Digital Forensics and Cyber Crime. First International ICST Conference, ICDF2C 2009, Albany, NY, USA, September 30-October 2, 2009, Revised Selected Papers

Research Article

A Discretionary Access Control Method for Preventing Data Exfiltration (DE) via Removable Devices

  • @INPROCEEDINGS{10.1007/978-3-642-11534-9_15,
        author={Duane Wilson and Michael Lavine},
        title={A Discretionary Access Control Method for Preventing Data Exfiltration (DE) via Removable Devices},
        proceedings={Digital Forensics and Cyber Crime. First International ICST Conference, ICDF2C 2009, Albany, NY, USA, September 30-October 2, 2009, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={5},
        keywords={Data exfiltration extended file attributes alternate data streams},
        doi={10.1007/978-3-642-11534-9_15}
    }
    
  • Duane Wilson
    Michael Lavine
    Year: 2012
    A Discretionary Access Control Method for Preventing Data Exfiltration (DE) via Removable Devices
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-11534-9_15
Duane Wilson1,*, Michael Lavine2,*
  • 1: U.S. Army Research Laboratory
  • 2: Johns Hopkins University
*Contact email: dwilson@arl.army.mil, mlavine@jhu.edu

Abstract

One of the major challenges facing the security community today is how to prevent data exfiltration (DE). DE is the unauthorized release of information from a computer system or network of systems. Current methods attempt to address this issue by controlling the information that is released over the Internet. In this paper, we present a host-level discretionary access control method that focuses on exfiltration via removable devices (e.g., thumb drives or external hard drives). Using XML to store extended file attributes, we classify files based on user-defined distribution levels and the community of interest to which they belong. Files are classified with a distribution statement upon creation and re-classified (if necessary) when modified. By monitoring access to all classified files present on a file system, we allow or prevent release of this information based on predefined policies. With this approach, we show that the unauthorized release of information can be prevented by using a system of accounting that is tied to access control policies. Users are given the authority to transfer files to a removable device according to their current access rights. As a proof of concept, our method demonstrates the value of using accounting as a means of preventing data loss or theft. Our approach can be applied to a variety of data types found on a file system, including executables, archived files, images, and even audio or video files.