline Safety Trust Conference, New Orleans LA October 20, 2016 www.cfertech.com 1 2016 Pipeline

182 views • 17 slides
Optical Leak Testing Technology October 9th, 2014 Hermetic Leak Test Methods Helium Mass

Optical Leak Testing Technology October 9th, 2014 Hermetic Leak Test Methods Helium Mass

Optical Leak Testing Technology October 9th, 2014 Hermetic Leak Test Methods Helium Mass Spectrometry (Fine) Bubble Leak testing (Gross) Dye Penetrant (Gross) (Destructive) Residual Gas Analysis (Destructive) Cumulative Helium Leak Detection

326 views • 31 slides
Gas Leak Detection and Visualization www.dmda.biz Why Stop Leaks of Fugitive Emissions?

Gas Leak Detection and Visualization www.dmda.biz Why Stop Leaks of Fugitive Emissions?

Gas Leak Detection and Visualization www.dmda.biz Why Stop Leaks of Fugitive Emissions? Loss of Revenue Safety Environmental Our - Services Typical Large Refinery 130,000 valves 325,000 connectors 1,000 pump seals

509 views • 46 slides
AmSys Leak Detection Unit (amsys.no) Main features AmSys 1 Adaptive Measurement Systems AmSys

AmSys Leak Detection Unit (amsys.no) Main features AmSys 1 Adaptive Measurement Systems AmSys

AmSys Leak Detection Unit (amsys.no) Main features AmSys 1 Adaptive Measurement Systems AmSys 2 Adaptive Measurement Systems The AmSys solution for leak detection: Can be used in all systems where heat exchanger leakage may be detected as

544 views • 23 slides
RaySense Fiber Optic Distributed Acoustic Sensing for Pipeline Security and Leak Detection 1 P

RaySense Fiber Optic Distributed Acoustic Sensing for Pipeline Security and Leak Detection 1 P

RaySense Fiber Optic Distributed Acoustic Sensing for Pipeline Security and Leak Detection 1 P IPELINE M ONITORING AND S ECURITY The oil &amp; gas industry is currently facing a serious challenge in assuring spill and accident free operations

1.07k views • 18 slides
8/10/10 A Fiber-Optic Sensor for Leak Detection in a Space Environment John Sinko Valentin

8/10/10 A Fiber-Optic Sensor for Leak Detection in a Space Environment John Sinko Valentin

8/10/10 A Fiber-Optic Sensor for Leak Detection in a Space Environment John Sinko Valentin Korman Adam Hendrickson Madison Research Kurt A. Polzin NASA, Marshall Space Flight Center AIAA/ASME/SAE/ASEE Joint Propulsion Conference, Aug. 3-5,

209 views • 4 slides
From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

FlowDroid Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware T aint Analysis for Android Apps From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric Bodden, Steven Artz, Siegfried

620 views • 45 slides
Effective interprocedural resource leak detection Emina Torlak and Satish Chandra IBM T.J. Watson

Effective interprocedural resource leak detection Emina Torlak and Satish Chandra IBM T.J. Watson

Effective interprocedural resource leak detection Emina Torlak and Satish Chandra IBM T.J. Watson Research Center Hawthorne, NY Resource leaks in Java void test(File file, String enc) throws IOException { PrintWriter out = null; Unlike

502 views • 46 slides
Data-Intensive Distributed Computing CS 431/631 451/651 (Fall 2019) Part 6: Data Mining (3/4)

Data-Intensive Distributed Computing CS 431/631 451/651 (Fall 2019) Part 6: Data Mining (3/4)

Data-Intensive Distributed Computing CS 431/631 451/651 (Fall 2019) Part 6: Data Mining (3/4) November 5, 2019 Ali Abedi Thanks to Jure Leskovec, Anand Rajaraman, Jeff Ullman (Stanford University) These slides are available at

757 views • 52 slides
Midterm Review Li Xiong Department of Mathematics and Computer Science Emory University

Midterm Review Li Xiong Department of Mathematics and Computer Science Emory University

CS573 Data Privacy and Security Midterm Review Li Xiong Department of Mathematics and Computer Science Emory University Principles of Data Security CIA Triad Confidentiality Prevent the disclosure of information to unauthorized users

1.03k views • 81 slides
The Congregation regational al Church h of Plai ainvill ville Capital Campaign Sanctuary

The Congregation regational al Church h of Plai ainvill ville Capital Campaign Sanctuary

The Congregation regational al Church h of Plai ainvill ville Capital Campaign Sanctuary Wall Structural Reinforcement Project Scope: Install three more pairs of tie rods similar to what was previously installed in the sanctuary to stabilize

555 views • 20 slides
Util ilit ity P y Prop oper ertie ies Guide Guidelin ines Chap apter er 9 9 1 Guide

Util ilit ity P y Prop oper ertie ies Guide Guidelin ines Chap apter er 9 9 1 Guide

Util ilit ity P y Prop oper ertie ies Guide Guidelin ines Chap apter er 9 9 1 Guide Guidelin ines Chap apter er 9 9 This chapter describes the process used for valuing utility properties. It also provides information about

437 views • 43 slides
Web Characteristics CE-324: Modern Information Retrieval Sharif University of Technology M.

Web Characteristics CE-324: Modern Information Retrieval Sharif University of Technology M.

Web Characteristics CE-324: Modern Information Retrieval Sharif University of Technology M. Soleymani Fall 2018 Most slides have been adapted from: Profs. Manning, Nayak &amp; Raghavan (CS-276, Stanford) Some slides have been adapted from:

1k views • 65 slides
Data Mining Learning from Large Data Sets Lecture 2

Data Mining Learning from Large Data Sets Lecture 2

Data Mining Learning from Large Data Sets Lecture 2 Nearest neighbor search 263-5200-00L Andreas Krause Announcement Homework 1 out by

980 views • 56 slides
Jeffrey D. Ullman You can download a free copy of Mining of Massive Datasets , by Jure

Jeffrey D. Ullman You can download a free copy of Mining of Massive Datasets , by Jure

Finding Similar Sets Application to Document Similarity Shingling Minhashing Cloud and Big Data Summer School, Stockholm, Aug., 2015 Jeffrey D. Ullman You can download a free copy of Mining of Massive Datasets , by Jure Leskovec, Anand

856 views • 43 slides
Discovering Similar Passages Within Large Text Documents Demetrios

Discovering Similar Passages Within Large Text Documents Demetrios

Discovering Similar Passages Within Large Text Documents Demetrios Glinos glinos@eecs.ucf.edu 1 The Problem Domain The task is to find one or more

437 views • 18 slides

More recommend