Accession Number:



Detecting Target Data in Network Traffic

Descriptive Note:

Technical Report,29 Sep 2014,21 Mar 2017

Corporate Author:

Naval Postgraduate School Monterey United States

Personal Author(s):

Report Date:


Pagination or Media Count:



Data exfiltration over a network poses a threat to confidential information. Due to the possibility of malicious insiders, this threat is especially difficult to mitigate. Our goal is to contribute to the development of a method to detect exfiltration of many targeted files without incurring the full cost of reassembling flows. One strategy for accomplishing this would be to implement an approximate matching scheme that attempts to determine whether a file is being transmitted over the network by analyzing the quantity of payload data that matches fragments of the targeted file. Our work establishes the basic feasibility of such an approach by matching Transmission Control Protocol TCP payloads of traffic containing exfiltrated data against a database of MD5 hashes, each representing a fragment of our target data. We tested against a database of 415 million fragment hashes, where the length of the fragments was chosen to be smaller than the payload size expected for most common Maximum Transmission Units MTUs, and we simulated exfiltration by sending a sample of our targeted data across the network along with other non-target files representing noise. We demonstrate that under these conditions, we are able to detect the targeted content with a recall of 98.3 percent and precision of 99.1 percent

Subject Categories:

  • Computer Systems Management and Standards

Distribution Statement: