A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks
ACM Transactions on Internet Technology (IF 3.9). Pub Date: 2021-07-16, DOI: 10.1145/3419103
Rafael Salema Marques, Gregory Epiphaniou, Haider Al-Khateeb, Carsten Maple, Mohammad Hammoudeh, Paulo André Lima De Castro, Ali Dehghantanha, Kim-Kwang Raymond Choo

Modern network infrastructures host converged applications that demand rapid elasticity of services, increased security, and ultra-fast reaction times. The Tactile Internet promises to facilitate the delivery of these services while enabling new economies of scale for high-fidelity machine-to-machine and human-to-machine interactions. Unavoidably, critical mission systems served by the Tactile Internet demand not only high-speed, reliable communications but equally the ability to rapidly identify and mitigate threats and vulnerabilities. This article proposes a novel Multi-Agent Data Exfiltration Detector Architecture (MADEX), inspired by the mechanisms and features of the human immune system. MADEX seeks to identify data exfiltration performed by evasive and stealthy malware that hides its malicious traffic from the infected host in low-latency networks. Our approach uses cross-network traffic information collected by agents to identify unknown illicit connections made by a subverted operating system. MADEX requires neither prior knowledge of the characteristics or behavior of the malicious code nor dedicated access to a knowledge repository. We tested the performance of MADEX in terms of its capacity to handle real-time data and the sensitivity of our algorithm's classification when exposed to malicious traffic. Experimental evaluation results show that MADEX achieved 99.97% sensitivity, 98.78% accuracy, and an error rate of 1.21% when compared to its best rivals. We created a second version of MADEX, called MADEX level 2, that further improves its overall performance with a slight increase in computational complexity. We argue for the suitability of MADEX level 1 in non-critical environments, while MADEX level 2 can be used to avoid data exfiltration in critical mission systems.
To the best of our knowledge, this is the first article in the literature that addresses the real-time detection of rootkits in an agnostic way using an artificial immune system approach while satisfying strict latency requirements.
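The abstract's core idea, a host that hides its own connections while other agents on the network still see them, can be illustrated by correlating the two views. The following is an added example written for this page, not the authors' MADEX code; the flow record format, the agent roles and the sample flows are constructed assumptions.

```python
# Added illustration (not the authors' code): correlate the flow table a host
# reports about itself with flows that peer agents observe on the network, and
# flag connections the host does not admit to. The record format, agent roles
# and sample data are assumptions constructed for this example.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int = field(default=0, compare=False)

    def key(self):
        # Direction-agnostic key: the host sees "me -> peer", a peer agent may
        # record "peer <- me"; both must compare equal.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])

def flows_of(flows, host_ip):
    """Index by normalised key only the flows that involve host_ip."""
    return {f.key(): f for f in flows if host_ip in (f.src, f.dst)}

def hidden_flows(host_view, network_view, host_ip):
    """Flows peer agents attribute to host_ip that the host itself did not
    report, ranked by volume. A rootkit that hides sockets from the host's
    own tables produces exactly this discrepancy; no signature of the malware
    is needed, only the other agents' independent view of the traffic."""
    reported = flows_of(host_view, host_ip)
    observed = flows_of(network_view, host_ip)
    missing = [observed[k] for k in observed.keys() - reported.keys()]
    return sorted(missing, key=lambda f: f.nbytes, reverse=True)

# Constructed sample: what the (possibly compromised) host 10.0.0.5 reports...
HOST_VIEW = [
    Flow("tcp", "10.0.0.5", 52000, "10.0.0.20", 443, 4_200),
    Flow("udp", "10.0.0.5", 40001, "10.0.0.2", 53, 180),
]
# ...and what peer agents (gateway and a neighbour) saw touching 10.0.0.5.
NETWORK_VIEW = [
    Flow("tcp", "10.0.0.20", 443, "10.0.0.5", 52000, 4_200),          # same flow, reversed
    Flow("udp", "10.0.0.5", 40001, "10.0.0.2", 53, 180),
    Flow("tcp", "10.0.0.5", 51000, "203.0.113.7", 4444, 9_800_000),   # never reported by host
    Flow("tcp", "10.0.0.9", 33000, "10.0.0.20", 443, 900),            # another host, ignored
]

if __name__ == "__main__":
    for f in hidden_flows(HOST_VIEW, NETWORK_VIEW, "10.0.0.5"):
        print(f"hidden: {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.nbytes} B")
```

In a deployment, the comparison would run over a short time window so that flows that ended between the two agents' snapshots are not misreported as hidden.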

Updated: 2021-07-16