sesa 17(11): e4

Research Article

MAAT: Multi-Stage Attack Attribution in Enterprise Systems using Software Defined Networks

Download892 downloads
Cite
BibTeX Plain Text
  • @ARTICLE{10.4108/eai.7-12-2017.153396,
    author={Subramaniyam Kannan and Paul Wood and Somali  Chaterji and Saurabh Bagchi and Larry Deatrick and Patricia Beane},
    title={MAAT: Multi-Stage Attack Attribution in Enterprise Systems using Software Defined Networks},
    journal={EAI Endorsed Transactions on Security and Safety},
    volume={4},
    number={11},
    publisher={EAI},
    journal_a={SESA},
    year={2017},
    month={12},
    keywords={multi-stage attacks, attack attribution, software defined network, moving target defense},
    doi={10.4108/eai.7-12-2017.153396}
}
  • Subramaniyam Kannan
    Paul Wood
    Somali Chaterji
    Saurabh Bagchi
    Larry Deatrick
    Patricia Beane
    Year: 2017
    MAAT: Multi-Stage Attack Attribution in Enterprise Systems using Software Defined Networks
    SESA
    EAI
    DOI: 10.4108/eai.7-12-2017.153396
Subramaniyam Kannan1,*, Paul Wood1, Somali Chaterji1, Saurabh Bagchi1, Larry Deatrick2, Patricia Beane2
  • 1: Purdue University, West Lafayette, USA
  • 2: Northrop Grumman, USA
*Contact email: kannan5@purdue.edu

Abstract

Multi-layer distributed systems, such as those found in corporate systems, are often the target of multi- stage attacks. Such attacks utilize multiple victim machines, in a series, to compromise a target asset deep inside the corporate network. Under such attacks, it is difficult to identify the upstream attacker’s identity from a downstream victim machine because of the mixing of multiple network flows. This is known as the attribution problem in security domains. We present MAAT, a system that solves such attribution problems for multi-stage attacks. It does this by using moving target defense, ie, shuffling the assignment of clients to server replicas, which is achieved through software defined networking. As alerts are generated, MAAT maintains state about the level of risk for each network flow and progressively isolates the malicious flows. Using a simulation, we show that MAAT can identify single and multiple attackers in a variety of systems with different numbers of servers, layers, and clients.

Keywords
multi-stage attacks, attack attribution, software defined network, moving target defense
Received
2017-11-10
Accepted
2017-11-13
Published
2017-12-07
Publisher
EAI
http://dx.doi.org/10.4108/eai.7-12-2017.153396

Copyright © 2017 Subramaniyam Kannan et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.