TY - JOUR
T1 - Using malware for the greater good
T2 - Mitigating data leakage
AU - Guri, Mordechai
AU - Puzis, Rami
AU - Choo, Kim Kwang Raymond
AU - Rubinshtein, Sergey
AU - Kedma, Gabi
AU - Elovici, Y.
N1 - Funding Information:
Mr. Sergey Rubinstein: A software engineer with 4 years of experience. He received his BSc in Information Systems Engineering from Ben Gurion University in 2013. Currently Sergey is a graduate student in the same department working on the systemization of knowledge and modeling of advanced multistage cyber-attacks. He participated in a number of research projects sponsored by the Israeli Ministry of Defense, EMC, Lockheed Martin and now leads a team of students in a research project supported by IBM.
Funding Information:
Dr. Rami Puzis: Lecturer, BSc Software Engineering, MSc Information Systems Engineering and PhD topic on Deployment of Intrusion Detection Systems. He has worked as a research associate in the Laboratory of Computational Cultural Dynamics, University of Maryland. His primary specialization is in the area of complex networks with applications to cyber security, social and communication network analysis. He has been the principal investigator of a series of research projects funded by Deutsche Telekom AG, Israeli Ministry of Defense, Israeli Ministry of Economy, and several leading cyber security industries.
Publisher Copyright:
© 2019 Elsevier Ltd
PY - 2019/11/1
Y1 - 2019/11/1
N2 - Accidental (i.e., non-malicious) data leakage can occur through emails, storage media, file-sharing services, social networks, and so on, and is one of the most commonly reported threats. We present DocGuard, a novel method designed to counter accidental data leakage. Unlike existing solutions, DocGuard is effective even when a file has already leaked out of the organization's network. Moreover, our approach does not require any additional installation or software update outside the organizational network, and it supports virtually any type of file (e.g., binaries, source code, documents and media). Specifically, the key idea is to let existing anti-malware/anti-virus (AV) products (at the user PCs, cloud services, ISPs and e-mail gateways) identify the leaked file and block access to it, in the same manner the AV product stops the propagation of an identified malware. DocGuard injects a hidden signature associated with a known malware into sensitive files. If the files are somehow leaked out of the organization's boundaries, an AV, either on the user's PC or in the network, will detect it as a real threat and immediately delete or quarantine it before it can be accessed and shared further. We implement DocGuard and evaluate it on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. Our evaluations include different leakage paths such as e-mails, file-sharing and cloud services, social networks and physical media. The evaluation results have demonstrated almost 100% effectiveness in stopping the leakage at its initial phases. In order to evaluate DocGuard at a larger scale, we simulate a leakage scenario over the topology of real social networks. Our results show that DocGuard is highly effective not only for stopping the initial leak but also in preventing the propagation of leaked files over the Internet and through social networks.
AB - Accidental (i.e., non-malicious) data leakage can occur through emails, storage media, file-sharing services, social networks, and so on, and is one of the most commonly reported threats. We present DocGuard, a novel method designed to counter accidental data leakage. Unlike existing solutions, DocGuard is effective even when a file has already leaked out of the organization's network. Moreover, our approach does not require any additional installation or software update outside the organizational network, and it supports virtually any type of file (e.g., binaries, source code, documents and media). Specifically, the key idea is to let existing anti-malware/anti-virus (AV) products (at the user PCs, cloud services, ISPs and e-mail gateways) identify the leaked file and block access to it, in the same manner the AV product stops the propagation of an identified malware. DocGuard injects a hidden signature associated with a known malware into sensitive files. If the files are somehow leaked out of the organization's boundaries, an AV, either on the user's PC or in the network, will detect it as a real threat and immediately delete or quarantine it before it can be accessed and shared further. We implement DocGuard and evaluate it on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. Our evaluations include different leakage paths such as e-mails, file-sharing and cloud services, social networks and physical media. The evaluation results have demonstrated almost 100% effectiveness in stopping the leakage at its initial phases. In order to evaluate DocGuard at a larger scale, we simulate a leakage scenario over the topology of real social networks. Our results show that DocGuard is highly effective not only for stopping the initial leak but also in preventing the propagation of leaked files over the Internet and through social networks.
KW - Data exfiltration
KW - Data leakage
KW - Insider threat
KW - Malware signature
UR - http://www.scopus.com/inward/record.url?scp=85073700263&partnerID=8YFLogxK
U2 - 10.1016/j.jnca.2019.07.006
DO - 10.1016/j.jnca.2019.07.006
M3 - Article
AN - SCOPUS:85073700263
SN - 1084-8045
VL - 145
JO - Journal of Network and Computer Applications
JF - Journal of Network and Computer Applications
M1 - 102405
ER -