Tools & Prior Art
Open-source tools and academic research that informed ExfilGuardian's design
Know What You're Detecting
Understanding the attack tools is essential to building detection for them. These are the most widely used exfiltration tools, each of which ExfilGuardian's signatures target.
DNS Tunneling
| Tool | Description | What to detect |
|---|---|---|
| iodine | Tunnels IPv4 over DNS using NULL, TXT, CNAME, MX records | High-entropy subdomains, high query volume to a single domain, NULL/TXT record abuse |
| dnscat2 | DNS-based C2 channel, encrypted | Periodic DNS queries at fixed intervals (beaconing), CNAME chains, abnormal subdomain length |
| DNSExfiltrator | Data exfil over DNS TXT records | Large TXT responses, Base32/Base64 encoded subdomains |
HTTP/HTTPS Exfiltration
| Tool | Description | What to detect |
|---|---|---|
| Cobalt Strike | Commercial C2 framework with HTTP/HTTPS malleable profiles | JA3 fingerprint, abnormal User-Agent, periodic beaconing, custom headers |
| Meterpreter | Metasploit payload over HTTPS | JA3 fingerprint, session duration anomalies |
| Egress-Assess | Data exfil testing tool (HTTP, HTTPS, FTP, DNS) | Large POST body, Base64 content in unexpected fields |
ICMP / Other Protocols
| Tool | Description | What to detect |
|---|---|---|
| ptunnel-ng | TCP over ICMP tunnel | Oversized ICMP payloads, high ICMP frequency |
| icmptunnel | IP tunnel over ICMP echo | Payload entropy, abnormal echo sequence |
Reference Detection Systems
Projects that pioneered the detection techniques ExfilGuardian builds on.
Zeek (formerly Bro)
zeek.org. The reference network security monitor. Zeek's scripting language and log format are the de facto standard for network behavioral analysis. ExfilGuardian's L4 baseline approach is inspired by Zeek's conn.log and dns.log analysis patterns.
Key Zeek scripts to study
detect-MHR.zeek: malware hash registry checksfind-large-transfers.zeek: volumetric anomaly detection- Community scripts: github.com/zeek/zeek-packages
Suricata
suricata.io. High-performance IDS/IPS/NSM engine. ExfilGuardian's L3 signature format is conceptually similar to Suricata rules, though simplified. Suricata's ruleset (Emerging Threats) is a valuable reference for writing detection signatures.
Relevant Emerging Threats rulesets
emerging-dns.rules: DNS tunneling and DGAemerging-trojan.rules: C2 beacon detection- rules.emergingthreats.net
RITA (Real Intelligence Threat Analytics)
github.com/activecm/rita. Analyzes Zeek logs to detect beaconing, long connections, and DNS anomalies. Its beaconing detection algorithm (scoring connection periodicity) is directly applicable to ExfilGuardian's L4 layer.
Arkime (formerly Moloch)
arkime.com. Full packet capture and indexing at scale. Useful reference for how to handle packet storage, session reconstruction, and metadata indexing efficiently.
Academic Papers
Exfiltration Detection
| Paper | Year | Key contribution |
|---|---|---|
| Borders, K. & Prakash, A. Web Tap: Detecting Covert Web Traffic | 2004 | Early work on HTTP covert channels |
| Nadler, A. et al. Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol | 2019 | Statistical analysis of DNS exfiltration, directly applicable to L4 |
| Buczak, A.L. & Guven, E. A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection | 2016 | Survey of anomaly detection approaches for network security |
| Ahmed, M. et al. A Survey of Network Anomaly Detection Techniques | 2016 | Comprehensive survey covering statistical and ML-based approaches |
DNS Tunneling
| Paper | Year | Key contribution |
|---|---|---|
| Ellens, W. et al. Flow-based Detection of DNS Tunnels | 2013 | Feature extraction from DNS flows for ML classification |
| Homem, I. & Papapetrou, P. Towards DNS Tunneling Detection via Encoder-Decoder Network | 2020 | Deep learning approach, reference for future ML layer |
| Born, K. & Gustafson, D. Detecting DNS Tunnels Using Character Frequency Analysis | 2010 | N-gram and character distribution analysis, basis for our entropy approach |
TLS / Encrypted Traffic
| Paper | Year | Key contribution |
|---|---|---|
| Anderson, B. & McGrew, D. TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior | 2019 | TLS metadata analysis without decryption |
| Husák, M. et al. HTTPS Traffic Analysis and Client Identification Using Passive SSL/TLS Fingerprinting | 2016 | Passive fingerprinting techniques, basis for JA3 |
Behavioral Analysis
| Paper | Year | Key contribution |
|---|---|---|
| Sommer, R. & Paxson, V. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection | 2010 | Classic critique of ML for IDS; explains why rule-based + statistical is more reliable in practice |
| Chandola, V. et al. Anomaly Detection: A Survey | 2009 | Comprehensive survey covering all major anomaly detection families |
Books
| Title | Authors | Relevance |
|---|---|---|
| The Practice of Network Security Monitoring | Richard Bejtlich | NSM methodology, Zeek/Bro usage, detection philosophy |
| Practical Packet Analysis | Chris Sanders | libpcap, Wireshark, packet-level analysis |
| The Art of Memory Forensics | Ligh, Case, Levy, Walters | Memory and process-level exfiltration detection |
| Applied Network Security Monitoring | Sanders & Smith | Collection, detection, and analysis methodology |
| Programming Rust | Blandy, Orendorff, Tindall | Rust ownership, concurrency; essential for engine development |
| Rust for Rustaceans | Jon Gjengset | Advanced Rust patterns: FFI, unsafe, async |