
Privacy Aware Memory Forensics

Janardhan Kalikiri, Gaurav Varshney, Jaswinder Kour, Tarandeep Singh

TL;DR

The paper tackles insider-threat data leaks over end-to-end encrypted instant messaging by proposing privacy-aware memory forensics that operate on per-process RAM (e.g., WhatsApp) to preserve user privacy. It combines a ProcDump-based memory capture, a Strings-based string extraction pipeline, a Python retrieval stage, and a context-based detection module built on a BERT model to identify sensitive data leaks. Key contributions include per-process RAM capture, context-aware detection, a defense-domain training dataset, and a proof-of-concept in a military-use scenario. The work demonstrates feasible, privacy-preserving insider-threat detection with potential applicability to other IM apps and deployment environments.
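The retrieval and detection stages of the pipeline described above, as an added example that is not the paper's code: it assumes the input is the one-string-per-line text that Sysinternals Strings emits for a ProcDump image of a single process (e.g. WhatsApp.exe), the noise filters and the defence vocabulary are assumptions of mine, and the paper's BERT classifier is replaced by a small keyword-plus-context scorer so that the block runs offline. What it shows that the summary does not is where the privacy property is enforced: only strings that score above the threshold leave the pipeline in clear, every other recovered string is counted and discarded. The sample Strings output at the bottom is constructed, not a real dump.

```python
"""Retrieval + context-scoring stage over Strings output of a process dump.

Added example (not the paper's code). Assumptions: the input is the
one-string-per-line text that Sysinternals Strings emits for a ProcDump
image of a single process such as WhatsApp.exe; the noise filters are
assumed; and the paper's BERT classifier is replaced by a keyword-context
scorer with the same interface a fine-tuned model would expose
(text -> score in [0, 1]).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Strings that are almost never chat text: filesystem/registry paths, URLs,
# module names, long hex runs, symbol runs. (Assumed heuristics.)
_NOISE = re.compile(
    r"^(?:[A-Za-z]:\\|/|https?://|HKEY_|[0-9A-Fa-f]{16,}$|[^\w\s]{4,})"
    r"|\.(?:dll|exe|asar|sys)$",
    re.I,
)
_MIN_LEN, _MAX_LEN = 12, 400

# Defence-domain vocabulary with weights: the stand-in for the learned model.
_TERMS = {
    "classified": 0.5, "coordinates": 0.4, "troop": 0.35, "deployment": 0.35,
    "convoy": 0.3, "ammunition": 0.3, "operation": 0.25, "patrol": 0.25,
    "grid": 0.2,
}
# "Context": a time or coordinate-like number next to a domain term raises
# the score, reflecting that a lone keyword hit is not by itself a leak.
_CONTEXT = re.compile(
    r"\b\d{4}\s?hrs\b|\b\d{1,2}:\d{2}\b|\b\d{2,3}\.\d{3,}\b", re.I
)


@dataclass
class Finding:
    text: str
    score: float


def retrieve(strings_output: str) -> list[str]:
    """Keep strings that plausibly are message text; dedupe, keep order."""
    seen: set[str] = set()
    out: list[str] = []
    for line in strings_output.splitlines():
        s = line.strip()
        if not _MIN_LEN <= len(s) <= _MAX_LEN or _NOISE.search(s):
            continue
        if sum(c.isalpha() for c in s) < 0.5 * len(s):  # mostly digits/symbols
            continue
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def context_score(text: str) -> float:
    """Stand-in classifier: weighted term hits, bonus for co-occurring context."""
    t = text.lower()
    score = sum(w for term, w in _TERMS.items() if term in t)
    if score and _CONTEXT.search(t):
        score += 0.3
    return min(score, 1.0)


def report(strings_output: str, threshold: float = 0.5) -> dict:
    """Privacy-aware output: only strings scoring >= threshold leave the
    pipeline in clear; everything else is counted and discarded."""
    candidates = retrieve(strings_output)
    flagged = [Finding(s, sc) for s in candidates
               if (sc := context_score(s)) >= threshold]
    return {
        "candidates": len(candidates),
        "flagged": flagged,
        "suppressed": len(candidates) - len(flagged),
    }


# Constructed sample of Strings output (not a real dump).
SAMPLE = """\
kernel32.dll
C:\\Users\\alice\\AppData\\Local\\WhatsApp\\app.asar
https://web.whatsapp.com/
Hey, are we still on for lunch tomorrow?
Convoy leaves the depot at 0430 hrs via grid 38S MB 12345 67890
Hey, are we still on for lunch tomorrow?
deadbeefdeadbeefdeadbeef
Classified: troop deployment to the northern sector on 14 March
!!!!????####
Happy birthday, see you tonight :)
"""

if __name__ == "__main__":
    for f in report(SAMPLE)["flagged"]:
        print(f"{f.score:.2f}  {f.text}")
```

On a real capture the input would come from `procdump.exe -ma WhatsApp.exe whatsapp.dmp` followed by `strings.exe -n 8 whatsapp.dmp` (both Sysinternals tools; the exact invocation is an assumption, not taken from the paper). The personal messages in the sample reach `retrieve()` but never appear in the report, which is the property the page's "privacy-aware" claim rests on; swapping `context_score()` for a fine-tuned BERT classifier leaves `report()` unchanged.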

Abstract

In recent years, insider threats and attacks have been increasing in both frequency and cost to corporate business. The use of end-to-end encrypted channels (instant messaging applications such as WhatsApp and Telegram, or VPN tunnels) by malicious insiders has raised data breach incidents exponentially. The Securities and Exchange Board of India (SEBI) investigated reports of such data leak incidents and reported about twelve companies where earnings data and financial information were leaked through WhatsApp messages. Recent surveys indicate that 60% of data breaches are primarily caused by malicious insiders. In a defense environment especially, information leaks by insiders jeopardize the country's national security. Sniffing of network and host-based activity does not work for insider threat detection in this setting because of end-to-end encryption. Memory forensics gives access to the messages sent or received over an end-to-end encrypted channel, but at the cost of a total compromise of the user's privacy. In this research, we present a novel solution to detect data leakage by insiders in an organization. Our approach captures the RAM of the insider's device and analyses it for sensitive information leaks from the host system while maintaining the user's privacy. Sensitive data leaks are identified together with their context using a deep learning model. The feasibility and effectiveness of the proposed idea have been demonstrated with a military use case. The proposed architecture can, however, be used across other use cases with minor modifications.

Paper Structure

This paper contains 14 sections, 3 figures, 3 tables, and 2 algorithms.

Figures (3)

  • Figure 1: Sensitive Data Detection Model
  • Figure 2: Performance of BERT model on test data (1: Sensitive Data; 0: Normal Data)
  • Figure 3: Captured Sensitive Messages