TY - GEN
T1 - Limiting access to unintentionally leaked sensitive documents using malware signatures
AU - Guri, Mordechai
AU - Kedma, Gabi
AU - Carmeli, Buky
AU - Elovici, Yuval
PY - 2014/1/1
Y1 - 2014/1/1
N2 - Organizations are repeatedly embarrassed when their sensitive digital documents go public or fall into the hands of adversaries, often as a result of unintentional or inadvertent leakage. Such leakage has been traditionally handled either by preventive means, which are evidently not hermetic, or by punitive measures taken after the main damage has already been done. Yet, the challenge of preventing a leaked file from spreading further among computers and over the Internet is not resolved by existing approaches. This paper presents a novel method, which aims at reducing and limiting the potential damage of a leakage that has already occurred. The main idea is to tag sensitive documents within the organization's boundaries by attaching a benign detectable malware signature (DMS). While the DMS is masked inside the organization, if a tagged document is somehow leaked out of the organization's boundaries, common security services such as Anti-Virus (AV) programs, firewalls or email gateways will detect the file as a real threat and will consequently delete or quarantine it, preventing it from spreading further. This paper discusses various aspects of the DMS, such as signature type and attachment techniques, along with proper design considerations and implementation issues. The proposed method was implemented and successfully tested on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. The evaluation results have demonstrated its effectiveness in limiting the spread of leaked documents.
KW - Anti-virus program
KW - Data leakage
KW - Detectable malware signature
KW - Sensitive document
UR - http://www.scopus.com/inward/record.url?scp=84904497679&partnerID=8YFLogxK
U2 - 10.1145/2613087.2613103
DO - 10.1145/2613087.2613103
M3 - Conference contribution
AN - SCOPUS:84904497679
SN - 9781450329392
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 129
EP - 140
BT - SACMAT 2014 - Proceedings of the 19th ACM Symposium on Access Control Models and Technologies
PB - Association for Computing Machinery
T2 - 19th ACM Symposium on Access Control Models and Technologies, SACMAT 2014
Y2 - 25 June 2014 through 27 June 2014
ER -