WO2019073232A1 - A security system and method - Google Patents

A security system and method Download PDF

Info

Publication number
WO2019073232A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
computer system
modulated
exfiltration
modulation technique
Application number
PCT/GB2018/052900
Other languages
French (fr)
Inventor
Trevor John WATKINS
Original Assignee
Data Border Ltd.
Application filed by Data Border Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/556 Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes

Definitions

  • This invention relates to a security system and method for monitoring and/or detecting and/or preventing data security breaches in a computer system.
  • Examples of sensitive data include but are not limited to confidential information, client contact lists, engineering designs, know-how
  • Data Leakage Prevention (DLP) software is established and protects against data transfer over and from computer end-points such as USB, network, disk drives and communication ports. These end-points are digital in nature and offer native data transfer. DLP software can operate to disable data transfer at the end-points: for example, in response to inappropriate access to a USB drive, the USB drive is disabled.
  • One aspect of the present invention provides a data security system for identifying attempted unauthorised data transfer from a computer system, the computer system having:
  • an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data;
  • a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data, wherein the data security system comprises:
  • a detector to detect one or more of:
  • In examples, the detector is implemented as a software service installed on the computer system.
  • Another aspect of the present invention provides a computer system in combination with a data security system for identifying attempted unauthorised data transfer from the computer system, the computer system having:
  • an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data;
  • a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data, wherein the data security system comprises:
  • a detector to detect one or more of:
  • Another aspect of the present invention provides a method of monitoring the functionality of a computer system to identify attempted unauthorised data transfer from the computer system, the computer system comprising: one or more components for conducting normal operation of the computer system;
  • an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data;
  • a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data, the method comprising: detecting one or more of:
  • A further aspect of the present invention provides a machine-accessible medium having instructions stored thereon that, when executed, cause a machine to:
  • the computer system comprising: one or more components for conducting normal operation of the computer system; an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data; and
  • Aspects of the invention seek to protect a computer system against data loss / leakage / exfiltration from the protected computer system through one or more of: encoded sound output; encoded screen output; and/or manipulation of system components to output encoded data.
  • Figure 1 is a schematic diagram illustrating data transfer or data channel air-gap weaknesses being exploited in a computer system;
  • Figure 2 is a schematic representation of a computer system with audio and video output channels which the system protects from digital data leakage highlighted.
  • Figure 3 is a sequence diagram showing an audio process involved in extracting data from an unprotected computer system, without an embodiment of the invention;
  • Figure 4 is a sequence diagram showing a video process involved in extracting data from an unprotected computer system, without an embodiment of the invention
  • Figure 5 is a sequence diagram showing a system component process involved in extracting data from an unprotected computer system, without an embodiment of the invention
  • Figure 6 is a schematic diagram illustrating use cases for embodiments of the invention;
  • Figure 7 is a sequence diagram showing an audio process involved in extracting data from a computer system protected with an embodiment of the invention
  • Figure 8 illustrates an exemplary spectrogram to highlight and detect risk-associated exfiltration data modulation in examples of the invention;
  • Figure 9 illustrates examples of detectable PSK modulation
  • Figure 10 illustrates a mechanism for sending data as sound (either to provide data transfer or to create samples including data encoded as audio);
  • Figures 19-24 illustrate examples of data exfiltration by video:
  • Figure 19 illustrates a text message being encoded as a QR code
  • Figure 20 illustrates a data file being encoded into a series of QR codes
  • Figure 21 illustrates a sequence of QR codes which are displayed on a computer system for sequential image capture
  • Figure 22 illustrates the capturing of an image displayed on a computer system's display screen
  • Figure 23 illustrates the capturing of a sequence of images displayed on a computer system's display screen
  • Figure 24 illustrates the capturing of a sequence of images displayed on a computer system's display screen
  • Figure 25 is a sequence diagram showing a system process involved in extracting data from a computer system protected with an embodiment of the invention.
  • Figure 26 illustrates a 'data-transfer suite' to exfiltrate data by audio or video data transfer
  • Figure 27 illustrates a data security system embodying the present invention implemented as a desktop process running on a computer system being protected
  • Figures 28 and 29 illustrate the system of Figure 27 viewable by a system administrator
  • Figures 30-34 illustrate examples of setting menus which can be tailored to alter the detection / action / alert functions of security systems embodying the invention
  • Figure 35 illustrates an attempted video data transfer below a threshold
  • Figure 36 illustrates an attempted video data transfer above the threshold
  • Figure 37 illustrates a security alert being written to an event log maintained by a security system embodying the present invention
  • Figure 38 illustrates an attempted data transfer by video being blocked
  • Figure 39 illustrates "Normal" sound being analysed (bottom right corner) by a security system embodying the present invention
  • Figure 40 illustrates a security system embodying the present invention detecting encoded data being attempted to be output as audio and blocking said attempt;
  • Figure 41 illustrates a security alert being written to an event log maintained by a security system embodying the present invention
  • Figure 42 illustrates a sound analysis screen implemented in a security system embodying the present invention
  • Figure 43 illustrates a system-wide mute of audio output applied by a security system embodying the present invention
  • Figures 44 and 45 illustrate system component monitoring implemented by a security system embodying the present invention.
  • Figure 46 illustrates a high level status of the protections enabled/disabled and a summary of the alerts and warnings raised as implemented by a security system embodying the present invention.
  • Examples of the invention are set out below.
  • The examples relate to a data security system for identifying attempted unauthorised data transfers from a protected computer system.
  • The computer system is a conventional computer system such as a desktop PC which may or may not be networked.
  • A mechanism is required to prevent unauthorised digital data leakage and theft of sensitive data, such as intellectual property or transaction information, from the corporate computer environment without disrupting usage of the computer system's functionality for legitimate and authorised business purposes.
  • The term computer system relates to an otherwise conventional computing device which typically has a case housing internal components such as a power supply unit, processors, communication buses, hard drive or solid state drive, memory devices, graphics cards, cooling fan, heat sinks, wire loom and other components which may be integral with the casing or external of the casing, such as computer peripherals which connect (wired or wirelessly: WiFi,
  • The computing device may also be connected to one or more further displays, a trackpad, drafting tablet, network router, network switch or WiFi extender. This is not an exclusive list of the components of a computer system.
  • The components of the computer system give the computer system its functionality and allow it to operate normally.
  • FIG. 1 is a schematic diagram illustrating data transfer or data channel air-gap weaknesses being exploited in a computer system. There are data transfer mechanisms available to bridge "air-gaps" and exfiltrate secure corporate data from systems without connecting to them through traditional user interfaces or data communication channels.
  • Data security systems embodying the present invention detect, alert and take action to protect against each of these risk-associated unauthorised data channels. These data security systems are known as, respectively:
  • Figure 2 is a schematic representation of a computer system with audio and video output channels which the system protects from digital data leakage highlighted.
  • The computer system of Figure 2 has a data security system embodying the present invention.
  • A data security system embodying the present invention such as shown in Figure 2 protects against data loss through one or more of the audio, screen or system channels. More particularly, a data security system embodying the present invention protects against data loss / leakage / exfiltration from a protected computer system through one or more of: encoded sound output; encoded screen output; and/or manipulation of system components to output encoded data.
  • Sound - Audio signal data exfiltration :
  • One example - Sensitive data for exfiltration is encoded or modulated as an audio signal which is then played (transmitted or communicated) on a computer system speaker (or component of a computer system operating as a speaker).
  • This audio data output is then external of the computer system and can be captured by a device external to the computer system having a microphone or other suitable sensor.
  • A laptop or smartphone can capture and record the audio data output and demodulate the output to reconstruct the sensitive data.
  • The sensitive data has then been exfiltrated from the computer system via sound.
  • One example - Sensitive data for exfiltration is encoded or modulated as a visual pattern such as a line barcode or, more efficiently, a QR ("Quick Response") code, and displayed on the screen of the computer, from where it can be captured by another device with a camera (again such as a laptop or smartphone) and decoded to reconstruct the sensitive data.
  • The sensitive data has then been exfiltrated from the computer system via the screen.
  • Video and audio signals offer a readily exploitable data leakage channel to exfiltrate sensitive data because of a number of factors which include:
  • System - repurposing computer system components for data exfiltration:
  • Examples of the repurposing of one or more computer system components for data exfiltration, preferably by forms of video or audio signal data exfiltration:
  • Data can be exfiltrated by controlling components of the computer system in such a way as to emit encoded digital data on unorthodox data transfer channels. Examples include modulating the temperature of the machine or points on the machine, modulating vibrations caused by the speed of CPU, modulating the rotation speed or other parameters of a power supply fan [e.g. "Fansmitter”], modulating vibrations caused by accessing the hard-drive in patterns.
  • Modulating the controlled flashing/strobing of optical sources to encode exfiltration data can include controlling LEDs such as the caps-lock LED indicator on a keyboard, network status LEDs on LAN/WAN ports, other status indicators like the computer/display power ON/OFF light, charge status lights on computer and peripherals, the laser or optical source in an optical or laser mouse (which offer a high frequency output which can be readily modulated), and controlling flashing of screen icons or GUIs or specific areas of the screen.
  • Other examples include controlling computer system components such as semiconductors to emit modulated RF frequency signals so as to encode exfiltration data in electromagnetic radiation produced from them.
  • Some of these unorthodox data channels sit neatly in the audio signal category, like the "Fansmitter” which outputs an audio signal and the vibration data channel using mechanical impulses to modulate the exfiltration data.
  • Data channels which modulate the exfiltration data using an optical mechanism, such as the flashing LED examples, sit neatly in the optical/video category.
  • Some examples, like chipset heat/temperature modulation and modulated RF signals, sit at the extremes of the audio and optical signal spectrums.
  • Sensitive data may also be encoded for exfiltration as a digital signature or watermark in audio or video.
  • The signature or watermark may be repeated throughout the audio or video, may or may not be perceptible by the human ear or eye, and may or may not be steganographic.
  • The modulation which is detectable is the encoding of the data into the signature or watermark.
  • Figures 3 and 4 are sequence diagrams showing respectively the audio and video processes involved in extracting data from a corporate computer system by exploiting the sound and screen data transfer weaknesses.
  • Figure 5 is a sequence diagram showing a system component process involved in extracting data from an unprotected computer system.
  • Figures 3, 4 and 5 are sequence diagrams for a computer system which is not provided with a data security system embodying the invention.
  • Examples of the present invention provide a data security system for identifying attempted unauthorised data transfer from a computer system, the computer system having: one or more components for operation of the computer system; exfiltration data which is sensitive data not intended for unauthorised transfer external of the computer system; and an exfiltration data modulator to modulate the exfiltration data into a form suitable for
  • The data security system comprises: a detector to detect one or more of: data modulated with a risk-associated modulation technique; operation of the exfiltration data modulator to modulate data with a risk-associated modulation technique; and transmission of modulated exfiltration data from the computer system by a data transfer mechanism.
  • Examples of a data security system embodying the present invention are implemented in software or hardware and are resident on a computer system to protect that computer system from having its data exfiltrated external of the computer system.
  • An important part of a data security system embodying the present invention is a detector which identifies data which is encoded for data transfer by an audio signal, a video signal or by a system-generated signal.
  • Examples of the invention implement a data security system for identifying attempted unauthorised data transfer from a computer system in which the security system is resident, the computer system having: one or more components for conducting normal operation of the computer system;
  • exfiltration data comprising data not authorised for transfer external of the computer system; and an exfiltration data modulator to modulate the
  • the data security system comprises: a detector to detect one or more of: a) operation of the exfiltration data modulator to modulate data with the
  • Data security systems embodying the present invention include an alert manager to alert the user, an administrator and/or create a system log of detected events, which events may correspond to an attempt to exfiltrate data from a computer system.
  • Data security systems embodying the present invention include an action manager to take action to hinder an attempt to exfiltrate data from a computer system.
  • The transfer of exfiltration data external of the computer system is not a normal operation of the computer system but is undertaken by unauthorised personnel who are attempting to circumvent safeguards put in place by the administrator or other entity to prevent data exfiltration.
  • Embodiments of the claimed invention detect such unauthorised attempts at data exfiltration - attempts to transfer data in an unauthorised manner.
  • The mechanism of exfiltration, the exfiltration data modulator, is an element of the computer system which is being used in an unauthorised manner to facilitate data transfer external of the computer system.
  • The exfiltration data modulator may be software or hardware resident on, or accessed from, the computer system.
  • A computer system which is protected by a data security system embodying the present invention will be monitored to detect operation of the computer system components as an exfiltration data modulator.
  • FIG. 6 is a schematic diagram illustrating use cases for embodiments of the invention.
  • Data security systems embodying the invention alert on attempted data leakage and prevent data leakage from the corporate computer environment via audio- and screen-based data transfers, without disrupting normal usage of screen and audio for legitimate business purposes.
  • An audio/sound output suitable for machine-based re-composition of digital data can lie outside the normal human hearing frequency spectrum, and so is not detectable by humans; embodiments of the invention which prevent the exfiltration of digital data from a corporate computer system via such an output therefore monitor beyond the audible range. Audio outputs within the normal human hearing frequency spectrum are also possible.
  • An audio signal or audio-like signal is any signal which is detectable by microphones, sensors, transducers or other sensing devices in the frequency range of: below 20Hz, infrasonics; human perceptible frequencies from around 20Hz to 20kHz; and ultrasonics, above 20kHz.
  • The range is not limited to the human-audible part of the acoustic spectrum.
  • Data transfer mechanisms operating at frequencies either side of the human-audible spectrum and beyond may also be implemented to attempt to exfiltrate data.
  • Vibration or mechanical contact devices such as telegraph keys (e.g. a mechanical device operable to tap out a signal in Morse code) may also be implemented in or attached to a computer system to attempt to exfiltrate data.
  • Embodiments of the invention include detectors to detect such mechanical signals. Sound signals not only pass through air but also through other media such as the materials from which a computer system is constructed.
  • Monitoring for vibrations of computer system components is a further detection mechanism embodying the present invention.
  • An additional technique to detect suspected data transfer using audio modulated exfiltration data is to identify audio signals from a suspect computer system and conduct a comparative analysis with the audio output of peer computer systems, thereby detecting audio signals which are modulated differently to peer computer systems and identifying anomalous and therefore suspect audio modulated data.
  • Such anomalous data transfer may be logged for review by the alert manager and/or passed to the action manager to take action to disable the entire system or part of the computer system. Detection here is by comparison with peer computer systems.
  • Figure 7 is a sequence diagram showing an audio process involved in extracting data from a computer system protected with an embodiment of the invention.
  • Embodiments of the invention allow the normal output of sound as useful and appropriate in a corporate environment (e.g. as needed for training videos, presentations, conference calls over Skype, Webex or GoToMeeting) but alert and/or inhibit any attempt to subvert the audio channel to modulate and transfer sensitive digital data.
  • Embodiments of the invention can advantageously record the details surrounding suspected breaches attempting to output digital data encoded as audio from a protected computer and retain the recording of any suspected breach for later review, further analysis, action and as evidence.
  • Logged data can be: a record of the sound being output, explanations of which audio protection analysis rules were fired and analysis documentation such as graphic equaliser visualisations; track which running applications / programs are producing sound; track other actions on the computer system, particularly which files have been recently accessed to identify the data which the employee is attempting to extract; take screen-captures from the computer system and automatically annotate with the actions the user was taking at the time of the suspected data leakage breach such as mouse movement and key-strokes.
  • Embodiments of the invention can instantaneously act to produce a real-time alert to the Information Security Team / management team and if configured to do so, take inhibiting actions to block sound output completely, selectively mute the offending audio output or smother the suspect audio output with white noise to render the suspect output non-identifiable.
  • Examples of the invention are implemented with one or more of the following functionalities:
  • Audio Detection:
  • Sampled sound data is represented in examples of the invention as a spectrogram of amplitude per frequency which can be visualised and analysed for indications of encoded digital data intended for machine reconstruction. Time-sliced sections of captured sound can visualise the audio data and analysis is used to find patterns.
  • Figure 8 illustrates an exemplary spectrogram used to highlight and detect risk-associated exfiltration data modulation.
  • The security system embodying the present invention can use one or more methods for detecting exfiltration data or data being exfiltrated. Examples of detecting data and/or modulation of data for sending as audio (which may also be applicable to system-generated signals and/or analogous video signals):
  • The system counts the number of occurrences of the same or similar peaks which are observed in sequence between successive samples. When the number of occurrences reaches a predetermined level or threshold, this is classified as an observed intended control of the output frequency.
  • Each sampled amplitude value is grouped into binned values (1-4, low to high) and a history maintained in memory.
  • The detection algorithm loops back over the sample history to detect whether the same binned amplitude value is set for a relatively consistent amount of time (i.e. number of samples) fairly regularly over the recent history. So the history is aggregated to count the number of identical amplitude value bin
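The two heuristics above (counting successive frames that share a dominant spectral peak, and binning each frame's amplitude into four levels and looking for runs of regular length) as an added worked example in Python. This is illustrative code written for this page, not the patent's implementation. It assumes an 8 kHz loop-back capture cut into 64-sample frames (125 Hz per DFT bin), and the FSK, on-off-keyed and stepped-sweep signals are constructed inline rather than recorded:

```python
import math

FS = 8000       # sample rate of the loop-back capture (assumed)
FRAME = 64      # samples per analysis frame -> 125 Hz per DFT bin


def dominant_bin(frame):
    """Index of the strongest non-DC DFT bin (naive DFT; fine for 64-sample frames)."""
    n = len(frame)
    best, best_mag = 0, -1.0
    for k in range(1, n // 2):
        re = sum(frame[i] * math.cos(2 * math.pi * k * i / n) for i in range(n))
        im = sum(frame[i] * math.sin(2 * math.pi * k * i / n) for i in range(n))
        mag = re * re + im * im
        if mag > best_mag:
            best, best_mag = k, mag
    return best


def peak_runs(frames, min_run=3):
    """Number of runs of at least min_run successive frames sharing the same dominant peak.
    A run is counted once, when it reaches min_run (the 'predetermined threshold')."""
    runs, run, prev = 0, 0, None
    for frame in frames:
        b = dominant_bin(frame)
        run = run + 1 if b == prev else 1
        prev = b
        if run == min_run:
            runs += 1
    return runs


def frame_rms(frame):
    return math.sqrt(sum(s * s for s in frame) / len(frame))


def amplitude_bin(level, step=0.2):
    """Quantise a frame's RMS level into bins 1 (quiet) .. 4 (loud)."""
    return 1 + min(3, int(level / step))


def regular_amplitude_runs(frames, min_runs=3):
    """True if some amplitude bin keeps recurring in runs whose lengths are all
    multiples of a common base (a fixed symbol period), i.e. amplitude is being keyed."""
    history = [amplitude_bin(frame_rms(f)) for f in frames]
    runs = {}                                  # bin value -> list of run lengths
    i = 0
    while i < len(history):
        j = i
        while j < len(history) and history[j] == history[i]:
            j += 1
        runs.setdefault(history[i], []).append(j - i)
        i = j
    for lengths in runs.values():
        base = min(lengths)
        if len(lengths) >= min_runs and base >= 2 and all(l % base == 0 for l in lengths):
            return True
    return False


# --- constructed test signals (synthetic, not recordings) ---
def tone_frames(freqs, amps):
    """One frame per (frequency, amplitude) pair, with continuous phase across frames."""
    frames, phase = [], 0.0
    for f, a in zip(freqs, amps):
        frame = []
        for _ in range(FRAME):
            frame.append(a * math.sin(phase))
            phase += 2 * math.pi * f / FS
        frames.append(frame)
    return frames


def fsk_frames(bits, f0=1000.0, f1=2000.0, frames_per_bit=5):
    """Binary FSK: 1000 Hz (bin 8) for '0', 2000 Hz (bin 16) for '1', constant level."""
    freqs = [f1 if b == "1" else f0 for b in bits for _ in range(frames_per_bit)]
    return tone_frames(freqs, [0.8] * len(freqs))


def ook_frames(bits, freq=1000.0, frames_per_bit=3):
    """On-off keying: a 1000 Hz tone switched fully on or off per symbol."""
    amps = [1.0 if b == "1" else 0.0 for b in bits for _ in range(frames_per_bit)]
    return tone_frames([freq] * len(amps), amps)


def sweep_frames():
    """Stepped sweep 300 -> 3750 Hz and back at a steady level; a stand-in for
    non-stationary audio whose peak moves every frame."""
    freqs = [300.0 + 150.0 * k for k in range(24)]
    freqs += freqs[::-1]
    return tone_frames(freqs, [0.5] * len(freqs))
```

A sustained musical note or a held vowel also produces long runs of the same peak, which is why the patent treats each heuristic as one vote among several and gates alerts on a count of suspected instances within a period; `min_run`, `min_runs` and the bin step are the thresholds an administrator would tune.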
  • Sample the sound being output by the computer via a loop-back from the sound-card output device. The raw output is monitored before analysing for waveforms by frequency or binning for amplitude modulation. A short history of, say, 20 samples is tracked in raw sample form. Using extrapolation techniques, particularly polynomial extrapolation, the detector estimates the value the next sample would be expected to have were a normal audio waveform to continue playing; a sample that departs sharply from that estimate indicates a deliberate discontinuity in the waveform.
  • Figure 9 illustrates examples of detectable PSK modulation.
  • This technique can be used to detect binary phase shift keying (e.g.
  • A least-squares minimisation approach is used to solve for the predictor coefficient values (a covariance formulation), which simplifies to an autocorrelation formulation solved by Gaussian elimination or, more efficiently, by Levinson-Durbin recursion, in which each predictor coefficient is derived in turn. The predictor order is extended or reduced as needed based on CPU usage and recent signal detections, to limit the impact on the computer system, and the algorithm in use is rotated selectively so as to make signal encodings designed to circumvent detection much more difficult.
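The prediction-residual detector described above, as an added example (not the patent's code): linear predictor coefficients are fitted by the autocorrelation method and solved with Levinson-Durbin recursion, then the residual between predicted and actual samples is thresholded. A steady waveform is predicted almost exactly, while a BPSK phase reversal cannot be predicted from the preceding samples and leaves a residual spike at every symbol boundary. The 8 kHz rate, 1 kHz carrier, predictor order, spike threshold and bit string are assumptions, and the signals are constructed rather than recorded:

```python
import math

FS = 8000   # sample rate assumed for the loop-back capture


def autocorrelation(x, order):
    """r[k] = sum_i x[i] * x[i+k] for k = 0..order (autocorrelation method)."""
    n = len(x)
    return [sum(x[i] * x[i + k] for i in range(n - k)) for k in range(order + 1)]


def levinson_durbin(r, order):
    """Predictor coefficients a[1..order] with x_hat[n] = sum_k a[k] * x[n-k].
    Each stage derives the next reflection coefficient from the previous solution."""
    a = [0.0] * (order + 1)          # a[0] is unused
    err = r[0]                        # prediction error energy so far
    for i in range(1, order + 1):
        if err <= 1e-12:              # signal already perfectly predicted
            break
        k = (r[i] - sum(a[j] * r[i - j] for j in range(1, i))) / err
        prev = a[:]
        a[i] = k
        for j in range(1, i):
            a[j] = prev[j] - k * prev[i - j]
        err *= 1.0 - k * k
    return a[1:]


def prediction_residual(x, coeffs):
    """e[n] = x[n] - x_hat[n] for every sample with a full history."""
    p = len(coeffs)
    return [x[n] - sum(coeffs[k] * x[n - 1 - k] for k in range(p)) for n in range(p, len(x))]


def residual_spikes(x, order=4, threshold=0.3):
    """Count samples the predictor could not explain; unit-amplitude signals assumed."""
    coeffs = levinson_durbin(autocorrelation(x, order), order)
    return sum(1 for e in prediction_residual(x, coeffs) if abs(e) > threshold)


# --- constructed signals ---
def tone(n, freq=1000.0, amp=1.0):
    """Plain sinusoid: a 2nd-order predictor reproduces it exactly."""
    return [amp * math.sin(2 * math.pi * freq * i / FS) for i in range(n)]


def bpsk(bits, freq=1000.0, samples_per_bit=37, amp=1.0):
    """Carrier whose sign flips at each 0->1 or 1->0 transition (binary phase shift keying)."""
    out = []
    for idx, b in enumerate(bits):
        sign = 1.0 if b == "1" else -1.0
        for j in range(samples_per_bit):
            i = idx * samples_per_bit + j
            out.append(sign * amp * math.sin(2 * math.pi * freq * i / FS))
    return out


if __name__ == "__main__":
    print("pure tone spikes:", residual_spikes(tone(296)))
    print("BPSK spikes:", residual_spikes(bpsk("10110010")))
```

The bit string "10110010" has five transitions, so at least five residual spikes appear; the plain tone yields none. Raising `order` costs one more pass per coefficient in `levinson_durbin`, which is the CPU trade-off the text refers to.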
  • The 'good' samples are taken from a range of ambient office noise recordings, output from voice-to-text, audio-books and recorded conference calls, conversations, and audio from TV and radio broadcasts.
  • The 'bad' samples are taken from implementations of existing known data encoding techniques from research into data transfer over sound, and by shifting data encodings from other platforms / frequencies / carriers into the audio frequency range (e.g. AM radio, FM radio, WiFi, RFID and Bluetooth communication).
  • The output is a classification of whether the sampled sound constitutes an expected instance of data encoded over sound or not, and, as with the detection techniques above, a number of suspected instances in a period of time warrants the raising of an alert.
  • A set of classifier functions is trained with a broad corpus of samples:
  • The samples can be created on the computer system which will be secured by the security system embodying the present invention, or can be a corpus of samples created on other computer systems.
  • The set of classifiers comprises a neural network, a support vector machine, the k-nearest neighbour algorithm, a Gaussian mixture model, a naive Bayes classifier and a decision tree.
  • Each classifier then pattern-matches against the sampled audio output by the computer to determine the closest match to positive (i.e. contains encoded data) versus negative (i.e. does not contain encoded data).
  • A majority vote is taken across the set of classifier detection techniques to give the overall decision. Positive detections result in an alert being raised to the alert manager framework, which in turn follows its settings-driven user warning, protective actions (e.g. muting sound, locking the computer), notification and escalation.
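The classifier ensemble with majority vote, and the rule that several suspected instances within a period raise an alert, as an added example in pure Python (not the patent's code). The patent lists a neural network, SVM, k-NN, GMM, naive Bayes and decision tree; to stay dependency-free this example uses four small stand-ins (nearest centroid, 3-NN, Gaussian naive Bayes and a decision stump). The two features per clip (spectral flatness and the fraction of energy above the speech band), the twelve training points and the window parameters are constructed assumptions, not the patent's corpus:

```python
import math

# Constructed training clips: (spectral_flatness, high_band_fraction) -> label (1 = encoded data).
# Tonal, band-hopping encodings are flat-spectrum-poor and push energy above speech frequencies.
TRAINING = [
    ((0.62, 0.05), 0), ((0.70, 0.08), 0), ((0.55, 0.04), 0),
    ((0.66, 0.12), 0), ((0.58, 0.06), 0), ((0.74, 0.03), 0),
    ((0.12, 0.45), 1), ((0.08, 0.60), 1), ((0.20, 0.35), 1),
    ((0.15, 0.52), 1), ((0.05, 0.70), 1), ((0.25, 0.40), 1),
]


def dist2(a, b):
    return sum((i - j) ** 2 for i, j in zip(a, b))


def nearest_centroid(train, x):
    cents = {}
    for lbl in (0, 1):
        pts = [f for f, l in train if l == lbl]
        cents[lbl] = tuple(sum(p[i] for p in pts) / len(pts) for i in range(2))
    return min((0, 1), key=lambda l: dist2(cents[l], x))


def knn(train, x, k=3):
    nearest = sorted(train, key=lambda t: dist2(t[0], x))[:k]
    return 1 if sum(l for _, l in nearest) * 2 > k else 0


def gaussian_nb(train, x):
    """Naive Bayes with a per-class Gaussian on each feature (log-domain scoring)."""
    scores = {}
    for lbl in (0, 1):
        pts = [f for f, l in train if l == lbl]
        logp = math.log(len(pts) / len(train))
        for i in range(2):
            vals = [p[i] for p in pts]
            mu = sum(vals) / len(vals)
            var = sum((v - mu) ** 2 for v in vals) / len(vals) + 1e-6
            logp += -0.5 * math.log(2 * math.pi * var) - (x[i] - mu) ** 2 / (2 * var)
        scores[lbl] = logp
    return max(scores, key=scores.get)


def decision_stump(train, x):
    """One-level decision tree: best single (feature, threshold, direction) on training error."""
    best = None                                    # (errors, feature, threshold, direction)
    for i in range(2):
        vals = sorted(set(f[i] for f, _ in train))
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2
            for direction in (1, -1):              # 1: encoded when feature > thr, -1: when <= thr
                errs = sum(1 for f, l in train if ((f[i] > thr) == (direction == 1)) != bool(l))
                if best is None or errs < best[0]:
                    best = (errs, i, thr, direction)
    _, i, thr, direction = best
    return 1 if (x[i] > thr) == (direction == 1) else 0


CLASSIFIERS = [nearest_centroid, knn, gaussian_nb, decision_stump]


def ensemble_vote(x, train=TRAINING):
    """Majority vote across the classifiers; a tie is treated as benign."""
    votes = [c(train, x) for c in CLASSIFIERS]
    return 1 if sum(votes) * 2 > len(votes) else 0


def alert_points(decisions, window=5, needed=3):
    """Indices at which at least `needed` of the last `window` clip decisions were positive."""
    return [i for i in range(len(decisions))
            if sum(decisions[max(0, i - window + 1):i + 1]) >= needed]
```

`ensemble_vote` is the per-clip decision; `alert_points` is the alert manager's "several suspected instances in a period" gate, which is what keeps a single odd clip of a conference call from muting the machine.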
  • Figure 10 illustrates a mechanism for sending data as sound (either to provide data transfer or to provide samples including data encoded as audio). Simple text data is encoded and broadcast from the sound sending page via the sound card to the computer system's audio speaker / headphones / aux jack. This helps to quickly gauge what frequencies can be sent / received with the current hardware of the computer system with the current levels of ambient
  • Figure 11 illustrates a larger data payload being encoded as audio and Figure 12 shows that encoded data being sent from a computer system (the sender). Simply select the file and it will be output.
  • Figure 13 shows the sent signals from the sender computer system being received on a different computer which is connected to a different network, the sound receiver webpage is loaded and set to listen to the same frequency range as the sender computer system is broadcasting on. The same pre-sets are available to quickly set the frequency.
  • Figure 14 illustrates encoded data being received by another computer system.
  • Figure 15 illustrates a complete file message has been fully received from the sender computer system. The file contents are decoded and saved as a normal browser download (to the downloads folder) but without the file having passed over any network.
  • a security system embodying the present invention can implement various safeguards to mitigate the risk of data being encoded as audio and data being transferred external of the computer system by audio for subsequent reception and reconstruction. Configurable proactive sound processing designed to prevent digital data encoded as audio from being output can be set-up
  • Examples of protection systems embodying the present invention include filtering and disrupting techniques.
  • Examples of disruption techniques which may be employed by the action manager are to disable the audio card of a computer system or to mute the audio signal.
  • Audio Frequency Filtering:
  • the security system pre-filters frequencies outside the normal human speech / hearing range making the system less adept at playing music for example, but perfectly adequate for corporate environments. This prevents any data exfiltration over sound which uses frequencies outside the normal human speech / hearing range.
  • Audio pre-processing also modulates the amplitude of certain select frequencies with a changing sequence of equalizer patterns so as to disrupt the audio output in a way that any encoding of digital data as audio designed for re-composition of the digital message would be rendered corrupted and unusable.
  • This approach acts as a "jammer" by changing the sound being output subtly. Additionally, a jamming sound can be played on top of output from other programs running on the computer to further disrupt subversive data transfers.
  • Embodiments of the invention which prevent the exfiltration of digital data from a corporate computer system via an optical/video/image/light output which is suitable for machine based re-composition of the digital data can operate outside the visible light spectrum so as not to be detectable by humans. Optical outputs perceptible to humans are also possible.
  • a video signal is any signal which is detectable by image capture devices, sensors, ultraviolet sensors, infrared sensors, transducers or other light or radiation sensing devices, photodetectors such as a charge coupled device (CCD), which devices operate in the wavelength range of: wavelengths below 390 nm; visible light, wavelengths from about 390 to 700 nm; and wavelengths above 700 nm.
  • CCD charge coupled device
  • the range is not limited to the human-visible spectrum of the electromagnetic spectrum. Data transfer mechanisms operating at radio frequencies either side of the light spectrum and beyond may also be
  • Embodiments of the invention include detectors to detect such video signals and prevent the extraction of controlled digital data from a corporate computer system via on-screen output in a manner intended for machine-based re-composition of the digital data rather than human visualisation.
  • Identify and prevent the display of QR codes on the screen - optionally allow up to a configurable maximum 'approved' payload data size to be shown to support use-cases such as QR based ticketing, authorisation and sharing of web-links
  • Figure 16 is a sequence diagram showing a video process involved in extracting data from a computer system protected with an embodiment of the invention.
  • the security system embodying the present invention can use one or more methods for detecting exfiltration data or data being exfiltrated. Examples of detecting data and/or modulation of data for sending as video signals (but may also be applicable for system-generated signals and/or analogous audio signals):
  • the screen is frequently sampled as a graphical screenshot of the image actually visible to the user. This is late-on in the process of graphics preparation to ensure that all manipulations of content shown on screen are included. Intercepting the graphics any earlier presents the threat of postprocessing or direct memory manipulation such as used by full-screen games showing encoded digital data on the screen after the sampling.
  • the sample rate is controlled to minimise impact to the user based on the performance of their system (CPU clock speed, CPU utilisation etc).
  • Sampled screenshots are pre-processed to reduce their size by manipulating brightness, contrast and colour depth. Pre-processed images are analysed for the existence of graphically encoded digital data intended for machine reading and re-composition back to digital form.
  • Video signal or video-like signals include image modulation (modulating a signal to display a video signal on the screen or from a graphics card and prior to display). Video signal or video-like signals also include display parameter modulation.
  • This analysis searches for barcodes, QR codes, colour modulation and brightness / blink encoding over a sequence of screen captures.
  • Other parameters of a video signal may be modulated to encode data.
  • one or more of the RGB components may be modulated as a mechanism for transferring data.
  • QR - Screen Based Data Exfiltration
  • A computer system which has the capability to send a text message encoded as a QR code, which is updated as the message is typed, provides an exfiltration data transfer channel using video signals - see Figure 19.
  • a file can also be encoded into a series of QR codes by simply selecting the file to be read in by the browser.
  • the QR code is generated dynamically within the webpage so the file is not transferred over the network - see Figure 20.
  • the output of the file encoding is displayed as a sequence of QR codes.
  • Figure 21 illustrates a sequence of QR codes which are displayed on a computer system for sequential image capture.
  • the sequence of QR codes can then be scrolled through as they are scanned into the receiver.
  • a file of 500Kb takes around 400 QR codes, but an automatic scroll is provided to sequence through them in the same region of the screen to allow
  • Receiving - image capture
  • To complete the data exfiltration, another computer system is operable to capture the images displayed on the computer system's display screen - see Figure 22.
  • the QR receiver webpage uses the camera of a smartphone simply pointed at the "sending" computer's display screen to capture the QR code. As multiple codes are scanned (see Figure 23), the codes are retained until all of the file parts have been received. This has the effect of a data-blast which is digitally recorded in the receiving browser.
  • the message can be reassembled and decoded to reconstruct the original data then saved as a normal browser download into the Downloads folder on the receiving computer but without the file having been transferred over the network - data has been exfiltrated by video.
  • QR codes have a number of features which are intended to aid their detection and identifying their orientation for successful decoding.
  • Figure 17 illustrates a QR code and components thereof.
  • the first stage identifies the three fixed corner 'position finders' of the QR code.
  • the system scans the image with a cascade classifier to detect these parts of the QR code.
  • the classifier is trained using the Viola-Jones rapid object detection technique which is fast and relatively resistant to the variable scale or size of QR codes.
  • the position finders are a fixed shape: A feature of the corner position finder patterns (see Figure 18) is that there is a ratio in the size of the
  • the position finder results from the cascade classifier and the proportionality search are combined to cross-check and identify the coordinates of the edges of the QR code(s). These can then be processed to determine if they are consistent with the geometry that is required to form a valid QR code.
  • the position finders
  • To form a valid QR code, the position finders must form three corners of a square. Since the two lines formed by joining the three corners must form either a 45 or 90 degree angle, checking this is relatively straightforward. Of the set of position finder candidates found in the first stage, sets of three candidates are looped over and tested for meeting these criteria.
  • the system takes regular screen captures of the computer screen and analyses each screenshot. Using a proximity search / comparison technique, it identifies any sections of the screen which are showing a solid block of colour in a square above a minimum configured size in pixels. When a solid block is found, its position and colour are tracked over time across each screenshot. When a block of the same size and position is detected across multiple screenshots but with a different solid colour, it can be said to be an observation of a potential colour change encoding data. Over more screenshots the process is repeated, and the number of colour changes for each block of solid colour whose size and position remain constant is tracked.
  • a screen colour / brightness modulation alert can be raised and escalated through the alert manager.
  • the security system embodying the present invention can use one or more methods for detecting exfiltration data or data being exfiltrated. Examples of detecting data and/or modulation of data for sending as system-generated signals (but may also be applicable for analogous audio signals and/or analogous video signals):
  • Computer components are monitored and analysed over time to detect subversive data transfer attempts by controlling their state / output.
  • Parameters of their state or output can be modulated to transfer or exfiltrate data.
  • the same approaches to system component signal detection are used as to identify sound based data encoding, but with a longer wavelength / time-window, since the bandwidth is much reduced by the relative lack of depth of input variance from each component.
  • a further approach which can also be used for audio or video signal detection is a least-squares minimisation approach to solve for the predictor coefficient values (i.e. a covariance formulation), simplifying to an autocorrelation function to solve with Gaussian elimination or "Levinson / Durbin" recursion (which solves more efficiently) in which each predictor coefficient is derived in turn to calculate the next coefficient.
  • inputs can be based on CPU usage / signal detections to reduce impact and to selectively rotate the algorithm used.
  • positive detection is passed to the alert manager for onward notification & escalation.
  • the action manager is also operable to hinder the attempt to exfiltrate data.
  • Embodiments of the invention allow optional lock-out of a user from the computer system or entire network after a configurable number of breaches.
  • the user may be allowed to provide an explanation of any on-screen breaches identified and may be advised by a status window or other alert to the user notifying them that the audio output from their computer is being monitored (e.g. system tray flags).
  • the system records the steps the user took prior to and up to the potential breach, dropping older steps as time progresses so as to keep track of recent activity only. Along with screenshots showing what the user was doing, mouse and keyboard input are also tracked and used to annotate the screenshots with mouse-cursor trails and text annotation of the typing the user did when there's a potential breach; these steps are logged with the submission to the
  • Embodiments of the invention operate as a service which runs as a privileged / system account on the user's computer.
  • the user has no capability to interact with this service. They cannot stop the service or change its automatic start-up configuration.
  • a directory of the filesystem dedicated to the program files of examples of the invention is secured for read-write access by the service account and read-only access for other users - particularly the user account used by the employee.
  • Another directory sharing the same permissions is dedicated to storing interim detection output and logging suspected breaches. This location is
  • Examples of the invention use a system tray app which executes as the user logs in and shows status information from the data security system service embodying the invention to the end user. Terminating or otherwise interfering with this process has no impact on the protection of the system - this merely provides awareness to the user that the system is operating and provides information to the employee.
  • Breach Prevention and alert manager
  • the security system administrators have the capability to configure several optional responses which are automatically triggered when a potential data leakage event is identified.
  • the system is capable of locking the workstation and/or locking the OS user account to immediately preserve the session and prevent the user from trying to cover their tracks in any way, such as closing windows, deleting data, disconnecting their PC from the network or performing any other destructive action.
  • the system can optionally notify the user that a suspected breach has been identified, giving the user details of what activity triggered a breach rule and asking them to explain their actions with a justification. This will be used to augment the alert sent to the Information Security Team for review should the user enter one.
  • the security team can optionally configure Screen Safe to mask / obscure the offending portion of the screen. Screen Safe watches for an attempt to display encoded digital data (intended for capture and re-composition) on the screen, it incorporates fast screen capture and analysis to identify the potential data extraction attempt. Screen safe then masks the section of the screen before any leakage can occur.
  • a 'data-transfer suite' provides a working sample generator (and
  • the suite demonstrates the vulnerabilities using web hosted javascript which runs in a normal browser with no unusual, admin or elevated permissions - it acts just like a normal webpage - see Figure 26.
  • Software similar to the Data Transfer Suite can be resident on a computer system and operable to exfiltrate data. When such software operates (modulating data into audio or video, or sending modulated data by audio or video), the modulation, the modulated data and/or the sending of the modulated data is detectable by security systems embodying the present invention.
  • the data security system is installed on workstation PCs by an Information Security Team Administrator or an automated packaging process. It runs a service - "Data Border Service" - whose role is to oversee the data security system embodying the invention.
  • the Service starts a DataBorderDesktop process in the session of anyone who logs onto the machine - see Figure 27. This process is the only process the user can see - i.e. they cannot see DataBorderDesktop processes running in other sessions or the service process. Should the desktop process be stopped, the service will automatically restart it.
  • the user has access to a tray icon showing them the system is operational and providing a link to a website for example which may have more information.
  • Settings screens provide a way for Information Security Team administrators to control the precise behaviour of the monitoring, blocking and alert escalation of examples of the invention. These are locked down for only administrators to configure. Examples are shown in Figures 30 to 34.
  • the screen safe feature sets a threshold which allows codes containing only a small amount of data to be optionally shown untouched - see Figure 35.
  • Codes containing more data than the predetermined threshold are blocked and an alert raised.
  • the Information Security team is notified and optionally a warning can be displayed to the user - see Figure 36.
  • the details of the security alert are written to a security system event log - see Figure 37.
  • An alert is raised to the information security team; according to the settings, the security event is written to the Windows event log and/or a Splunk aggregator log, and/or a warning is shown to the user if desired.
  • the Windows event log entry includes details of the alert - see Figure 41.
  • the sound output is prevented instantaneously as can be seen in the sound analysis screen - see Figure 42.
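The speech-band pre-filter described under Audio Frequency Filtering above, as an added example that is not code from the patent: each frame of audio is transformed, every spectral bin outside an assumed 300 to 3400 Hz speech band is zeroed, and the frame is rebuilt, so a tone near 1 kHz passes while one near 18 kHz is removed before it can reach the sound card. The band limits, the 44.1 kHz sample rate and the 256-sample frame are assumptions; the page quotes no figures.

```python
import cmath
import math

# Assumed speech band in Hz; the patent text names no figures, these are placeholders.
SPEECH_LOW_HZ = 300.0
SPEECH_HIGH_HZ = 3400.0


def dft(frame):
    """Naive O(n^2) discrete Fourier transform of a real-valued frame."""
    n = len(frame)
    return [sum(frame[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def idft(spectrum):
    """Inverse transform; returns the real part since the input frame was real."""
    n = len(spectrum)
    return [(sum(spectrum[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)) / n).real
            for t in range(n)]


def band_limit(frame, sample_rate, low_hz=SPEECH_LOW_HZ, high_hz=SPEECH_HIGH_HZ):
    """Zero every spectral bin whose frequency lies outside [low_hz, high_hz].

    Bins above the Nyquist frequency are mirror images of the lower bins, so
    they are mapped back to their positive frequency before the band test.
    """
    n = len(frame)
    spectrum = dft(frame)
    for k in range(n):
        freq = k * sample_rate / n
        if freq > sample_rate / 2:
            freq = sample_rate - freq
        if not (low_hz <= freq <= high_hz):
            spectrum[k] = 0j
    return idft(spectrum)


def tone(freq_hz, sample_rate, n, amplitude=1.0):
    """Constructed test input: a single sinusoid of the given frequency."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * t / sample_rate) for t in range(n)]


def mean_power(frame):
    """Average power of a frame (0.5 for a unit-amplitude tone)."""
    return sum(s * s for s in frame) / len(frame)


def residual_power(freq_hz, sample_rate=44100, n=256):
    """Power that survives the pre-filter for a unit-amplitude tone at freq_hz.

    Tones exactly on a DFT bin give clean results; off-bin tones leak a little
    energy into neighbouring bins, which a windowed, overlapped filter would
    handle in a production implementation.
    """
    return mean_power(band_limit(tone(freq_hz, sample_rate, n), sample_rate))


if __name__ == "__main__":
    # Bin 6 (~1034 Hz) lies inside the speech band, bin 104 (~17.9 kHz) outside it.
    print("speech-band tone:", round(residual_power(6 * 44100 / 256), 4))
    print("ultrasonic tone :", round(residual_power(104 * 44100 / 256), 8))
```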
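The two-stage position-finder check described above (a ratio search along the pixels, then the square-geometry test over triples of candidates), as an added example not taken from the patent: `finder_centres_in_row` looks for the standard 1:1:3:1:1 dark/light run ratio of a QR finder pattern along one row of binarised pixels, and `qr_candidates` loops over triples of candidate centres and keeps those that form three corners of a square (a right angle with equal legs, so the other angles are 45 degrees). The cascade classifier stage is not reproduced; the sample row, centre coordinates and tolerances are constructed.

```python
import itertools
import math

# Standard QR finder pattern: dark-light-dark-light-dark runs in the ratio 1:1:3:1:1
# (the patent text refers to this size ratio without quoting the figures).
FINDER_RATIO = (1, 1, 3, 1, 1)


def row_runs(row):
    """Run-length encode one row of binary pixels (1 = dark, 0 = light)."""
    runs = []
    start = 0
    for i in range(1, len(row) + 1):
        if i == len(row) or row[i] != row[start]:
            runs.append((row[start], start, i - start))
            start = i
    return runs


def finder_centres_in_row(row, tolerance=0.5):
    """Return (centre_x, module_px) for every 1:1:3:1:1 run sequence in the row."""
    runs = row_runs(row)
    found = []
    for i in range(len(runs) - 4):
        window = runs[i:i + 5]
        if [value for value, _, _ in window] != [1, 0, 1, 0, 1]:
            continue
        lengths = [length for _, _, length in window]
        module = sum(lengths) / 7.0          # one module = total width / 7
        if module < 1.0:
            continue
        if all(abs(length - ratio * module) <= tolerance * module
               for length, ratio in zip(lengths, FINDER_RATIO)):
            centre = window[0][1] + sum(lengths) / 2.0
            found.append((centre, module))
    return found


def square_corners(p1, p2, p3, tolerance=0.1):
    """True if the three points can be three corners of one square.

    One point must be the right-angle corner with equal-length legs to the
    other two; the remaining angles are then 45 degrees, which is the geometry
    check described in the text.
    """
    pts = (p1, p2, p3)
    for i in range(3):
        corner, a, b = pts[i], pts[(i + 1) % 3], pts[(i + 2) % 3]
        ax, ay = a[0] - corner[0], a[1] - corner[1]
        bx, by = b[0] - corner[0], b[1] - corner[1]
        la, lb = math.hypot(ax, ay), math.hypot(bx, by)
        if la == 0 or lb == 0:
            return False                   # coincident candidates, no square
        if abs(la - lb) > tolerance * max(la, lb):
            continue                       # legs differ too much for this corner
        cosine = (ax * bx + ay * by) / (la * lb)
        if abs(cosine) <= tolerance:       # ~90 degrees between the legs
            return True
    return False


def qr_candidates(centres, tolerance=0.1):
    """Loop over every triple of finder candidates; keep the square-consistent ones."""
    return [triple for triple in itertools.combinations(centres, 3)
            if square_corners(*triple, tolerance=tolerance)]


# Constructed sample row: one finder pattern at module size 2 starting at x = 3.
SAMPLE_ROW = [0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, 0, 0]
# Constructed finder-centre candidates: three real corners plus one false positive.
SAMPLE_CENTRES = [(10, 10), (110, 10), (10, 110), (300, 40)]

if __name__ == "__main__":
    print(finder_centres_in_row(SAMPLE_ROW))   # [(10.0, 2.0)]
    print(qr_candidates(SAMPLE_CENTRES))       # the one square-consistent triple
```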
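The solid-colour block tracking across screenshots described above, as an added example that is not the patent's code: `solid_blocks` finds uniform squares at or above a configured minimum size in one screenshot, and `ColourChangeTracker` counts colour changes of blocks whose size and position stay fixed from one capture to the next, reporting a block once its change count reaches a threshold (the point at which the text raises a screen colour / brightness modulation alert). The 8x8 frames, the block position and the threshold of three changes are constructed.

```python
WHITE, RED, GREEN, BLUE = (255, 255, 255), (255, 0, 0), (0, 255, 0), (0, 0, 255)


def _uniform_square(frame, visited, x, y, side):
    """True if the side x side square at (x, y) is one colour and not yet claimed."""
    colour = frame[y][x]
    for yy in range(y, y + side):
        row = frame[yy]
        for xx in range(x, x + side):
            if visited[yy][xx] or row[xx] != colour:
                return False
    return True


def solid_blocks(frame, min_size):
    """Find solid-colour squares of at least min_size pixels per side.

    Scans in raster order, grows the largest uniform square from each
    unclaimed pixel and claims it; returns (x, y, side, colour) for the
    squares that reach the configured minimum size.
    """
    height, width = len(frame), len(frame[0])
    visited = [[False] * width for _ in range(height)]
    blocks = []
    for y in range(height):
        for x in range(width):
            if visited[y][x]:
                continue
            side = 1
            while (y + side < height and x + side < width
                   and _uniform_square(frame, visited, x, y, side + 1)):
                side += 1
            for yy in range(y, y + side):
                for xx in range(x, x + side):
                    visited[yy][xx] = True
            if side >= min_size:
                blocks.append((x, y, side, frame[y][x]))
    return blocks


class ColourChangeTracker:
    """Track blocks across screenshots; count colour changes at a fixed size/position."""

    def __init__(self, min_size=3, alert_changes=3):
        self.min_size = min_size
        self.alert_changes = alert_changes
        self.state = {}  # (x, y, side) -> [last_colour, change_count]

    def observe(self, frame):
        """Feed one screenshot; return the block keys that reached the threshold."""
        alerts = []
        for x, y, side, colour in solid_blocks(frame, self.min_size):
            key = (x, y, side)
            if key not in self.state:
                self.state[key] = [colour, 0]
                continue
            entry = self.state[key]
            if colour != entry[0]:
                entry[0] = colour
                entry[1] += 1
                if entry[1] >= self.alert_changes:
                    alerts.append(key)
        return alerts


def make_frame(block_colour, size=8, block_at=(4, 4), block_side=3):
    """Constructed screenshot: white background with one solid square on it."""
    frame = [[WHITE] * size for _ in range(size)]
    bx, by = block_at
    for y in range(by, by + block_side):
        for x in range(bx, bx + block_side):
            frame[y][x] = block_colour
    return frame


def first_alert_frame(block_colours, min_size=3, alert_changes=3):
    """Index of the first screenshot that raises an alert, or None if none does."""
    tracker = ColourChangeTracker(min_size, alert_changes)
    for index, colour in enumerate(block_colours):
        if tracker.observe(make_frame(colour)):
            return index
    return None


if __name__ == "__main__":
    print(first_alert_frame([RED, GREEN, BLUE, RED, GREEN]))  # 3
    print(first_alert_frame([RED] * 5))                       # None (static block)
```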
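The autocorrelation / Levinson-Durbin predictor approach named above for system-component (and audio or video) signals, as an added example not taken from the patent: the recursion derives each predictor coefficient in turn from the autocorrelation, and the prediction gain (signal energy over residual energy) separates a structured, carrier-like component trace from ordinary jitter. The 1024-sample window, the predictor order of 4 and the gain threshold of 10 are assumptions; both traces are constructed.

```python
import math
import random


def autocorrelation(samples, order):
    """Biased autocorrelation r[0..order]; biased so the Toeplitz system stays
    positive semi-definite and the recursion below cannot blow up."""
    n = len(samples)
    return [sum(samples[i] * samples[i + lag] for i in range(n - lag))
            for lag in range(order + 1)]


def levinson_durbin(r, order):
    """Solve the autocorrelation normal equations for A(z) = 1 + sum a[j] z^-j.

    Each reflection coefficient k is derived from the coefficients found so
    far, as the text describes; returns (a, final_error) where final_error
    is the energy left after prediction.
    """
    a = [0.0] * (order + 1)
    a[0] = 1.0
    error = r[0]
    if error <= 0.0:
        return a, 0.0
    for i in range(1, order + 1):
        acc = r[i] + sum(a[j] * r[i - j] for j in range(1, i))
        k = -acc / error
        updated = a[:]
        updated[i] = k
        for j in range(1, i):
            updated[j] = a[j] + k * a[i - j]
        a = updated
        error *= (1.0 - k * k)
        if error <= 1e-12 * r[0]:
            break                 # signal is (numerically) perfectly predictable
    return a, error


def prediction_gain(samples, order=4):
    """Ratio of signal energy to residual energy: ~1 for noise, large for structure."""
    r = autocorrelation(samples, order)
    if r[0] == 0.0:
        return 1.0
    _, error = levinson_durbin(r, order)
    return r[0] / max(error, 1e-12 * r[0])


def looks_structured(samples, order=4, threshold=10.0):
    """Detection rule: a monitored component trace with high prediction gain
    carries a carrier-like pattern rather than ordinary operating jitter."""
    return prediction_gain(samples, order) >= threshold


# Constructed traces, 1024 samples each; a longer window suits the low-bandwidth
# component signals the text mentions. Seeded so the result is repeatable.
_rng = random.Random(1)
NOISE_TRACE = [_rng.uniform(-1.0, 1.0) for _ in range(1024)]
CARRIER_TRACE = [math.sin(2 * math.pi * 0.05 * t) + 0.05 * _rng.uniform(-1.0, 1.0)
                 for t in range(1024)]

if __name__ == "__main__":
    print("noise gain   :", round(prediction_gain(NOISE_TRACE), 3))
    print("carrier gain :", round(prediction_gain(CARRIER_TRACE), 1))
    print("structured?  :", looks_structured(NOISE_TRACE), looks_structured(CARRIER_TRACE))
```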

Abstract

A data security system and method for identifying attempted unauthorised data transfer from a computer system, the computer system having: one or more components for conducting normal operation of the computer system; an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data, wherein the data security system comprises: a detector to detect one or more of: a) operation of the exfiltration data modulator to modulate data with the modulation technique; b) data on the computer system modulated with the modulation technique; c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system.

Description

Title: A Security System and Method
This invention relates to a security system and method for monitoring and/or detecting and/or preventing data security breaches in a computer system.
Background
Security conscious organisations provide a controlled environment for their computer systems and make it as difficult as possible for data to leave their carefully controlled environment. Such organisations invest heavily in processes and systems to stop employees/consultants/contractors from removing data (data exfiltration). Examples of sensitive data include but are not limited to confidential information, client contact lists, engineering designs, know-how documentation, regulatory and compliance information, business documentation, intellectual property, proprietary trading algorithms and many other forms of data.
Known security solutions have focussed on protecting conventional data storage and data transfer media through which corporate data can be extracted, such as USB drives, disk drives, email scanning, web traffic monitoring, securing and locking down remote access and mobile communication sandboxes, monitoring printing, network firewalls and content tagging & tracking. Data Leakage Prevention software has been established and protects against data transfer over and from computer end-points such as USB, network, disk drives and communication ports. These end-points are digital in nature and offer native data transfer. Data Leakage Prevention software can operate to disable the data transfer at the end-points: for example, in response to inappropriate accessing of a USB drive, the USB drive is disabled.
The above described systems do not prevent other data transfer channels which can be exploited by unauthorised personnel. Examples of the claimed invention seek to guard against unauthorised personnel exploiting other data channels.
Accordingly, one aspect of the present invention provides a data security system for identifying attempted unauthorised data transfer from a computer system, the computer system having:
one or more components for conducting normal operation of the computer system;
an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and
a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data, wherein the data security system comprises:
a detector to detect one or more of:
a) operation of the exfiltration data modulator to modulate data with the modulation technique;
b) data on the computer system modulated with the modulation technique;
c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system.
Preferably, the detector is implemented as a software service installed on the computer system.
Another aspect of the present invention provides a computer system in combination with a data security system for identifying attempted unauthorised data transfer from the computer system, the computer system having:
one or more components for conducting normal operation of the computer system;
an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and
a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data, wherein the data security system comprises:
a detector to detect one or more of:
a) operation of the exfiltration data modulator to modulate data with the modulation technique;
b) data on the computer system modulated with the modulation technique;
c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system.
Another aspect of the present invention provides a method of monitoring the functionality of a computer system to identify attempted unauthorised data transfer from the computer system, the computer system comprising: one or more components for conducting normal operation of the computer system;
an exfiltration data modulator to modulate, exfiltration data comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and
a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data, the method comprising: detecting one or more of:
a) operation of the exfiltration data modulator to modulate data with the modulation technique;
b) data on the computer system modulated with the modulation technique;
c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system.
A further aspect of the present invention provides a machine-accessible medium having instructions stored thereon that, when executed, cause a machine to:
monitor the functionality of a computer system to identify attempted unauthorised data transfer from the computer system, the computer system comprising: one or more components for conducting normal operation of the computer system; an exfiltration data modulator to modulate, exfiltration data comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data; and
detect one or more of:
a) operation of the exfiltration data modulator to modulate data with the modulation technique;
b) data on the computer system modulated with the modulation technique;
c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system.
These aspects of the invention, including a data security system embodying the present invention, seek to protect a computer system against data loss / leakage / exfiltration from the protected computer system through one or more of: encoded sound output; encoded screen output; and/or manipulation of system components to output encoded data.
Brief description of the drawings:
In order that the present invention may be more readily understood, embodiments of the invention will now be described, by way of example, with reference to the accompanying drawings, in which:
Figure 1 is a schematic diagram illustrating data transfer or data channel air-gap weaknesses being exploited in a computer system;
Figure 2 is a schematic representation of a computer system with audio and video output channels which the system protects from digital data leakage highlighted;
Figure 3 is a sequence diagram showing an audio process involved in extracting data from an unprotected computer system, without an embodiment of the invention;
Figure 4 is a sequence diagram showing a video process involved in extracting data from an unprotected computer system, without an embodiment of the invention;
Figure 5 is a sequence diagram showing a system component process involved in extracting data from an unprotected computer system, without an embodiment of the invention
Figure 7 is a sequence diagram showing an audio process involved in extracting data from a computer system protected with an embodiment of the invention;
Figure 8 illustrates an exemplary spectrogram to highlight and detect risk-associated exfiltration data modulation in examples of the invention;
Figure 9 illustrates examples of detectable PSK modulation;
Figure 10 illustrates a mechanism for sending data as sound (either to provide data transfer or to create samples including data encoded as audio);
Figures 19-24 illustrate examples of data exfiltration by video:
Figure 19 illustrates a text message being encoded as a QR code;
Figure 20 illustrates a data file being encoded into a series of QR codes;
Figure 21 illustrates a sequence of QR codes which are displayed on a computer system for sequential image capture;
Figure 22 illustrates the capturing of an image displayed on a computer system's display screen;
Figure 23 illustrates the capturing of a sequence of images displayed on a computer system's display screen;
Figure 24 illustrates the capturing of a sequence of images displayed on a computer system's display screen;
Figure 25 is a sequence diagram showing a system process involved in extracting data from a computer system protected with an embodiment of the invention;
Figure 26 illustrates a 'data-transfer suite' to exfiltrate data by audio or video data transfer;
Figure 27 illustrates a data security system embodying the present invention implemented as a desktop process running on a computer system being protected;
Figures 28 and 29 illustrate the system of Figure 27 viewable by a system administrator;
Figures 30-34 illustrate examples of setting menus which can be tailored to alter the detection / action / alert functions of security systems embodying the invention;
Figure 35 illustrates an attempted video data transfer below a threshold;
Figure 36 illustrates an attempted video data transfer above the threshold;
Figure 37 illustrates a security alert being written to an event log maintained by a security system embodying the present invention;
Figure 38 illustrates an attempted data transfer by video being blocked;
Figure 39 illustrates "Normal" sound being analysed (bottom right corner) by a security system embodying the present invention;
Figure 40 illustrates a security system embodying the present invention detecting encoded data being attempted to be output as audio and blocking said attempt;
Figure 41 illustrates a security alert being written to an event log maintained by a security system embodying the present invention;
Figure 42 illustrates a sound analysis screen implemented in a security system embodying the present invention;
Figure 43 illustrates a system-wide mute of audio output applied by a security system embodying the present invention;
Figures 44 and 45 illustrate system component monitoring implemented by a security system embodying the present invention; and
Figure 46 illustrates a high level status of the protections enabled/disabled and a summary of the alerts and warnings raised as implemented by a security system embodying the present invention.
Description of examples of the invention
Examples of the invention are set out below. The examples relate to a data security system for identifying attempted unauthorised data transfers from a protected computer system. The computer system is a conventional computer system such as a desktop PC which may or may not be networked. A mechanism is required to prevent unauthorised digital data leakage and theft of sensitive data such as intellectual property or transaction information from the corporate computer environment without disrupting usage of the computer system's functionality for legitimate and authorised business purposes. The term computer system relates to an otherwise conventional computing device which typically has a case housing internal components such as power supply unit, processors, communication buses, hard drive or solid state drive, memory devices, graphics cards, cooling fan, heat sinks, wire loom and other components which may be integral with the casing or external of the casing such as computer peripherals which connect (wired or wirelessly: WiFi,
Bluetooth, RF, Induction, optically connected) to the device such as screen, keyboard, mouse, USB ports, speakers, headset, microphone, telephone headset and a printer, for example. The computing device may also be connected to one or more further displays, a trackpad, drafting tablet, network router, network switch, WiFi extender. This is not an exclusive list of the components of a computer system. The components of the computer system give the computer system functionality and allow it to operate normally.
Large corporate organisations and enterprises [Banks, Insurance, Healthcare, Industrials...] want to prevent their data from leaving the controlled environment of their computer systems. These entities invest heavily in processes and systems to stop staff or unauthorised personnel from removing sensitive data, be it client contact lists, designs, proprietary trading algorithms or any other IP - this is data exfiltration. To date security solutions have focussed on protecting clear data channels through which sensitive data can be exfiltrated such as USB drives, removable/external disk drives, email scanning, web traffic monitoring, securing and locking down remote access and mobile communication sandboxes, monitoring printing, network firewalls and content tagging & tracking.
Such computer end-points (USB, network, disk drives and ports) are designed for transferring digital data, and have become protected as enterprises have rolled out Data Leakage Prevention software. These "other" end-points are digital in nature and support straightforward native data transfer; the audio and screen approach represents a shift to more involved data encoding and the use of channels intended for other legitimate purposes, which cannot simply be disabled in the way that, for example, access to a USB drive is typically disabled. Figure 1 is a schematic diagram illustrating data transfer or data channel air-gap weaknesses being exploited in a computer system. There are data transfer mechanisms available to bridge "air-gaps" to exfiltrate secure corporate data from systems without connecting to them through traditional user interfaces or data communication channels.
Examples of genres of computer system outputs, interfaces or states which remain open as potential data transfer channels, unmonitored and available for staff or unauthorised personnel to exfiltrate digital data from the corporate computer system are:
1) Sound - audio signals or audio-like signals (vibration/mechanical);
2) Screen - video/image/light/optical signals; and
3) System - system-generated signals (e.g. fan speed modulation).
Data security systems embodying the present invention detect, alert and take action to protect against each of these risk-associated unauthorised data channels. These data security systems are known as, respectively:
1) SoundSafe for tackling audio and audio-like signals;
2) ScreenSafe for tackling video and video-like signals; and
3) SystemSafe for tackling system-generated signals which may be audio or audio-like signals or video or video-like signals.
Figure 2 is a schematic representation of a computer system with audio and video output channels which the system protects from digital data leakage highlighted. The computer system of Figure 2 has a data security system embodying the present invention. A data security system embodying the present invention such as shown in Figure 2 protects against data loss through one or more of audio, screen or system channels. More particularly, a data security system embodying the present invention protects against data loss / leakage / exfiltration from a protected computer system through one or more of: encoded sound output; encoded screen output; and/or manipulation of system components to output encoded data.
1) Sound - Audio signal data exfiltration:
One example - Sensitive data for exfiltration is encoded or modulated as an audio signal which is then played (transmitted or communicated) on a computer system speaker (or component of a computer system operating as a speaker). This audio data output is then external of the computer system and can be captured by a device external to the computer system having a microphone or other suitable sensor. A laptop or smartphone can capture and record the audio data output and demodulate the output to reconstruct the sensitive data. The sensitive data has been exfiltrated from the computer system via sound.
2) Screen - Video signal data exfiltration:
One example - Sensitive data for exfiltration is encoded or modulated as a visual pattern such as a line barcode or, more efficiently, as a QR "Quick-Read" code and displayed on the screen of the computer, from where it can be captured by another device with a camera (again such as a laptop or smartphone) and decoded to reconstruct the sensitive data. The sensitive data has been exfiltrated from the computer system via the screen. Video and audio signals (screen and sound) offer a readily exploitable data leakage channel to exfiltrate sensitive data because of a number of factors which include:
• Advances in computer monitor resolution (more data per square inch of display)
• Development and widespread availability (phone Apps) of visual data encoding methods such as the 2D QR code approach to encoding data
• Advances in smartphone technology with powerful CPUs, sensitive microphones and high-resolution cameras
• The widespread usage of corporate PCs for audio: softphones, conference calling and training material
• IT Security systems fuelling complacency that all data leakage channels are plugged by protecting the simpler 'other' end-points such as locking down USB ports.
3) System - repurposing computer system components for data exfiltration:
Examples of the repurposing of one or more computer system components for data exfiltration, preferably by forms of video or audio signal data exfiltration:
Data can be exfiltrated by controlling components of the computer system in such a way as to emit encoded digital data on unorthodox data transfer channels. Examples include modulating the temperature of the machine or of points on the machine, modulating vibrations caused by the CPU speed, modulating the rotation speed or other parameters of a power supply fan [e.g. "Fansmitter"], and modulating vibrations caused by accessing the hard-drive in patterns. Modulating the controlled flashing/strobing of optical sources to encode exfiltration data can include controlling LEDs such as the caps-lock LED indicator on a keyboard, network status LEDs on LAN/WAN ports, other status indicators like the computer/display power ON/OFF light, charge status lights on the computer and peripherals, the laser or optical source in an optical or laser mouse (which offers a high frequency output which can be readily modulated), and controlling the flashing of screen icons or GUIs or specific areas of the screen.
Other examples include controlling computer system components such as semiconductors to emit modulated RF frequency signals so as to encode exfiltration data in electromagnetic radiation produced from them.
Some of these unorthodox data channels sit neatly in the audio signal category, like the "Fansmitter" which outputs an audio signal and the vibration data channel using mechanical impulses to modulate the exfiltration data. Likewise data channels which modulate the exfiltration data using an optical mechanism, the flashing LED examples, sit neatly in the optical/video category. Some examples like chipset heat/temperature modulation and modulating RF signals sit on the extremes of the audio and optical signal spectrums.
Sensitive data may also be encoded for exfiltration as a digital signature or watermark in audio or video. The signature or watermark may be repeated throughout the audio or video and may or may not be perceptible by the human ear or human eye and may or may not be steganographic. The modulation which is detectable is the encoding of the data into the signature or watermark.
Figures 3 and 4 are sequence diagrams showing respectively the audio and video processes involved in extracting data from a corporate computer system by exploiting the sound and screen data transfer weaknesses. Figure 5 is a sequence diagram showing a system component process involved in extracting data from an unprotected computer system. Figures 3, 4 and 5 are sequence diagrams for a computer system which is not provided with a data security system embodying the invention.
The majority of employee-facing corporate computer systems with data leakage concerns are on a Microsoft Windows based platform. Even where linux / unix are used, these are typically accessed via a Microsoft Windows desktop PC connecting to a datacentre linux / unix server. The examples of the present invention are made with reference to a Microsoft Windows platform. Apple iMac desktops and MacBook laptops are emerging in corporate ecosystems but tend to be in more creative industries. The concepts of the invention are platform and operating system independent. As such, examples of the invention are applicable to protect computer systems on any platforms or operating systems including Apple OS and Apple iOS. Examples of the present invention provide a data security system for identifying attempted unauthorised data transfer from a computer system, the computer system having: one or more components for operation of the computer system; exfiltration data which is sensitive data not intended for unauthorised transfer external of the computer system; an exfiltration data modulator to modulate the exfiltration data into a form suitable for unauthorised transfer external of the computer system and suitable for machine-based demodulation to reconstruct the exfiltration data; and a data transfer mechanism to generate a data output from the computer system, which output comprises a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a data signal suitable for machine-based demodulation to reconstruct the exfiltration data, wherein the data security system comprises: a detector to detect one or more of: data modulated with a risk-associated modulation technique; operation of the exfiltration data modulator to modulate data with a risk-associated modulation technique; and transmission of modulated exfiltration data from the computer system by a data transfer mechanism.
Examples of a data security system embodying the present invention are implemented in software or hardware and are resident on a computer system to protect that computer system from having its data exfiltrated external of the computer system. An important part of a data security system embodying the present invention is a detector which identifies data which is encoded for data transfer by an audio signal, a video signal or by a system-generated signal.
Examples of the invention implement a data security system for identifying attempted unauthorised data transfer from a computer system in which the security system is resident, the computer system having: one or more components for conducting normal operation of the computer system; exfiltration data comprising data not authorised for transfer external of the computer system; an exfiltration data modulator to modulate the exfiltration data with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data. The data security system comprises a detector to detect one or more of:
a) operation of the exfiltration data modulator to modulate data with the modulation technique;
b) data on the computer system modulated with the modulation technique; and
c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system.
Data security systems embodying the present invention include an alert manager to alert the user, an administrator and/or create a system log of detected events, which events may correspond to an attempt to exfiltrate data from a computer system. Data security systems embodying the present invention include an action manager to take action to hinder an attempt to exfiltrate data from a computer system.
The transfer of exfiltration data external of the computer system is not a normal operation of the computer system but is undertaken by unauthorised personnel who are attempting to circumvent safeguards put in place by the administrator or other entity to prevent data exfiltration. Embodiments of the claimed invention detect such unauthorised attempts at data exfiltration - attempts to transfer data in an unauthorised manner. The mechanism of exfiltration, the exfiltration data modulator, is an element of the computer system which is being used in an unauthorised manner to facilitate data transfer external of the computer system.
The exfiltration data modulator may be software or hardware resident on, or accessed from the computer system. A computer system which is protected by a data security system embodying the present invention will be monitored to detect operation of the computer system components as an exfiltration data modulator.
Figure 6 is a schematic diagram illustrating use cases for embodiments of the invention. Data security systems embodying the invention alert attempted data leakage and prevent data leakage from the corporate computer environment via audio and screen based data transfers, without disrupting normal usage of screen and audio for legitimate business purposes. Embodiments of the invention which prevent the exfiltration of digital data from a corporate computer system via an audio/sound output which is suitable for machine based re-composition of the digital data can operate outside the normal human hearing frequency spectrum so are not detectable by humans. Audio outputs within the normal human hearing frequency spectrum are also possible.
An audio signal or audio-like signal is any signal which is detectable by microphones, sensors, transducers or other sensing devices in the frequency range of: below 20Hz, infrasonics; human perceptible frequencies from around 20Hz to 20kHz; and ultrasonics, above 20kHz. The range is not limited to the human-audible spectrum of the electromagnetic spectrum. Data transfer mechanisms operating at frequencies either side of the human-audible spectrum and beyond may also be implemented to attempt to exfiltrate data. Vibration or mechanical contact devices such as telegraph keys (e.g. a mechanical device operable to tap out a signal in Morse code) may also be implemented in or attached to a computer system to attempt to exfiltrate data. Embodiments of the invention include detectors to detect such mechanical signals. Sound signals not only pass through air but also through other media such as the materials from which a computer system is constructed.
Monitoring for vibrations of computer system components is a further detection mechanism embodying the present invention.
Audio-based embodiments can detect suspected data transfer using audio modulated exfiltration data by identifying audio signals having particular forms of modulation:
a. Identify regular patterns of modulated signal attempting to establish a data communication handshake
b. Identify data encoded with amplitude modulation, frequency modulation and/or phase shift keying modulation across the set of sound frequencies the system components are capable of outputting
c. Identify attempts to extract data using other known encoding techniques (text to speech / phonetic alphabet / Morse code etc)
d. Use stream analysis, analytic techniques (e.g. Fourier Transform) and machine learning to identify other data encoding patterns or modulation techniques suitable for outputting digital data over audio
An additional technique to detect suspected data transfer using audio modulated exfiltration data is to identify audio signals from a suspect computer system and conduct a comparative analysis with the audio output of peer computer systems, thereby detecting audio signals which are modulated differently to peer computer systems and identifying anomalous and therefore suspect audio modulated data. Such anomalous data transfer may be logged for review by the alert manager and/or passed to the action manager to take action to disable the entire system or part of the computer system. Detection here is by comparison with peer computer systems.
Figure 7 is a sequence diagram showing an audio process involved in extracting data from a computer system protected with an embodiment of the invention.
Embodiments of the invention allow the normal output of sound as useful and appropriate in a corporate environment (e.g. as needed for training videos, presentations, conference calls over Skype, Webex or GoToMeeting) but alert and/or inhibit any attempt to subvert the audio channel to modulate and transfer sensitive digital data. Embodiments of the invention can advantageously record the details surrounding suspected breaches attempting to output digital data encoded as audio from a protected computer and retain the recording of any suspected breach for later review, further analysis, action and as evidence. Logged data can be: a record of the sound being output, explanations of which audio protection analysis rules were fired and analysis documentation such as graphic equaliser visualisations; track which running applications / programs are producing sound; track other actions on the computer system, particularly which files have been recently accessed to identify the data which the employee is attempting to extract; take screen-captures from the computer system and automatically annotate with the actions the user was taking at the time of the suspected data leakage breach such as mouse movement and key-strokes.
Embodiments of the invention can instantaneously act to produce a real-time alert to the Information Security Team / management team and, if configured to do so, take inhibiting actions to block sound output completely, selectively mute the offending audio output or smother the suspect audio output with white noise to render the suspect output non-identifiable. Examples of the invention are implemented with one or more of the following functionalities:
Audio Detection
• analyse for known audio signal data encoding patterns - frequency/amplitude modulation
o (amplitude and frequency spectrum analysis with Fourier transform)
• signal processing to detect subversive data (unknown patterns):
o (analysis, machine learning, windowing)
o (linear prediction modelling and the general difference equation for linear systems to calculate a set of coefficients which provide an estimate - or a prediction - for a forthcoming output sample based on sampling audio output so far - correct predictions [i.e. a low prediction error] identifying that a data encoding signalling pattern is in use.)
Audio Prevention - action manager
• (pro-active) audio frequency filtering - details
o (Kaiser windowing to build a non-recursive (low-pass) filter from specifications of the stop-band ripple and the width of the transition region. Use of the Butterworth formulae to design recursive filtering using cascaded second-order sections, with transformation into high-pass and band-pass filters)
• (pro-active) Play a dynamic audio jamming pattern
o (output disruptive noise across the frequency range, varying amplitude and phasing)
• prevent audio output of offenders (selective / fully mute)
Sampled sound data is represented in examples of the invention as a spectrogram of amplitude per frequency which can be visualised and analysed for indications of encoded digital data intended for machine reconstruction. Time-sliced sections of captured sound can visualise the audio data and analysis is used to find patterns. Figure 8 illustrates an exemplary spectrogram to highlight and detect risk-associated exfiltration data modulation in examples of the invention.
The security system embodying the present invention can use one or more methods for detecting exfiltration data or data being exfiltrated. Examples of detecting data and/or modulation of data for sending as audio (but may also be applicable for system-generated signals and/or analogous video signals):
Frequency Modulated Data Sound Detection Logic
In a worker thread, sample the sound being output by the computer via a loop-back from the sound-card output device. Take the samples at a sufficiently granular period so as to capture the full range of frequencies to be analysed (up to 20000Hz for example). Produce a frequency mapping with a fast Fourier transform to provide a spectrum of frequency buckets, each with an amplitude (100 buckets for example). Using a square root scaling methodology for boosting, determine the peak bucket index which is above a prescribed amplitude threshold.
If there is a single hot-spot in the frequency range while other parts of the spectrum are at fairly low levels, this is indicative of a single observation/occurrence of a controlled frequency peak. The system keeps track of previous peaks and tracks how close this peak is to previous frequency peak buckets. Peaks very close together are determined to be part of the same signal peak, as our sampling granularity of 100 buckets is typically much finer than can be reliably read with commodity speaker / microphone equipment across this frequency range. The system counts the number of occurrences of the same or similar peaks which are observed in sequence between successive samples. When the number of occurrences reaches a predetermined level or threshold, this is classified as an observed intended control of the output frequency.
When a peak of a different frequency is observed, the same rules for background noise / other hot-spots in the frequency range and number of occurrences apply and are tracked. The time between multiple controlled frequency peaks, each with sufficient continuous observations and sufficiently different frequencies, is also observed. With this time between chained tones below the prescribed threshold and all of the above rules satisfied, we can raise an alert that the system has identified frequency modulation based data encoding, without raising false positives for normal audio activity intended for human reception, which would not meet the above rules.
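The frequency-peak tracking described above, as an added worked example (not the patent's own code): a direct DFT into 100 buckets with square-root scaling, a lone hot-spot test, persistence counting of the same peak, and time-chaining of distinct controlled tones. The 8 kHz capture rate, 256-sample frames, all thresholds and the constructed two-tone and noise inputs are assumptions of this example.

```python
import cmath
import math
import random

SAMPLE_RATE = 8000   # assumption: loop-back capture rate in Hz
FRAME = 256          # samples per analysis window
N_BUCKETS = 100      # frequency buckets, as in the description
BUCKET_HZ = (SAMPLE_RATE / 2) / N_BUCKETS   # 40 Hz per bucket here


def bucket_spectrum(frame):
    """Amplitude per bucket: a direct DFT evaluated at each bucket centre
    (Horner form), square-root scaled to boost weak components."""
    n = len(frame)
    amps = []
    for b in range(N_BUCKETS):
        w = cmath.exp(-2j * math.pi * (b + 0.5) * BUCKET_HZ / SAMPLE_RATE)
        acc = 0j
        for x in reversed(frame):        # acc = sum(x[i] * w**i)
            acc = acc * w + x
        amps.append(math.sqrt(abs(acc) / n))
    return amps


def dominant_peak(amps, threshold=0.3, isolation=0.3):
    """Index of the peak bucket when it is a lone hot-spot: above the
    amplitude threshold while the rest of the spectrum stays comparatively
    quiet. None for silence, noise or broadband audio."""
    peak = max(range(len(amps)), key=amps.__getitem__)
    if amps[peak] < threshold:
        return None
    rest = [a for i, a in enumerate(amps) if abs(i - peak) > 1]
    if sum(rest) / len(rest) > isolation * amps[peak]:
        return None
    return peak


class FmToneDetector:
    """Counts how long a peak persists, chains distinct controlled tones
    that follow each other closely in time, and alerts on a long chain."""
    MIN_RUN = 3          # frames a peak must persist to be a controlled tone
    MIN_SEPARATION = 3   # buckets: closer peaks are treated as the same tone
    MAX_GAP = 8          # frames allowed between chained controlled tones
    ALERT_CHAIN = 4      # chained distinct tones needed to raise an alert

    def __init__(self):
        self.frame_no = -1
        self.run_bucket, self.run_len = None, 0
        self.last_bucket, self.last_end = None, None
        self.chain = 0

    def feed(self, frame):
        """Process one frame of samples; True when an FM alert is raised."""
        self.frame_no += 1
        peak = dominant_peak(bucket_spectrum(frame))
        if peak is None:                 # no controlled peak in this frame
            self.run_bucket, self.run_len = None, 0
            return False
        if self.run_bucket is not None and abs(peak - self.run_bucket) <= 1:
            self.run_len += 1            # same tone still sounding
        else:
            self.run_bucket, self.run_len = peak, 1
        if self.run_len < self.MIN_RUN:
            return False
        if self.run_len == self.MIN_RUN:
            # A new controlled tone: chain it when it differs from the last
            # tone and starts soon enough after that tone ended.
            start = self.frame_no - self.MIN_RUN + 1
            if (self.last_bucket is not None
                    and abs(peak - self.last_bucket) >= self.MIN_SEPARATION
                    and start - self.last_end <= self.MAX_GAP):
                self.chain += 1
            else:
                self.chain = 1
            self.last_bucket = peak
        self.last_end = self.frame_no
        return self.chain >= self.ALERT_CHAIN


def detect_fm(samples):
    """Run the detector frame by frame over a recording."""
    det = FmToneDetector()
    return any(det.feed(samples[i:i + FRAME])
               for i in range(0, len(samples) - FRAME + 1, FRAME))


# Constructed test inputs (synthetic, not recordings).
def tone(freq_hz, n, amp=0.8):
    return [amp * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)
            for i in range(n)]


def two_tone_signal(bits="10110010", symbol_frames=4):
    """Tones at bucket centres 25 and 50 (1020 Hz / 2020 Hz), one per bit:
    the controlled frequency switching the detector looks for."""
    f0, f1 = 25.5 * BUCKET_HZ, 50.5 * BUCKET_HZ
    out = []
    for bit in bits:
        out += tone(f1 if bit == "1" else f0, symbol_frames * FRAME)
    return out


def white_noise(n, seed=7):
    rng = random.Random(seed)
    return [rng.uniform(-0.8, 0.8) for _ in range(n)]
```

A steady single tone registers one controlled tone but never chains, so it does not alert; tones separated by silence longer than MAX_GAP restart the chain.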
Amplitude Modulated Data Sound Detection Logic
In a worker thread, sample the sound being output by the computer via a loop-back from the sound-card output device.
Instead of processing the sound being output into strength by frequency range, process the raw samples of immediate amplitude into a total volume level sample and track this value over time. Each sampled amplitude value is grouped into binned values (1-4, low to high) and a history is maintained in memory. The detection algorithm loops back over the sample history to detect whether the same binned amplitude value is set for a relatively consistent amount of time (i.e. number of samples) fairly regularly over the recent history. So the history is aggregated to count the number of identical amplitude value bin observances, and when the amplitude changes that group is closed. When more than a set proportion of constant amplitude observances fall within a small (say 6) group of broadly similar observance lengths, we alert that amplitude modulation has been detected.
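The amplitude-binning and run-length grouping logic above, as an added example (not from the patent): RMS volume per 64-sample window, bins 1-4, a group closed on every level change, and the "few broadly similar durations" rule. The window size, bin edges, the 6-cluster / 80% rule, the 1 kHz carrier and the constructed inputs are assumptions of this example.

```python
import math

SAMPLE_RATE = 8000    # assumption: loop-back capture rate in Hz
WINDOW = 64           # samples aggregated into one volume level (assumption)
CARRIER_HZ = 1000     # carrier used by the constructed test signals


def volume_levels(samples, window=WINDOW):
    """Collapse raw samples into one RMS volume value per window."""
    return [math.sqrt(sum(x * x for x in samples[i:i + window]) / window)
            for i in range(0, len(samples) - window + 1, window)]


def bin_level(volume, full_scale=0.6):
    """Quantise a volume into bins 1 (quiet) .. 4 (loud)."""
    return min(4, 1 + int(4 * volume / full_scale))


def amplitude_runs(bins):
    """Group consecutive identical bins as [(bin, length_in_windows), ...].
    A group is closed as soon as the amplitude bin changes."""
    runs = []
    for b in bins:
        if runs and runs[-1][0] == b:
            runs[-1][1] += 1
        else:
            runs.append([b, 1])
    return [(b, n) for b, n in runs]


def length_cluster(length, ratio=1.25):
    """Run lengths within about a quarter of each other share a cluster."""
    return round(math.log(length) / math.log(ratio))


def detect_am(samples, max_clusters=6, proportion=0.8, min_runs=8):
    """Alert when most constant-amplitude runs have one of a few similar
    durations, i.e. the level is being switched on a regular symbol clock."""
    runs = amplitude_runs([bin_level(v) for v in volume_levels(samples)])
    if len(runs) < min_runs:
        return False
    counts = {}
    for _, length in runs:
        key = length_cluster(length)
        counts[key] = counts.get(key, 0) + 1
    top = sorted(counts.values(), reverse=True)[:max_clusters]
    return sum(top) / len(runs) >= proportion


# Constructed test inputs (synthetic, not recordings).
LEVEL_AMPLITUDE = {1: 0.2, 2: 0.4, 3: 0.6, 4: 0.8}   # bin -> sine amplitude


def level_signal(schedule):
    """schedule: [(bin, windows)]; the carrier is held at each level in turn."""
    out = []
    for level, windows in schedule:
        amp = LEVEL_AMPLITUDE[level]
        out += [amp * math.sin(2 * math.pi * CARRIER_HZ * i / SAMPLE_RATE)
                for i in range(windows * WINDOW)]
    return out


def am_encoded(symbols="143241234123", symbol_windows=16):
    """Four-level amplitude keying on a fixed symbol clock."""
    return level_signal([(int(s), symbol_windows) for s in symbols])


def irregular_levels():
    """Level changes with no regular timing: durations are successive primes,
    the kind of variation ordinary audio shows."""
    primes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]
    levels = [1, 3, 2, 4]
    return level_signal([(levels[i % 4], p) for i, p in enumerate(primes)])
```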
Phase Shift Key Modulated Data Sound Detection Logic
In a worker thread, sample the sound being output by the computer via a loop-back from the sound-card output device. The raw output is monitored before analysing for waveforms by frequency or binning for amplitude modulation. A short history of, say, 20 samples is tracked in raw sample form. Using extrapolation techniques, particularly polynomial extrapolation, attempt to estimate the value the sample would be expected to have were a normal audio waveform to continue playing.
When an abrupt difference between the correctness of previous predictions and this prediction is observed, record the event as an instance of suspected phase shift keying and track its timing. The abrupt shift is validated if a similarly matching waveform (i.e. polynomial coefficients) can be produced from data sampled after the abrupt shift, in isolation from the samples preceding the abrupt shift. If it can, mark the shift as a validated phase shift.
When a significant number of validated phase shifts are observed over a pre-determined period of time, we can alert that we have identified PSK modulation based data encoding. Figure 9 illustrates examples of detectable PSK modulation.
This technique can be used to detect binary phase shift keying (e.g. Manchester Code) and higher order phase shift keying without needing to know the clock / transmission speed or phasing used.
Data Encoded As Sound Detection With Linear Prediction Modelling
Here we are analysing for an abstract encoded signal rather than using the signature based algorithmic detection techniques described above. To do this the system uses a form of DCT-based spectral interpolation. Signal analysis is performed on the sound being output using linear prediction modelling and the general difference equation for linear systems to calculate a set of coefficients which provide an estimate - or a prediction - for a forthcoming output sample based on the audio output sampled so far; correct predictions [i.e. a low prediction error] identify that a data encoding signalling pattern is in use.
Specifically, a least-squares minimisation approach is used to solve for the predictor coefficient values (i.e. a covariance formulation), simplifying to an autocorrelation function to solve with Gaussian elimination or "Levinson / Durbin" recursion (which solves more efficiently), in which each predictor coefficient is derived in turn; the next coefficient is calculated only if needed, based on CPU usage / signal detections, to reduce impact and to selectively rotate the algorithm used so as to make signal encoding designed to circumvent detection much more difficult.
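The autocorrelation formulation and Levinson / Durbin recursion above, as an added example (not the patent's implementation), using the normalised prediction error of each frame as the encoded-signal indicator. The Hamming window, predictor order 8, the 0.1 error threshold, the 8 kHz capture rate and the constructed tone and noise inputs are assumptions of this example.

```python
import math
import random

SAMPLE_RATE = 8000   # assumption: loop-back capture rate in Hz
FRAME = 256          # samples per analysis window
ORDER = 8            # predictor order (assumption)


def hamming(n):
    return [0.54 - 0.46 * math.cos(2 * math.pi * i / (n - 1)) for i in range(n)]


def autocorrelation(frame, order):
    """r[k] = sum_i x[i] * x[i+k] for k = 0..order on a Hamming-windowed
    frame: the autocorrelation formulation the description refers to."""
    x = [xi * wi for xi, wi in zip(frame, hamming(len(frame)))]
    n = len(x)
    return [sum(x[i] * x[i + k] for i in range(n - k)) for k in range(order + 1)]


def levinson_durbin(r):
    """Solve the Toeplitz normal equations for predictor coefficients
    a[1..p] (a[0] == 1), deriving one coefficient per recursion step.
    Returns (a, err) where err is the final prediction error energy."""
    p = len(r) - 1
    a = [1.0] + [0.0] * p
    err = r[0]
    for i in range(1, p + 1):
        if err <= 1e-12 * r[0]:        # already perfectly predictable
            break
        acc = r[i] + sum(a[j] * r[i - j] for j in range(1, i))
        k = -acc / err                 # reflection coefficient
        new_a = a[:]
        for j in range(1, i):
            new_a[j] = a[j] + k * a[i - j]
        new_a[i] = k
        a = new_a
        err *= 1.0 - k * k
    return a, err


def predict_next(history, a):
    """Estimate of the forthcoming sample from the previous len(a)-1 samples."""
    return -sum(a[j] * history[-j] for j in range(1, len(a)))


def normalised_error(frame, order=ORDER):
    """Prediction error energy / signal energy: near 0 when the frame is
    predictable from its own past (tones, keyed carriers), near 1 for
    noise-like audio."""
    r = autocorrelation(frame, order)
    if r[0] == 0.0:
        return 1.0
    _, err = levinson_durbin(r)
    return err / r[0]


def predictable_frames(samples, threshold=0.1):
    """Number of frames whose normalised prediction error is below threshold."""
    frames = (samples[i:i + FRAME]
              for i in range(0, len(samples) - FRAME + 1, FRAME))
    return sum(1 for f in frames if normalised_error(f) < threshold)


def detect_lpc_encoding(samples, min_frames=8):
    """Alert once enough highly predictable frames have been observed."""
    return predictable_frames(samples) >= min_frames


# Constructed test inputs (synthetic, not recordings).
def tone(freq_hz, n, amp=0.8):
    return [amp * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)
            for i in range(n)]


def keyed_tones(bits="10110010", symbol_frames=4):
    """Two-tone keying (1020 Hz / 2020 Hz), one tone per bit."""
    out = []
    for bit in bits:
        out += tone(2020 if bit == "1" else 1020, symbol_frames * FRAME)
    return out


def white_noise(n, seed=7):
    rng = random.Random(seed)
    return [rng.uniform(-0.8, 0.8) for _ in range(n)]
```

Any steady tonal output is equally predictable, so in practice this indicator is combined with the signature-based rules above rather than used alone.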
Data Encoded As Sound Detection With A Neural Network
Using a recurrent neural network to allow feedback and short-term memories of previous sound events, train with a broad corpus of known samples which do not include data encoded as audio and a selection of examples which exhibit amplitude modulated data, frequency modulated data and phase shift keyed data. The 'good' samples are taken from a range of ambient office noise recordings, output from voice-to-text, audio-books and recorded conference calls, conversations, audio from TV and radio broadcasts. The bad samples are taken from implementations of existing known data encoding techniques from research into data transfer over sound and by manipulating data encoding from other platforms / frequencies / carriers into the audio frequency range (e.g. AM radio, FM radio, Wifi, RFID and Bluetooth communication). The output is a classification of whether the sampled sound constitutes an expected instance of data encoded over sound or not, and like the above detection techniques a number of suspected instances in a period of time warrant the raising of an alert.
Data Encoded As Sound Detection With Probabilistic Classifiers And Statistical Learning Methods
A set of Classifiers functions are trained with a broad corpus of samples:
1) known to not include data encoded as audio (conversational speech, music, training material, audio books, presentations and conference calls); and
2) known to include data encoded as audio, e.g. amplitude modulated data, frequency modulated data and phase shift keyed data as the positive training set.
The samples can be created on the computer system which will be secured by the security system embodying the present invention or can be a corpus of samples created on other computer systems. The set of classifiers are a neural network, a support vector machine, the k-nearest neighbour algorithm, a Gaussian mixture model, a naive Bayes classifier and a decision tree.
Each classifier then pattern matches against the sampled audio output by the computer to determine a closest match to positive (i.e. contains encoded data) versus negative (i.e. doesn't contain encoded data). A majority vote is taken across the set of classifier detection techniques to give the overall decision. Positive detections result in an alert being raised to the alert manager framework which in turn will follow its settings-driven user warning, protection actions (e.g. muting sound, locking the computer), notification and escalation. Figure 10 illustrates a mechanism for sending data as sound (either to provide data transfer or to provide samples including data encoded as audio). Simple text data is encoded and broadcast from the sound sending page via the sound card to the computer system's audio speaker / headphones / aux jack. This helps to quickly gauge what frequencies can be sent / received with the current hardware of the computer system at the current levels of ambient background noise. Several presets are provided with varying speed, human audible / inaudible frequencies, susceptibility to background noise and requirements on the speaker and microphone to output / receive those frequencies.
When a reliable / desired set of frequencies has been chosen according to speed, the environmental noise, audio hardware capabilities and whether ultra-sonic non-detectability is desired, a larger file based payload can be sent. Figure 11 illustrates a larger data payload being encoded as audio and Figure 12 shows that encoded data being sent from a computer system (the sender). Simply select the file and it will be output.
Figure 13 shows the sent signals from the sender computer system being received on a different computer which is connected to a different network; the sound receiver webpage is loaded and set to listen to the same frequency range as the sender computer system is broadcasting on. The same presets are available to quickly set the frequency.
As a sound encoded message is received, the frequency peaks can be seen on the graphic equalizer and are decoded to the message. Text based messages are shown in the "received message history".
As a message is being received containing an encoded file, a status message is shown above the graphic equalizer showing the filename and percentage received so far - see Figure 14. Figure 14 illustrates encoded data being received by another computer system. Figure 15 illustrates a complete file message having been fully received from the sender computer system. The file contents are decoded and saved as a normal browser download (to the downloads folder) but without the file having passed over any network. A security system embodying the present invention can implement various safeguards to mitigate the risk of data being encoded as audio and data being transferred external of the computer system by audio for subsequent reception and reconstruction. Configurable proactive sound processing designed to prevent digital data encoded as audio from being output can be set up.
Examples of protection systems embodying the present invention include filtering and disrupting techniques. Examples of disruption techniques which may be employed by the action manager are to disable the audio card of a computer system or to mute the audio signal.
Audio Frequency Filtering:
The security system pre-filters frequencies outside the normal human speech / hearing range making the system less adept at playing music for example, but perfectly adequate for corporate environments. This prevents any data exfiltration over sound which uses frequencies outside the normal human speech / hearing range.
Audio Jamming:
Audio pre-processing also modulates the amplitude of certain select frequencies with a changing sequence of equalizer patterns so as to disrupt the audio output in a way that any encoding of digital data as audio designed for re-composition of the digital message would be rendered corrupted and unusable. This approach acts as a "jammer" by changing the sound being output subtly. Additionally, a jamming sound can be played on top of output from other programs running on the computer to further disrupt subversive data transfers.
Much of the previous description relates to a data security system embodying the invention which prevents data being transferred by an audio signal external of the computer system. This next section of the description concentrates on a data security system embodying the invention which prevents data being transferred by a video signal or video-like signal external of the computer system.
Embodiments of the invention which prevent the exfiltration of digital data from a corporate computer system via an optical/video/image/light output which is suitable for machine based re-composition of the digital data can operate outside the visible light spectrum so as not to be detectable by humans. Optical outputs perceptible to humans are also possible.
A video signal is any signal which is detectable by image capture devices, sensors, ultraviolet sensors, infrared sensors, transducers or other light or radiation sensing devices, or photodetectors such as a charge coupled device (CCD), where such devices operate in the wavelength ranges: below 390 nm; visible light, from about 390 to 700 nm; and above 700 nm. The range is not limited to the human-visible part of the electromagnetic spectrum. Data transfer mechanisms operating at radio frequencies either side of the light spectrum and beyond may also be implemented to attempt to exfiltrate data. Embodiments of the invention include detectors to detect such video signals.
1. Prevent the extraction of controlled digital data from a corporate computer system via on-screen output in a manner intended for machine based re-composition of the digital data rather than human visualisation
a. Identify and prevent the display of QR codes on the screen - optionally allow up to a configurable maximum 'approved' payload data size to be shown to support use-cases such as QR based ticketing, authorisation and sharing of web-links
b. Identify and prevent the display of barcodes on the screen
c. Identify and prevent the approach of flashing the brightness / blinking of the screen (or a subsection of the screen) to transfer encoded digital data (for example Morse-code signalling or the technique used by Electric-Imp)
d. Identify and prevent the transfer of encoded digital data by modulating the colour of the screen or a portion of the screen
2. Allow the normal visual presentation of data: text, graphs, visualisations and videos, but alert on any attempt to subvert the on-screen channel to transfer digital data
3. Record the details surrounding suspected breaches attempting to output digital data encoded on-screen from a protected computer and retain the recording of any suspected breach for later review and further analysis and as evidence
a. Record the explanations of which on-screen protection analysis rules were fired, and analysis documentation such as interim screen processing artefacts
b. Track which running applications / programs are showing data on the screen
c. Track other actions on the computer system, particularly which files have been recently accessed to identify the data which the employee is attempting to extract
d. Take screen-captures of the computer and automatically annotate them with the actions the user was taking at the time of the suspected data leakage breach, such as mouse movement and key-strokes.
4. Instantaneously act to produce a real-time alert to the Information Security Team / management team and if configured to do so block screen output completely or selectively over the affected portion of the screen
5. Optionally lock-out the user from the computer after a configurable number of breaches
6. Optionally allow the user to provide an explanation of any on- screen breaches identified
7. Show a status window to the user notifying them that the screen output from their computer is being monitored (e.g. system tray).
Figure 16 is a sequence diagram showing a video process involved in extracting data from a computer system protected with an embodiment of the invention.
Examples of the invention are implemented with one or more of the following functionalities:
Video Detection
• scanning screen visual output for QR codes or similar
o (full screen scans and partial scans of areas of the screen that have updated)
o (image manipulation, downscaling, perspective transformations, pixel by pixel comparison)
• visual colour modulation or brightness modulation / blinking detection
o (data structures maintaining a comparison of displayed colour / brightness in segmented sections of the screen over time, and applying signal analysis as per the sound approach to detect modulation indicating encoding for data transfer)
Video Prevention - action manager
• Mask screen (full/area) when codes are detected
o (block the portion of the screen displaying a code / blinking with a 'this content is blocked' message; continue to scan the screen notwithstanding this message)
• Mask screen when blinking / colour-shifting is detected
o (as point above)
The security system embodying the present invention can use one or more methods for detecting exfiltration data or data being exfiltrated. Examples of detecting data and/or modulation of data for sending as video signals (but which may also be applicable to system-generated signals and/or analogous audio signals):
Screen Based Breach Protection
The screen is frequently sampled as a graphical screenshot of the image actually visible to the user. This is late in the graphics pipeline, to ensure that all manipulations of content shown on screen are included. Intercepting the graphics any earlier presents the threat of post-processing or direct memory manipulation, such as is used by full-screen games, placing encoded digital data on the screen after the sampling.
The sample rate is controlled to minimise impact to the user based on the performance of their system (CPU clock speed, CPU utilisation etc).
Sampled screenshots are pre-processed to reduce their size by manipulating brightness, contrast and colour depth. Pre-processed images are analysed for the existence of graphically encoded digital data intended for machine reading and re-composition back to digital form.
Video signal or video-like signals include image modulation (modulating a signal to display a video signal on the screen or from a graphics card and prior to display). Video signal or video-like signals also include display parameter modulation.
This analysis searches for barcodes, QR codes, colour modulation and brightness / blink encoding over a sequence of screen captures. Other parameters of a video signal may be modulated to encode data. For example, one or more of the RGB components may be modulated as a mechanism for transferring data.
Examples of data exfiltration by video signals
QR - Screen Based Data Exfiltration. A computer system which has the capability to send a text message encoded as a QR code, which is updated as the message is typed, provides an exfiltration data transfer channel using video signals - see Figure 19.
A file can also be encoded into a series of QR codes by simply selecting the file to be read in by the browser. The QR code is generated dynamically within the webpage, so the file is not transferred over the network - see Figure 20.
The output of the file encoding is displayed as a sequence of QR codes.
Figure 21 illustrates a sequence of QR codes which are displayed on a computer system for sequential image capture. The sequence of QR codes can then be scrolled through as they are scanned into the receiver. A file of 500Kb takes around 400 QR codes, but an automatic scroll is provided to sequence through them in the same region of the screen to allow straightforward capture of the QR codes by the receiver.
Receiving - image capture. To complete the data exfiltration, another computer system is operable to capture the images displayed on the computer system's display screen - see Figure 22. The QR receiver webpage uses the camera of a smartphone simply pointed at the "sending" computer's display screen to capture the QR code. As multiple codes are scanned - see Figure 23, the codes are retained until all of the file parts have been received. This has the effect of a data-blast which is digitally recorded in the receiving browser.
When all of the parts of a file have been received - see Figure 24, the message can be reassembled and decoded to reconstruct the original data then saved as a normal browser download into the Downloads folder on the receiving computer but without the file having been transferred over the network - data has been exfiltrated by video.
QR Code Screen Encoded Data Detection Logic
QR codes have a number of features which are intended to aid their detection and identifying their orientation for successful decoding. Figure 17 illustrates a QR code and components thereof.
The first stage identifies the three fixed corner 'position finders' of the QR code. The system scans the image with a cascade classifier to detect these parts of the QR code. The classifier is trained using the Viola-Jones rapid object detection technique, which is fast and relatively resistant to the variable scale or size of QR codes. The position finders are a fixed shape: a feature of the corner position finder patterns (see Figure 18) is that the black/white/black/white/black sections occur in a fixed ratio of widths (1:1:3:1:1) irrespective of the angle at which the pattern is sampled. Each of the sample angles through this example position identifier pattern has the same ratio. The system can cycle through each pixel in the captured image of the screen (or a sub-screen section) searching for a sequence of black and white runs having this proportionality, by keeping track of the prior pixel colour and a run count. Candidates can then be verified in the direction perpendicular to the direction in which they were originally found (i.e. vertical vs horizontal).
The position finder results from the cascade classifier and the proportionality search are combined to cross-check and identify the coordinates of the edges of the QR code(s). These can then be processed to determine if they are consistent with the geometry that is required to form a valid QR code.
To form a valid QR code, the position finders must form three corners of a square. The two lines joining the corner finder to the other two finders must therefore meet at 90 degrees, and each makes a 45 degree angle with the line joining those two finders, so checking this is relatively straightforward. Of the set of position finder candidates found in the first stage, sets of three candidates are looped over and tested against these criteria.
Upon meeting this test, a further validation using simple geometry (Pythagoras' theorem) on the points is performed. The lines between these points must be of the appropriate lengths for a right-angled isosceles triangle, which eliminates false positives or interference from multiple QR codes displayed on the screen in close proximity.
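The finder-pattern search and geometry test just described, written out as an added example (not the patent's or Data Border's code). It scans a constructed 40 x 40 binary screen image (1 = dark pixel) for the 1:1:3:1:1 run-length ratio of a position finder along each row, cross-checks each hit along the perpendicular column, merges duplicate hits from adjacent rows, then tests every triple of finders for the right-angled isosceles geometry with a Pythagoras check on the hypotenuse. The cascade classifier stage is omitted; the tolerances and the two sample screens are assumptions.

```python
"""QR position-finder detection: 1:1:3:1:1 run-length ratio plus corner geometry.

Added example, not the patent's code.  An image is a list of rows of 0/1 ints
(1 = dark pixel); the sample screens at the bottom are constructed.
"""
import itertools
import math

FINDER_RATIO = (1, 1, 3, 1, 1)   # dark:light:dark:light:dark through a finder

def run_lengths(seq):
    """Run-length encode a 0/1 sequence into (value, start, length) tuples."""
    runs, start = [], 0
    for i in range(1, len(seq) + 1):
        if i == len(seq) or seq[i] != seq[start]:
            runs.append((seq[start], start, i - start))
            start = i
    return runs

def finder_module(five_runs):
    """Module size (px) if five consecutive runs fit 1:1:3:1:1, else None."""
    if [value for value, _, _ in five_runs] != [1, 0, 1, 0, 1]:
        return None
    module = sum(length for _, _, length in five_runs) / 7.0
    tolerance = max(module / 2.0, 0.5)            # assumed tolerance
    for (_, _, length), expected in zip(five_runs, FINDER_RATIO):
        if abs(length - expected * module) > tolerance:
            return None
    return module

def vertical_cross_check(img, x, y, module):
    """Re-test the ratio along column x through row y; return centre y or None."""
    runs = run_lengths([row[x] for row in img])
    for k in range(2, len(runs) - 2):
        value, start, length = runs[k]
        if start <= y < start + length:
            vertical = finder_module(runs[k - 2:k + 3]) if value == 1 else None
            if vertical is None or abs(vertical - module) > module / 2.0:
                return None
            return start + length / 2.0
    return None

def find_position_finders(img):
    """Scan rows for the ratio, confirm each hit vertically, de-duplicate."""
    finders = []
    for y, row in enumerate(img):
        runs = run_lengths(row)
        for i in range(len(runs) - 4):
            module = finder_module(runs[i:i + 5])
            if module is None:
                continue
            _, mid_start, mid_len = runs[i + 2]
            cx = mid_start + mid_len / 2.0
            cy = vertical_cross_check(img, int(cx), y, module)
            # the centre rows of one finder all yield the same centre: keep one
            if cy is not None and not any(abs(fx - cx) <= m and abs(fy - cy) <= m
                                          for fx, fy, m in finders):
                finders.append((cx, cy, module))
    return finders

def qr_corner(a, b, c, rel_tol=0.1):
    """Return (corner, side) if a, b, c form a QR code's right isosceles triangle."""
    for corner, p, q in ((a, b, c), (b, a, c), (c, a, b)):
        ux, uy = p[0] - corner[0], p[1] - corner[1]
        vx, vy = q[0] - corner[0], q[1] - corner[1]
        lu, lv = math.hypot(ux, uy), math.hypot(vx, vy)
        if lu == 0 or lv == 0:
            continue
        right_angle = abs(ux * vx + uy * vy) <= rel_tol * lu * lv
        equal_legs = abs(lu - lv) <= rel_tol * max(lu, lv)
        hyp_sq = (p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2
        pythagoras = abs(hyp_sq - (lu * lu + lv * lv)) <= rel_tol * hyp_sq
        if right_angle and equal_legs and pythagoras:
            return corner, (lu + lv) / 2.0
    return None

def detect_qr_codes(img):
    """[(corner_centre, side_px), ...] for every geometrically consistent triple."""
    centres = [(cx, cy) for cx, cy, _ in find_position_finders(img)]
    hits = [qr_corner(a, b, c) for a, b, c in itertools.combinations(centres, 3)]
    return [h for h in hits if h is not None]

# ---- constructed 40x40 sample screens (assumptions) --------------------------

def draw_finder(img, x0, y0, module):
    """Paint a 7x7-module position finder with top-left pixel at (x0, y0)."""
    for my in range(7):
        for mx in range(7):
            if max(abs(mx - 3), abs(my - 3)) != 2:     # ring 2 is the light separator
                for dy in range(module):
                    for dx in range(module):
                        img[y0 + my * module + dy][x0 + mx * module + dx] = 1

def sample_qr_screen():
    """Three finders at 2 px/module in the top-left, top-right and bottom-left."""
    img = [[0] * 40 for _ in range(40)]
    for x0, y0 in ((2, 2), (24, 2), (2, 24)):
        draw_finder(img, x0, y0, module=2)
    return img

def sample_barcode_screen():
    """1-D bars whose widths contain a 1:1:3:1:1 run; the column check rejects it."""
    img = [[0] * 40 for _ in range(40)]
    x = 5
    for i, width in enumerate((1, 1, 3, 1, 1, 2, 1, 1, 3, 1, 1, 2)):
        if i % 2 == 0:
            for y in range(10, 30):
                img[y][x:x + width] = [1] * width
        x += width
    return img
```

The barcode sample shows why the perpendicular check matters: a 1-D barcode can contain bars in exactly the 1:1:3:1:1 proportion, so the row scan alone would report a finder, but its columns are solid over the bar height and fail the vertical test. On a real capture the image would first be thresholded to 0/1 as described under pre-processing above.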
Colour / Brightness Modulation Screen Encoded Data Detection Logic
The system takes regular screen captures of the computer screen and analyses each screenshot. Using a proximity search / comparison technique, it identifies any sections of the screen which are showing a solid block of colour in a square above a minimum configured size in pixels. When a solid block is found, its position and colour are tracked over time across each screenshot. When a block of the same size and position is detected across multiple screenshots but with a different solid colour, it can be said to be an observation of a potential colour change encoding data. Over further screenshots the process is repeated and the number of colour changes for each block of solid colour whose size and position remain constant is tracked.
Once a threshold count of repeated colour shifts for that block of the screen has been reached, a screen colour / brightness modulation alert can be raised and escalated through the alert manager.
If the areas around the block where the shift from one solid colour to another has been observed remain unchanged, then the confidence that this represents data being encoded is higher, so the threshold number of observations of colour modulation required before raising an alert can be reduced.
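The block-tracking logic above as an added example (not the patent's code): screen captures are reduced to a grid of fixed-size tiles (an assumption standing in for the proximity search), each tile that is a single solid colour is tracked by position, and the number of colour shifts in a tile whose size and position stay constant is counted. A tile whose surrounding tiles are pixel-identical to the previous capture reaches the alert threshold sooner, as the text describes. Frames are constructed 12 x 12 grids of packed 0xRRGGBB integers; the tile size, thresholds and colours are assumptions.

```python
"""Colour / brightness modulation detection over a sequence of screen captures.

Added example, not the patent's code.  A frame is a list of rows of packed
0xRRGGBB ints; the constructed frame sequences below stand in for screenshots.
"""


class ColourModulationTracker:
    def __init__(self, tile=4, isolated_threshold=4, general_threshold=8):
        self.tile = tile                              # minimum solid block size (px); assumed
        self.isolated_threshold = isolated_threshold  # shifts needed when surroundings are static
        self.general_threshold = general_threshold    # shifts needed otherwise
        self.prev_frame = None
        self.prev_solid = {}       # (x, y) -> colour of solid tiles in the previous frame
        self.shifts = {}           # (x, y) -> colour shifts seen at an unchanged position

    def solid_tiles(self, frame):
        """Tiles (top-left (x, y) -> colour) filled with a single colour."""
        h, w, t = len(frame), len(frame[0]), self.tile
        solid = {}
        for y in range(0, h - t + 1, t):
            for x in range(0, w - t + 1, t):
                colour = frame[y][x]
                if all(frame[yy][xx] == colour
                       for yy in range(y, y + t) for xx in range(x, x + t)):
                    solid[(x, y)] = colour
        return solid

    def surroundings_static(self, frame, pos):
        """True if every neighbouring tile is pixel-identical to the previous frame."""
        h, w, t = len(frame), len(frame[0]), self.tile
        for dy in (-1, 0, 1):
            for dx in (-1, 0, 1):
                if dx == 0 and dy == 0:
                    continue
                x0, y0 = pos[0] + dx * t, pos[1] + dy * t
                if x0 < 0 or y0 < 0 or x0 + t > w or y0 + t > h:
                    continue
                for yy in range(y0, y0 + t):
                    if frame[yy][x0:x0 + t] != self.prev_frame[yy][x0:x0 + t]:
                        return False
        return True

    def observe(self, frame):
        """Ingest one capture; return alerts as (tile, shift_count, isolated)."""
        solid = self.solid_tiles(frame)
        alerts = []
        if self.prev_frame is not None:
            # a block that moved, resized or stopped being solid loses its history
            for pos in list(self.shifts):
                if pos not in solid:
                    del self.shifts[pos]
            for pos, colour in solid.items():
                if pos in self.prev_solid and self.prev_solid[pos] != colour:
                    self.shifts[pos] = self.shifts.get(pos, 0) + 1
                    isolated = self.surroundings_static(frame, pos)
                    threshold = self.isolated_threshold if isolated else self.general_threshold
                    if self.shifts[pos] >= threshold:
                        alerts.append((pos, self.shifts[pos], isolated))
                        self.shifts[pos] = 0      # one alert per threshold crossing
        self.prev_frame, self.prev_solid = frame, solid
        return alerts


def run_tracker(frames, **kwargs):
    """Feed frames in order; return [(frame_index, alert), ...]."""
    tracker = ColourModulationTracker(**kwargs)
    out = []
    for i, frame in enumerate(frames):
        out.extend((i, alert) for alert in tracker.observe(frame))
    return out


# ---- constructed frame sequences (assumptions) ------------------------------

def solid_frame(colour, size=12):
    return [[colour] * size for _ in range(size)]


def blinking_block_frames(n=6):
    """Static grey desktop with one 4x4 block at (4, 4) toggling black/white."""
    frames = []
    for i in range(n):
        frame = solid_frame(0x202020)
        for y in range(4, 8):
            for x in range(4, 8):
                frame[y][x] = 0xFFFFFF if i % 2 else 0x000000
        frames.append(frame)
    return frames


def full_screen_flicker_frames(n=6):
    """Whole screen alternates colour, as a slideshow or video transition might."""
    return [solid_frame(0x000000 if i % 2 else 0xFFFFFF) for i in range(n)]
```

With these thresholds the isolated blinking block is reported after its fourth shift (frame index 4), while a whole-screen flicker of the same length is not, because its surroundings change with it and the higher general threshold applies; run it for long enough and it is still reported, which is the page's intended trade-off between false positives and a slow-but-persistent channel.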
The security system embodying the present invention can use one or more methods for detecting exfiltration data or data being exfiltrated. Examples of detecting data and/or modulation of data for sending as system-generated signals (but may also be applicable for analogous audio signals and/or analogous video signals):
System-Safe
1. Prevent the extraction of controlled digital data from a corporate computer system via control of computer components in a manner intended for data exfiltration.
a. Identify potential data exfiltration signals coming from unusual control patterns of computer components: fans, temperatures, hard-drives, LEDs
2. Produce a real-time alert to the Information Security Team / management team
3. If configured to do so, take protective action such as controlling the component directly or optionally shutting down the computer
System Component Based Breach Protection
Computer components are monitored and analysed over time to detect subversive data transfer attempts by controlling their state / output.
Parameters of their state or output can be modulated to transfer or exfiltrate data. The same approaches as are used to identify sound-based data encoding are applied to system component signals, but over a longer wavelength / time-window, since the bandwidth is much reduced by the relative lack of depth of input variance from each component. A further approach, which can also be used for audio or video signal detection, is linear prediction: a least-squares minimisation solves for the predictor coefficient values (the covariance formulation); this simplifies to an autocorrelation formulation which can be solved with Gaussian elimination or, more efficiently, with the Levinson-Durbin recursion, in which each predictor coefficient is derived in turn from the previous ones. For example, the choice of algorithm can be based on CPU usage and signal detections, to reduce impact and to selectively rotate the algorithm used.
As with the sound approach: positive detection is passed to the alert manager for onward notification & escalation. The action manager is also operable to hinder the attempt to exfiltrate data.
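The linear prediction approach referred to above, as an added example (not the patent's code): the autocorrelation formulation of the predictor normal equations is solved both by Gaussian elimination and by the Levinson-Durbin recursion, the two are checked to agree, and the prediction gain (signal energy over residual energy) is used as the detection statistic on two constructed fan-speed series. A component toggled on a fixed cadence, as a carrier or repeated preamble would be, is far more predictable than ordinary jitter. The sampling rate, RPM values, predictor order and the two series are assumptions.

```python
"""Linear prediction over component telemetry: Levinson-Durbin vs Gaussian elimination.

Added example, not the patent's code.  Telemetry series are constructed below
(fan speed samples in RPM, one per second; an assumption).
"""
import random


def autocorrelation(x, order):
    """r[k] = sum_n x[n] x[n-k] for k = 0..order, on the mean-removed series."""
    mean = sum(x) / len(x)
    x = [v - mean for v in x]
    return [sum(x[n] * x[n - k] for n in range(k, len(x))) for k in range(order + 1)]


def levinson_durbin(r, order):
    """Solve sum_j a[j] r[|i-j|] = r[i], i = 1..order, recursively.

    Returns (a, e): predictor coefficients a[1..order] (a[0] is a placeholder)
    for x_hat[n] = sum_j a[j] x[n-j], and the final prediction error energy e.
    Each order-m solution is derived from the order-(m-1) solution."""
    a = [0.0] * (order + 1)
    e = float(r[0])
    for m in range(1, order + 1):
        k = (r[m] - sum(a[j] * r[m - j] for j in range(1, m))) / e   # reflection coefficient
        new_a = a[:]
        for j in range(1, m):
            new_a[j] = a[j] - k * a[m - j]
        new_a[m] = k
        a, e = new_a, e * (1.0 - k * k)
    return a, e


def gaussian_elimination(r, order):
    """The same normal equations solved directly: Toeplitz R, R a = r[1..order]."""
    n = order
    m = [[float(r[abs(i - j)]) for j in range(n)] + [float(r[i + 1])] for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda row: abs(m[row][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for row in range(col + 1, n):
            f = m[row][col] / m[col][col]
            for c in range(col, n + 1):
                m[row][c] -= f * m[col][c]
    a = [0.0] * (n + 1)
    for i in range(n - 1, -1, -1):
        a[i + 1] = (m[i][n] - sum(m[i][j] * a[j + 1] for j in range(i + 1, n))) / m[i][i]
    return a


def prediction_gain(x, order=8):
    """Signal energy over residual energy: near 1 for jitter, large for structure."""
    r = autocorrelation(x, order)
    _, e = levinson_durbin(r, order)
    return r[0] / e


# ---- constructed telemetry (assumptions) ------------------------------------

def jitter_fan_rpm(n=256, seed=1):
    """Normal operation: 1200 RPM with Gaussian jitter (sigma 5 RPM)."""
    rng = random.Random(seed)
    return [1200 + rng.gauss(0, 5) for _ in range(n)]


def keyed_fan_rpm(n=256, seed=1, half_period=4):
    """Fan driven between 1100 and 1300 RPM on a fixed cadence, same jitter."""
    rng = random.Random(seed)
    return [1200 + (100 if (i // half_period) % 2 else -100) + rng.gauss(0, 5)
            for i in range(n)]


if __name__ == "__main__":
    for label, series in (("jitter", jitter_fan_rpm()), ("keyed", keyed_fan_rpm())):
        print(f"{label:7s} prediction gain = {prediction_gain(series):8.2f}")
```

Both solvers give the same coefficients; Levinson-Durbin does it in O(p^2) rather than O(p^3) and yields the error energy of every lower order on the way, which is why the page can afford to rotate between methods according to CPU load. A data-bearing keying pattern is less regular than the fixed cadence used here and will score a lower gain, so in practice the threshold is set against a baseline of each component's normal behaviour.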
Examples of the invention are implemented with one or more of the following functionalities:
Generic Detection
• monitoring computer (internal) hardware for signs of subversive data leakage
o (using the same approaches of signal analysis as sound data leakage detection)
Generic Prevention/Actions - action manager
• Optionally Lock PC/account when leakage detected
• Optionally Shutdown PC when (internal) hardware leakage detected
Embodiments of the invention allow optional lock-out of a user from the computer system or entire network after a configurable number of breaches.
The user may be allowed to provide an explanation of any on-screen breaches identified and may be advised by a status window or other alert to the user notifying them that the audio output from their computer is being monitored (e.g. system tray flags).
Ancillary
• Show user warnings / status, send notifications, report user activity
• Prevent user circumvention
Activity Tracking Overview
The system records the steps the user took prior to and up to the potential breach, dropping older steps as time progresses so as to keep track of recent activity only. Along with screenshots showing what the user was doing, mouse and keyboard input are also tracked and used to annotate the screenshots with mouse-cursor trails and text annotation of the user's typing. When there is a potential breach, these steps are logged with the submission to the Information Security Team.
Counter Circumvention
Embodiments of the invention operate as a service which runs as a privileged / system account on the user's computer. The user has no capability to interact with this service. They cannot stop the service or change its automatic start-up configuration. A directory of the filesystem dedicated to the program files of examples of the invention is secured for read-write access by the service account and read-only access for other users - particularly the user account used by the employee. Another directory sharing the same permissions is dedicated to storing interim detection output and logging suspected breaches. This location is configurable by the installing security team.
Examples of the invention use a system tray app which executes as the user logs in and shows status information from the data security system service embodying the invention to the end user. Terminating or otherwise interfering with this process has no impact on the protection of the system - it merely provides awareness to the user that the system is operating and provides information to the employee.
Breach Prevention and alert manager
The security system administrators have the capability to configure several optional responses which are automatically triggered when a potential data leakage event is identified. The system is capable of locking the workstation and/or locking the OS user account to immediately preserve the session and prevent the user from trying to cover their tracks in any way, such as closing windows, deleting data, disconnecting their PC from the network or performing any other destructive action.
The system can optionally notify the user that a suspected breach has been identified, giving the user details of what activity triggered a breach rule and asking them to explain their actions with a justification. Should the user enter one, this is used to augment the alert sent to the Information Security Team for review. In the case of an on-screen data leakage breach, the security team can optionally configure Screen Safe to mask / obscure the offending portion of the screen. Screen Safe watches for an attempt to display encoded digital data (intended for capture and re-composition) on the screen; it incorporates fast screen capture and analysis to identify the potential data extraction attempt, then masks the section of the screen before any leakage can occur. In the case of an audio output data leakage breach the information security team has the option to disable sound output completely or to filter the portions of the sound spectrum that are carrying the encoded digital data signal. This is in addition to the configurable proactive sound processing designed to prevent digital data encoded as audio from being output.
A 'data-transfer suite' provides a working sample generator (and demonstrator) to exfiltrate data by audio or video data transfer. The suite demonstrates the vulnerabilities using web-hosted JavaScript which runs in a normal browser with no unusual, admin or elevated permissions - it acts just like a normal webpage - see Figure 26. Software similar to the Data Transfer Suite can be resident on a computer system and operable to exfiltrate data. When such software is operating (modulating data into audio or video, or sending modulated data by audio or video), the modulation, the modulated data and/or the sending of the modulated data is detectable by security systems embodying the present invention.
Software Architecture
Sub-components of examples of the invention are organised in the following package / namespace structure:
• com.databorder
  o windowsservice
  o systray
  o circumventionprotection
  o breachreaction
    • accountlockout
    • historytracking
    • screenmasking
    • soundfiltering
  o alerting-reporting
    • interfaces
      • email
      • popup
      • sms
      • eventlog
      • splunk
      • logging
    • falsepositivereporting
    • breachdetailsconsolidation
  o prevention
    • sound
      • frequencyfiltering
  o detection
    • interfaces
      • sound
      • screen
    • analysis
      • sound
        • datamanipulation
        • frequencymodulation
        • amplitudemodulation
        • unknownpatterns
      • screen
        • qrcode
        • brightnessblinking
        • colormodulation
  o activitytracking
    • screencapture
    • usersteprecording
    • userstepannotation
  o utilities
Examples of implementing the data security system embodying the present invention on workstation PCs
The data security system is installed on workstation PCs by an Information Security Team Administrator or an automated packaging process. It runs a service - "Data Border Service" - whose role is to oversee the data security system embodying the invention.
The Service starts a DataBorderDesktop process in the session of anyone who logs onto the machine - see Figure 27. This process is the only process the user can see - i.e. they cannot see DataBorderDesktop processes running in other sessions or the service process. Should the desktop process be stopped, the service will automatically restart it.
Viewing as an administrator both the Service and Desktop process can be observed - see Figures 28 and 29. Both processes are lightweight in terms of CPU, memory usage and IO.
The user has access to a tray icon showing them the system is operational and providing a link to a website, for example, which may have more information.
Settings
Settings screens provide a way for Information Security Team administrators to control the precise behaviour of the monitoring, blocking and alert escalation in examples of the invention. These are locked down so that only administrators can configure them. Examples are shown in Figures 30 to 34.
Screen-Safe
The screen safe feature sets a threshold which allows codes containing only a small amount of data to be optionally shown untouched - see Figure 35.
Codes containing more data than the predetermined threshold are blocked and an alert raised. The Information Security team is notified and optionally a warning can be displayed to the user - see Figure 36. The details of the security alert are written to a security system event log - see Figure 37.
Sound-Safe
"Normal" sound is analysed as seen in the bottom right corner and allowed through as normal as shown in Figure 39. But when encoded data is attempted to be output, this is detected and blocked - see Figure 40.
An alert is raised to the information security team, according to the settings the security event is written to the windows event log, a Splunk aggregator log and/or a warning shown to the user if desired. The windows event log entry includes details of the alert - see Figure 41 .
The sound output is prevented instantaneously as can be seen in the sound analysis screen - see Figure 42.
According to the Sound-Safe settings, either a system-wide mute or a selective mute of the application outputting sound can be applied - see Figure 43.
System-Safe
System components such as temperatures, fan speed, clock speed and power levels are monitored for signs of data leakage by modulation-based encoding of their normal operation - see Figures 44 and 45.
Status Summary
A status of the protections enabled/disabled and a summary of the alerts and warnings raised is available - see Figure 46.
Features from any one example or generic disclosure of the invention discussed above can be implemented in combination with any one or more features of other examples or generic disclosures of the invention discussed above.
When used in this specification and claims, the terms "comprises" and "comprising" and variations thereof mean that the specified features, steps or integers are included. The terms are not to be interpreted to exclude the presence of other features, steps or components.
The features disclosed in the foregoing description, or the following claims, or the accompanying drawings, expressed in their specific forms or in terms of a means for performing the disclosed function, or a method or process for attaining the disclosed result, as appropriate, may, separately, or in any combination of such features, be utilised for realising the invention in diverse forms thereof.

Claims

CLAIMS:
1. A data security system for identifying attempted unauthorised data transfer from a computer system, the computer system having:
one or more components for conducting normal operation of the computer system;
an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and
a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data, wherein the data security system comprises:
a detector to detect one or more of:
a) operation of the exfiltration data modulator to modulate data with the modulation technique;
b) data on the computer system modulated with the modulation technique;
c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system.
2. The system of claim 1, wherein the detector comprises one or more of: a modulation technique detector;
a modulation detector utilising one or more of: linear prediction
modelling, neural network, probabilistic classifiers and statistical learning methods; and
a digital watermark or digital signature detector.
3. The system of claim 2, wherein the modulation technique detector comprises one or more of:
a frequency modulation detector;
an amplitude modulation detector;
a phase shift key modulation detector; and a code detector.
4. The system of claim 3, wherein the code detector is operable to detect one or more of:
data encoded as a visual pattern;
an encoded signal.
5. The system of any preceding claim, wherein the modulation technique is classified as a risk-associated modulation technique.
6. The system of any preceding claim, wherein the data modulator modulates a parameter of an audio signal and the data transducer is operable to deliver the modulated audio signal external of the computer system.
7. The system of any preceding claim, wherein the data modulator modulates a parameter of a video signal and the data transducer is operable to deliver the modulated video signal external of the computer system.
8. The system of any preceding claim, further comprising a classifier operable to categorise data and/or operation of the one or more components of the computer system as risk-associated data and/or risk-associated operation.
9. The system of claim 5, wherein the detector is operable to detect a component of the computer system operating at a frequency outside the normal range of human hearing.
10. The system of any preceding claim, wherein the detector is operable to detect one or more of:
a) operation of the exfiltration data modulator to modulate data with the modulation technique;
b) data on the computer system modulated with the modulation technique;
c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system, by comparing operation of components of the computer system with operation of analogous components of peer computer systems.
11. The system of any preceding claim, wherein the detector is operable to detect potential exfiltration data using a signal processing technique.
12. The system of any preceding claim, wherein the system further comprises an alert manager operable: to alert a user of the computer system and/or an administrator of the computer system; and/or to log one or more events comprising potential attempts to exfiltrate data.
13. The system of any preceding claim, further comprising an action manager to hinder transmission of detected modulated data from the computer system.
14. The system according to claim 8, wherein the action manager disables, disrupts or blocks the transmission.
15. The system of any preceding claim, wherein the detector resides within the computer system as software, firmware or hardware.
16. The system of any preceding claim, wherein the detector is implemented as a software service installed on the computer system.
17. The system of any preceding claim in combination with the computer system.
18. A method of monitoring the functionality of a computer system to identify attempted unauthorised data transfer from the computer system, the computer system comprising:
one or more components for conducting normal operation of the computer system;
an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and
a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data, the method comprising: detecting one or more of:
a) operation of the exfiltration data modulator to modulate data with the modulation technique;
b) data on the computer system modulated with the modulation technique;
c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system.
19. The method of claim 18, further comprising:
alerting a user of the computer system and/or an administrator of the computer system of a potential attempt to exfiltrate data; and/or logging an event comprising a potential attempt to exfiltrate data from the computer system.
20. The method of claim 18 or 19, further comprising:
hindering a potential attempt to exfiltrate data from the computer system.
21. A machine-accessible medium having instructions stored thereon that when executed, cause a machine to:
monitor the functionality of a computer system to identify attempted unauthorised data transfer from the computer system, the computer system comprising: one or more components for conducting normal operation of the computer system; an exfiltration data modulator to modulate exfiltration data, comprising data not authorised for transfer external of the computer system, with a modulation technique into a data output suitable for transfer external of the computer system, said modulated data being suitable for machine-based demodulation to reconstruct the previously modulated data; and a data transducer to convert the data output from the exfiltration data modulator to a measurable signal output to transfer modulated exfiltration data external of the computer system, wherein the signal output is structured as a signal suitable for machine-based demodulation to reconstruct digital data; and
detect one or more of:
a) operation of the exfiltration data modulator to modulate data with the modulation technique;
b) data on the computer system modulated with the modulation technique;
c) operation of the data transducer to transmit data modulated with the modulation technique from the computer system.
PCT/GB2018/052900 2017-10-11 2018-10-10 A security system and method WO2019073232A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1716633.1A GB2567442B (en) 2017-10-11 2017-10-11 A security system and method
GB1716633.1 2017-10-11

Publications (1)

Publication Number Publication Date
WO2019073232A1 true WO2019073232A1 (en) 2019-04-18

Family

ID=60326763

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2018/052900 WO2019073232A1 (en) 2017-10-11 2018-10-10 A security system and method

Country Status (2)

Country Link
GB (1) GB2567442B (en)
WO (1) WO2019073232A1 (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7941852B2 (en) * 2006-10-04 2011-05-10 Symantec Corporation Detecting an audio/visual threat
US10437993B2 (en) * 2014-10-03 2019-10-08 The Trustees Of The University Of Pennsylvania Methods, systems, and computer readable media for detecting covert timing channels

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050035202A1 (en) * 2003-08-14 2005-02-17 Sun Microsystems, Inc. Snooping countermeasures for system indicators
US8832842B1 (en) * 2003-10-07 2014-09-09 Oracle America, Inc. Storage area network external security device
US20140259161A1 (en) * 2013-03-08 2014-09-11 The Regents Of The University Of California Method and systems for detecting and isolating hardware timing channels
US20160179171A1 (en) * 2014-12-17 2016-06-23 International Business Machines Corporation System for Security Conscious Energy Drain

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200065514A1 (en) * 2018-08-24 2020-02-27 International Business Machines Corporation Confidential audio content loss mitigation
US11030337B2 (en) * 2018-08-24 2021-06-08 International Business Machines Corporation Confidential audio content loss mitigation
CN113992384A (en) * 2021-10-22 2022-01-28 延安大学 Secret communication method based on fractional order Fourier transform order multiplexing
CN113992384B (en) * 2021-10-22 2023-10-20 延安大学 Secret communication method based on fractional Fourier transform order multiplexing

Also Published As

Publication number Publication date
GB201716633D0 (en) 2017-11-22
GB2567442B (en) 2020-05-13
GB2567442A (en) 2019-04-17

Similar Documents

Publication Publication Date Title
US11720844B2 (en) Enterprise network threat detection
US8943546B1 (en) Method and system for detecting and protecting against potential data loss from unknown applications
US11544416B2 (en) System and method for securing a computer system from threats introduced by USB devices
US11729193B2 (en) Intrusion detection system enrichment based on system lifecycle
US11727143B2 (en) Live discovery of enterprise threats based on security query activity
EP3154236B1 (en) System and method for providing computer network security
US20190042736A1 (en) Iintrusion detection system enrichment based on system lifecycle
CN109644197B (en) Detection dictionary system supporting anomaly detection across multiple operating environments
WO2019073232A1 (en) A security system and method
EP3343423A1 (en) System for securing a local computer network
US20230247048A1 (en) Early malware detection
Gautam et al. Covertvasion: Depicting threats through covert channels based novel evasive attacks in android
Mathur Improving Privacy and Security Using Android Accessibility Framework
Elgabry et al. Systematic Review of Security and Privacy Recommendations for non-mobile apps and app stores
GB2602309A (en) Malware detection
Hellman From Logs to Logic: Best Practices for Security Information Management

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18797025

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18797025

Country of ref document: EP

Kind code of ref document: A1