Abstract: A method for identifying data exfiltration attempts on a computer network comprising the following steps: identifying malicious data exfiltration behaviors (DEBs) for known adversary tactics in a knowledge base; identifying benign DEBs; comparing the malicious DEBs with the benign DEBs to identify network features that indicate malicious DEB; calculating, with a network analyzer, an entropy value for each identified network feature; establishing a threshold based on the calculated entropy values; building a complete profile of DEB based on the benign and malicious DEBs; adding every network feature having an entropy value greater than the threshold to a model; comparing the model to live network traffic; and flagging behavior in the live network traffic as a malicious DEB if such behavior includes a network feature that has an entropy value greater than the threshold regardless of whether or not the flagged behavior was previously recognized as a malicious DEB.

Abstract: A method for identifying data exfiltration attempts on a computer network comprising the following steps: identifying malicious data exfiltration behaviors (DEBs) for known adversary tactics in a knowledge base; identifying benign DEBs; comparing the malicious DEBs with the benign DEBs to identify network features that indicate malicious DEB; calculating, with a network analyzer, an entropy value for each identified network feature; establishing a threshold based on the calculated entropy values; building a complete profile of DEB based on the benign and malicious DEBs; adding every network feature having an entropy value greater than the threshold to a model; comparing the model to live network traffic; and flagging behavior in the live network traffic as a malicious DEB if such behavior includes a network feature that has an entropy value greater than the threshold regardless of whether or not the flagged behavior was previously recognized as a malicious DEB.