
Extrusion Detection

Deployment analysis in Mobile Ad-hoc Networks


Muhammad Ahmed Noor (Author)
Usman Institute of Technology
Karachi, Pakistan
e-mail id: manoorkhi@hotmail.com
Abstract: In this research paper we examine how extrusion detection can prevent outgoing confidential information from leaving MANET networks. The technique detects outgoing confidential information at the gateway and/or the client, even when the confidential information has been encrypted, compressed or obfuscated before transmission, whether by email or via portable storage media such as a memory stick.
"! INT#$%&'TI$N (N% )('*G#$&% $+ IN,-NTI$N
Extrusion detection is the technology that detects accidental and/or intentional data leakage from the network. There are two approaches; one is extrusion detection at the gateway level, using extrusion detection software (EDS) that scans outgoing web, email and IM traffic for confidential information being sent outside the network. One disadvantage of EDS is that it cannot inspect encrypted or compressed files or contents. Therefore, if an attacker compresses or encrypts a file or its contents before attaching it to an email, EDS is unable to detect the sensitive data, and the data is leaked. In the same way, if a user encrypts a file before copying it to a USB stick, CD-ROM or other such media, conventional desktop EDS systems are unable to detect the transfer of the sensitive data.
One way to solve this problem is simply to block all encrypted or compressed files from leaving the gateway. This solution creates another problem: it incurs a high false-positive rate and denies legitimate outgoing encrypted or compressed files and contents.
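To make the gap concrete, the following added Python example (written for this page; it is not code from the paper or from any EDS product) models a gateway content scan and shows that the same confidential document passes the scan once it is gzip-compressed, and that the blanket "block everything compressed or encrypted" policy then also blocks a harmless compressed newsletter. The pattern list, the magic-byte list, the entropy threshold and both sample documents are constructed assumptions.

```python
import gzip
import math
import re
from collections import Counter

# Constructed content rules standing in for an EDS policy: a classification
# marker and an SSN-shaped number. Real policies are larger, but the mechanism
# (pattern matching on the outgoing bytes) is the same.
CONFIDENTIAL_PATTERNS = [
    re.compile(rb"\bCONFIDENTIAL\b"),
    re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
]

# Leading bytes of common obfuscation-tool outputs: zip, gzip, ASCII-armoured PGP.
OBFUSCATED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"-----BEGIN PGP MESSAGE-----")


def content_scan(payload):
    """Gateway EDS step: does the outgoing payload contain confidential content?"""
    return any(p.search(payload) for p in CONFIDENTIAL_PATTERNS)


def shannon_entropy(payload):
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not payload:
        return 0.0
    counts = Counter(payload)
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_obfuscated(payload, entropy_threshold=7.5):
    """Crude 'is this compressed or encrypted?' test: known magic bytes or high entropy."""
    return payload.startswith(OBFUSCATED_MAGIC) or shannon_entropy(payload) > entropy_threshold


def gateway_decision(payload, block_obfuscated=False):
    """Return 'allow', 'block-confidential' or 'block-obfuscated'.

    With block_obfuscated=False the gateway acts only on what it can read.
    With block_obfuscated=True it also refuses anything it cannot read,
    which is the blanket policy the text describes as high in false positives.
    """
    if content_scan(payload):
        return "block-confidential"
    if block_obfuscated and looks_obfuscated(payload):
        return "block-obfuscated"
    return "allow"


# Constructed sample documents (not real data); repetition keeps them compressible.
SENSITIVE = b"".join(
    b"CONFIDENTIAL payroll record %d: SSN 123-45-678%d, salary 5%d000\n" % (i, i, i)
    for i in range(8)
)
BENIGN = b"".join(
    b"Newsletter item %d: the cafeteria menu for next week is attached.\n" % i
    for i in range(8)
)


def run_scenario():
    """Exercise the gateway against plain and gzip-compressed versions of both documents."""
    zipped_sensitive = gzip.compress(SENSITIVE)
    zipped_benign = gzip.compress(BENIGN)
    return {
        "plain_sensitive": gateway_decision(SENSITIVE),                 # caught by the scan
        "zipped_sensitive": gateway_decision(zipped_sensitive),         # missed: the leak
        "zipped_sensitive_strict": gateway_decision(zipped_sensitive, True),
        "plain_benign_strict": gateway_decision(BENIGN, True),
        "zipped_benign_strict": gateway_decision(zipped_benign, True),  # false positive
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26s} {verdict}")
```

The strict mode is the trade-off in one place: it turns the missed leak into a block, and in the same move blocks the compressed newsletter, because the gateway has no way to tell the two archives apart without opening them.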
II. SUMMARY OF THE INVENTION
The advantage of the present invention is to provide a computer-implemented methodology for extrusion detection of obfuscated content. The method differentiates the files accessible on a computer as either sensitive or not sensitive and computes a signature to prevent extrusion of obfuscated contents. The method also includes monitoring events on the local computer (including the use of obfuscation tools to create such obfuscated files) and determining whether the file being opened by an obfuscation tool is classified as sensitive. In one case, only sensitive files output by obfuscation tools pass through the signature-computing step. In another case, using the signature to prevent extrusion of obfuscated content includes sending the signature to a data leakage detection engine for use in an extrusion detection system.
The extrusion detection can be carried out, for example, on the computer and/or at the gateway with which the computer is communicatively coupled. In another case the method may include monitoring outgoing data that includes one or more attachments. In one case the attachment has been obfuscated more than once (for example compressed, then encrypted, then subjected to further compressions or encryptions). In this case the analysis includes computing a signature of the extracted attachments and comparing that signature to the signatures of known sensitive information.
Another embodiment of this invention provides a system for extrusion detection of obfuscated contents. This functionality can be implemented in different ways, such as software (e.g. code), hardware (for example at the gateway level), firmware (for example one or more microcontrollers), or some combination of software, hardware and firmware.

A. Brief Description of the Drawings
FIG.1 is a block diagram of the Extrusion Detection System.
FIG.2 is the client system overview.
FIG.3 is the Security Client Module block diagram.
FIG.4a and FIG.4b illustrate a method for extrusion detection of obfuscated contents.
[FIG.1, block diagram (image not reproduced): a Security Server hosting the Data Leakage Detection Engine, connected through the Network to three Clients, each running a Security Client Module.]
III. DETAILED DESCRIPTION OF THE INVENTION
System Architecture
3"4!5 is the block dia#ram o% extrusion detection system!
As we can see that security ser(er is connected to a network!
&he security ser(ers ha(e data leaka#e detection en#ine and
ser(er is connected with the one or more client=s computers
throu#h the network usin# a wide (ariety o% communication
protocols such as &0P$"P, 2&&P, 3&P, +M&P etc! %ormats such
as 2&M; or >M; and protected by :PN, secure 2&&P etc!
&he client computer is a de(ice that can ha(e number o%
applications, -peratin# systems! &he -peratin# +ystem could
Microso%t <indows, Apple -peratin# +ystem or ;inux
Distribution! "n other embodiment, the client computer may be
machine with ha(in# computer %unctionality, such as a Personal
di#ital assistant *PDA,, smartphone, (ideo #ame or cellular
telephone etc! +uch computin# de(ices can send messa#es with
one or more %iles attached to the external networks or
destinations and such de(ice can also recei(e messa#es or
attachment %orm others networks! "n 3"4!5 there are three
clients but likewise there may ha(e thousands or millions o%
such clients!
The security client module executes on the client computer. In one case the security client module is programmed or configured to differentiate files as sensitive or not sensitive; this module monitors all reads and writes to files on the system and detects any possible data leakage. One of the functions of the invention is to detect when an obfuscation tool such as PGP, pkzip, crypt, etc. is launched on the client computer. If such an obfuscation tool has been used on, or has accessed, a file that is known to contain confidential contents, then the resulting obfuscated file can be tracked. This is achieved by computing a hash of the obfuscated data, for example the MD5 of the obfuscated file. This hash or other signature is then forwarded to the server's data leakage detection engine. The security module can be incorporated into the OS of the computer or be part of a separate package. The security client module may further be set to communicate with the security server via a network such as a wireless network. The security client module can also report information regarding a potential information leak and send this information to the server. The server can then provide a recommendation to the client module.
Security products may be provided by a vendor to the security server, for example software, appliances or services. The security server may be used as an email server, HTTP server, IM server or another such server such as a gateway proxy, and may include one or more computer systems configured to communicate with the client computers through a wireless network. In this case the data leakage detection engine resides on the security server; a client-side data leakage detection engine can be used as an alternative to the server-side engine.
For each extracted file, the data leakage detection engine computes a signature of that file, using e.g. MD5, Rabin fingerprints or other software, and compares this signature against the signatures computed for obfuscated files on the client computers. If the signatures match, the data leakage detection system simply blocks that file.
The security server may also be configured with other functionality; for example, the server may provide signatures and code to the client computers for detecting malicious software or other harmful files.
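The passage names MD5 and Rabin fingerprints as interchangeable signature schemes, but they behave differently when only part of a sensitive document leaves: a whole-file hash changes if a single byte differs, while a set of rolling window fingerprints still reports what fraction of the document is present. The following added example, written for this page and not code from the paper or from the invention it describes, implements a Rabin-style rolling polynomial fingerprint and compares it with MD5 on the same inputs; the base, modulus, window size and the three sample documents are constructed assumptions.

```python
import hashlib

# Rolling polynomial fingerprint over a sliding window, the mechanism behind the
# "Rabin fingerprints" the text names as an alternative to a whole-file MD5.
BASE = 257            # larger than any byte value, so every byte is a distinct coefficient
MOD = (1 << 61) - 1   # large Mersenne prime; accidental collisions are negligible
WINDOW = 32           # bytes per fingerprinted window (constructed choice)


def window_fingerprints(data, window=WINDOW):
    """Return the set of fingerprints of every `window`-byte substring of data.

    h(s[i..i+w)) = sum(s[i+k] * BASE^(w-1-k)) mod MOD, updated in O(1) per byte:
    remove the outgoing byte's contribution, shift by BASE, add the incoming byte.
    """
    if len(data) < window:
        return set()
    high = pow(BASE, window - 1, MOD)   # weight of the byte leaving the window
    h = 0
    for b in data[:window]:
        h = (h * BASE + b) % MOD
    fps = {h}
    for i in range(window, len(data)):
        h = ((h - data[i - window] * high) * BASE + data[i]) % MOD
        fps.add(h)
    return fps


def containment(sensitive_fps, candidate_fps):
    """Fraction of the sensitive document's windows that also occur in the candidate."""
    if not sensitive_fps:
        return 0.0
    return len(sensitive_fps & candidate_fps) / len(sensitive_fps)


def md5_hex(data):
    """Whole-file signature as the text describes it."""
    return hashlib.md5(data).hexdigest()


# Constructed sample documents (not real data). EXCERPT_DOC quotes the second half
# of the sensitive memo inside an otherwise harmless message.
PART1 = (b"Project Falcon acquisition memo. Board approval is expected on 14 March. "
         b"Offer price is 42 per share, financed by a bridge loan from two lenders. ")
PART2 = (b"Integration plan: consolidate the Karachi and Lahore data centres by Q4. "
         b"Headcount impact is estimated at 120 roles across finance and logistics.")
SENSITIVE_DOC = PART1 + PART2
EXCERPT_DOC = b"Hi team, the relevant part of the memo follows:\n" + PART2 + b"\nRegards, A."
UNRELATED_DOC = (b"Minutes of the cafeteria committee: the vending machine contract was "
                 b"renewed and the coffee supplier will change in April. Attendance was low.")


def run_scenario():
    """Compare MD5 and window-fingerprint matching on the three documents."""
    sensitive = window_fingerprints(SENSITIVE_DOC)
    return {
        "md5_matches_excerpt": md5_hex(SENSITIVE_DOC) == md5_hex(EXCERPT_DOC),
        "self_containment": containment(sensitive, sensitive),
        "excerpt_containment": containment(sensitive, window_fingerprints(EXCERPT_DOC)),
        "unrelated_containment": containment(sensitive, window_fingerprints(UNRELATED_DOC)),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:24s} {value}")
```

The excerpt scores roughly the share of the memo it carries (every 32-byte window lying inside the quoted half matches), the unrelated text scores zero, and MD5 reports nothing for either; a production engine would keep only a sampled subset of the fingerprints per document to bound the database size.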
[Figure labelled FIG.3 in the original (the text below refers to it as FIG.2); functional view of the client computer (image not reproduced): Processor, Memory, Graphics Adapter, Display, Network Adapter, Storage, User Interface, with a Security Module shown in both memory and storage.]
3"4!6 illustrate a %unctional (iew o% a client computer! A client
computer includes a processor operati(ely coupled (ia a bus to
memory, a stora#e de(ice, #raphics adapter, and connected
throu#h network adapter! A display is operati(ely coupled to
#raphic adapter!
&he processor could be any 0P. that is capable o%
executin# the operatin# system, applications and other
executable %iles! Memory may be 1AM, 1-M or some other
%lash memory! &he memory has the security module that is
connected throu#h the security module o% in the stora#e!
Modules described in this dia#ram represent one embodiment
o% the present in(ention! +ome other embodiments may include
other or di%%erent modules and %unctionality! &he method are
stored on the stora#e de(ice as executable %iles loaded in to the
memory and executed by the processor as one or more
processes!
3"4!7 illustrates the block dia#ram that shows the security
client module con%i#ured in accordance with in the present
in(entions! "t includes the ser(er inter%ace module, %orwardin#
module, reportin# module, si#nature module, classi%ication and
%ile monitorin# module!
Each o% the abo(e modules can be implemented on the
so%tware that can be run on the client computer! 2owe(er some
module reAuires the hardware lo#ic or combination o% so%tware
and hardware!
&he ser(er communication module enable the
communication between the client and security ser(er! &he
si#nature database stores si#natures o% exclusions! &hese
exclusions are the %iles or pro#rams that are trusted pro#ram,
routines, and applications!
+i#nature scannin# module scans the si#nature check in its
database o% exclusions! Exclusions are trusted$allowed
pro#rams, routines, applications etc! that are known identi%yin#
malicious so%tware on the client so%tware %or example (iruses,
malware and other security threats! 3or example si#nature
contains a (alue that is %ound in malicious so%tware! +o its
blocked! &he si#nature are desi#ned to deal with windows exe
%ormat and other known %ormats that mi#ht contain malicious
so%tware or (irus!
&he reportin# module is con%i#ured to pro(ide a user
inter%ace to report any unusual acti(ity or some particular
security e(ents, such as the detection o% (iruses, intrusions and
action taken! "n one particular case the reportin# module
reports presents noti%ication to the user that an extrusion
attempt was detected and stopped! "t has also be con%i#ured to
collect in%ormation and send it an analysis a#ent, such as a
remote security response center!
&he classi%ication module is con%i#ured to (eri%y that
weather the %iles on the client computer is sensiti(e or not
sensiti(e! &his classi%ication can be done in the back#round or
in real time when the %iles are modi%ied, added, created etc!
[Figure labelled FIG.4 and FIG. 5 in the original; security client module block diagram (image not reproduced): Signatures (e.g. exclusions/known attacks), Server Interface Module, Signature Scanning Module, Reporting Module, File Monitoring Module, Classification Module, Forwarding Module.]

The file monitoring module is programmed or configured to monitor all changes to files on the system. For example, this module can detect when application B is attempting to open a file F, that application ABC is an obfuscation tool such as a compression or encryption algorithm, that file F is a confidential file, or that file G is a saved copy of file F, etc.
The forwarding module is programmed to forward the information obtained by the monitoring module to the data leakage detection engine. The forwarding module could be part of the server interface module. The function of the forwarding module is discussed in more detail with reference to FIGS. 4a-b.
FIG.4a and FIG.4b illustrate a process for extrusion detection of obfuscated contents.
In the method shown in FIG.4a, files stored on the client computer are classified as either sensitive or not sensitive. The classification is carried out in the background or in real time as files are changed, created, added, copied etc. The method continues by determining whether the client uses obfuscation tools to create obfuscated files. This is achieved by comparing the signatures of obfuscated files with a database of such signatures, and then by the names of known executables; for example, winzip.exe is a known executable of a compression application. The obfuscation tools available to the user can also be programmed or configured to issue an event or some other indicator to inform the method. Furthermore, any unknown program that operates on a file classified as sensitive and produces some sort of output file is treated as an obfuscation program.
If the user has not used an obfuscation tool, the flow continues with monitoring for obfuscation of protected content. Otherwise, if the file opened by the obfuscation tool is classified as sensitive, the method continues by computing the signature (e.g. MD5) of the suspect file output by the obfuscation tool and sending that signature to the data leakage detection engine.
The method continues classifying, detecting obfuscation of protected content and reporting the contents if obfuscation occurs.
FIG.4b illustrates the method of detecting the transmission of obfuscated content and blocking that content from leaving the secure area. If an outgoing message (email, text message etc.) includes attachments, which may be of any type, the method extracts each attachment for analysis. The process continues by computing the signature of the attachment and comparing it to the signatures of known sensitive information.
[FIG.4a flowchart (labelled FIG.6a in the original; image not reproduced): Start → Monitor events on the client → Classify files stored on the client as either sensitive or not sensitive → Has user launched an obfuscation tool? (No: back to monitoring) → Is target file classified sensitive? (No: back to monitoring) → Compute signature of suspect files output by the obfuscation tool → Send signature of suspect file to data leakage detection engine → Stop.]
[FIG.4b flowchart (labelled FIG.6B in the original; image not reproduced): Start → Outgoing attachment? (No: keep waiting) → Extract attachment → Compute signature of extracted file → Compare signature to signatures of known sensitive information → Match? (No: keep waiting) → Block extrusion attempt → Stop.]
"% the si#nature matches the si#nature o% the suspect %ile then
the %ile is considered as ob%uscated %ile and system will block
the %ile and mark as sensiti(e! "% not, then the method
continues to monitorin# %or out#oin# communications
includin# protected contents!
-n the other hand, i% the si#nature does match a si#nature o%
known sensiti(e in%ormation, then the method continues with
blockin# the extrusion attempt!
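The client-side flow of FIG.4a (classify files, detect the obfuscation-tool event, hash the tool's output, forward the hash) and the gateway-side flow of FIG.4b (extract the attachment, hash it, compare), together with the multi-layer case from the summary where an attachment was obfuscated more than once, as one added example in Python. This is illustrative code written for this page, not the paper's or the invention's implementation: the executable list, the "sensitive" marker rule, the in-memory file table and the sample documents are constructed assumptions, and zip is the only layer the gateway unwraps (an encrypted layer cannot be opened at the gateway, which is why the client hashes the tool's output in the first place).

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass

# Known obfuscation executables (the text names winzip.exe, pkzip, PGP and crypt;
# the set itself is a constructed stand-in for the signature database).
OBFUSCATION_TOOLS = {"winzip.exe", "pkzip.exe", "pgp.exe", "crypt"}
# Constructed classification rule: files carrying a marker are sensitive.
SENSITIVE_MARKERS = (b"CONFIDENTIAL", b"INTERNAL ONLY")


def classify(content):
    """Classification module: 'sensitive' or 'not sensitive'."""
    return "sensitive" if any(m in content for m in SENSITIVE_MARKERS) else "not sensitive"


def signature(data):
    """File signature; MD5 as in the text (any collision-resistant hash fits the same slot)."""
    return hashlib.md5(data).hexdigest()


@dataclass
class ToolEvent:
    """Event from the file monitoring module: `executable` read input_file, wrote output_file."""
    executable: str
    input_file: str
    output_file: str


def unwrap_zip(blob):
    """Return the single member of a zip archive, or None if blob is not such an archive."""
    if not blob.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            return zf.read(names[0]) if len(names) == 1 else None
    except zipfile.BadZipFile:
        return None


class DataLeakageDetectionEngine:
    """Server side (FIG.4b): remembers suspect signatures, checks outgoing attachments."""

    def __init__(self):
        self.suspects = {}  # signature -> name of the obfuscated file that produced it

    def register_suspect(self, sig, origin):
        self.suspects[sig] = origin

    def check_attachment(self, blob, max_depth=3):
        """Return the origin of a matching suspect signature, or None.

        The client fingerprinted the tool's immediate output, so a later re-wrapping
        (zip inside zip) is unwrapped one layer at a time and every layer is hashed.
        max_depth caps the work a deeply nested archive can force on the gateway.
        """
        layer = blob
        for _ in range(max_depth + 1):
            sig = signature(layer)
            if sig in self.suspects:
                return self.suspects[sig]
            layer = unwrap_zip(layer)
            if layer is None:
                return None
        return None


class SecurityClientModule:
    """Client side (FIG.4a): classify, watch tool launches, forward signatures."""

    def __init__(self, files, engine):
        self.files = files    # path -> bytes, standing in for the client filesystem
        self.engine = engine  # target of the forwarding module

    def on_event(self, ev):
        """Return True when a suspect signature was forwarded to the engine."""
        if ev.executable.lower() not in OBFUSCATION_TOOLS:
            return False  # not an obfuscation tool: keep monitoring
        if classify(self.files[ev.input_file]) != "sensitive":
            return False  # target file not sensitive: keep monitoring
        self.engine.register_suspect(signature(self.files[ev.output_file]), ev.output_file)
        return True


def make_zip(name, content):
    """Constructed stand-in for the output of a compression tool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def run_scenario():
    """Walk one sensitive and one harmless file through both halves of the method."""
    engine = DataLeakageDetectionEngine()
    files = {
        "report.txt": b"CONFIDENTIAL: Q3 revenue forecast (constructed sample)",
        "notes.txt": b"Friday lunch menu (constructed sample, not sensitive)",
    }
    files["report.zip"] = make_zip("report.txt", files["report.txt"])
    files["notes.zip"] = make_zip("notes.txt", files["notes.txt"])
    client = SecurityClientModule(files, engine)
    flagged = client.on_event(ToolEvent("WinZip.exe", "report.txt", "report.zip"))
    benign = client.on_event(ToolEvent("WinZip.exe", "notes.txt", "notes.zip"))
    editor = client.on_event(ToolEvent("notepad.exe", "report.txt", "report.txt"))
    rewrapped = make_zip("report.zip", files["report.zip"])  # second obfuscation layer
    return {
        "client_flagged": flagged,
        "nonsensitive_flagged": benign,
        "non_tool_flagged": editor,
        "direct_match": engine.check_attachment(files["report.zip"]),
        "nested_match": engine.check_attachment(rewrapped),
        "benign_match": engine.check_attachment(files["notes.zip"]),
        "plain_match": engine.check_attachment(files["report.txt"]),
    }
```

The last result in the scenario is the limit of this half of the method: the engine only knows the hash of the obfuscated output, so the unobfuscated report.txt is not caught here and relies on the separate comparison against signatures of known sensitive information.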
IV. RESEARCH CHALLENGES
Problems in deploying Extrusion Detection in MANETs
There are many problems in deploying client-server based extrusion detection in Mobile Ad-hoc Networks. The reasons are as follows:
1) Deployment of Extrusion Detection Server
It is very difficult to deploy an Extrusion Detection Server in an ad-hoc network, because the clients are connected through the network only temporarily.
2) Clients have limited processing power
In Mobile Ad-hoc Networks the nodes are mostly mobile devices, which have less processing power and less storage space. So it is very difficult to deploy the security client module on mobile devices.
3) Less power backup (battery life)
Most mobile devices have limited battery backup. If the mobile devices scan signatures and monitor events on the client (mobile device), they will require more battery backup.

