Foreign journal: Journal of network and computer applications
Janus: A dual-purpose analytical model for understanding, characterizing and countermining multi-stage collusive attacks in enterprise networks


Abstract

Multi-stage collusive attack (MSCA) covers a large class of attack variants, and commonly refers to an attack that consists of several atomic attack stages and is enforced by a number of coordinated attack parties. The rich history of the development of countermeasures for specific MSCAs, e.g., DDoS and worms, has shown that it is the special spatio-temporal characteristic that causes the prevention, detection and response of MSCA to be challenging. Instead of focusing on fine-grained specific attack analysis, this paper presents a model from a high-level viewpoint, aiming at characterizing the behaviors of MSCA in terms of key spatio-temporal properties for better understanding and more effective design of countermeasures. The model is specifically developed for two purposes: first, it sheds light on the fundamental elements of an MSCA by examining its spatio-temporal related observations, and formulating attacker behavior as a reward-directed Markov decision process; second, it assists security administrators in identifying the potential causal relationship of system vulnerabilities based on the reports of deployed security tools, so as to suggest appropriate actions. Taking the model as a basis, two meta-heuristic algorithms are designed. Specifically, attackers nondeterministic trail search (ANTS) is developed for approximately searching attack schemes with the minimum attack cost, and attacker's pivots discovery via backward searching (APD-BS) is designed for examining the pivots of attack schemes, namely the key observations associated with system state transitions during an attack. Finally, a proof-of-concept validation is conducted using a simulated enterprise network under DDoS attack, which is a typical MSCA variant.
