Mitigating Multi-Stage Attacks in Software Defined Network-Based Distributed Systems

Subramaniyam Kannan, Purdue University


Multi-layer distributed systems, such as those found in enterprise networks, are often the target of multi-stage attacks (MSA). In MSA, an attacker compromises external-facing services and then penetrates progressively into deeper services in a stepping-stone manner, by using elevated privileges at each system component, until finally the attacker gains access to the “crown jewel” of the system (such as, some protected data). Under such attacks, it is difficult to identify the upstream attacker's identity from a downstream victim machine because of the mixing of multiple network flows. This thesis presents TOPHAT, a system that solves such attribution problems for multi-stage attacks. It does this by using Intrusion Detection Sensors (IDS) and moving target defense, i.e., shuffling the assignment of clients to server replicas, which is achieved through Software Defined Networks (SDN). Also, limited resources constrain the number of IDS that can be deployed since IDS processing can be quite computationally expensive. SDN provides network flexibility, and combined with Network Function Virtualization (NFV), it enables agile optimization for the IDS placement throughout the distributed system to counter the MSA. Thus, this work next presents OPTIMISM, a system for placing IDS to maximize network protection and to minimize total deployment costs while adapting in real time to updated intrusion information. Using simulation, this thesis shows that TOPHAT can identify multiple attackers in a variety of systems and OPTIMISM can select IDS placement configurations that are significantly better than the state-of-the-art (Monitor-DSN16). Using a hardware-backed SDN testbed and a distributed onion application, OPTIMISM's feasibility is demonstrated.




Bagchi, Purdue University.

Subject Area

Computer Engineering|Electrical engineering|Computer science

Off-Campus Purdue Users:
To access this dissertation, please log in to our
proxy server