Enhancing Exfiltration Path Analysis Using Reinforcement Learning
Riddam Rishu, Akshay Kakkar, Cheng Wang, Abdul Rahman, Christopher Redino, Dhruv Nandakumar, Tyler Cody, Ryan Clark, Daniel Radke, Edward Bowen

TL;DR
This paper extends reinforcement learning techniques for exfiltration path analysis by incorporating protocol and payload details, enabling more realistic modeling of adversarial exfiltration behaviors over networks.
Contribution
It introduces a novel RL-based approach that incorporates payload and protocol considerations into the exfiltration path discovery process, improving the realism of the emulated paths and the detection opportunities they expose.
Findings
Enhanced exfiltration path analysis with protocol and payload modeling
Better emulation of adversarial behaviors over time and protocols
Improved identification of complex exfiltration strategies
Abstract
Building on previous work using reinforcement learning (RL) focused on identification of exfiltration paths, this work expands the methodology to include protocol and payload considerations. The former approach to exfiltration path discovery, where reward and state are associated specifically with the determination of optimal paths, is presented with these additional realistic characteristics to account for nuances in adversarial behavior. The paths generated are enhanced by including communication payload and protocol in the Markov decision process (MDP) in order to more realistically emulate attributes of network-based exfiltration events. The proposed method helps emulate complex adversarial considerations such as the size of a payload being exported over time or the protocol over which it occurs, as is the case where threat actors steal data over long periods of time using…
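The following block is an added illustration, not code from the paper and not its MDP formulation, of what it means to fold payload and protocol into an exfiltration-path MDP: the state carries the host where the data is staged, the hop a transfer is in progress to, and the units still to be relayed; each action picks a next hop and a protocol; each protocol moves a fixed chunk per step and carries a per-step detection penalty. Tabular Q-learning then finds the cheapest path. The network, protocol attributes, step cost and reward are constructed assumptions chosen so that the learned protocol choice depends on payload size (a 1-unit payload goes over the quiet, slow channel, an 8-unit payload over the faster, noisier one).

```python
"""Toy payload- and protocol-aware exfiltration MDP solved with tabular Q-learning.

Added illustration, not code from the paper: the network, the protocol
attributes and the reward scheme below are constructed assumptions.
"""
import random
from collections import defaultdict

# Constructed network: host -> {next_hop: protocols permitted on that link}.
NETWORK = {
    "workstation": {"fileserver": {"smb", "https"}, "proxy": {"https", "dns"}},
    "fileserver": {"workstation": {"smb"}, "proxy": {"https"}},
    "proxy": {"internet": {"https", "dns"}},
    "internet": {},
}
# Constructed protocol attributes: payload units moved per step and a
# per-step detection penalty (assumption: noisier channel, higher penalty).
PROTOCOLS = {
    "https": {"chunk": 4, "penalty": 0.5},
    "dns": {"chunk": 1, "penalty": 0.1},
    "smb": {"chunk": 8, "penalty": 0.2},
}
START, TARGET = "workstation", "internet"
STEP_COST, EXFIL_REWARD = 0.1, 10.0  # time cost per step, reward when all data reaches TARGET


def actions(state):
    """Legal (next_hop, protocol) pairs. Once a transfer to a hop has begun,
    only the protocol may change until that hop holds the whole payload."""
    host, dest, _ = state
    if host == TARGET:
        return []
    hops = [dest] if dest else sorted(NETWORK[host])
    return [(h, p) for h in hops for p in sorted(NETWORK[host][h])]


def step(state, action, payload):
    """One MDP transition: relay one chunk of the staged payload to the chosen hop."""
    host, _, remaining = state
    nxt, proto = action
    sent = min(PROTOCOLS[proto]["chunk"], remaining)
    reward = -PROTOCOLS[proto]["penalty"] - STEP_COST
    remaining -= sent
    if remaining > 0:                              # transfer to nxt still in progress
        return (host, nxt, remaining), reward, False
    if nxt == TARGET:                              # every unit has left the network
        return (nxt, None, 0), reward + EXFIL_REWARD, True
    return (nxt, None, payload), reward, False     # payload is now staged at nxt


def q_learning(payload, episodes=3000, alpha=0.5, gamma=0.95, epsilon=0.2, seed=0):
    """Tabular Q-learning over (host, in-progress hop, remaining units) states."""
    rng = random.Random(seed)
    q = defaultdict(float)
    for _ in range(episodes):
        state, done, steps = (START, None, payload), False, 0
        while not done and steps < 200:
            acts = actions(state)
            if rng.random() < epsilon:
                a = rng.choice(acts)
            else:
                a = max(acts, key=lambda x: q[(state, x)])
            nstate, r, done = step(state, a, payload)
            best_next = max((q[(nstate, x)] for x in actions(nstate)), default=0.0)
            q[(state, a)] += alpha * (r + gamma * best_next - q[(state, a)])
            state, steps = nstate, steps + 1
    return q


def greedy_path(q, payload):
    """Roll out the greedy policy; returns [(host, next_hop, protocol, units_sent)]."""
    state, trace, done = (START, None, payload), [], False
    while not done and len(trace) < 100:
        a = max(actions(state), key=lambda x: q[(state, x)])
        trace.append((state[0], a[0], a[1], min(PROTOCOLS[a[1]]["chunk"], state[2])))
        state, _, done = step(state, a, payload)
    return trace


def detection_cost(trace):
    """Sum of per-step detection penalties along a rolled-out path."""
    return round(sum(PROTOCOLS[p]["penalty"] for _, _, p, _ in trace), 3)


if __name__ == "__main__":
    for payload in (1, 8):
        trace = greedy_path(q_learning(payload), payload)
        print(f"payload={payload} unit(s)  detection_cost={detection_cost(trace)}")
        for host, nxt, proto, units in trace:
            print(f"  {host} -> {nxt} via {proto} ({units} unit(s))")
```

Under these constructed costs the greedy policy for a 1-unit payload relays it workstation -> proxy -> internet over DNS (two quiet steps), while for 8 units it switches to HTTPS on both hops, because eight single-unit DNS steps per hop cost more than two HTTPS chunks. That payload-dependent protocol choice is the kind of behaviour a plain shortest-path MDP cannot express.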
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
