Detection Modules
The four parallel detection modules of ExfilGuardian
Architecture
ExfilGuardian does not use sequential layers. Instead, the server runs four detection modules in parallel. The first three (DPI, Signatures, Behavioral) analyze packets independently and produce Detection events. The fourth (Correlation) aggregates those detections into scored Alert objects.
DPI: Deep Packet Inspection
Protocol-aware analysis of packet payloads. Each protocol has a dedicated analyzer.
DNS Analyzer
Detects DNS-based exfiltration techniques:
| Technique | Detection Method |
|---|---|
| DNS tunneling | Shannon entropy of subdomain labels. Encoded data (base32/base64/hex) produces entropy > 3.5 bits/char. |
| DGA domains | Domain Generation Algorithm detection via label length distribution, consonant ratio, and n-gram frequency analysis. |
| Exfiltration via TXT records | Anomalous TXT record sizes (> 255 bytes) or high query frequency to a single domain. |
Key file: analysis/src/server/dpi/dns_analyzer.rs
TLS Analyzer
Inspects TLS ClientHello and certificate metadata without decrypting traffic:
| Technique | Detection Method |
|---|---|
| JA3 fingerprinting | Hash of TLS version, cipher suites, extensions, elliptic curves, and EC point formats. Known-bad JA3 hashes match C2 frameworks (Cobalt Strike, Metasploit). |
| Certificate anomalies | Self-signed certs, short validity periods (< 30 days), mismatched CN/SAN, recently issued certs, free CA abuse. |
| SNI mismatch | Server Name Indication value does not match the destination IP's reverse DNS or known CDN ranges. |
Key file: analysis/src/server/dpi/tls_analyzer.rs
ICMP Analyzer
Detects covert channels embedded in ICMP echo/reply payloads:
| Technique | Detection Method |
|---|---|
| Payload entropy | Normal ICMP echo carries zero-filled or sequential padding. High entropy (> 4.0 bits/byte) indicates data encoding. |
| Oversized payloads | ICMP packets > 64 bytes are unusual. Tools like icmpsh and ptunnel use large payloads for data transport. |
| Frequency analysis | Sustained high-rate ICMP to a single destination suggests a tunnel rather than diagnostic pings. |
Key file: analysis/src/server/dpi/icmp_analyzer.rs
Signatures: Rule-Based Detection
YAML-defined detection rules with hot-reload capability. Rules are organized by protocol in the signatures/ directory.
signatures/
dns/
dga.yaml
exfiltration.yaml
tunneling.yaml
http/
suspicious_headers.yaml
upload_exfil.yaml
tls/
suspicious_cert.yamlRule Structure
Each rule specifies conditions that are evaluated against packet fields:
id: dns-tunnel-001
name: "DNS tunneling via high-entropy subdomain"
description: "Detects base64/hex encoded data in DNS subdomain labels"
severity: high
protocol: dns
conditions:
- field: subdomain_entropy
operator: gt
value: 3.5
- field: label_count
operator: gt
value: 4Condition Evaluator
Conditions support operators: eq, ne, gt, lt, gte, lte, contains, regex, in. Multiple conditions within a rule are combined with AND logic. The condition evaluator (analysis/src/server/signatures/condition.rs) compiles regex patterns once and caches them.
Hot-Reload
The signature loader watches the signatures/ directory for changes. When a YAML file is added, modified, or removed, the rule set is reloaded without restarting the server. This allows SOC operators to deploy new detection rules in real time.
Key files: analysis/src/server/signatures/engine.rs, analysis/src/server/signatures/loader.rs
Behavioral: Statistical Anomaly Detection
Learns normal traffic patterns per flow and detects deviations using statistical methods. No signatures required; this module catches novel exfiltration techniques.
Baseline (Welford's Algorithm)
The baseline module uses Welford's online algorithm to compute running mean and variance of flow metrics (bytes/second, packets/second, payload size distribution) with O(1) memory per flow. After a configurable learning period, the baseline is frozen and used as the reference.
Key file: analysis/src/server/behavioral/baseline.rs
Anomaly Detection
Three complementary statistical tests run on each flow update:
| Method | Purpose | Parameters |
|---|---|---|
| Z-score | Point anomaly detection. Flags individual values that deviate significantly from the baseline mean. | Threshold: configurable (default 3.0 sigma) |
| CUSUM (Cumulative Sum) | Drift detection. Detects gradual shifts in mean that Z-score misses (e.g., slow data leak ramping up over hours). | Slack: 0.5 sigma, threshold: 5.0 |
| EMA (Exponential Moving Average) | Trend smoothing. Provides a noise-filtered signal for the anomaly scorer. | Alpha: 0.1 |
Key file: analysis/src/server/behavioral/anomaly.rs
Beaconing Detection
Detects periodic communication patterns (C2 callback intervals). Computes the coefficient of variation (CV = stddev / mean) of inter-packet arrival times. Beaconing traffic has low CV (regular intervals), while legitimate traffic has high CV (irregular).
| CV Range | Interpretation |
|---|---|
| CV < 0.1 | Strong beaconing signal (nearly constant interval) |
| 0.1 < CV < 0.3 | Possible beaconing with jitter |
| CV > 0.3 | Normal traffic variability |
Key file: analysis/src/server/behavioral/beaconing.rs
Volume Analysis
Tracks cumulative bytes transferred per flow and per destination. Detects:
- Bulk transfers: sudden large uploads to external IPs
- Slow drip: sustained small transfers that accumulate over hours/days
Key file: analysis/src/server/behavioral/volume.rs
Correlation: Cross-Module Evidence Aggregation
The correlation module is not a detection engine itself. It aggregates Detection events from DPI, Signatures, and Behavioral, and produces scored Alert objects.
Bayesian Confidence Scoring
Individual detection confidences are combined using Bayesian probability combination:
P(threat | D1, D2, ..., Dn) = 1 - product(1 - P(threat | Di))This ensures that multiple weak signals from different modules can combine into a strong alert.
Diversity Bonus
Detections from different modules receive a multiplier. The rationale: if DPI, Signatures, and Behavioral all flag the same flow independently, the probability of a false positive drops exponentially.
| Sources | Bonus |
|---|---|
| Single module | 1.0x (no bonus) |
| Two modules | 1.2x |
| Three modules | 1.5x |
Temporal Window
Detections are grouped within a configurable time window (default: 60 seconds). Events outside the window are subject to temporal decay: their confidence contribution decreases exponentially with age. This prevents stale detections from inflating scores.
Key files: analysis/src/server/correlation/scorer.rs, analysis/src/server/correlation/temporal.rs, analysis/src/server/correlation/engine.rs
Alert Severity
The final confidence score maps to a severity level:
| Score Range | Severity |
|---|---|
| 0.0 to 0.3 | Low |
| 0.3 to 0.6 | Medium |
| 0.6 to 0.85 | High |
| 0.85 to 1.0 | Critical |