Mining Windows Registry for Data Exfiltration Detection

Yi Hu, Rubaiyat Hossain, Papa Seye, Sri Vasireddy

2012

Abstract

This paper illustrates a novel approach for identifying data exfiltration activities by mining the Microsoft Windows Registry. It often takes outside attackers a significant amount of effort to identify vulnerabilities in a system or its applications and to launch exploit payloads that compromise it. Insider attackers with legitimate access privileges, however, can easily steal data and sell it to a third party. Many companies spend heavily on defending network perimeters and applications from outside attacks but pay little attention to the insider threat. Although existing research addresses various aspects of insider attacks, little of it focuses on data exfiltration detection. The model proposed in this paper employs a data mining method to profile USB device usage patterns and uses various statistical methods to identify anomalous USB device usage. The effectiveness of the model was tested with USB access history extracted from the Windows Registry.
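As an added example (not code from the paper), the following Python sketches the detection side of the approach the abstract describes: it builds a per-host profile of USB storage usage from connection records and flags statistical outliers. The records are constructed. The registry location named in the comments (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, where Windows keeps one subkey per storage device instance, keyed by the device serial) is standard Windows forensics knowledge rather than something the abstract states, and the particular statistics used here (distinct devices per day against a mean plus two standard deviations, a new-device check, and an off-hours check) are this example's choices, not necessarily the paper's methods.

```python
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time

# Tunables. These are assumptions for the example, not values taken from the paper.
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # connections outside this window are flagged
Z_THRESHOLD = 2.0                           # flag a day when count > mean + 2 * stdev
BASELINE_END = date(2012, 3, 9)             # events up to this date form the profile

# Constructed sample data. Each row is one observed connection: host, USBSTOR instance ID
# (the serial subkey under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<Disk&Ven_..&Prod_..>\),
# product string, and the connection timestamp recovered from that key. Serials are made up.
SAMPLE_EVENTS = """
# host,serial,product,connected
WS-17,0019E06B1A7F&0,Kingston DataTraveler 2.0,2012-03-05T09:12:00
WS-17,0019E06B1A7F&0,Kingston DataTraveler 2.0,2012-03-06T10:03:00
WS-17,0019E06B1A7F&0,Kingston DataTraveler 2.0,2012-03-07T08:55:00
WS-17,4C530001230512101583&0,SanDisk Cruzer,2012-03-07T14:20:00
WS-17,0019E06B1A7F&0,Kingston DataTraveler 2.0,2012-03-08T09:40:00
WS-17,0019E06B1A7F&0,Kingston DataTraveler 2.0,2012-03-09T11:15:00
WS-17,0019E06B1A7F&0,Kingston DataTraveler 2.0,2012-03-12T09:05:00
WS-17,AA04012700007490&0,Seagate FreeAgent GoFlex,2012-03-12T12:31:00
WS-17,07B20C0D8A5E1B34&0,Verbatim Store n Go,2012-03-12T17:58:00
WS-17,20060413092100000&0,WD My Passport,2012-03-12T23:40:00
"""


@dataclass(frozen=True)
class UsbEvent:
    host: str
    serial: str        # USBSTOR instance ID (device serial)
    product: str
    connected: datetime


@dataclass(frozen=True)
class Finding:
    host: str
    when: str    # ISO date or timestamp the finding refers to
    kind: str    # "device-count", "new-device" or "off-hours"
    detail: str


def parse_events(text: str) -> list[UsbEvent]:
    events: list[UsbEvent] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, serial, product, ts = (f.strip() for f in line.split(",", 3))
        events.append(UsbEvent(host, serial, product, datetime.fromisoformat(ts)))
    return events


def distinct_devices_per_day(events: list[UsbEvent]) -> dict[tuple[str, date], set[str]]:
    per_day: dict[tuple[str, date], set[str]] = defaultdict(set)
    for e in events:
        per_day[(e.host, e.connected.date())].add(e.serial)
    return per_day


def build_profiles(baseline: list[UsbEvent]) -> dict[str, tuple[float, float, set[str]]]:
    """Per host: mean and sample stdev of distinct devices per day, plus the known serials."""
    counts: dict[str, list[int]] = defaultdict(list)
    known: dict[str, set[str]] = defaultdict(set)
    for (host, _day), serials in distinct_devices_per_day(baseline).items():
        counts[host].append(len(serials))
        known[host] |= serials
    return {host: (statistics.fmean(c), statistics.stdev(c) if len(c) > 1 else 0.0, known[host])
            for host, c in counts.items()}


def detect(events: list[UsbEvent], baseline_end: date) -> list[Finding]:
    baseline = [e for e in events if e.connected.date() <= baseline_end]
    recent = [e for e in events if e.connected.date() > baseline_end]
    profiles = build_profiles(baseline)
    empty = (0.0, 0.0, set())
    findings: list[Finding] = []
    # 1. Days on which a host saw unusually many distinct storage devices.
    for (host, day), serials in sorted(distinct_devices_per_day(recent).items()):
        mean, stdev, _ = profiles.get(host, empty)
        if len(serials) > mean + Z_THRESHOLD * stdev:
            findings.append(Finding(host, day.isoformat(), "device-count",
                                    f"{len(serials)} distinct devices; baseline mean {mean:.2f}, stdev {stdev:.2f}"))
    # 2. Devices never seen during the baseline period (reported once per host and serial).
    reported: set[tuple[str, str]] = set()
    for e in recent:
        if e.serial not in profiles.get(e.host, empty)[2] and (e.host, e.serial) not in reported:
            reported.add((e.host, e.serial))
            findings.append(Finding(e.host, e.connected.isoformat(), "new-device", f"{e.product} ({e.serial})"))
    # 3. Connections outside business hours.
    start, end = BUSINESS_HOURS
    for e in recent:
        if not start <= e.connected.time() < end:
            findings.append(Finding(e.host, e.connected.isoformat(), "off-hours", f"{e.product} at {e.connected:%H:%M}"))
    return findings


def detect_sample() -> list[Finding]:
    """Run the detector over the constructed sample with the module's baseline cut-off."""
    return detect(parse_events(SAMPLE_EVENTS), BASELINE_END)


if __name__ == "__main__":
    for f in detect_sample():
        print(f"{f.host} {f.when} {f.kind}: {f.detail}")
```

On the sample, the baseline week averages 1.2 distinct devices per day, so the four devices seen on 2012-03-12 exceed the threshold, three of them are reported as never seen before, and the 23:40 connection is flagged as off-hours. In practice the registry only retains the most recent timestamps per device, so a connection history like SAMPLE_EVENTS has to be assembled from periodic registry snapshots or correlated with other host artifacts.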

Paper Citation


in Harvard Style

Hu Y., Hossain R., Seye P. and Vasireddy S. (2012). Mining Windows Registry for Data Exfiltration Detection. In Proceedings of the 9th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2012) ISBN 978-989-8565-15-0, pages 101-108. DOI: 10.5220/0004100101010108


in Bibtex Style

@conference{wosis12,
author={Yi Hu and Rubaiyat Hossain and Papa Seye and Sri Vasireddy},
title={Mining Windows Registry for Data Exfiltration Detection},
booktitle={Proceedings of the 9th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2012)},
year={2012},
pages={101-108},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004100101010108},
isbn={978-989-8565-15-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 9th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2012)
TI - Mining Windows Registry for Data Exfiltration Detection
SN - 978-989-8565-15-0
AU - Hu Y.
AU - Hossain R.
AU - Seye P.
AU - Vasireddy S.
PY - 2012
SP - 101
EP - 108
DO - 10.5220/0004100101010108