Noblis Awarded Patent for Network Security Using Inflated Files for Anomaly Detection

PATENT NO: 10,924,502

In network security, anomaly detection and data loss prevention present areas of need for network administrators. While anomaly detection tools may be used to detect attempts to exfiltrate data from a network, many known anomaly detection tools result in false-positive alert rates that are too high.

Our techniques address a need for improved anomaly detection techniques that reliably detect exfiltration attempts while minimizing false-positive alerts.

Network traffic may be monitored to create a model of network traffic over a first period of time. Based on the model of network traffic, one or more inflated files may be created and stored on a system, wherein the inflated files are of a sufficient file size such that attempts to exfiltrate one or more of the files may be detected by network monitoring tools. The inflated files may further include one or more indicators of sensitivity, including indicators of the presence of sensitive information that is not actually included in the inflated files. Network traffic characteristics may then be repeatedly or continuously monitored to update the size of the one or more inflated files based on changes in network traffic characteristics.
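The sizing loop described above, sketched as an added example; it is not Noblis's code or the patented method. The traffic model (mean plus k standard deviations of outbound bytes per flow), the margin, the tolerance, and all function names and sample values are assumptions made for illustration.

```python
import math
import statistics

# Constructed sample: outbound bytes per flow seen during the baseline period.
BASELINE_FLOWS = [12_000, 48_000, 250_000, 1_200_000,
                  90_000, 3_500_000, 600_000, 75_000]

def alert_threshold(flow_bytes, k=3.0):
    """Assumed model of normal traffic: mean + k standard deviations per flow."""
    return statistics.mean(flow_bytes) + k * statistics.pstdev(flow_bytes)

def inflated_size(flow_bytes, margin=2.0, k=3.0):
    """Size for the decoy file so that moving it in one flow clearly
    exceeds the alert threshold derived from the traffic model."""
    return math.ceil(alert_threshold(flow_bytes, k) * margin)

def resize_needed(current_size, flow_bytes, margin=2.0, k=3.0, tolerance=0.25):
    """Re-run as monitoring continues. Returns a new target size when the
    model has drifted by more than `tolerance`, otherwise None."""
    target = inflated_size(flow_bytes, margin, k)
    if abs(target - current_size) / current_size > tolerance:
        return target
    return None

def flag_flows(flows, baseline_flow_bytes, k=3.0):
    """Return the observed flows whose outbound volume exceeds the threshold."""
    limit = alert_threshold(baseline_flow_bytes, k)
    return [f for f in flows if f["bytes_out"] > limit]

if __name__ == "__main__":
    size = inflated_size(BASELINE_FLOWS)
    print("threshold bytes:", round(alert_threshold(BASELINE_FLOWS)))
    print("decoy file size:", size)
    # Constructed flows: one routine upload, one carrying the decoy file.
    observed = [{"dst": "198.51.100.2", "bytes_out": 90_000},
                {"dst": "203.0.113.7", "bytes_out": size}]
    print("flagged:", flag_flows(observed, BASELINE_FLOWS))
```

The margin trades storage cost against detection headroom: a larger file is harder to move unnoticed, while the baseline flows themselves stay under the threshold and raise no alert.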

Inventors: Matt Monaco, Daniel Negron