Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

TH : Topology-Based Host-Level Attribution for Multi-stage Attacks in Enterprise Systems Using Software Defined Networks

  • @INPROCEEDINGS{10.1007/978-3-319-78813-5_36,
        author={Subramaniyam Kannan and Paul Wood and Larry Deatrick and Patricia Beane and Somali Chaterji and Saurabh Bagchi},
        title={TH : Topology-Based Host-Level Attribution for Multi-stage Attacks in Enterprise Systems Using Software Defined Networks},
        proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM},
        year={2018},
        month={4},
        keywords={Multi-stage attacks, Attack attribution, Software defined network, Moving target defense},
        doi={10.1007/978-3-319-78813-5_36}
    }
    
  • Subramaniyam Kannan
    Paul Wood
    Larry Deatrick
    Patricia Beane
    Somali Chaterji
    Saurabh Bagchi
    Year: 2018
    TH : Topology-Based Host-Level Attribution for Multi-stage Attacks in Enterprise Systems Using Software Defined Networks
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-78813-5_36
Subramaniyam Kannan1,*, Paul Wood1,*, Larry Deatrick2,*, Patricia Beane2,*, Somali Chaterji1,*, Saurabh Bagchi1,*
  • 1: Purdue University
  • 2: Northrop Grumman
*Contact email: kannan5@purdue.edu, pwood@purdue.edu, larry.deatrick@ngc.com, Patricia.Beane@ngc.com, schaterji@purdue.edu, sbagchi@purdue.edu

Abstract

Multi-layer distributed systems, such as those found in corporate networks, are often the target of multi-stage attacks. Such attacks compromise a series of victim machines in order to reach a target asset deep inside the corporate network. Under such attacks it is difficult to identify the upstream attacker from a downstream victim machine, because the flows of many clients are mixed together at each intermediate hop. This is known as the attribution problem in the security domain. We present TH, a system that solves the attribution problem for multi-stage attacks. It does this by applying a moving target defense: the assignment of clients to server replicas is repeatedly shuffled, which is achieved through software defined networking. As alerts are generated, TH maintains state about the level of risk of each network flow and progressively isolates the malicious flows. Using a simulation, we show that TH can identify single and multiple attackers in a variety of systems with different numbers of servers, layers, and clients.
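The following simulation is an added illustration of the shuffle-and-isolate idea described in the abstract; it is not the paper's algorithm or code. It models a single service layer rather than the multi-layer systems the paper evaluates, assumes balanced random reassignment of clients to replicas each round (the step an SDN controller would implement by rewriting flow rules), and assumes a perfect per-replica detector that raises an alert whenever an attacker's traffic reaches a replica. All names (`shuffle_assignment`, `attribute`, the client identifiers) and the sample scenario are constructed for this example.

```python
"""
Toy simulation of attack attribution by shuffling client-to-replica assignment.

Added illustration of the idea in the abstract: a moving target defense
(re-assigning clients to replicas through SDN) combined with per-flow risk
state and progressive isolation of malicious flows.  It is NOT the paper's
algorithm or code.  Simplifying assumptions: one service layer, a balanced
random split of clients across replicas every round, and a perfect detector
that alerts on a replica exactly when an attacker's flow reaches it.
"""
import random
from collections import defaultdict


def shuffle_assignment(clients, n_replicas, rng):
    """Return {replica_id: [client, ...]}, a fresh random balanced split.

    In a real deployment this is the point where the SDN controller would
    install new flow rules steering each client's traffic to its new replica.
    """
    order = list(clients)
    rng.shuffle(order)
    assignment = defaultdict(list)
    for i, client in enumerate(order):
        assignment[i % n_replicas].append(client)
    return assignment


def attribute(clients, attackers, n_replicas, max_rounds=200, seed=0):
    """Shuffle-and-isolate loop over at most max_rounds reassignments.

    Per-client risk state kept across rounds:
      risk[c]     number of rounds in which c shared a replica that alerted
      candidates  clients not yet exonerated; a client placed on a replica
                  that stayed quiet is removed, because with a perfect
                  detector a quiet replica cannot be serving an attacker
      confirmed   candidates that were the only remaining candidate on an
                  alerting replica, hence attributable as the source
    Returns (confirmed, risk, rounds_used).  The loop stops early once every
    surviving candidate has been confirmed.
    """
    rng = random.Random(seed)
    candidates = set(clients)
    confirmed = set()
    risk = {c: 0 for c in clients}
    rounds_used = 0
    for _ in range(max_rounds):
        if candidates == confirmed:
            break
        rounds_used += 1
        for members in shuffle_assignment(clients, n_replicas, rng).values():
            alerted = any(m in attackers for m in members)  # modelled detector
            suspects = [m for m in members if m in candidates]
            if not alerted:
                # Everyone on a quiet replica is exonerated for good.
                candidates.difference_update(suspects)
                continue
            for m in suspects:
                risk[m] += 1
            if len(suspects) == 1:
                # The alert can only have come from this one remaining suspect.
                confirmed.add(suspects[0])
    return confirmed, risk, rounds_used


if __name__ == "__main__":
    # Constructed scenario: 20 clients, 4 replicas, two hidden attackers.
    clients = [f"c{i}" for i in range(20)]
    attackers = {"c3", "c11"}
    confirmed, risk, rounds = attribute(clients, attackers, n_replicas=4, seed=7)
    print(f"attributed {sorted(confirmed)} after {rounds} rounds")
    for c in clients:
        print(c, "risk", risk[c], "ATTACKER" if c in confirmed else "")
```

Two properties of this loop are worth noting for a practitioner. First, with a perfect detector the `confirmed` set can never contain a benign client, because a client is only confirmed when it is the sole unexonerated client on an alerting replica; the cost of that guarantee is that a noisy detector (missed alerts) would wrongly exonerate attackers, which is why real risk state must be probabilistic rather than the binary clear/suspect used here. Second, the number of rounds needed grows with the ratio of attackers to replicas: when attackers outnumber replicas, every replica can alert in a round and nobody is exonerated, so shuffling alone makes no progress.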