Muhammad Ahmed Noor (Author)
Usman Institute of Technology, Karachi, Pakistan
e-mail: manoorkhi@hotmail.com

Abstract: In this research paper we examine how extrusion detection can prevent confidential information from leaving MANET (mobile ad-hoc) networks. The technique detects outgoing confidential information at the gateway and/or the client, even when the confidential information has been encrypted, compressed or obfuscated before transmission, for example as an email attachment or on portable storage media such as a memory stick.

I. INTRODUCTION AND BACKGROUND OF INVENTION

Extrusion detection is the technology that detects accidental and/or intentional leakage of data from the network. There are two approaches. One is extrusion detection at the gateway level using extrusion detection software (EDS) that scans outgoing web, email and IM traffic for confidential information being sent outside the network. One disadvantage of EDS is that it does not inspect encrypted or compressed files or contents. Therefore, if an attacker compresses or encrypts a file or its contents before attaching it to an email, the EDS will be unable to detect the sensitive data, and the data will be leaked. In the same way, if a user encrypts a file before copying it to a USB stick, CD-ROM or other such media, conventional desktop EDS systems will be unable to detect the transfer of that sensitive data. One way to solve this problem is simply to block all encrypted or compressed files from leaving the gateway. This creates another problem: it incurs a high false-positive rate and denies legitimate outgoing encrypted or compressed files and contents.

II. SUMMARY OF THE INVENTION

An advantage of the present invention is to provide a computer-implemented methodology for extrusion detection of obfuscated content.
This method differentiates accessible files as either sensitive or not sensitive and computes a signature to prevent extrusion of obfuscated contents. The method also includes monitoring events on the local computer (including the use of obfuscation tools to create such obfuscated files) and determining that, if a file is being opened by an obfuscation tool, it is classified as sensitive. In one case, only sensitive files output by obfuscation tools are passed through the signature-computing step. In another case, using the signature to prevent extrusion of obfuscated content includes sending the signature to a data leakage detection engine for use in the extrusion detection system. The extrusion detection can be carried out, for example, on the computer and/or at the gateway with which the computer is communicatively coupled. In another case, the method may include monitoring for outgoing data that includes one or more attachments. In one case the attachment was obfuscated by more than one obfuscation (for example compressed, then encrypted, and then further compressions or encryptions). In this case the analysis includes computing a signature of the extracted attachment and comparing that signature to the signatures of known sensitive information. Another embodiment of this invention provides a system for extrusion detection of obfuscated contents. This functionality can be implemented in different ways, such as software (e.g. code), hardware (for example at the gateway level), firmware (for example one or more microcontrollers), or some combination of software, hardware and firmware.
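The gateway-side part of the summary above (extract each outgoing attachment, compute its signature, compare it with the signatures reported for known sensitive and obfuscated files, and block on a match, including attachments that were compressed more than once) is shown below as an added example. This is illustrative code written for this page, not the paper's own implementation; the engine class, the zip-based stand-in for an obfuscation tool, the sample "secret" content and the email addresses are all constructed for the example. The paper's example signature is MD5; SHA-256 is used here because MD5 collisions are cheap to produce, which matters for a signature that is meant to decide whether a file may leave the network.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

MAX_NESTING = 4  # how many archive-in-archive layers the engine will unwrap


def signature(data: bytes) -> str:
    """Signature of a byte string (the paper's example is MD5; SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


def obfuscate(data: bytes, member_name: str) -> bytes:
    """Stand-in for a compression tool such as pkzip: wraps data in a zip archive.
    A fixed timestamp keeps the output deterministic for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(member_name, date_time=(2024, 1, 1, 0, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, data)
    return buf.getvalue()


class DataLeakageDetectionEngine:
    """Server-side engine holding signatures reported by security client modules."""

    def __init__(self):
        self.known_sensitive = {}  # signature -> where the client module saw it

    def register(self, data: bytes, origin: str) -> None:
        self.known_sensitive[signature(data)] = origin

    def layers(self, data: bytes, depth: int = 0):
        """Yield the attachment itself and, if it is a zip archive, every member
        recursively, so multiply compressed content is still inspected."""
        yield data
        if depth >= MAX_NESTING or not zipfile.is_zipfile(io.BytesIO(data)):
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                try:
                    inner = zf.read(name)
                except RuntimeError:
                    continue  # password-protected member: its outer bytes were already hashed
                yield from self.layers(inner, depth + 1)

    def check_attachment(self, data: bytes):
        for layer in self.layers(data):
            sig = signature(layer)
            if sig in self.known_sensitive:
                return "block", self.known_sensitive[sig]
        return "allow", None

    def check_message(self, raw: bytes):
        """Gateway step: extract each attachment, hash it, compare, block on match."""
        msg = message_from_bytes(raw)
        for part in msg.walk():
            if part.get_content_disposition() != "attachment":
                continue
            verdict, origin = self.check_attachment(part.get_payload(decode=True))
            if verdict == "block":
                return "block", part.get_filename(), origin
        return "allow", None, None


def build_message(attachment: bytes, filename: str) -> bytes:
    """Constructed outgoing email carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "user@client.example"
    msg["To"] = "someone@outside.example"
    msg["Subject"] = "files"
    msg.set_content("see attached")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def demo() -> dict:
    secret = b"CONFIDENTIAL: Q3 customer list\nacme,contact@acme.example\n"  # constructed
    engine = DataLeakageDetectionEngine()
    # The client module classified `secret` as sensitive and then watched an
    # obfuscation tool produce list.zip from it; both signatures are reported.
    zipped = obfuscate(secret, "list.txt")
    engine.register(secret, "client-7:/home/user/list.txt")
    engine.register(zipped, "client-7:/home/user/list.zip")
    nested = obfuscate(zipped, "list.zip")      # compressed a second time
    benign = obfuscate(b"lunch menu\n", "menu.txt")
    return {
        "plain": engine.check_message(build_message(secret, "list.txt"))[0],
        "zipped": engine.check_message(build_message(zipped, "list.zip"))[0],
        "nested": engine.check_message(build_message(nested, "archive.zip"))[0],
        "benign": engine.check_message(build_message(benign, "menu.zip"))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The nested case is caught only because the engine unwraps archives before hashing; hashing the outer attachment alone would miss it. The scheme as a whole matches exact bytes, so an obfuscated artifact produced on a machine without the client module (or re-compressed with a different timestamp or tool) will not match, which is why the paper pairs the gateway check with client-side monitoring of the obfuscation tools themselves.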
A. Brief Description of the Drawings

FIG.1 is a block diagram of the Extrusion Detection System. FIG.2 is the client system overview. FIG.3 is the Security Client Module block diagram. FIG.4a and FIG.4b illustrate a method for extrusion detection of obfuscated contents.

[FIG.1 block diagram; labels: Security Server, Data Leakage Detection Engine, Network, Client (three), Security Client Module (three)]

III. DETAILED DESCRIPTION OF THE INVENTION

System Architecture

FIG.1 is the block diagram of the extrusion detection system. The security server is connected to a network. The security server holds the data leakage detection engine and is connected with one or more client computers through the network, using a wide variety of communication protocols such as TCP/IP, HTTP, FTP and SMTP, formats such as HTML or XML, and protection such as VPN or secure HTTP. The client computer is a device that can run a number of applications and operating systems; the operating system could be Microsoft Windows, Apple's operating system or a Linux distribution. In another embodiment, the client computer may be any machine with computer functionality, such as a personal digital assistant (PDA), smartphone, video game console or cellular telephone. Such computing devices can send messages with one or more files attached to external networks or destinations, and can also receive messages or attachments from other networks. FIG.1 shows three clients, but there may be thousands or millions of such clients. The security client module executes on the client computer. In one case the security client module is programmed or configured to differentiate files as sensitive or not sensitive; this module monitors all reads and writes to files on the system and thereby detects possible data leakage. One function of our invention is to detect when an obfuscation tool such as PGP, pkzip or crypt is launched on the client computer.

If such an obfuscation tool has been used on, or has accessed, a file that is known to contain confidential contents, then the resulting obfuscated file can be tracked. This is achieved by computing an obfuscated-data hash, for example the MD5 of the obfuscated file. This hash or other signature is then forwarded to the server's data leakage detection engine. The security module can be incorporated into the OS of the computer or be part of a separate package. The security client module may further be set to communicate with the security server via a network such as a wireless network. The security client module can also report information regarding a potential information leak and send this information to the server; the server can then provide a recommendation to the client module. Security products may be provided by a vendor to the security server, for example software, appliances or services. The security server may be used as an email server, HTTP server, IM server or other such server (such as a gateway proxy) and may include one or more computer systems configured to communicate with client computers through a wireless network. In this case the data leakage detection engine resides on the security server. A client-side data leakage detection engine can be used as an alternative to the server-side engine. For each extracted file, the data leakage detection engine computes a signature of that file, for example with MD5, Rabin fingerprints or other software, and compares this signature against the signatures computed for obfuscated files on the client computers. If the signatures match, the data leakage detection system simply blocks that file. The security server may also be configured with other functionality; for example, the server may provide signatures and code to the client computers for detecting malicious software or other harmful files.
[FIG.2 block diagram; labels: Display, Memory, Graphics Adapter, Network Adapter, Storage, User Interface, Security Module, Security Module, Processor]

FIG.2 illustrates a functional view of a client computer. A client computer includes a processor operatively coupled via a bus to memory, a storage device and a graphics adapter, and connected through a network adapter. A display is operatively coupled to the graphics adapter. The processor could be any CPU that is capable of executing the operating system, applications and other executable files. Memory may be RAM, ROM or some other flash memory. The memory holds the security module, which is connected through the security module in storage. The modules described in this diagram represent one embodiment of the present invention; other embodiments may include other or different modules and functionality. The methods are stored on the storage device as executable files, loaded into memory and executed by the processor as one or more processes.

FIG.3 is the block diagram of the security client module configured in accordance with the present invention. It includes the server interface module, forwarding module, reporting module, signature module, classification module and file monitoring module. Each of the above modules can be implemented in software that runs on the client computer; however, some modules require hardware logic or a combination of software and hardware. The server communication module enables communication between the client and the security server. The signature database stores signatures of exclusions; these exclusions are files or programs that are trusted programs, routines and applications. The signature scanning module checks signatures against its database of exclusions. Exclusions are trusted/allowed programs, routines, applications etc.; the database also holds signatures known to identify malicious software on the client, for example viruses, malware and other security threats.
For example, if a signature contains a value that is found in malicious software, the file is blocked. The signatures are designed to deal with the Windows EXE format and other known formats that might contain malicious software or a virus. The reporting module is configured to provide a user interface to report unusual activity or particular security events, such as the detection of viruses or intrusions and the action taken. In one particular case the reporting module presents a notification to the user that an extrusion attempt was detected and stopped. It may also be configured to collect information and send it to an analysis agent, such as a remote security response center. The classification module is configured to verify whether the files on the client computer are sensitive or not sensitive. This classification can be done in the background or in real time when files are modified, added, created etc.

[FIG.3 block diagram; labels: Signatures (e.g. exclusions/known attacks), Server Interface Module, Signature Scanning Module, Reporting Module, File Monitoring Module, Classification Module, Forwarding Module]
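The client-side modules of FIG.3 (classification in the background and in real time, file monitoring of launch/open/write events, and forwarding of suspect-file signatures to the detection engine) are simulated below as an added example; it is not the paper's code. The event stream, the file contents, the content markers used for classification, and the trusted-program and obfuscation-tool lists are constructed for the example (the paper itself names PGP, pkzip, crypt and winzip.exe as obfuscation tools and says unknown programs that produce files are treated the same way). A "save as" copy of a sensitive file is recognised by byte-for-byte comparison, which is the simplest form of the copy tracking the paper describes.

```python
import hashlib
import re
import zlib

# Constructed lists for this simulation. The trusted set stands in for the
# "exclusions" held in the signature database.
OBFUSCATION_TOOLS = {"winzip.exe", "pkzip.exe", "pgp.exe", "crypt"}
TRUSTED_PROGRAMS = {"notepad.exe", "outlook.exe"}
# Content markers used by the classification step (constructed for the example).
SENSITIVE_MARKERS = re.compile(rb"CONFIDENTIAL|INTERNAL ONLY|\bSSN:\s*\d{3}-\d{2}-\d{4}")


def signature(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()   # the paper's example is MD5


class SecurityClientModule:
    """Simulated classification, file monitoring and forwarding modules,
    driven by launch/open/write events as in the flow of FIG.4a."""

    def __init__(self, files: dict):
        self.files = dict(files)   # simulated file system: path -> content
        self.sensitive = set()     # paths currently classified sensitive
        self.procs = {}            # pid -> (exe name, treated as obfuscation tool?)
        self.touched = {}          # pid -> sensitive paths an obfuscation tool opened
        self.forwarded = []        # (signature, path) sent to the detection engine
        for path in self.files:    # background classification pass
            self.classify(path)

    def classify(self, path: str) -> bool:
        data = self.files[path]
        # Sensitive if it carries a marker or is a byte-for-byte copy ("save as")
        # of a file already classified sensitive.
        copy_of_sensitive = any(self.files[p] == data for p in self.sensitive if p != path)
        if SENSITIVE_MARKERS.search(data) or copy_of_sensitive:
            self.sensitive.add(path)
        else:
            self.sensitive.discard(path)
        return path in self.sensitive

    def is_tool(self, pid: int) -> bool:
        # A process never seen launching is unknown and therefore treated as a tool.
        return self.procs.get(pid, ("unknown", True))[1]

    def handle(self, event: tuple) -> None:
        kind, pid = event[0], event[1]
        if kind == "launch":
            exe = event[2]
            # Known obfuscation tools and any program outside the trusted set.
            self.procs[pid] = (exe, exe in OBFUSCATION_TOOLS or exe not in TRUSTED_PROGRAMS)
            self.touched[pid] = set()
        elif kind == "open":
            path = event[2]
            if self.is_tool(pid) and path in self.sensitive:
                self.touched.setdefault(pid, set()).add(path)
        elif kind == "write":
            path, data = event[2], event[3]
            self.files[path] = data
            self.classify(path)    # real-time classification on change
            if self.is_tool(pid) and self.touched.get(pid):
                # Output of a tool that read a sensitive file is a suspect
                # obfuscated file: mark it sensitive and forward its signature.
                self.sensitive.add(path)
                self.forwarded.append((signature(data), path))


def demo() -> "SecurityClientModule":
    secret = b"CONFIDENTIAL - merger term sheet\n"   # constructed sample content
    memo = b"Team lunch is on Friday\n"
    client = SecurityClientModule({"/home/u/terms.txt": secret, "/home/u/lunch.txt": memo})
    events = [  # constructed event stream
        ("launch", 1, "notepad.exe"),
        ("open", 1, "/home/u/terms.txt"),
        ("write", 1, "/home/u/terms-copy.txt", secret),            # save-as copy inherits sensitivity
        ("launch", 2, "winzip.exe"),
        ("open", 2, "/home/u/lunch.txt"),
        ("write", 2, "/home/u/lunch.zip", zlib.compress(memo)),    # benign compression: nothing forwarded
        ("launch", 3, "winzip.exe"),
        ("open", 3, "/home/u/terms-copy.txt"),
        ("write", 3, "/home/u/terms.zip", zlib.compress(secret)),  # sensitive input: signature forwarded
    ]
    for event in events:
        client.handle(event)
    return client


if __name__ == "__main__":
    c = demo()
    print(sorted(c.sensitive), c.forwarded)
```

Only the output of the tool that had opened a sensitive file is forwarded; the benign archive is never reported, which is the false-positive saving over the blanket "block everything compressed" policy discussed in the introduction. The cost is that classification has to run on every write, which is the processing and battery concern raised for mobile nodes later in the paper.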
The file monitoring module is programmed or configured to monitor all changes to files on the system. For example, this module can detect when application B is attempting to open a file F, whether application ABC is an obfuscation tool such as a compression or encryption program, whether file F is a confidential file, or whether file G is a save-as copy of file F. The forwarding module is programmed to forward information obtained from the monitoring module to the data leakage detection engine. The forwarding module could be part of the server interface module. The function of the forwarding module is discussed in more detail with reference to FIGS. 4a-b.

FIG.4a and FIG.4b illustrate a process for extrusion detection of obfuscated contents. The method shown in FIG.4a begins by classifying files stored on the client computer as either sensitive or not sensitive. The classification is carried out in the background or in real time as files are changed, created, added, copied etc. The method continues by finding out whether the client uses obfuscation tools to create obfuscated files. This is achieved by comparing the signatures of obfuscated files against a database of such signatures, and by recognising the names of known executables; for example, winzip.exe is a known executable of a compression application. The obfuscation tools available to the user can also be programmed or configured to issue an event or some other indicator to inform the method. Furthermore, all unknown programs that operate on the client are classified as sensitive, and if such a program produces some sort of file then it is considered an obfuscation program. If the user has used an obfuscation tool, then the flow continues with monitoring for obfuscation of protected content; otherwise the file opened by the obfuscation tool is considered sensitive. If not, the method continues to compute the signature, e.g.
the MD5, of the suspect file output by the obfuscation tool and sends that signature to the data leakage detection engine. The method then continues classifying, detecting obfuscation of protected content and reporting the contents if obfuscation occurs.

FIG.4b illustrates the method of detecting transmission of obfuscated content and blocking that content from leaving the secure area. If an outgoing message (email, text message etc.) includes attachments, which could be of any type, the method extracts each attachment for analysis. The process continues by computing the signature of the attachment and comparing that signature to the signatures of known sensitive information.

[FIG.4b flowchart; labels: Start, Outgoing attachment?, Extract attachment, Compute signature of extracted file, Compare signature to signatures of known sensitive information, Match?, Block extrusion attempt, Stop, No, No]

[FIG.4a flowchart; labels: Start, Monitor events on the client, Classify files stored on the client as either sensitive or not sensitive, Has user launched an obfuscation tool?, Is target file classified sensitive?, Compute signature of suspect files output by the obfuscation tool, Send signature of suspect file to data leakage detection engine, Stop, No, No]

If the signature matches the signature of a suspect file, then the file is considered an obfuscated file; the system blocks the file and marks it as sensitive. If not, the method continues monitoring outgoing communications for protected contents. On the other hand, if the signature does match a signature of known sensitive information, then the method continues by blocking the extrusion attempt.

IV. RESEARCH CHALLENGES

Problems in deploying Extrusion Detection in MANETs: there are many problems in deploying client-server based extrusion detection in mobile ad-hoc networks. The reasons are as follows:
1) Deployment of Extrusion Detection Server. It is very difficult to deploy an extrusion detection server in an ad-hoc network, because the clients are connected through the network only temporarily.

2) Clients have limited processing power. In mobile ad-hoc networks the nodes are mostly mobile devices, which have less processing power and less storage space, so it is very difficult to deploy the security client module on mobile devices.

3) Less power backup (battery life). Mobile devices mostly have limited battery backup, so if the mobile devices scan signatures and monitor events on the client (mobile device), more battery backup will be required.