or due to application flaws (such as those described in [12]).
A supervised network channel can be an unencrypted channel,
or an encrypted channel whose content can be extracted and
inspected by an authority. The latter is widely used by
advanced NIDS deployments, where MITM (man-in-the-middle)
SSL sessions are established instead of normal end-to-end
SSL sessions [13]: the inspecting device terminates the
client's session and opens its own session to the server,
so plaintext is available for content inspection in between.
• Case II Malicious data leak: A rogue insider or a piece of
stealthy software may steal sensitive personal or organizational
data from a host. Because such an adversary can use
strong private encryption, steganography or covert channels
to defeat content-based traffic inspection, this type of leak
is out of the scope of our network-based solution. Host-based
defenses (such as detecting the infection onset [14]) need to
be deployed instead.
• Case III Legitimate and intended data transfer: The
sensitive data is sent by a legitimate user for legitimate
purposes. In this paper, we assume that the data owner is
aware of legitimate data transfers and permits them. The
data owner can therefore decide, using legitimate data
transfer policies, whether a piece of sensitive data observed
in the network traffic is a leak (Case I) or a permitted
transfer (Case III).
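The following is an added example, not code from the paper, illustrating how the Case I / Case III distinction can be enforced in a supervised channel: a content-inspection step detects sensitive data in a payload (here a simple shingle-hash fingerprint rather than the paper's own method, so that partial copies are still matched), and a data-owner policy of permitted (source, destination) flows then labels the match as a leak or a legitimate transfer. The sensitive record, the payloads and the allowed flows are constructed sample data; the shingle length and threshold are arbitrary choices.

```python
import hashlib
from dataclasses import dataclass

SHINGLE_LEN = 8  # assumed window size; not from the paper


def shingles(data: bytes, k: int = SHINGLE_LEN) -> set:
    """Hashes of every k-byte window of data, used as a fingerprint set.
    A substring of the sensitive data reproduces a subset of these windows,
    so partial leaks still score above zero."""
    return {hashlib.blake2b(data[i:i + k], digest_size=8).digest()
            for i in range(len(data) - k + 1)}


@dataclass
class SensitiveItem:
    name: str
    fingerprint: set       # shingle hashes of the sensitive content
    allowed_flows: set     # (src, dst) pairs the data owner permits


def match_score(payload: bytes, item: SensitiveItem) -> float:
    """Fraction (0..1) of the item's fingerprint found in the payload."""
    if not item.fingerprint:
        return 0.0
    return len(shingles(payload) & item.fingerprint) / len(item.fingerprint)


def classify(src: str, dst: str, payload: bytes, items, threshold: float = 0.3):
    """Return [(item name, score, verdict)] for every item whose content is
    detected in the payload. verdict is 'legitimate' when the data owner's
    policy permits this flow (Case III), otherwise 'leak' (Case I)."""
    results = []
    for item in items:
        score = match_score(payload, item)
        if score >= threshold:
            verdict = "legitimate" if (src, dst) in item.allowed_flows else "leak"
            results.append((item.name, score, verdict))
    return results


# Constructed sample: one sensitive record and the owner's transfer policy.
PAYROLL = b"ACME Q3 payroll: Alice Smith 93,400; Bob Jones 81,250; Carol Diaz 77,900"
ITEMS = [SensitiveItem("payroll-q3", shingles(PAYROLL),
                       allowed_flows={("hr.acme.internal", "bank.example")})]

# Constructed sample payloads seen on the supervised channel.
FLOWS = [
    ("hr.acme.internal", "bank.example", PAYROLL),                # Case III
    ("ws17.acme.internal", "pastebin.example",                   # Case I, partial copy
     b"FYI see below\n" + PAYROLL[37:] + b"\nregards"),
    ("ws17.acme.internal", "example.org",                        # no sensitive content
     b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]


def inspect_all(flows=FLOWS, items=ITEMS):
    """Run the classifier over every flow; returns a list of result lists."""
    return [classify(src, dst, payload, items) for src, dst, payload in flows]


if __name__ == "__main__":
    for (src, dst, _), res in zip(FLOWS, inspect_all()):
        print(f"{src} -> {dst}: {res}")
```

The policy check runs after detection, not instead of it: the owner's allow-list only suppresses alerts for flows it explicitly names, so a copy of the same data to an unlisted destination is still reported even when it is only a fragment of the original record.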