Data Exfiltration Detection Using Provenance

12th April 2016

Abir Awad

Postdoctoral Researcher


09:30  -  10:00
DCU Business School, Q303

It is nowadays almost impossible to avoid hearing or reading about cyber-security on a daily basis.

Cybercrime is commonly associated with Advanced Persistent Threats (APTs), the most difficult class of security threat that organisations face today. In this presentation we consider data leakage, which corresponds to the last two phases of an APT, data collection and exfiltration, in which data are moved in an unauthorised way out of the trusted environment and/or exfiltrated to an external destination. We present two ways of detecting data exfiltration from provenance data. The first is a “rule-based detection method”: provenance logs are correlated and algorithmic rules are built to detect unauthorised actions performed on a sensitive file. The second is “visualisation-based human-intelligence augmentation”, which lets an expert detect the exfiltration of sensitive data by inspecting the provenance graph. The same methods can be applied in other contexts, for example to monitor personal data transfers in the cloud, or to detect actions that breach laws and regulations, particularly for banks or hospitals where data must not move outside the state boundary or a trusted zone defined by policy.
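To make the two approaches concrete, the following is an added example (not the speaker's code, and the page gives no log format or rule set) of a rule-based check over provenance records, followed by a DOT export of the flagged flows for an analyst to inspect. The records are constructed here in an assumed "timestamp, subject, relation, object" shape loosely modelled on W3C PROV relations (`used`, `wasGeneratedBy`, and an assumed `sentTo` for network sends); the sensitive file, the trusted zone (an IPv4 prefix standing in for the policy-defined boundary) and all process and host names are illustrative assumptions.

```python
"""Rule-based exfiltration detection over provenance logs (added example).

Rule: data read from a sensitive file that reaches, through a time-ordered
chain of reads and writes, a destination outside the trusted zone is flagged.
The schema, vocabulary and sample records below are assumptions, not the
format used in the talk.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed sample provenance log: (timestamp, subject, relation, object).
# "used": activity read an entity; "wasGeneratedBy": entity written by an
# activity; "sentTo" (assumed): activity sent data to a network destination.
PROV_LOG = [
    ("2016-04-12T09:31:00", "proc:editor[1201]", "used", "file:/srv/hr/payroll.xlsx"),
    ("2016-04-12T09:32:10", "file:/tmp/report.pdf", "wasGeneratedBy", "proc:editor[1201]"),
    ("2016-04-12T09:34:00", "proc:mail[1340]", "sentTo", "net:192.0.2.10:443"),  # before the read: benign
    ("2016-04-12T09:35:00", "proc:mail[1340]", "used", "file:/tmp/report.pdf"),
    ("2016-04-12T09:35:20", "proc:mail[1340]", "sentTo", "net:203.0.113.7:25"),  # external
    ("2016-04-12T09:40:00", "proc:backup[1400]", "used", "file:/srv/hr/payroll.xlsx"),
    ("2016-04-12T09:41:00", "proc:backup[1400]", "sentTo", "net:10.0.5.9:873"),  # inside zone
    ("2016-04-12T09:45:00", "proc:browser[1500]", "used", "file:/home/u/notes.txt"),
    ("2016-04-12T09:45:30", "proc:browser[1500]", "sentTo", "net:198.51.100.4:443"),
]

SENSITIVE = {"file:/srv/hr/payroll.xlsx"}                 # assumed policy input
TRUSTED_ZONE = [ipaddress.ip_network("10.0.0.0/8")]       # assumed trusted zone


def build_graph(log):
    """Turn provenance relations into directed data-flow edges src -> (dst, ts)."""
    edges = defaultdict(list)
    for ts, subj, rel, obj in log:
        if rel == "used":              # entity -> activity that read it
            edges[obj].append((subj, ts))
        elif rel == "wasGeneratedBy":  # activity -> entity it wrote
            edges[obj].append((subj, ts))
        elif rel == "sentTo":          # activity -> network destination
            edges[subj].append((obj, ts))
        else:
            raise ValueError(f"unknown relation {rel!r}")
    return edges


def is_external(node, trusted=TRUSTED_ZONE):
    """Policy check: a network destination outside every trusted prefix is external.
    Assumes IPv4 'net:host:port' nodes."""
    if not node.startswith("net:"):
        return False
    host = node[4:].rsplit(":", 1)[0]
    addr = ipaddress.ip_address(host)
    return not any(addr in net for net in trusted)


def find_exfiltration(log, sensitive=SENSITIVE, trusted=TRUSTED_ZONE):
    """Return (sensitive_file, destination, path) for each flow that crosses the zone.

    Taint is propagated from each sensitive file; an edge is followed only if it
    happened at or after the time the taint reached its source node, so a send
    that preceded the read of the sensitive data is not correlated with it.
    """
    edges = build_graph(log)
    alerts = []
    for src in sensitive:
        queue = deque([(src, "", [src])])   # (node, time taint arrived, path)
        seen = set()
        while queue:
            node, since, path = queue.popleft()
            for nxt, ts in edges.get(node, []):
                if ts < since or (nxt, ts) in seen:
                    continue
                seen.add((nxt, ts))
                if is_external(nxt, trusted):
                    alerts.append((src, nxt, path + [nxt]))
                else:
                    queue.append((nxt, ts, path + [nxt]))
    return alerts


def to_dot(alerts):
    """Graphviz DOT of the flagged flows, for the visualisation-based review."""
    lines = ["digraph exfil {", "  rankdir=LR;"]
    for _, _, path in alerts:
        for a, b in zip(path, path[1:]):
            lines.append(f'  "{a}" -> "{b}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_exfiltration(PROV_LOG)
    for src, dst, path in found:
        print(f"ALERT: {src} reached {dst} via {' -> '.join(path)}")
    print(to_dot(found))
```

On the constructed log only the editor -> report.pdf -> mail -> 203.0.113.7 chain is flagged: the backup send stays inside the trusted prefix, the browser never touched the sensitive file, and the mail client's earlier send is excluded by the timestamp check. The DOT output can be rendered with Graphviz so an analyst sees the flagged subgraph rather than the whole provenance graph.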


Session Category :  Cloud Security