DOI QR코드

DOI QR Code

Comparison and Analysis of Anomaly Detection Methods for Detecting Data Exfiltration

데이터 유출 탐지를 위한 이상 행위 탐지 방법의 비교 및 분석

  • Lim, Wongi (The 2nd Institute 3rd Directorate, Agency for Defense Development) ;
  • Kwon, Koohyung (The 2nd Institute 3rd Directorate, Agency for Defense Development) ;
  • Kim, Jung-Jae (Dept. of Computer Science, Kwangwoon University) ;
  • Lee, Jong-Eon (Tactical Communication Team, Hanwha Systems) ;
  • Cha, Si-Ho (Dept. of Multimedia Science, Chungwoon University)
  • 임원기 (국방과학연구소 2본부 3부) ;
  • 권구형 (국방과학연구소 2본부 3부) ;
  • 김정재 (광운대학교 컴퓨터과학과) ;
  • 이종언 (한화시스템 전술통신팀) ;
  • 차시호 (청운대학교 멀티미디어학과)
  • Received : 2016.08.08
  • Accepted : 2016.09.09
  • Published : 2016.09.30

Abstract

Military secrets or confidential data of any organization are extremely important assets. They must be discluded from outside. To do this, methods for detecting anomalous attacks and intrusions inside the network have been proposed. However, most anomaly-detection methods only cover aspects of intrusion from outside and do not deal with internal leakage of data, inflicting greater damage than intrusions and attacks from outside. In addition, applying conventional anomaly-detection methods to data exfiltration creates many problems, because the methods do not consider a number of variables or the internal network environment. In this paper, we describe issues considered in data exfiltration detection for anomaly detection (DEDfAD) to improve the accuracy of the methods, classify the methods as profile-based detection or machine learning-based detection, and analyze their advantages and disadvantages. We also suggest future research challenges through comparative analysis of the issues with classification of the detection methods.

군사 비밀이나 조직의 기밀 데이터는 그 조직의 매우 중요한 자원이며 외부로부터의 접근이 차단되어야 한다. 그러나 최근 인터넷의 접근성이 높아짐으로써 보안이 중요한 이슈로 부상하고 있다. 이를 위해 네트워크 내부에 대한 공격이나 침입행위를 탐지하는 이상 행위 탐지 방법이 제안되었다. 그러나 대부분의 이상 행위 탐지는 외부로부터의 침입에 대한 측면만 다루고 있으며, 공격이나 침입보다 더 큰 피해를 입히는 내부 데이터의 유출에 대해서는 다루고 있지 않다. 또한 기존의 이상 행위 탐지 방법을 데이터 유출 탐지에 적용할 경우 네트워크 내부의 환경과 여러 가지 변수들이 고려되어 있지 않기 때문에 많은 문제점들이 발생한다. 따라서 본 논문에서는 데이터 유출 탐지를 위한 이상 행위 탐지(Data Exfiltrating Detection for Anomaly Detection : DEDfAD) 방법의 정확도 향상을 위하여 DEDfAD에서 고려되어야 하는 이슈 사항들에 대하여 기술하고, 프로파일 기반의 탐지 방법과 머신러닝 기반의 탐지 방법으로 분류하여 이들의 장단점을 분석한다. 또한 분류된 접근 방법을 중심으로 이슈들과의 비교분석을 통해 향후 연구 방향을 제시한다.

Keywords

References

  1. B. J. Lee, H. S. Jeon, H. Y. Song, "Information-Centric Networking Research Trend", Electronics and Telecommunications Trends, 2012.
  2. S. J. Oh, "An Anomaly Detection Method for the Security of VANETs", The Journal of The Institute of Internet, Broadcasting and Communication, vol. 14, no. 6, pp. 175-185, 2014. https://doi.org/10.7236/JIIBC.2014.14.6.175
  3. S. J. Oh, "Design and Evaluation of a Weighted Intrusion Detection Method for VANETs", The Journal of The Institute of Webcasting, Internet and Telecommunication, vol. 11, no. 3, pp. 181-188, 2011.
  4. S. Kim, S.-J. Oh, "A Big Data Application for Anomaly Detection in VANETs", The Journal of The Institute of Internet, Broadcasting and Communication (IIBC), vol. 14, no. 6, pp. 175-181, Dec. 2014. DOI: http://dx.doi.org/10.7236/JIIBC.2014.14.6.175
  5. V. J. Hodge, J. Austin, "A Survey of Outlier Detection Methologies", Artificial Intelligence Review, vol. 22, no. 2, pp. 85-126, 2004. DOI: http://dx.doi.org/10.1023/B:AIRE.0000045502.10941.a9
  6. W.-S. Kim, S. Kim, "A Study on Information Effluence State and Measure by Peer-to-Peer Programs in Korea and Japan", The Journal of The Institute of Webcasting, Internet Television and Telecommunication, vol. 9 no. 1, pp. 67-74, 2009.
  7. V. Chandola, A. Banerjee, Vipin Kumar, "Anomaly detection : A survey", ACM Computing Surveys(CSUR), vol. 41 no. 3, 2009. DOI: http://dx.doi.org/10.1145/1541880.1541882
  8. F. Sabahi, A. Movaghar, "Intrusion Detection : A Survey", The Third International Conference on Systems and Networks Communications, pp. 23-26, 2008. DOI: http://dx.doi.org/10.1109/icsnc.2008.44
  9. Monowar H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "Network Anomaly Detection : Methods, Systems and Tools", IEEE Communications Surveys & Tutorials, vol. 16, no. 1, 2014. DOI: http://dx.doi.org/10.1109/SURV.2013.052213.00046
  10. M. R. Randazzo, M. Keeney, E. Kowalski, D. Cappelli, and A. Moore, "Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector", CERT and the National Threat Assessment Center, Aug. 2004.
  11. E. D. Shaw, K. G. Ruby, and J. M. Post, "The insider threat to information systems: The psychology of the dangerous insider", Security Awareness Bulletin, vol. 2-98, pp. 27-46, Sept. 1998.
  12. L. Spitzner, "Honeypots: catching the insider threat", Proceedings of 19th Annual Computer Security Applications Conference, pp. 170-179, Dec. 2003. DOI: http://dx.doi.org/10.1109/csac.2003.1254322
  13. M. B. Salem, S. Hershkop, S. J. Stoplfo, "A Survey of Insider Attack Detection Research", Insider Attack and Cyber Security, vol. 39, pp. 69-90, 2008. DOI: http://dx.doi.org/10.1007/978-0-387-77322-3_5
  14. S. Y. Lim, A. Jones, "Network Anomaly Detection System : The State of art of Network Behaviour Analysis", International Conference on Convergence and Hybrid Information Technology, 2008. DOI: http://dx.doi.org/10.1109/ichit.2008.249
  15. V. Chandola, A. Banerjee, V. Kumar, "Anomaly Detection for Discrete Sequences: A Survey", IEEE Transactions on Knowledge and Data Engineering, vol. 24, no. 5, May 2012. DOI: http://dx.doi.org/10.1109/TKDE.2010.235
  16. G. B. Magklaras, "Insider Threat Prediction Tool: Evaluating the probability of IT misuse", Elsevier Science C&C, 2002.
  17. Y. Liu, "SIDD: A Framework for Detecting Sensitive Data Exfiltration by an Insider Attack ", IEEE HICSS, 2009. DOI: http://dx.doi.org/10.1109/HICSS.2009.390
  18. A. Al-Bataineh, "Analysis and Detection of Malicious Data Exfiltration in Web Traffic", IEEE Malicious and Unwanted Software, 2012. DOI: http://dx.doi.org/10.1109/malware.2012.6461004
  19. R. Ramachandran, "Behavior model for Detecting data Exfiltration in Network Environment", IEEE, 2011. DOI: http://dx.doi.org/10.1109/imsaa.2011.6156340
  20. P. Parveen, "Insider Threat Detection using Stream Mining and Graph Mining", IEEE ICSC, 2012.