DOI: 10.1145/2484313.2484378 (ASIA CCS short paper)

Horizon extender: long-term preservation of data leakage evidence in web traffic

Published: 08 May 2013

Abstract

This paper presents Horizon Extender, a system for the long-term preservation of data leakage evidence in enterprise networks. In contrast to classical network intrusion detection systems, which keep packet records only of suspicious traffic (black-listing), Horizon Extender reduces the total size of captured network traces by filtering out every record that does not reveal potential evidence about leaked data (white-listing). Horizon Extender has been designed to exploit the inherent redundancy of general Web traffic and its adherence to the protocol specification. We show in a real-life network of more than 1000 active hosts that Horizon Extender reduces the total HTTP volume by 99.8%, or the outgoing volume by 90.9% to 93.9%, while preserving sufficient evidence to retrospectively recover the time, the endpoint identity, and the content of information leaked over the HTTP communication channel.
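As an added illustration of the white-listing idea described in the abstract (example code written for this page, not the Horizon Extender implementation, whose actual filter rules are not given here), the following Python program walks a constructed HTTP trace, keeps for every outbound request only the fields an investigator needs to recover time, endpoint identity and transmitted content, drops every response and every protocol-fixed request header, and reports the resulting volume reduction. The record layout, the header white-list, the set of body-carrying methods and the sample trace are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HttpRecord:
    """One captured HTTP message. Constructed record layout, not the paper's format."""
    ts: str            # capture time
    client: str        # internal host that opened the connection
    server: str        # external host name
    outbound: bool     # True for a request leaving the network, False for a response
    start_line: str    # request line or status line
    headers: Dict[str, str]
    body: bytes


# Request headers fixed by the protocol or identical across a host's requests;
# they reveal nothing about what was sent (assumed white-list rule).
REDUNDANT_HEADERS = {
    "accept", "accept-encoding", "accept-language", "connection",
    "content-length", "content-type", "user-agent",
}

# Methods whose body is the carrier for data leaving the network (assumption).
BODY_METHODS = {"POST", "PUT", "PATCH"}


def raw_size(rec: HttpRecord) -> int:
    """Approximate on-the-wire size of a message: lines joined with CRLF."""
    size = len(rec.start_line) + 2
    for name, value in rec.headers.items():
        size += len(name) + 2 + len(value) + 2   # "Name: value\r\n"
    return size + 2 + len(rec.body)              # blank line, then body


def evidence(rec: HttpRecord) -> Optional[dict]:
    """White-list: return the evidence kept for an outbound request, else None."""
    if not rec.outbound:
        return None                              # responses are dropped entirely
    method, target, _version = rec.start_line.split(" ", 2)
    kept_headers = {
        name: value for name, value in rec.headers.items()
        if name.lower() not in REDUNDANT_HEADERS
    }
    return {
        "ts": rec.ts, "client": rec.client, "server": rec.server,
        "method": method, "target": target,      # query strings stay in target
        "headers": kept_headers,
        "body": rec.body if method in BODY_METHODS else b"",
    }


def evidence_size(ev: dict) -> int:
    """Bytes retained for one evidence record."""
    size = sum(len(ev[k]) for k in ("ts", "client", "server", "method", "target"))
    size += sum(len(n) + len(v) for n, v in ev["headers"].items())
    return size + len(ev["body"])


def filter_trace(records: List[HttpRecord]) -> Tuple[List[dict], int, int]:
    """Apply the white-list to a trace; return (kept, raw_bytes, kept_bytes)."""
    kept: List[dict] = []
    raw_bytes = kept_bytes = 0
    for rec in records:
        raw_bytes += raw_size(rec)
        ev = evidence(rec)
        if ev is not None:
            kept.append(ev)
            kept_bytes += evidence_size(ev)
    return kept, raw_bytes, kept_bytes


def reduction(raw_bytes: int, kept_bytes: int) -> float:
    """Fraction of the raw volume removed by the filter."""
    return 1.0 - kept_bytes / raw_bytes if raw_bytes else 0.0


# Constructed sample trace: a page fetch and a form upload from one internal host.
UPLOAD_BODY = b"customer_id=4711&note=constructed+sample+payload"
SAMPLE_TRACE = [
    HttpRecord("2013-05-08T10:00:00Z", "10.0.0.5", "www.example.com", True,
               "GET /index.html?q=report HTTP/1.1",
               {"Host": "www.example.com", "User-Agent": "Mozilla/5.0",
                "Accept": "text/html", "Accept-Encoding": "gzip"}, b""),
    HttpRecord("2013-05-08T10:00:01Z", "10.0.0.5", "www.example.com", False,
               "HTTP/1.1 200 OK",
               {"Content-Type": "text/html", "Content-Length": "4096"},
               b"<html>" + b"x" * 4090),
    HttpRecord("2013-05-08T10:00:05Z", "10.0.0.5", "upload.example.net", True,
               "POST /upload HTTP/1.1",
               {"Host": "upload.example.net", "User-Agent": "Mozilla/5.0",
                "Content-Type": "application/x-www-form-urlencoded",
                "Content-Length": str(len(UPLOAD_BODY))}, UPLOAD_BODY),
    HttpRecord("2013-05-08T10:00:06Z", "10.0.0.5", "upload.example.net", False,
               "HTTP/1.1 204 No Content", {"Connection": "close"}, b""),
]

if __name__ == "__main__":
    kept, raw, small = filter_trace(SAMPLE_TRACE)
    print(f"{len(kept)} evidence records, {raw} -> {small} bytes, "
          f"reduction {reduction(raw, small):.1%}")
    for ev in kept:
        print(ev["ts"], ev["client"], "->", ev["server"],
              ev["method"], ev["target"], ev["body"])
```

The inbound response body dominates the raw trace and is discarded outright, which is where most of the reduction comes from; the outbound POST body, the GET query string and the host identity survive, so an investigator can still answer when, from which host, to which server, and what was sent. A real deployment would have to decide the header white-list per protocol version and treat encoded or compressed request bodies explicitly, which this toy filter does not do.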


Cited By

  • Supervised learning framework for covert channel detection in LTE-A. IET Information Security 12(6):534-542, 2018. doi:10.1049/iet-ifs.2017.0394
  • FloSIS. Proceedings of the 2015 USENIX Annual Technical Conference, pages 445-457, 2015. doi:10.5555/2813767.2813800
  • Achieving robustness and capacity gains in covert timing channels. 2014 IEEE International Conference on Communications (ICC), pages 969-974, 2014. doi:10.1109/ICC.2014.6883445
  • Inline Data Integrity Signals for Passive Measurement. Traffic Monitoring and Analysis, pages 15-25, 2014. doi:10.1007/978-3-642-54999-1_2


Published In

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, May 2013, 574 pages. ISBN 9781450317672. DOI: 10.1145/2484313

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags: aggregation, data leakage, incident investigation, network forensics, network security

Conference: ASIA CCS '13 (short paper). Paper acceptance rate: 35 of 216 submissions (16%); overall acceptance rate: 418 of 2,322 submissions (18%)
