Using malware for the greater good: Mitigating data leakage

Accidental (i.e., non-malicious) data leakage can occur through emails, storage media, file-sharing services, social networks, and so on, and are one of the most commonly reported threats. We present DocGuard, a novel method designed to counter accidental data leakage. Unlike existing solutions, DocGuard is effective even when a file has already leaked out of the organization's network. However, our approach does not require additional installation or software update, outside the organizational network, and it supports virtually any type of file (e.g., binaries, source-code, documents and media). Specifically, the key idea is to let existing anti-malware/anti-virus (AV) products (at the user PCs, cloud services, ISPs and e-mail gateways) identify the leaked file and block access to the identified file, in the same manner the AV product stops the propagation of an identified malware. DocGuard injects a hidden signature associated with a known malware to sensitive files. If the files are somehow leaked out of the organization's boundaries, an AV, either on the user's PC or at the network, will detect it as a real threat and immediately delete or quarantine it before it can be accessed and shared further. We implement DocGuard and evaluate it on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. Our evaluations include different leakage paths such as e-mails, file-sharing and cloud services, social networks and physical media. The evaluation results have demonstrated almost 100% effectiveness in stopping the leakage at its initial phases. In order to evaluate DocGuard at a larger scale, we simulate a leakage scenario over the topology of real social networks. Our results show that DocGuard is highly effective not only for stopping the initial leak but also in preventing the propagation of leaked files over the Internet and though social networks.