Abstract

Multi-layer distributed systems, such as those found in corporate systems, are often the target of multi-stage attacks. Such attacks utilize multiple victim machines, in a series, to compromise a target asset deep inside the corporate network. Under such attacks, it is difficult to identify the upstream attacker's identity from a downstream victim machine because of the mixing of multiple network flows. This is known as the attribution problem in security domains. We present MAAT, a system that solves such attribution problems for multi-stage attacks. It does this by using moving target defense, i.e., shuffling the assignment of clients to server replicas, which is achieved through software defined networking. As alerts are generated, MAAT maintains state about the level of risk for each network flow and progressively isolates the malicious flows. Using a simulation, we show that MAAT can identify single and multiple attackers in a variety of systems with different numbers of servers, layers, and clients.

Highlights

  • Multi-stage attacks (MSA) have plagued distributed system administrators for decades

  • Probability of Attacker found (PA): the probability that the attacker is correctly identified as an attacker, given by equation 1

  • Percentage of Failed Transactions (PFT): this parameter indicates the number of client disruptions during the time of attacker identification


Summary

Introduction

Multi-stage attacks (MSA) have plagued distributed system administrators for decades. In these attacks, multiple computers are used simultaneously to breach a particular target, and attackers often rely on a series of privilege escalation attacks to circumvent access controls protecting assets. In this paper we present MAAT (Multi-stage Attack ATtribution), a technique for identifying malicious users and their network traffic. In layer 3, a corporate reporting server analyzes the database to create sales reports, track hot products, and manage inventory at a macro level. It interfaces with the database layer and stores reports on layer 4, the corporate file servers. The protected system may comprise an arbitrary number of layers and each layer may have none, one, or more server replicas.
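The abstract describes the core idea (shuffle clients across server replicas, keep a per-flow risk state as alerts arrive, isolate flows whose risk stays high) and the highlights define the two metrics, PA and PFT. The following toy simulation is an added example written for this page; it is not MAAT's code and does not reproduce the paper's equation 1. It assumes a simplified model: every active client is reassigned to a uniformly random replica each round, a replica raises an alert whenever an attacker is among its clients (a stand-in for an IDS alert), a flow's risk counter grows while it keeps landing on alerting replicas and resets when it sits on an alert-free replica (which assumes attackers attack in every round), a flow is isolated once its counter reaches a threshold, and a benign transaction counts as failed whenever its replica raised an alert (modelling the replica reset after an alert). PA is computed as the fraction of true attackers that end up isolated, and PFT as the fraction of benign transactions that failed; names such as `simulate` and `SimResult` are this example's own.

```python
"""Toy simulation of alert-driven attacker attribution under client/replica shuffling.

Added illustration for this page; it is not the MAAT implementation and all
modelling choices below are assumptions made for the example.
"""
import random
from dataclasses import dataclass


@dataclass
class SimResult:
    isolated: set             # client ids the scheme flagged and isolated
    rounds_to_isolate: dict   # client id -> round in which it was isolated
    pft: float                # fraction (0..1) of benign transactions that failed
    pa: float                 # fraction of true attackers that were isolated


def simulate(clients, attackers, n_replicas, threshold, rounds, seed=0):
    """Run `rounds` shuffle-and-observe rounds over `n_replicas` replicas.

    `attackers` is the constructed ground truth used only by the simulated
    detector and by the PA computation; the attribution logic itself sees
    nothing but per-replica alerts and the client-to-replica assignment.
    """
    rng = random.Random(seed)
    risk = {c: 0 for c in clients}     # per-flow risk state
    active = list(clients)             # flows not yet isolated
    isolated = {}                      # client -> round of isolation
    benign_total = benign_failed = 0

    for r in range(1, rounds + 1):
        # Moving-target step (assumption): every active client is assigned
        # to a uniformly random replica this round.
        replicas = {i: [] for i in range(n_replicas)}
        for c in active:
            replicas[rng.randrange(n_replicas)].append(c)

        for members in replicas.values():
            # Constructed detector: a replica alerts when an attacker is
            # among its clients (stand-in for an IDS alert on that replica).
            alert = any(c in attackers for c in members)
            for c in members:
                if c not in attackers:
                    benign_total += 1
                    if alert:
                        # Assumption: the alerting replica is reset, so the
                        # benign client's in-flight transaction fails.
                        benign_failed += 1
                if alert:
                    risk[c] += 1        # flow was present during an alert
                else:
                    risk[c] = 0         # flow seen on a clean replica: cleared

        # Progressive isolation: flows whose risk reached the threshold are
        # removed from the replica pool (quarantined) from the next round on.
        for c in [c for c in active if risk[c] >= threshold]:
            isolated[c] = r
            active.remove(c)

    found = set(isolated) & set(attackers)
    pa = len(found) / len(attackers) if attackers else 0.0
    pft = benign_failed / benign_total if benign_total else 0.0
    return SimResult(set(isolated), isolated, pft, pa)


if __name__ == "__main__":
    # Constructed scenario: 20 clients, two of them attackers, 6 replicas.
    clients = [f"c{i}" for i in range(20)]
    res = simulate(clients, {"c3", "c11"}, n_replicas=6,
                   threshold=20, rounds=30, seed=7)
    print("isolated:", sorted(res.isolated))
    print("rounds to isolate:", res.rounds_to_isolate)
    print(f"PA={res.pa:.2f}  PFT={res.pft:.2f}")
```

Two properties of this model are worth noticing. An attacker who attacks in every round is on an alerting replica in every round, so it is isolated after exactly `threshold` rounds; a benign client is only falsely isolated if it happens to share a replica with an attacker for `threshold` consecutive rounds, whose probability falls geometrically with the threshold (roughly `(k/n)^threshold` for `k` attackers and `n` replicas). The same shuffling that makes attribution possible is what drives PFT: while attackers are still active, every benign client that lands next to one loses a transaction, which is the trade-off between identification speed and client disruption that the PA/PFT pair measures.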

