PivotWall: Combining SDN and Host Context to Defend Against Stepping Stone Attacks
Terrence O’Connor, Akash Verma, William Enck
North Carolina State University
{tjoconno,averma3,whenck}@ncsu.edu
Motivation

Attackers often relay attacks through less sensitive hosts to gain unauthorized access to protected hosts in a network – known as stepping stone attacks.

Figure: Characteristics of stepping stone attack links
Vision

• We seek to use taint analysis to detect stepping stone attacks within enterprise network environments
• The solution should detect both exfiltration (confidentiality) and corruption (integrity) attacks
• Research Challenges:
  • What granularity should we track information at? (performance vs. precision trade-offs)
  • How to achieve a network-wide perspective?
  • How to respond to an attack?

Figure: A data exfiltration stepping stone attack mitigated by PivotWall
Network Taint Analysis

PivotWall uses Software Defined Networking (SDN) to gain a network-wide perspective

• The SDN controller acts as a single vantage point with a global view of the network.
• Taint tracking is based on flows (src IP, src port, dest IP, dest port, protocol)
• Challenge: How to avoid taint explosion?
  1. Incorporate host-level context to increase tracking precision
  2. Define taint source/sink to minimize the effect of false propagations
    • Taint Source: protected hosts
    • Taint Sink: external network

Figure: Network Taint Propagation
Flexible Response

SDN provides fast and flexible response to an attack

• Isolate a host by restricting flows to and from its physical port
• Restrict traffic to only specific subnets (e.g., to give time for investigation)
• Redirect traffic to honeynets for analysis
• Dynamically generate network access control rules to address larger threats
• Throttle traffic to specific destinations (e.g., for threats of exfiltration of large amounts of data)
Forensics Analysis

Provenance logs maintained at the network and host levels can enhance forensics by showing the attack graph

• Track the progress of attacks through the network.
• Identify all the hosts used as part of the attack chain.
• Reduce false positives.
Adding Host-level Context

The PivotWall host agent supplements the network taint analysis by informing the SDN controller of data flows within the host

• The SDN controller app informs a host when a new flow is tainted
• The host agent informs the SDN controller app when a new outgoing flow is tainted
• Our current prototype tracks flows at process and file granularity to balance precision and performance overhead

Figure: Host Agent Taint Propagation
Figure: Host Agent Architecture
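Added illustration, not the poster's or PivotWall's own code: a toy Python model of the flow-level taint propagation described under Network Taint Analysis and Adding Host-level Context. The controller class, the host-agent report format, and all addresses are assumptions; the model shows how a host-level link between an inbound and an outbound flow carries taint from a protected host (source) to the external network (sink) without tainting every other flow on the relay host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """Flow identity as the poster tracks it: the 5-tuple."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

class TaintController:
    """Hypothetical SDN-controller app: tracks taint per flow and reacts at the sink."""
    def __init__(self, protected, internal):
        self.protected = {ip_address(h) for h in protected}  # taint source
        self.internal = ip_network(internal)                 # outside this = taint sink
        self.tainted, self.alerts, self.isolated = set(), [], set()

    def new_flow(self, flow):
        """Controller-side rule: any flow touching a protected host is tainted."""
        if {ip_address(flow.src_ip), ip_address(flow.dst_ip)} & self.protected:
            self._taint(flow)
        return flow in self.tainted

    def host_report(self, inbound, outbound):
        """Host-agent report: a process/file that consumed `inbound` produced
        `outbound`. Taint moves only along this link, not to every flow on the host."""
        if inbound in self.tainted:
            self._taint(outbound)
        return outbound in self.tainted

    def _taint(self, flow):
        self.tainted.add(flow)
        if ip_address(flow.dst_ip) not in self.internal:  # tainted data reaches the sink
            self.alerts.append(flow)
            self.isolated.add(flow.src_ip)  # response: isolate the relaying host

def demo():
    """Constructed two-hop exfiltration: a relay pulls from a protected host, then pushes out."""
    ctl = TaintController(protected=["10.0.1.5"], internal="10.0.0.0/8")
    hop1 = Flow("10.0.2.20", 50111, "10.0.1.5", 445, "tcp")      # relay <-> protected host
    hop2 = Flow("10.0.2.20", 50222, "203.0.113.9", 443, "tcp")   # relay -> external network
    other = Flow("10.0.2.20", 50333, "198.51.100.7", 443, "tcp") # unrelated process, same host
    ctl.new_flow(hop1); ctl.new_flow(hop2); ctl.new_flow(other)
    ctl.host_report(hop1, hop2)  # agent links hop1 to hop2 through the same process
    return ctl
```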
Case Studies

Evaluation

Research Questions

• How complete is PivotWall in terms of attack coverage?
• How scalable is the solution in varying network sizes?
• What is the performance overhead of the Host Agent?
• What is the accuracy of PivotWall in detecting attacks?
Results

Figure: Enterprise Topology Setup

• All the attacks that we evaluated against were detected by PivotWall.
• Maximum overhead on network bandwidth with 100 hosts is 18.27%
• On average, less than 10% performance overhead on individual hosts.

Figure: Hospital Data Loss
Figure: Software Repository Compromise

Results for the Case Studies

• No false negatives observed during the experiments.
• Less than 0.69% false positives observed.