Optimal Strategies for Detecting Data Exfiltration by Internal and External Attackers

  • Karel DurkotaEmail author
  • Viliam Lisý
  • Christopher Kiekintveld
  • Karel Horák
  • Branislav Bošanský
  • Tomáš Pevný
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10575)


We study the problem of detecting data exfiltration in computer networks. We focus on the performance of optimal defense strategies with respect to an attacker’s knowledge about typical network behavior and his ability to influence the standard traffic. Internal attackers know the typical upload behavior of the compromised host and may be able to discontinue standard uploads in favor of the exfiltration. External attackers do not immediately know the behavior of the compromised host, but they can learn it from observations.

We model the problem as a sequential game of imperfect information, where the network administrator selects the thresholds for the detector, while the attacker chooses how much data to exfiltrate in each time step. We present novel algorithms for approximating the optimal defense strategies in the form of Stackelberg equilibria. We analyze the scalability of the algorithms and efficiency of the produced strategies in a case study based on real-world uploads of almost six thousand users to Google Drive. We show that with the computed defense strategies, the attacker exfiltrates 2–3 times less data than with simple heuristics; randomized defense strategies are up to 30% more effective than deterministic ones, and substantially more effective defense strategies are possible if the defense is customized for groups of hosts with similar behavior.


Data exfiltration detection Game theory Network security 



This research was supported by the Czech Science Foundation (grant no. 15-23235S).


  1. 1.
    Grand theft data data exfiltration study: Actors, tactics, and detection. Technical report, McAfee, Inc. (2015).
  2. 2.
    Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting inside attackers using decoy documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 51–70. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-05284-2_4 CrossRefGoogle Scholar
  3. 3.
    Braziunas, D.: Pomdp solution methods. University of Toronto, Technical Report (2003)Google Scholar
  4. 4.
    Comesana, P., Pérez-Freire, L., Pérez-González, F.: Blind newton sensitivity attack. IEE Proc.-Inf. Secur. 153(3), 115–125 (2006)CrossRefGoogle Scholar
  5. 5.
    Fadolalkarim, D., Sallam, A., Bertino, E.: Pandde: provenance-based anomaly detection of data exfiltration. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 267–276. ACM (2016)Google Scholar
  6. 6.
    Feder, T., Nazerzadeh, H., Saberi, A.: Approximating nash equilibria using small-support strategies. In: Proceedings of the 8th ACM Conference on Electronic Commerce, pp. 352–354. ACM (2007)Google Scholar
  7. 7.
    Wikipedia foundation: List of data breaches.
  8. 8.
    Horák, K., Bošanský, B.: A point-based approximate algorithm for one-sided partially observable pursuit-evasion games. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds.) GameSec 2016. LNCS, vol. 9996, pp. 435–454. Springer, Cham (2016). doi: 10.1007/978-3-319-47413-7_25 Google Scholar
  9. 9.
    Laszka, A., Abbas, W., Sastry, S.S., Vorobeychik, Y., Koutsoukos, X.: Optimal thresholds for intrusion detection systems. In: Proceedings of the Symposium and Bootcamp on the Science of Security, pp. 72–81. ACM (2016)Google Scholar
  10. 10.
    Lee, S.Y., Low, W.L., Wong, P.Y.: Learning fingerprints for a database intrusion detection system. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 264–279. Springer, Heidelberg (2002). doi: 10.1007/3-540-45853-0_16 CrossRefGoogle Scholar
  11. 11.
    Lisý, V., Kessl, R., Pevný, T.: Randomized operating point selection in adversarial classification. In: Calders, T., Esposito, F., Hüllermeier, E., Meo, R. (eds.) ECML PKDD 2014. LNCS, vol. 8725, pp. 240–255. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44851-9_16 Google Scholar
  12. 12.
    Liu, D., Wang, X., Camp, J.: Game-theoretic modeling and analysis of insider threats. Int. J. Crit. Infrastruct. Prot. 1, 75–80 (2008)CrossRefGoogle Scholar
  13. 13.
    Liu, S., Kuhn, R.: Data loss prevention. IT Prof. 12(2), 10–13 (2010)CrossRefGoogle Scholar
  14. 14.
    Liu, Y., Corbett, C., Chiang, K., Archibald, R., Mukherjee, B., Ghosal, D.: Sidd: a framework for detecting sensitive data exfiltration by an insider attack. In: 42nd Hawaii International Conference on System Sciences, HICSS 2009, pp. 1–10. IEEE (2009)Google Scholar
  15. 15.
    Mc Carthy, S.M., Sinha, A., Tambe, M., Manadhata, P.: Data exfiltration detection and prevention: virtually distributed POMDPs for practically safer networks. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds.) GameSec 2016. LNCS, vol. 9996, pp. 39–61. Springer, Cham (2016). doi: 10.1007/978-3-319-47413-7_3 Google Scholar
  16. 16.
    Rubner, Y., Tomasi, C., Guibas, L.J.: The earth mover’s distance as a metric for image retrieval. Int. J. Comput. Vis. 40(2), 99–121 (2000)CrossRefzbMATHGoogle Scholar
  17. 17.
    Shoham, Y., Leyton-Brown, K.: Multiagent Systems: Algorithmic, Game-theoretic, and Logical Foundations. Cambridge University Press (2008)Google Scholar
  18. 18.
    Smith, T., Simmons, R.: Heuristic search value iteration for pomdps. In: Proceedings of the 20th Conference on Uncertainty in Artificial Intelligence, pp. 520–527. AUAI Press (2004)Google Scholar
  19. 19.
    Zander, S., Armitage, G., Branch, P.: A survey of covert channels and countermeasures in computer network protocols. IEEE Commun. Surv. Tutorials 9(3), 44–57 (2007)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Karel Durkota
    • 1
    Email author
  • Viliam Lisý
    • 1
  • Christopher Kiekintveld
    • 2
  • Karel Horák
    • 1
  • Branislav Bošanský
    • 1
  • Tomáš Pevný
    • 1
    • 3
  1. 1.Deptartment of Computer Science, FEECzech Technical University in PraguePragueCzech Republic
  2. 2.Computer Science DepartmentUniversity of Texas at El PasoEl PasoUSA
  3. 3.Cisco Systems, Inc.PragueCzech Republic

Personalised recommendations