Data Loss Prevention Using Document Semantic Signature

Abstract

Data protection and insider threat detection and prevention are significant steps that organizations should take to enhance their internal security. Data loss prevention (DLP) is an emerging mechanism that is currently being used by organizations to detect and block unauthorized data transfers. Existing DLP approaches, however, face several practical challenges that limit their effectiveness. In this chapter, by extracting and analyzing document content semantic, we present a new DLP approach that addresses many existing challenges. We introduce the notion of a document semantic signature as a summarized representation of the document semantic. We show that the semantic signature can be used to detect a data leak by experimenting on a public dataset, yielding very encouraging detection effectiveness results including on average a false positive rate (FPR) of 6.71% and on average a detection rate (DR) of 84.47%.

Appendix: Examples

In this section, we illustrate the DSS model through practical examples. Table 7.7 shows the concepts from the partial FIBO ontology graph in Fig. 7.3, along with their node labels and depths.

Table 7.7 Partial FIBO ontology concepts, label, and depth

Fig. 7.3

Partial representation of the FIBO ontology tree

Figure 7.4 shows a sample document, specifically an e-mail from the Enron e-mail dataset; [18, 21] we refer to it as the reference (or sensitive) document d_1

Fig. 7.4

Sample document from the Enron e-mail dataset

The extracted concept file, document concept tree, and document semantic signature from the above e-mail sample are shown in Figs. 7.5 and 7.6.

Fig. 7.5

Extracting concept tree and generating semantic signature for Reference Document d1

Fig. 7.6

Document semantic signature SS(d1)

To illustrate the matching process, assume that we have three sensitive documents in the reference (including the e-mail sample given above, d ₁): M = (d ₁, d ₂, d ₃).

Using the above approach, we can generate the reference signature SS(M) = {SS(d ₁), SS(d ₂), SS(d ₃)}.

Assume that we have two monitored documents, CF₁ and CF₂, that need to be matched against the reference signature. Figure 7.7 shows the matching process of the monitored document CF₁ against the reference signature SS(M).

Fig. 7.7

Matching process of monitored document CF₁ against the reference signature

This figure shows the comparison process of each concept vector in the monitored document CF₁ against all sensitive documents’ semantic signatures. If there is a match between the monitored concept vector and document’s semantic signature, then the frequency will be incremented by one and saved to the frequency matrix and so on. Then, the same steps will be repeated for all concept vectors in the monitored document against the remaining documents’ semantic signatures. As an example, CF₁ has nine matched concepts in sensitive document SS(d1), four matched concepts in SS(d2), and 31 matched concepts in SS(d3).

The two matrices below represent the matching frequencies for the two monitored documents CF₁ and CF₂.

$$ {\displaystyle \begin{array}{cccc}& \mathrm{SS}\left({d}_1\right)& \mathrm{SS}\left({d}_2\right)& \mathrm{SS}\left({d}_3\right)\\ {}{\mathrm{CF}}_1& 9& 4& 31\end{array}} $$

$$ {\displaystyle \begin{array}{cccc}& \mathrm{SS}\left({d}_1\right)& \mathrm{SS}\left({d}_2\right)& \mathrm{SS}\left({d}_3\right)\\ {}{\mathrm{CF}}_2& 3& 2& 6\end{array}} $$

Also, the two matrices below show the frequency percentage for the monitored concept vector files CF₁ and CF₂, which show that the highest percentage of frequency of CF₁ is 91.18% in SS(d ₃), while the lowest frequency percentage is 22.22% in SS(d ₂). For the second monitored file CF₂, the highest frequency percentage is 20% in SS(d ₁), while the lowest is 11.11% in SS(d ₂).

$$ {\displaystyle \begin{array}{cccc}& \mathrm{SS}\left({d}_1\right)& \mathrm{SS}\left({d}_2\right)& \mathrm{SS}\left({d}_3\right)\\ {}F\left({\mathrm{CF}}_1\right)& 60\%& 22.22\%& 91.18\%\end{array}} $$

$$ {\displaystyle \begin{array}{cccc}& \mathrm{SS}\left({d}_1\right)& \mathrm{SS}\left({d}_2\right)& \mathrm{SS}\left({d}_3\right)\\ {}F\left({\mathrm{CF}}_2\right)& 20\%& 11.11\%& 17.65\%\end{array}} $$

In addition, the Jaccard index is calculated below for both monitored documents. The two matrices below show that the highest Jaccard index for CF₁ is 79.49% in SS(d3), while the highest Jaccard index for CF₂ is 42.86% in SS(d1).

$$ {\displaystyle \begin{array}{cccc}& \mathrm{SS}\left({d}_1\right)& \mathrm{SS}\left({d}_2\right)& \mathrm{SS}\left({d}_3\right)\\ {}J\left({\mathrm{CF}}_1\right)& 21.43\%& 8\%& 79.49\%\end{array}} $$

$$ {\displaystyle \begin{array}{cccc}& \mathrm{SS}\left({d}_1\right)& \mathrm{SS}\left({d}_2\right)& \mathrm{SS}\left({d}_3\right)\\ {}J\left({\mathrm{CF}}_2\right)& 42.86\%& 8\%& 16.22\%\end{array}} $$

From the measures above, our model will classify CF₁ as a suspicious file because the Frequency F(CF₁) = 91.18% against SS(d3), which is higher than the threshold value 60%, and the Jaccard index J(CF₁) = 79.49% against SS(d ₃), which is higher than the threshold value 60%, too.