A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks

Rafael Salema Marques; Gregory Epiphaniou; Haider Al-Khateeb; Carsten Maple; Mohammad Hammoudeh; Paulo Andre Lima De Castro; Ali Dehghantanha; Kim Kwang Raymond Choo

doi:10.1145/3419103

A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks

Rafael Salema Marques, Gregory Epiphaniou, Haider Al-Khateeb, Carsten Maple, Mohammad Hammoudeh, Paulo Andre Lima De Castro, Ali Dehghantanha, Kim Kwang Raymond Choo

Operations & Information Management

Research output: Contribution to journal › Article › peer-review

Abstract

Modern network infrastructures host converged applications that demand rapid elasticity of services, increased security, and ultra-fast reaction times. The Tactile Internet promises to facilitate the delivery of these services while enabling new economies of scale for high fidelity of machine-to-machine and human-to-machine interactions. Unavoidably, critical mission systems served by the Tactile Internet manifest high demands not only for high speed and reliable communications but equally, the ability to rapidly identify and mitigate threats and vulnerabilities. This article proposes a novel Multi-Agent Data Exfiltration Detector Architecture (MADEX), inspired by the mechanisms and features present in the human immune system. MADEX seeks to identify data exfiltration activities performed by evasive and stealthy malware that hides malicious traffic from an infected host in low-latency networks. Our approach uses cross-network traffic information collected by agents to effectively identify unknown illicit connections by an operating system subverted. MADEX does not require prior knowledge of the characteristics or behavior of the malicious code or a dedicated access to a knowledge repository. We tested the performance of MADEX in terms of its capacity to handle real-time data and the sensitivity of our algorithm’s classification when exposed to malicious traffic. Experimental evaluation results show that MADEX achieved 99.97% sensitivity, 98.78% accuracy, and an error rate of 1.21% when compared to its best rivals. We created a second version of MADEX, called MADEX level 2, that further improves its overall performance with a slight increase in computational complexity. We argue for the suitability of MADEX level 1 in non-critical environments, while MADEX level 2 can be used to avoid data exfiltration in critical mission systems. To the best of our knowledge, this is the first article in the literature that addresses the detection of rootkits real-time in an agnostic way using an artificial immune system approach while it satisfies strict latency requirements.

Original language	English
Article number	103
Pages (from-to)	1-30
Number of pages	30
Journal	ACM Transactions on Internet Technology
Volume	21
Issue number	4
Early online date	16 Jul 2021
DOIs	https://doi.org/10.1145/3419103
Publication status	Published - Nov 2021

Bibliographical note

© ACM, 2021. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Transactions on Internet Technology, {VOL 21, ISS 4, November 2021} http://doi.acm.org/10.1145/3419103.

Keywords

Tactile Internet
Multi-agent systems
Artificial immune systems
rookits
flow-based analysis

Access to Document

10.1145/3419103

http://wrap.warwick.ac.uk/140722/

Cite this

@article{ce58337847ed439684e3466190c26182,

title = "A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks",

abstract = "Modern network infrastructures host converged applications that demand rapid elasticity of services, increased security, and ultra-fast reaction times. The Tactile Internet promises to facilitate the delivery of these services while enabling new economies of scale for high fidelity of machine-to-machine and human-to-machine interactions. Unavoidably, critical mission systems served by the Tactile Internet manifest high demands not only for high speed and reliable communications but equally, the ability to rapidly identify and mitigate threats and vulnerabilities. This article proposes a novel Multi-Agent Data Exfiltration Detector Architecture (MADEX), inspired by the mechanisms and features present in the human immune system. MADEX seeks to identify data exfiltration activities performed by evasive and stealthy malware that hides malicious traffic from an infected host in low-latency networks. Our approach uses cross-network traffic information collected by agents to effectively identify unknown illicit connections by an operating system subverted. MADEX does not require prior knowledge of the characteristics or behavior of the malicious code or a dedicated access to a knowledge repository. We tested the performance of MADEX in terms of its capacity to handle real-time data and the sensitivity of our algorithm{\textquoteright}s classification when exposed to malicious traffic. Experimental evaluation results show that MADEX achieved 99.97% sensitivity, 98.78% accuracy, and an error rate of 1.21% when compared to its best rivals. We created a second version of MADEX, called MADEX level 2, that further improves its overall performance with a slight increase in computational complexity. We argue for the suitability of MADEX level 1 in non-critical environments, while MADEX level 2 can be used to avoid data exfiltration in critical mission systems. To the best of our knowledge, this is the first article in the literature that addresses the detection of rootkits real-time in an agnostic way using an artificial immune system approach while it satisfies strict latency requirements.",

keywords = "Tactile Internet, Multi-agent systems, Artificial immune systems, rookits, flow-based analysis",

author = "Marques, {Rafael Salema} and Gregory Epiphaniou and Haider Al-Khateeb and Carsten Maple and Mohammad Hammoudeh and {De Castro}, {Paulo Andre Lima} and Ali Dehghantanha and Choo, {Kim Kwang Raymond}",

note = "{\textcopyright} ACM, 2021. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Transactions on Internet Technology, {VOL 21, ISS 4, November 2021} http://doi.acm.org/10.1145/3419103.",

year = "2021",

month = nov,

doi = "10.1145/3419103",

language = "English",

volume = "21",

pages = "1--30",

journal = "ACM Transactions on Internet Technology",

issn = "1533-5399",

publisher = "ACM",

number = "4",

}

TY - JOUR

T1 - A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks

AU - Marques, Rafael Salema

AU - Epiphaniou, Gregory

AU - Al-Khateeb, Haider

AU - Maple, Carsten

AU - Hammoudeh, Mohammad

AU - De Castro, Paulo Andre Lima

AU - Dehghantanha, Ali

AU - Choo, Kim Kwang Raymond

N1 - © ACM, 2021. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Transactions on Internet Technology, {VOL 21, ISS 4, November 2021} http://doi.acm.org/10.1145/3419103.

PY - 2021/11

Y1 - 2021/11

N2 - Modern network infrastructures host converged applications that demand rapid elasticity of services, increased security, and ultra-fast reaction times. The Tactile Internet promises to facilitate the delivery of these services while enabling new economies of scale for high fidelity of machine-to-machine and human-to-machine interactions. Unavoidably, critical mission systems served by the Tactile Internet manifest high demands not only for high speed and reliable communications but equally, the ability to rapidly identify and mitigate threats and vulnerabilities. This article proposes a novel Multi-Agent Data Exfiltration Detector Architecture (MADEX), inspired by the mechanisms and features present in the human immune system. MADEX seeks to identify data exfiltration activities performed by evasive and stealthy malware that hides malicious traffic from an infected host in low-latency networks. Our approach uses cross-network traffic information collected by agents to effectively identify unknown illicit connections by an operating system subverted. MADEX does not require prior knowledge of the characteristics or behavior of the malicious code or a dedicated access to a knowledge repository. We tested the performance of MADEX in terms of its capacity to handle real-time data and the sensitivity of our algorithm’s classification when exposed to malicious traffic. Experimental evaluation results show that MADEX achieved 99.97% sensitivity, 98.78% accuracy, and an error rate of 1.21% when compared to its best rivals. We created a second version of MADEX, called MADEX level 2, that further improves its overall performance with a slight increase in computational complexity. We argue for the suitability of MADEX level 1 in non-critical environments, while MADEX level 2 can be used to avoid data exfiltration in critical mission systems. To the best of our knowledge, this is the first article in the literature that addresses the detection of rootkits real-time in an agnostic way using an artificial immune system approach while it satisfies strict latency requirements.

AB - Modern network infrastructures host converged applications that demand rapid elasticity of services, increased security, and ultra-fast reaction times. The Tactile Internet promises to facilitate the delivery of these services while enabling new economies of scale for high fidelity of machine-to-machine and human-to-machine interactions. Unavoidably, critical mission systems served by the Tactile Internet manifest high demands not only for high speed and reliable communications but equally, the ability to rapidly identify and mitigate threats and vulnerabilities. This article proposes a novel Multi-Agent Data Exfiltration Detector Architecture (MADEX), inspired by the mechanisms and features present in the human immune system. MADEX seeks to identify data exfiltration activities performed by evasive and stealthy malware that hides malicious traffic from an infected host in low-latency networks. Our approach uses cross-network traffic information collected by agents to effectively identify unknown illicit connections by an operating system subverted. MADEX does not require prior knowledge of the characteristics or behavior of the malicious code or a dedicated access to a knowledge repository. We tested the performance of MADEX in terms of its capacity to handle real-time data and the sensitivity of our algorithm’s classification when exposed to malicious traffic. Experimental evaluation results show that MADEX achieved 99.97% sensitivity, 98.78% accuracy, and an error rate of 1.21% when compared to its best rivals. We created a second version of MADEX, called MADEX level 2, that further improves its overall performance with a slight increase in computational complexity. We argue for the suitability of MADEX level 1 in non-critical environments, while MADEX level 2 can be used to avoid data exfiltration in critical mission systems. To the best of our knowledge, this is the first article in the literature that addresses the detection of rootkits real-time in an agnostic way using an artificial immune system approach while it satisfies strict latency requirements.

KW - Tactile Internet

KW - Multi-agent systems

KW - Artificial immune systems

KW - rookits

KW - flow-based analysis

UR - https://dl.acm.org/doi/10.1145/3419103

U2 - 10.1145/3419103

DO - 10.1145/3419103

M3 - Article

SN - 1533-5399

VL - 21

SP - 1

EP - 30

JO - ACM Transactions on Internet Technology

JF - ACM Transactions on Internet Technology

IS - 4

M1 - 103

ER -

A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this