PivotWall: SDN-Based Information Flow Control

Advanced Persistent Threats (APTs) commonly use stepping stone attacks that allow the adversary to move laterally undetected within an enterprise network towards a target. Existing network security techniques provide limited protection against such attacks, because they lack intra-network mediation and the context of information semantics. We propose PivotWall, a network security defense that extends information flow tracking on each host into network-level defenses. PivotWall uses a novel combination of information-flow tracking and Software Defined Networking (SDN) to detect a wide range of attacks used by advanced adversaries, including those that abuse both application- and network-layer protocols. It further enables a variety of attack responses including traffic steering, as well as advanced mechanisms for forensic analysis. We show that PivotWall incurs minimal impact on network throughput and latency for untainted traffic and less than 58% overhead for tainted traffic. As such, we demonstrate the utility of information flow tracking as a defense against advanced network-level attacks.
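The design the abstract describes, reduced to a runnable sketch (an added example, not code from the PivotWall paper or its authors): each host's information-flow tracker attaches taint labels to the flows it originates; an SDN controller installs ordinary forwarding rules for untainted flows and mediates every tainted flow against a label policy. A flow that would carry a label to a host not cleared for it is dropped, a flow in which a host relays labelled data it received from a third host (the stepping-stone pattern) is forwarded but mirrored to a forensic tap, and the controller keeps a per-label provenance map that can be walked backwards to reconstruct the chain of hosts. The host names, labels, policy table, tap name and the assumption that the label arrives with the packet-in are all constructed for this example; the paper's actual tagging mechanism, switch rules and the overhead numbers are not modelled.

```python
"""Toy taint-aware SDN controller (added example; data model and policy are assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Assumed actions the controller can install on the switch.
FORWARD, DROP = "FORWARD", "DROP"


@dataclass(frozen=True)
class Packet:
    """First packet of a flow as delivered to the controller (packet-in).

    `taint` is the set of labels the sending host's flow tracker attached to
    the data; an empty set means the flow is untainted.  How the label is
    carried on the wire is assumed away here.
    """
    src: str
    dst: str
    dport: int
    taint: FrozenSet[str] = frozenset()


@dataclass
class TaintController:
    # Policy: which hosts may receive data carrying a given label (assumed).
    allowed: Dict[str, FrozenSet[str]]
    tap: str = "forensics-tap"                      # assumed mirror-port name
    flow_table: Dict[Tuple[str, str, int], str] = field(default_factory=dict)
    # Provenance: host -> label -> host it last received that label from.
    inbound: Dict[str, Dict[str, str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def handle_packet(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if not pkt.taint:
            # Untainted traffic: install a plain rule once; later packets of the
            # flow are switched in the data plane with no controller involvement.
            return self.flow_table.setdefault(key, FORWARD)

        # Tainted traffic is mediated flow by flow and never cached, so the
        # decision can take into account what the network has already seen.
        denied = sorted(t for t in pkt.taint
                        if t not in self.allowed.get(pkt.dst, frozenset()))
        origins = self._relay_origins(pkt)
        chain = " -> ".join(origins + [pkt.src, pkt.dst])

        if denied:
            self.alerts.append(f"policy: {chain} carries {denied}, not permitted at {pkt.dst}")
            return DROP
        if origins:
            # Destination is cleared for the label, but src is passing on data it
            # received from elsewhere: forward, and copy the flow to the tap.
            self.alerts.append(f"pivot: {chain}")
            action = f"{FORWARD}+MIRROR:{self.tap}"
        else:
            action = FORWARD
        self._record(pkt)
        return action

    def _relay_origins(self, pkt: Packet) -> List[str]:
        """Hosts from which src earlier received a label it is now sending on.
        Sending data back to the host it came from is not treated as a pivot."""
        got = self.inbound.get(pkt.src, {})
        return sorted({got[t] for t in pkt.taint if t in got and got[t] != pkt.dst})

    def _record(self, pkt: Packet) -> None:
        # Only flows that were actually forwarded update provenance.
        for t in pkt.taint:
            self.inbound.setdefault(pkt.dst, {})[t] = pkt.src

    def trace(self, host: str, label: str) -> List[str]:
        """Walk provenance backwards: the hosts a label passed through to reach host."""
        chain, seen = [host], {host}
        while True:
            prev = self.inbound.get(chain[-1], {}).get(label)
            if prev is None or prev in seen:
                return chain[::-1]
            chain.append(prev)
            seen.add(prev)


def demo() -> Tuple[TaintController, List[str]]:
    """Constructed scenario: payroll data leaves hr-ws, is relayed by a file server."""
    payroll = frozenset({"hr-payroll"})
    ctl = TaintController(allowed={"fileserver": payroll, "hr-ws": payroll, "backup": payroll})
    packets = [
        Packet("hr-ws", "fileserver", 445, payroll),      # legitimate, forwarded
        Packet("fileserver", "hr-ws", 445, payroll),      # data returns to origin
        Packet("dev-ws", "build", 80),                    # untainted, rule cached
        Packet("fileserver", "dev-ws", 22, payroll),      # lateral move to uncleared host
        Packet("fileserver", "backup", 873, payroll),     # relay to a cleared host
    ]
    return ctl, [ctl.handle_packet(p) for p in packets]


if __name__ == "__main__":
    controller, actions = demo()
    print(actions)
    print(controller.alerts)
    print(controller.trace("backup", "hr-payroll"))
```

The split between cached rules for untainted flows and per-flow mediation for tainted ones is the reason the abstract can report near-zero cost for untainted traffic and a measurable overhead only for tainted traffic; the provenance map is what makes a post-hoc chain reconstruction possible without replaying packet captures.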
