Article code: 456250
Journal code: 695682
Publication year: 2013
English article: 13 pages, PDF
Full-text version: Free download
English title of the ISI article
A novel classification model for data theft detection using advanced pattern mining
Related topics
Engineering and Basic Sciences; Computer Engineering; Computer Networks and Communications
English abstract

One of the challenges in data theft detection is the difficulty of classifying copy operations from other types of access (non-copy) operations. Existing work in this area focuses on the stochastic model of filesystem behavior to identify emergent patterns in MAC timestamps unique to copying. Such an approach produces a lot of false positives because the patterns emerging due to copying are similar to those of other access operations, like searching for a file in a folder, compressing a folder, scanning a folder with antivirus software, and recursively listing directory entries from a command prompt. A novel classification model is proposed for detection of data theft by means of copy operations. Experiments were conducted by making use of advanced pattern mining algorithms such as ANFIS (Adaptive Network-based Fuzzy Inference System), ANN (Artificial Neural Networks) and C&RT (Classification & Regression Trees). All the experiments were conducted on three different operating systems, i.e. Windows XP, Ubuntu and Windows 7. Henceforth the approach is validated against a simulated data theft event, and analysis of the results revealed that the C&RT-based approach is most appropriate for data theft detection. The proposed classification model can be used by digital forensic investigators to filter out the most important artefacts and prioritize their investigation while investigating a data theft case.

Publisher
Database: Elsevier - ScienceDirect
Journal: Digital Investigation - Volume 10, Issue 4, December 2013, Pages 385–397