
Extrusion Detection System

Problem statement:
The world is becoming more interconnected with the advent of the Internet and new networking
technology. There is a large amount of personal, commercial, military, and government information on
networking infrastructures worldwide. Network security is becoming increasingly important because
intellectual property can be easily acquired through the Internet. There should therefore be some technology
that detects accidental and/or intentional data leakage from the network.
Extrusion detection, or outbound intrusion detection, is a branch of intrusion detection aimed at
developing mechanisms to identify successful and unsuccessful attempts to use the resources of
a computer system to compromise other systems. Extrusion detection techniques focus primarily on the
analysis of system activity and outbound traffic in order to detect malicious users, malware or network
traffic that may pose a threat to the security of neighboring systems.
Strong Points:
An advantage of the present invention is that it provides a computer-implemented methodology for extrusion
detection of obfuscated content. The method classifies accessible files as either sensitive or not
sensitive and computes the signature to prevent extrusion of obfuscated content. The method also
includes monitoring events on the local computer (including the use of obfuscation tools to create
obfuscated files) and determining whether a file being opened by an obfuscation tool is classified as
sensitive. In one case, only sensitive files output by obfuscation tools are passed through the signature
computing step. In another case, using the signature to prevent extrusion of obfuscated content includes
sending the signature to a data leakage detection engine for use in the extrusion detection system.
The extrusion detection can be carried out, for example, on the computer and/or at the gateway level with which
the computer is communicatively coupled. In another case the method may include monitoring for
outgoing data that includes one or more attachments. In one case the attachment was obfuscated by more
than one obfuscation (for example compressed, encrypted, and then subjected to multiple compressions or encryptions).
In this case the analysis includes computing a signature of the extracted attachments and comparing that
signature to the signature of known sensitive information.
Another embodiment of this invention provides a system for extrusion detection of obfuscated content.
This functionality can be implemented in different ways, such as software (e.g. coding), hardware (for
example at the gateway level), firmware (for example one or more microcontrollers), or some combination of
software, hardware and firmware.
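
[FIG. 1: block diagram. A security server containing the data leakage detection engine is connected through a network to three clients, each running a security client module.]
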
FIG. 1 is the block diagram of the extrusion detection system. As shown, the security server is connected
to a network. The security server has a data leakage detection engine and is connected to one
or more client computers through the network using a wide variety of communication protocols such as
TCP/IP, HTTP, FTP, SMTP, etc., with formats such as HTML or XML, and protected by VPN, secure HTTP,
etc.
The client computer is a device that can run a number of applications and operating systems. The operating
system could be Microsoft Windows, an Apple operating system or a Linux distribution. In another embodiment,
the client computer may be a machine with computer functionality, such as a personal digital
assistant (PDA), smartphone, video game or cellular telephone. Such computing devices can send
messages with one or more files attached to external networks or destinations, and such devices can
also receive messages or attachments from other networks. FIG. 1 shows three clients, but there may
equally be thousands or millions of such clients.
The security client module executes on the client computer. In one case the security client module is
programmed or configured to differentiate files as sensitive or not sensitive; this module monitors all
reads and writes to files on the system and detects any possible data leakage. One function
of our invention is to detect when an obfuscation tool such as PGP, pkzip, crypt, etc. is launched on the
client computer. If such an obfuscation tool has been used on, or has accessed, a file that is known to
contain confidential content, then the resulting obfuscated file can be tracked. This can be
achieved by computing a hash, for example MD5, of the obfuscated file. This hash or
other signature is then forwarded to the server's data leakage detection engine. The security module can be
incorporated into the OS of the computer or be part of a separate package. The security client module may be
further set to communicate with the security server via a network, such as a wireless network. The security client
module can also report information regarding a potential information leak and send this information to
the server. The server can then provide a recommendation to the client module.
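
The signature flow described above, as an added example that is not part of the original document: a client module reports the hash of a file an obfuscation tool wrote from a sensitive input, and the detection engine unwraps nested attachments and compares each layer against the reported signatures. The function names, the label, the XOR stand-in for an encryption tool and the depth and size caps are assumptions; SHA-256 is used in place of the MD5 the text gives as an example.

```python
import gzip
import hashlib
import io
import zipfile
import zlib

MAX_DEPTH, MAX_BYTES = 5, 10_000_000  # assumed caps: nesting levels, bytes per layer

def signature(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # page's example is MD5; SHA-256 substituted

def unwrap(data: bytes):
    """Yield the payloads one layer down; only gzip and zip are handled here."""
    try:
        if data[:2] == b"\x1f\x8b":                      # gzip magic
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                yield gz.read(MAX_BYTES)
        elif data[:4] == b"PK\x03\x04":                  # zip local file header
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size <= MAX_BYTES:
                        yield zf.read(info)
    except (OSError, EOFError, RuntimeError, zlib.error, zipfile.BadZipFile):
        return  # malformed or password-protected container: stop unpacking

def client_report(known: dict, sensitive: set, tool_in: bytes, tool_out: bytes, label: str):
    """Client module: an obfuscation tool read tool_in and wrote tool_out."""
    if signature(tool_in) in sensitive:         # only sensitive inputs are tracked
        known[signature(tool_out)] = label      # signature forwarded to the engine

def check(known: dict, data: bytes, depth: int = 0):
    """Engine: label of the first layer whose signature is known, else None."""
    label = known.get(signature(data))
    if label or depth >= MAX_DEPTH:
        return label
    for inner in unwrap(data):
        label = check(known, inner, depth + 1)
        if label:
            return label
    return None

def demo():
    secret = b"Q3 acquisition plan"             # constructed sensitive file
    enc = bytes(b ^ 0x5A for b in secret)       # stand-in for an encryption tool's output
    known = {}
    client_report(known, {signature(secret)}, secret, enc, "acquisition-plan")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:       # enc is zipped, then the zip is gzipped
        zf.writestr("notes.bin", enc)
    return check(known, gzip.compress(buf.getvalue())), check(known, gzip.compress(b"menu"))
```

Matching is on exact bytes, so an obfuscated file that the client module never reported is not recognized by the engine.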
Weak Points:
Problems in deploying Extrusion Detection in MANETs
There are many problems in deploying client-server based extrusion detection in Mobile Ad-hoc
Networks. The reasons are as follows.
1) Deployment of Extrusion Detection Server

It is very difficult to deploy an Extrusion Detection Server in an ad-hoc network, because the clients are connected
through the network only temporarily.
2) Clients have limited processing power

In Mobile Ad-hoc Networks, the nodes are mostly mobile devices, which have less processing power and less computing
space. So it is very difficult to deploy the security client module on mobile devices.

3) Less power backup (battery life)

Most mobile devices have limited battery backup. So if a mobile device scans signatures and monitors events on
the client (mobile device), it will require more battery backup.

Summary:
An advantage of the present invention is that it provides a computer-implemented methodology for extrusion
detection of obfuscated content. The method classifies accessible files as either sensitive or not
sensitive and computes the signature to prevent extrusion of obfuscated content. The method also
includes monitoring events on the local computer (including the use of obfuscation tools to create
obfuscated files) and determining whether a file being opened by an obfuscation tool is classified as
sensitive. In one case, only sensitive files output by obfuscation tools are passed through the signature
computing step. In another case, using the signature to prevent extrusion of obfuscated content includes
sending the signature to a data leakage detection engine for use in the extrusion detection system.
The extrusion detection can be carried out, for example, on the computer and/or at the gateway level with which
the computer is communicatively coupled. In another case the method may include monitoring for
outgoing data that includes one or more attachments. In one case the attachment was obfuscated by more
than one obfuscation (for example compressed, encrypted, and then subjected to multiple compressions or encryptions).
In this case the analysis includes computing a signature of the extracted attachments and comparing that
signature to the signature of known sensitive information.
Another embodiment of this invention provides a system for extrusion detection of obfuscated content.
This functionality can be implemented in different ways, such as software (e.g. coding), hardware (for
example at the gateway level), firmware (for example one or more microcontrollers), or some combination of
software, hardware and firmware.
