ExfilGuardian
Architecture

Detection Modules

The four parallel detection modules of ExfilGuardian

Architecture

ExfilGuardian does not use sequential layers. Instead, the server runs four detection modules in parallel. The first three (DPI, Signatures, Behavioral) analyze packets independently and produce Detection events. The fourth (Correlation) aggregates those detections into scored Alert objects.

DPI: Deep Packet Inspection

Protocol-aware analysis of packet payloads. Each protocol has a dedicated analyzer.

DNS Analyzer

Detects DNS-based exfiltration techniques:

TechniqueDetection Method
DNS tunnelingShannon entropy of subdomain labels. Encoded data (base32/base64/hex) produces entropy > 3.5 bits/char.
DGA domainsDomain Generation Algorithm detection via label length distribution, consonant ratio, and n-gram frequency analysis.
Exfiltration via TXT recordsAnomalous TXT record sizes (> 255 bytes) or high query frequency to a single domain.

Key file: analysis/src/server/dpi/dns_analyzer.rs

TLS Analyzer

Inspects TLS ClientHello and certificate metadata without decrypting traffic:

TechniqueDetection Method
JA3 fingerprintingHash of TLS version, cipher suites, extensions, elliptic curves, and EC point formats. Known-bad JA3 hashes match C2 frameworks (Cobalt Strike, Metasploit).
Certificate anomaliesSelf-signed certs, short validity periods (< 30 days), mismatched CN/SAN, recently issued certs, free CA abuse.
SNI mismatchServer Name Indication value does not match the destination IP's reverse DNS or known CDN ranges.

Key file: analysis/src/server/dpi/tls_analyzer.rs

ICMP Analyzer

Detects covert channels embedded in ICMP echo/reply payloads:

TechniqueDetection Method
Payload entropyNormal ICMP echo carries zero-filled or sequential padding. High entropy (> 4.0 bits/byte) indicates data encoding.
Oversized payloadsICMP packets > 64 bytes are unusual. Tools like icmpsh and ptunnel use large payloads for data transport.
Frequency analysisSustained high-rate ICMP to a single destination suggests a tunnel rather than diagnostic pings.

Key file: analysis/src/server/dpi/icmp_analyzer.rs

Signatures: Rule-Based Detection

YAML-defined detection rules with hot-reload capability. Rules are organized by protocol in the signatures/ directory.

signatures/
  dns/
    dga.yaml
    exfiltration.yaml
    tunneling.yaml
  http/
    suspicious_headers.yaml
    upload_exfil.yaml
  tls/
    suspicious_cert.yaml

Rule Structure

Each rule specifies conditions that are evaluated against packet fields:

id: dns-tunnel-001
name: "DNS tunneling via high-entropy subdomain"
description: "Detects base64/hex encoded data in DNS subdomain labels"
severity: high
protocol: dns
conditions:
  - field: subdomain_entropy
    operator: gt
    value: 3.5
  - field: label_count
    operator: gt
    value: 4

Condition Evaluator

Conditions support operators: eq, ne, gt, lt, gte, lte, contains, regex, in. Multiple conditions within a rule are combined with AND logic. The condition evaluator (analysis/src/server/signatures/condition.rs) compiles regex patterns once and caches them.

Hot-Reload

The signature loader watches the signatures/ directory for changes. When a YAML file is added, modified, or removed, the rule set is reloaded without restarting the server. This allows SOC operators to deploy new detection rules in real time.

Key files: analysis/src/server/signatures/engine.rs, analysis/src/server/signatures/loader.rs

Behavioral: Statistical Anomaly Detection

Learns normal traffic patterns per flow and detects deviations using statistical methods. No signatures required; this module catches novel exfiltration techniques.

Baseline (Welford's Algorithm)

The baseline module uses Welford's online algorithm to compute running mean and variance of flow metrics (bytes/second, packets/second, payload size distribution) with O(1) memory per flow. After a configurable learning period, the baseline is frozen and used as the reference.

Key file: analysis/src/server/behavioral/baseline.rs

Anomaly Detection

Three complementary statistical tests run on each flow update:

MethodPurposeParameters
Z-scorePoint anomaly detection. Flags individual values that deviate significantly from the baseline mean.Threshold: configurable (default 3.0 sigma)
CUSUM (Cumulative Sum)Drift detection. Detects gradual shifts in mean that Z-score misses (e.g., slow data leak ramping up over hours).Slack: 0.5 sigma, threshold: 5.0
EMA (Exponential Moving Average)Trend smoothing. Provides a noise-filtered signal for the anomaly scorer.Alpha: 0.1

Key file: analysis/src/server/behavioral/anomaly.rs

Beaconing Detection

Detects periodic communication patterns (C2 callback intervals). Computes the coefficient of variation (CV = stddev / mean) of inter-packet arrival times. Beaconing traffic has low CV (regular intervals), while legitimate traffic has high CV (irregular).

CV RangeInterpretation
CV < 0.1Strong beaconing signal (nearly constant interval)
0.1 < CV < 0.3Possible beaconing with jitter
CV > 0.3Normal traffic variability

Key file: analysis/src/server/behavioral/beaconing.rs

Volume Analysis

Tracks cumulative bytes transferred per flow and per destination. Detects:

  • Bulk transfers: sudden large uploads to external IPs
  • Slow drip: sustained small transfers that accumulate over hours/days

Key file: analysis/src/server/behavioral/volume.rs

Correlation: Cross-Module Evidence Aggregation

The correlation module is not a detection engine itself. It aggregates Detection events from DPI, Signatures, and Behavioral, and produces scored Alert objects.

Bayesian Confidence Scoring

Individual detection confidences are combined using Bayesian probability combination:

P(threat | D1, D2, ..., Dn) = 1 - product(1 - P(threat | Di))

This ensures that multiple weak signals from different modules can combine into a strong alert.

Diversity Bonus

Detections from different modules receive a multiplier. The rationale: if DPI, Signatures, and Behavioral all flag the same flow independently, the probability of a false positive drops exponentially.

SourcesBonus
Single module1.0x (no bonus)
Two modules1.2x
Three modules1.5x

Temporal Window

Detections are grouped within a configurable time window (default: 60 seconds). Events outside the window are subject to temporal decay: their confidence contribution decreases exponentially with age. This prevents stale detections from inflating scores.

Key files: analysis/src/server/correlation/scorer.rs, analysis/src/server/correlation/temporal.rs, analysis/src/server/correlation/engine.rs

Alert Severity

The final confidence score maps to a severity level:

Score RangeSeverity
0.0 to 0.3Low
0.3 to 0.6Medium
0.6 to 0.85High
0.85 to 1.0Critical

On this page