TOPHAT: Topology-based Host-Level Attribution for Multi-Stage Attacks in Enterprise Systems using Software Defined Networks

Get BibTex-formatted data

Author

Subramaniyam Kannan,Paul Wood, Larry Deatrick, Patricia Beane,Somali Chaterji, and Saurabh Bagchi

Tech report number

CERIAS TR 2017-4

Entry type

article

Abstract

Multi-layer distributed systems, such as those found in corporate systems, are often the target of multi-stage attacks. Such attacks utilize multiple victim machines, in a series, to compromise a target asset deep inside the corporate network. Under such attacks, it is difficult to identify the upstream attacker's identity from a downstream victim machine because of the mixing of multiple network flows. This is known as the attribution problem in security domains. We present TopHat, a system that solves such attribution problems for multi-stage attacks. It does this by using moving target defense, i.e., shuffling the assignment of clients to server replicas, which is achieved through software defined networking. As alerts are generated, TopHat maintains state about the level of risk for each network flow and progressively isolates the malicious flows. Using a simulation, we show that TopHat can identify single and multiple attackers in a variety of systems with different numbers of servers, layers, and clients.

Date

2017 – 10 – 24

Key alpha

Kannan

Publication Date

2017-10-24

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Article{ Kannan,
	title = "TOPHAT: Topology-based Host-Level Attribution for Multi-Stage Attacks in Enterprise Systems using Software Defined Networks",
	author = "Subramaniyam Kannan,Paul Wood, Larry Deatrick, Patricia Beane,Somali Chaterji, and Saurabh Bagchi",
	year = "2017",
	month = "10",
	day = "24",
	abstract = "Multi-layer distributed systems, such as those found in corporate systems, are often the target of multi-stage attacks. Such attacks utilize multiple victim machines, in a series, to compromise a target asset deep inside the corporate network. Under such attacks, it is difficult to identify the upstream attacker's identity from a downstream victim machine because of the mixing of multiple network flows. This is known as the attribution problem in security domains. We present TopHat, a system that solves such attribution problems for multi-stage attacks. It does this by using moving target defense, i.e., shuffling the assignment of clients to server replicas, which is achieved through software defined networking. As alerts are generated, TopHat maintains state about the level of risk for each network  flow and progressively isolates the malicious  flows. Using a simulation, we show that TopHat can identify single and multiple attackers in a variety of systems with different
numbers of servers, layers, and clients.",
}