Mordechai Guri
ABSTRACT
Organizations are repeatedly embarrassed when their sensitive digital documents go public or fall into the hands of adversaries, often as a result of unintentional or inadvertent leakage. Such leakage has been traditionally handled either by preventive means, which are evidently not hermetic, or by punitive measures taken after the main damage has already been done. Yet, the challenge of preventing a leaked file from spreading further among computers and over the Internet is not resolved by existing approaches. This paper presents a novel method, which aims at reducing and limiting the potential damage of a leakage that has already occurred. The main idea is to tag sensitive documents within the organization's boundaries by attaching a benign detectable malware signature (DMS). While the DMS is masked inside the organization, if a tagged document is somehow leaked out of the organization's boundaries, common security services such as Anti-Virus (AV) programs, firewalls or email gateways will detect the file as a real threat and will consequently delete or quarantine it, preventing it from spreading further. This paper discusses various aspects of the DMS, such as signature type and attachment techniques, along with proper design considerations and implementation issues. The proposed method was implemented and successfully tested on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. The evaluation results have demonstrated its effectiveness in limiting the spread of leaked documents.
- A. Shabtai, Y. Elovici and L. Rokach, "A Survey of Data Leakage Detection and Prevention Solutions," Springer, 2012. Google Scholar
Digital Library
- BBC, "UK's families put on fraud alert," BBC NEWS, November 20, 2007. {Online}. Available: http://news.bbc.co.uk/2/hi/uk_news/politics/7103566.stm.Google Scholar
- K. Sack, "Patient Data Posted Online in Major Breach of Privacy," The New York Times, 8 September 201 {Online}. Available: http://www.nytimes.com/2011/09/09/us/09breach.html?_r=2&ref=stanforduniversity&.Google Scholar
- K. Stewart, "Utah Medicaid contractor loses job over data breach," The Salt Lake tribune, 17 Jan 2013 . {Online}. Available: http://www.sltrib.com/sltrib/news/55650800--78/health-medicaid-utah-breach.html.csp.Google Scholar
- Detica and Office of Cyber Security and Information Assurance, "The Cost of Cyber Crime," 2011.Google Scholar
- R. Anderson, C. Barton, R. Boehme, R. Clayton, M. van Eeten, M. Levi, T. Moore and S. Savage, "Measuring the Cost of Cybercrime," 2012.Google Scholar
- Z. Xiaosong, L. Fei, C. Ting and L. Hua, "Research and Application of the Transparent Data Encpryption in Intranet Data Leakage Prevention," Computational Intelligence and Security, 2009. CIS '09. , vol. II, pp. 376--379, 2009. Google ScholarDigital Library
- C. Phua, "Protecting organisations from personal data breaches," Computer Fraud & Security, vol. 2009, no. 1, p. 13--18, 2009.Google ScholarCross Ref
- Microsoft, "About Information Rights Management," Microsoft Office Website, 2013. {Online}. Available: http://office.microsoft.com/en-us/help/about-information-rights-management-HP006220859.aspx.Google Scholar
- OPSWAT, "Security Industry Market Share Analysis," OPSWAT, Inc., March 2012.Google Scholar
- M. Christodorescu and J. Somesh, "Testing Malware Detectors," in ACM SIGSOFT International Symposium on Software, Boston, Massachusetts, USA., 2004. Google ScholarDigital Library
- P. Szor, "The art of computer virus research and defense," Addison Wesley, 2005. Google ScholarDigital Library
- Microsoft, "Microsoft Portable Executable and Common Object File Format Specification," Microsoft, 2010.Google Scholar
- "elf - format of Executable and Linking Format (ELF) files," The Linux man-pages project, 2010. {Online}. Available: http://man7.org/linux/man-pages/man5/elf.5.html.Google Scholar
- M. Sikorsky and A. Honig, "Practical malware analysis," No Starch Press, 2012.Google Scholar
- Kaspersky, "File Anti-Virus: actions upon threat detection," Kaspersky PURE 2.0, {Online}. Available: http://utils.kaspersky.com/special/pure_2/46_pure_file_antivir_actions_upon_threat_en.pdf. {Accessed 17 March 2013}.Google Scholar
- EICAR, "Anti-Malware testfile," European Institute for Computer Antivirus Research, 7 September 2006. {Online}. Available: http://www.eicar.org/86-0-Intended-use.html.Google Scholar
- VirusTotal, "VirusTotal, Free online virus, malware and URL scanner," {Online}. Available: https://www.virustotal.com/. {Accessed Feb. 2013}.Google Scholar
- Kaspersky Lab, "Digital Consumer's Online Trends and Risks," Kapersky Lab, 2012.Google Scholar
- Raschke, T. "The Forrester Wave : Data Leak Prevention, Q2 2008," Technical report, Forrester Research, Inc. 2008.Google Scholar
- Lawton, G. "New technology prevents data leakage," Computer 41.9 (2008): 14--17. Google ScholarDigital Library
- Spitzner, L. "Honeypots: Catching the insider threat," Computer Security Applications Conference, 2003. Proceedings. 19th Annual. IEEE, 2003. Google ScholarDigital Library
- Storey, D. "Catching flies with honey tokens," Network Security 2009.11 (2009): 15--18. Google ScholarDigital Library
- Papadimitriou, P, and Garcia-Molina, H. "Data leakage detection," Knowledge and Data Engineering, IEEE Transactions on 23.1 (2011): 51--63. Google ScholarDigital Library
- Stevens, D. "Malicious PDF documents explained," IEEE Security & Privacy, Vol. 9. No. 1, p. 80--82, 2011. Google ScholarDigital Library
- Microsoft, "The evolution of malware and the threat landscape -- a 10-year review," Microsoft Security Intelligence Report, special edition, 2012.Google Scholar
- Lenny Seltzer, "Malware sample sources for researchers," {Online}. Available: http://zeltser.com/combating-malicious-software/malware-sample-sources.html.Google Scholar
- Securelist, "Virus.DOS.Aids.552", {Online}. Available: http://www.securelist.com/en/descriptions/6880300/Virus.DOS.Aids.552.Google Scholar
- Symantec, "Understanding virus behavior under Windows NT," Symantec Reasearch Center. {Online}. Available: http://www.symantec.com/avcenter/reference/virus.behavior.under.win.nt.pdf.Google Scholar
- A. Shabtai, R. Moskovitch, Y. Elovici and C. Glezer, "Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey," Information Security Technical Report, vol. 14, no. 1, pp. 16--29, 2009. Google ScholarDigital Library
- Garetto, M., Gong, W., & Towsley, D. 2003. "Modeling malware spreading dynamics," In INFOCOM 2003. Twenty-Second Annual Joint Conference of the IEEE Computer and Communications. IEEE Societies (Vol. 3, pp. 1869--1879). IEEE.Google Scholar
- Wang, P., González, M. C., Hidalgo, C. A., & Barabási, A. L. 2009. "Understanding the spreading patterns of mobile phone viruses," Science, 324(5930), 1071--1076.Google Scholar
- Moreno, Y., Nekovee, M., & Pacheco, A. F. 2004. "Dynamics of rumor spreading in complex networks," Physical Review E, 69(6), 066130.Google Scholar
- Chierichetti, F., Lattanzi, S., & Panconesi, A. 2009. "Rumor spreading in social networks," In Automata, Languages and Programming (pp. 375--386). Springer Berlin Heidelberg. Google ScholarDigital Library
- Bordia, P., & DiFonzo, N. 2005. "Psychological motivations," in rumor spread. Rumor mills: The social impact of rumor and legend, 87--101.Google Scholar
- Evans, K. M., & Kuenning, G. H. 2002. "A study of irregularities in file-size distributions," In Proceedings of the 2002 International Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS).Google Scholar
- Scarfo, A. 2012. "New security perspectives around BYOD," In Proceedings of the 2012 Seventh International Conference on Broadband, Wireless Computing, Communication and Applications (pp. 446--451). IEEE Computer Society. Google ScholarDigital Library
Index Terms
- Limiting access to unintentionally leaked sensitive documents using malware signatures
Recommendations
Detecting environment-sensitive malware
RAID'11: Proceedings of the 14th international conference on Recent Advances in Intrusion DetectionThe execution of malware in an instrumented sandbox is a widespread approach for the analysis of malicious code, largely because it sidesteps the difficulties involved in the static analysis of obfuscated code. As malware analysis sandboxes increase in ...
DECANTeR: DEteCtion of Anomalous outbouNd HTTP TRaffic by Passive Application Fingerprinting
ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications ConferenceWe present DECANTeR, a system to detect anomalous outbound HTTP communication, which passively extracts fingerprints for each application running on a monitored host. The goal of our system is to detect unknown malware and backdoor communication ...
Screening smartphone applications using malware family signatures
The sharp increase in smartphone malware has become one of the most serious security problems. Since the Android platform has taken the dominant position in smartphone popularity, the number of Android malware has grown correspondingly and represents ...
Comments