ExfilGuardian
References

Tools & Prior Art

Open-source tools and academic research that informed ExfilGuardian's design

Know What You're Detecting

Understanding the attack tools is essential to building detection for them. These are the most widely used exfiltration tools, each of which ExfilGuardian's signatures target.

DNS Tunneling

ToolDescriptionWhat to detect
iodineTunnels IPv4 over DNS using NULL, TXT, CNAME, MX recordsHigh-entropy subdomains, high query volume to a single domain, NULL/TXT record abuse
dnscat2DNS-based C2 channel, encryptedPeriodic DNS queries at fixed intervals (beaconing), CNAME chains, abnormal subdomain length
DNSExfiltratorData exfil over DNS TXT recordsLarge TXT responses, Base32/Base64 encoded subdomains

HTTP/HTTPS Exfiltration

ToolDescriptionWhat to detect
Cobalt StrikeCommercial C2 framework with HTTP/HTTPS malleable profilesJA3 fingerprint, abnormal User-Agent, periodic beaconing, custom headers
MeterpreterMetasploit payload over HTTPSJA3 fingerprint, session duration anomalies
Egress-AssessData exfil testing tool (HTTP, HTTPS, FTP, DNS)Large POST body, Base64 content in unexpected fields

ICMP / Other Protocols

ToolDescriptionWhat to detect
ptunnel-ngTCP over ICMP tunnelOversized ICMP payloads, high ICMP frequency
icmptunnelIP tunnel over ICMP echoPayload entropy, abnormal echo sequence

Reference Detection Systems

Projects that pioneered the detection techniques ExfilGuardian builds on.

Zeek (formerly Bro)

zeek.org. The reference network security monitor. Zeek's scripting language and log format are the de facto standard for network behavioral analysis. ExfilGuardian's L4 baseline approach is inspired by Zeek's conn.log and dns.log analysis patterns.

Key Zeek scripts to study

  • detect-MHR.zeek: malware hash registry checks
  • find-large-transfers.zeek: volumetric anomaly detection
  • Community scripts: github.com/zeek/zeek-packages

Suricata

suricata.io. High-performance IDS/IPS/NSM engine. ExfilGuardian's L3 signature format is conceptually similar to Suricata rules, though simplified. Suricata's ruleset (Emerging Threats) is a valuable reference for writing detection signatures.

Relevant Emerging Threats rulesets

RITA (Real Intelligence Threat Analytics)

github.com/activecm/rita. Analyzes Zeek logs to detect beaconing, long connections, and DNS anomalies. Its beaconing detection algorithm (scoring connection periodicity) is directly applicable to ExfilGuardian's L4 layer.

Arkime (formerly Moloch)

arkime.com. Full packet capture and indexing at scale. Useful reference for how to handle packet storage, session reconstruction, and metadata indexing efficiently.


Academic Papers

Exfiltration Detection

PaperYearKey contribution
Borders, K. & Prakash, A. Web Tap: Detecting Covert Web Traffic2004Early work on HTTP covert channels
Nadler, A. et al. Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol2019Statistical analysis of DNS exfiltration, directly applicable to L4
Buczak, A.L. & Guven, E. A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection2016Survey of anomaly detection approaches for network security
Ahmed, M. et al. A Survey of Network Anomaly Detection Techniques2016Comprehensive survey covering statistical and ML-based approaches

DNS Tunneling

PaperYearKey contribution
Ellens, W. et al. Flow-based Detection of DNS Tunnels2013Feature extraction from DNS flows for ML classification
Homem, I. & Papapetrou, P. Towards DNS Tunneling Detection via Encoder-Decoder Network2020Deep learning approach, reference for future ML layer
Born, K. & Gustafson, D. Detecting DNS Tunnels Using Character Frequency Analysis2010N-gram and character distribution analysis, basis for our entropy approach

TLS / Encrypted Traffic

PaperYearKey contribution
Anderson, B. & McGrew, D. TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior2019TLS metadata analysis without decryption
Husák, M. et al. HTTPS Traffic Analysis and Client Identification Using Passive SSL/TLS Fingerprinting2016Passive fingerprinting techniques, basis for JA3

Behavioral Analysis

PaperYearKey contribution
Sommer, R. & Paxson, V. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection2010Classic critique of ML for IDS; explains why rule-based + statistical is more reliable in practice
Chandola, V. et al. Anomaly Detection: A Survey2009Comprehensive survey covering all major anomaly detection families

Books

TitleAuthorsRelevance
The Practice of Network Security MonitoringRichard BejtlichNSM methodology, Zeek/Bro usage, detection philosophy
Practical Packet AnalysisChris Sanderslibpcap, Wireshark, packet-level analysis
The Art of Memory ForensicsLigh, Case, Levy, WaltersMemory and process-level exfiltration detection
Applied Network Security MonitoringSanders & SmithCollection, detection, and analysis methodology
Programming RustBlandy, Orendorff, TindallRust ownership, concurrency; essential for engine development
Rust for RustaceansJon GjengsetAdvanced Rust patterns: FFI, unsafe, async

On this page