DOI: 10.1145/2613087.2613103

Limiting access to unintentionally leaked sensitive documents using malware signatures

Published: 25 June 2014

Abstract

Organizations are repeatedly embarrassed when their sensitive digital documents go public or fall into the hands of adversaries, often as a result of unintentional or inadvertent leakage. Such leakage has been traditionally handled either by preventive means, which are evidently not hermetic, or by punitive measures taken after the main damage has already been done. Yet, the challenge of preventing a leaked file from spreading further among computers and over the Internet is not resolved by existing approaches. This paper presents a novel method, which aims at reducing and limiting the potential damage of a leakage that has already occurred. The main idea is to tag sensitive documents within the organization's boundaries by attaching a benign detectable malware signature (DMS). While the DMS is masked inside the organization, if a tagged document is somehow leaked out of the organization's boundaries, common security services such as Anti-Virus (AV) programs, firewalls or email gateways will detect the file as a real threat and will consequently delete or quarantine it, preventing it from spreading further. This paper discusses various aspects of the DMS, such as signature type and attachment techniques, along with proper design considerations and implementation issues. The proposed method was implemented and successfully tested on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. The evaluation results have demonstrated its effectiveness in limiting the spread of leaked documents.


Published In

SACMAT '14: Proceedings of the 19th ACM symposium on Access control models and technologies
June 2014
234 pages
ISBN:9781450329392
DOI:10.1145/2613087
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anti-virus program
  2. data leakage
  3. detectable malware signature
  4. sensitive document

Qualifiers

  • Research-article

Conference

SACMAT '14

Acceptance Rates

SACMAT '14 Paper Acceptance Rate 17 of 58 submissions, 29%;
Overall Acceptance Rate 177 of 597 submissions, 30%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 297
  • Downloads (Last 12 months): 6
  • Downloads (Last 6 weeks): 0

Reflects downloads up to 12 Feb 2025
