2021 IEEE/ACM 21st International Symposium on Cluster, Cloud and Internet Computing (CCGrid) | 2021

Efficient DLP-visor: An efficient hypervisor-based DLP

 
 
 
 

Abstract


Many organizations consider the insider threat of data theft to be one of the most severe threats. An insider may also leak sensitive information without malicious intent (as a result of social engineering). Data leakage prevention (DLP) systems attempt to prevent intentional or accidental disclosure of sensitive information by monitoring the content or the context in which the information is transferred, for example, in a file system, an email server, or instant messengers. We present a context-sensitive DLP system called Efficient DLP-Visor. We implemented DLP-Visor as a thin hypervisor capable of intercepting system calls in Windows operating systems equipped with Kernel Patch Protection. By intercepting system calls that govern the file system, inter-process communications, networking, system register and system clipboard, DLP-Visor guarantees that sensitive information can never leave a predefined set of directories. The performance overhead of Efficient DLP-Visor (7.2%) allows its deployment in real-world applications. Efficient DLP-Visor logs were improved for better detection and logging of a DLP event. During idle time, Efficient DLP-Visor deletes most of the data log while maintaining the important data on leaks and attacks.

Pages 344-355
DOI 10.1109/CCGrid51090.2021.00044
Language English
Journal 2021 IEEE/ACM 21st International Symposium on Cluster, Cloud and Internet Computing (CCGrid)
