Detection of malicious exfiltration of data via networks - A systematic literature review
Publish date: 2022-12-22
Report number: FOI-R--5376--SE
Pages: 69
Written in: Swedish
Keywords:
- exfiltration
- data exfiltration
- detection
- cyber
- DNS
- SLR
- systematic literature review
Abstract
This report presents a systematic literature review of the detection of malicious network-based data exfiltration. Such exfiltration consists of an attacker's transfer of data from the target machine to the attacker's machine. Since it is not possible to keep all attackers out of a network, the detection of exfiltration is an important part of the defence. The literature review includes 48 research papers published in 2012 to 2022. The review shows that the papers have clear aims, but, on the other hand, their hypotheses are mostly described vaguely. In addition, it is shown that the papers focus on lab environments that mimic university networks, while only one paper has a military network environment. The articles rarely describe the exfiltrated data; where they do, it takes the form of credit card details, login details and documents. It is also unusual for the articles to describe the supposed threat actors. The exfiltration techniques usually hide data by placing it in packet headers, by using protocols that are not normally used to carry user data, and by encrypting it. The protocol usually used for exfiltration is DNS, whose legitimate use is translating domain names to IP addresses. Exfiltration is usually detected through network-based differences in entropy, time aspects, string lengths, traffic flows, and packet header content. The algorithms are usually based on deep learning or traditional machine learning. The detection methods are evaluated relatively rarely in the papers. The report's assessment is that more research is needed primarily on the detection of exfiltration that occurs via video conferencing, blockchain networks, DNS over HTTPS, IPv6, and other newer protocols. In addition, there is a need for research that, rather than detecting specific techniques, takes a more general approach, with algorithms that can detect several exfiltration techniques.
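The abstract names entropy and string length as the network-based features most often used to detect DNS-based exfiltration. The following added example, which is not code from the report or from any of the reviewed papers, applies those two features to query names in a small DNS log and aggregates hits per client. The log lines, their four-column format, and the thresholds (label length 20, entropy 3.5 bits per character) are all constructed assumptions for illustration; a real deployment would tune thresholds against its own baseline traffic.

```python
"""Heuristic DNS exfiltration detector over sample query logs.

Added example, not code from the FOI report. It applies two of the
network-based features the review lists (string length and entropy) to
the query names in a constructed DNS log, and counts hits per client.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log lines (not taken from the report).
# Assumed format: "<timestamp> <client-ip> <query-name> <query-type>".
# The two .tunnel.example.net queries carry long, high-entropy labels of
# the kind produced when data is encoded into DNS subdomains.
SAMPLE_LOG = """\
2022-12-22T10:00:01Z 10.0.0.5 www.example.com A
2022-12-22T10:00:02Z 10.0.0.5 mail.example.com MX
2022-12-22T10:00:03Z 10.0.0.7 3q7xk9v2b8f1m0pz6y4wq1n5.a7c2e9.tunnel.example.net TXT
2022-12-22T10:00:04Z 10.0.0.7 9z1k4m7b3x0v6n2p8q5w1f3c.b1d8f3.tunnel.example.net TXT
2022-12-22T10:00:05Z 10.0.0.9 cdn.static.example.org A
"""


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def longest_label(qname: str) -> str:
    """Return the longest dot-separated label of a query name."""
    return max(qname.rstrip(".").split("."), key=len)


def score_query(qname: str, length_threshold: int = 20,
                entropy_threshold: float = 3.5) -> dict:
    """Score one query name on label length and label entropy.

    Thresholds are assumed values for this example. Both must fire:
    long but low-entropy labels (descriptive hostnames) are common and
    benign, and short high-entropy labels carry too little data to matter.
    """
    label = longest_label(qname)
    ent = shannon_entropy(label)
    reasons = []
    if len(label) >= length_threshold:
        reasons.append(f"label length {len(label)} >= {length_threshold}")
    if ent >= entropy_threshold:
        reasons.append(f"label entropy {ent:.2f} >= {entropy_threshold}")
    return {
        "label": label,
        "length": len(label),
        "entropy": ent,
        "reasons": reasons,
        "suspicious": len(reasons) == 2,
    }


def parse_log(log_text: str):
    """Yield one record per well-formed line of the assumed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        ts, client, qname, qtype = parts
        yield {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def detect(log_text: str, **thresholds):
    """Return (flagged records, per-client hit count) for a log text."""
    flagged = []
    per_client = defaultdict(int)
    for rec in parse_log(log_text):
        score = score_query(rec["qname"], **thresholds)
        if score["suspicious"]:
            flagged.append({**rec, **score})
            per_client[rec["client"]] += 1
    return flagged, dict(per_client)


if __name__ == "__main__":
    hits, by_client = detect(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["client"]} {hit["qname"]} ({hit["qtype"]}): '
              + "; ".join(hit["reasons"]))
    print("hits per client:", by_client)
```

Per-client counts stand in for the "traffic flows" feature the abstract mentions: one odd query is noise, but a client that produces many long, random-looking labels to one zone is a stronger signal than any single record. The script deliberately ignores the query type, since the review notes that exfiltration also uses protocols and record types that normally carry no user data, so a TXT-only rule would miss the A- and AAAA-record variants.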