ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2021, Vol. 58 ›› Issue (5): 995-1005.doi: 10.7544/issn1000-1239.2021.20200902

Special Issue: 2021人工智能安全与隐私保护技术专题

Previous Articles     Next Articles

An Unsupervised Method for Timely Exfiltration Attack Discovery

Feng Yun, Liu Baoxu, Zhang Jinli, Wang Xutong, Liu Chaoge, Shen Mingzhe, Liu Qixu   

  1. (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093) (School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049)
  • Online:2021-05-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61902396), the Youth Innovation Promotion Association of Chinese Academy of Sciences (2019163), the Strategic Priority Research Program of Chinese Academy of Sciences (XDC02040100), the Project of the Key Laboratory of Network Assessment Technology at Chinese Academy of Sciences, and the Project of Beijing Key Laboratory of Network Security and Protection Technology.

Abstract: In recent years, exfiltration attacks have become one of the severest threats to cyber security. In addition to malware, human beings, especially insiders, can also become the executor of the attack. The obvious anomalous digital footprint left by an insider can be minuscule, which brings challenges to timely attack discovery and malicious operation analysis and reconstruction in real-world scenarios. To address the challenge, a method is proposed, which treats each user as an independent subject and detects the anomaly by comparing the deviation between current behavior and the normal historical behavior. We take one session as a unit to achieve timely attack discovery. We use unsupervised algorithms to avoid the need for a large number of labeled data, which is more practical to real-world scenarios. For the anomalous session detected by the algorithm, we further propose to construct event chains. On the one hand, it can restore the specific exfiltration operation; on the other hand, it can determine the attack more accurately by matching it with the exfiltration attack mode. Then, the experiments are undertaken using the public CMU CERT insider threat dataset, and the results show that the accuracy rates were more than 99%, and there were no false-negative and low false-positive, demonstrate that our method is effective and superior.

Key words: exfiltration attack discovery, user events, insider threat detection, unsupervised algorithm, clustering, event chain

CLC Number: