# Producer-Consumer Ratio for Detecting Data Exfiltration

Purpose: Find changes in traffic flows that indicate exfil

Data Required: session data (argus, netflow/ipfix, or bro-logs)

Collection Considerations:

Analysis Techniques: Identify changes in host roles, and investigate. PCR is a normalized metric of the ratio of traffic sent to traffic received by a host, ranging from -1 to 1.

| PCR | Host role | Examples |
|------|-------------------|----------------------------------|
| 1.0 | Pure push | FTP upload, multicast, beaconing |
| 0.4 | 70:30 export | Sending email |
| 0.0 | Balanced exchange | NTP, ARP probe |
| -0.5 | 3:1 import | HTTP browsing |
| -1.0 | Pure pull | HTTP download |


The Producer-Consumer Ratio metric introduced at FlowCON by Carter Bullard and John Gerth is defined as:

```text
      ( SrcApplicationBytes - DstApplicationBytes )
PCR = ---------------------------------------------
      ( SrcApplicationBytes + DstApplicationBytes )
```


Application Bytes = (Total Bytes - Sum( L[2,3,4] Headers )) - Retrans Bytes

DNS is less noisy than HTTP for this metric, and is a possible exfil channel. A positive shift in PCR for DNS traffic may indicate DNS Exfil.
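The following is an added example, not code from the original hunt page. It computes the PCR formula above per source host from flow records, maps the value onto the roles in the table, and flags hosts whose DNS PCR has shifted positive against a baseline window. The `Flow` field names, the role thresholds, the use of destination port 53 to select DNS and the `min_shift` value are all assumptions; the flow records are constructed sample data.

```python
"""Producer-Consumer Ratio (PCR) per host, with a DNS PCR-shift check.
Added example; not part of the original hunt page."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One bidirectional flow record. Field names are an assumption, not a
    specific argus / netflow / Bro schema; *_app_bytes are application bytes
    (headers and retransmissions already removed)."""
    src: str
    dst: str
    dport: int
    src_app_bytes: int  # application bytes sent by src
    dst_app_bytes: int  # application bytes sent back by dst


def application_bytes(total_bytes, header_bytes, retrans_bytes):
    """Application Bytes = (Total Bytes - Sum(L2/L3/L4 headers)) - Retrans Bytes."""
    return total_bytes - header_bytes - retrans_bytes


def pcr(src_app_bytes, dst_app_bytes):
    """PCR = (src - dst) / (src + dst). Returns 0.0 (balanced) when there are
    no application bytes at all, to avoid dividing by zero."""
    total = src_app_bytes + dst_app_bytes
    if total == 0:
        return 0.0
    return (src_app_bytes - dst_app_bytes) / total


def host_role(value):
    """Map a PCR value onto the role labels from the table. Thresholds are assumptions."""
    if value >= 0.7:
        return "push"
    if value >= 0.2:
        return "export"
    if value > -0.2:
        return "balanced"
    if value > -0.7:
        return "import"
    return "pull"


def per_host_pcr(flows, dport=None):
    """Aggregate application bytes per source host (optionally for one
    destination port) and return {host: PCR}."""
    agg = defaultdict(lambda: [0, 0])
    for f in flows:
        if dport is not None and f.dport != dport:
            continue
        agg[f.src][0] += f.src_app_bytes
        agg[f.src][1] += f.dst_app_bytes
    return {host: pcr(s, d) for host, (s, d) in agg.items()}


def dns_pcr_shift(baseline_flows, current_flows, min_shift=0.3):
    """Hosts whose DNS (dport 53, assumed) PCR rose by at least min_shift versus
    the baseline window. Returns {host: (baseline_pcr, current_pcr)}. A host with
    no baseline DNS traffic is compared against 0.0 (balanced); that is an assumption."""
    base = per_host_pcr(baseline_flows, dport=53)
    cur = per_host_pcr(current_flows, dport=53)
    return {h: (base.get(h, 0.0), v) for h, v in cur.items()
            if v - base.get(h, 0.0) >= min_shift}


# Constructed sample flows. Baseline DNS: short queries, longer answers (import-leaning).
BASELINE = [
    Flow("10.0.0.5", "10.0.0.2", 53, 60, 120),
    Flow("10.0.0.5", "10.0.0.2", 53, 62, 130),
    Flow("10.0.0.7", "10.0.0.2", 53, 58, 110),
]
# Current window (constructed): 10.0.0.5 now sends long queries and gets tiny answers.
CURRENT = [
    Flow("10.0.0.5", "10.0.0.2", 53, 240, 60),
    Flow("10.0.0.5", "10.0.0.2", 53, 250, 62),
    Flow("10.0.0.7", "10.0.0.2", 53, 60, 118),
]

if __name__ == "__main__":
    for host, value in per_host_pcr(CURRENT).items():
        print(f"{host}: PCR={value:+.2f} role={host_role(value)}")
    print("DNS PCR shift:", dns_pcr_shift(BASELINE, CURRENT))
```

On the constructed data, 10.0.0.5 moves from a PCR of about -0.34 (import) in the baseline to about +0.60 (export) in the current window and is flagged, while 10.0.0.7 stays near -0.32 and is not. In practice the baseline should be built over a long enough window that normal role variation does not trip `min_shift`.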

Other Notes

More Info