Advanced cyber attackers often 'pivot' through several devices in such complex infrastructure to obfuscate their footprints and overcome connectivity restrictions. However, prior pivot attack detection strategies present concerning limitations. This paper addresses an improvement of cyber defence with APIVADS, a novel adaptive pivoting detection scheme based on traffic flows to determine cyber adversaries' presence based on their pivoting behaviour in simple and complex interconnected networks. Additionally, APIVADS is agnostic regarding transport and application protocols. The scheme is optimized and tested to cover remotely connected locations beyond a corporate campus's perimeters. The scheme considers a hybrid approach between decentralized host-based detection of pivot attacks and a centralized approach to aggregate the results to achieve scalability. Empirical results from our experiments show the proposed scheme is efficient and feasible. For example, a 98.54% detection accuracy near real-time is achievable by APIVADS differentiating ongoing pivot attacks from regular enterprise traffic as TLS, HTTPS, DNS and P2P over the internet.
|Number of pages
|IEEE Transactions on Information Forensics and Security
|Published - 25 Jan 2022
Bibliographical noteCopyright © 2022 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.”
The work of Carsten Maple was supported in part by UKRI through the Academic Centre of Excellence in Cyber Security Research - University of Warwick under Grant EP/R007195/1, in part by The Alan Turing Institute under Grant EP/N510129/1, and in part by PETRAS, the National Centre of Excellence for IoT Systems Cybersecurity under Grant EP/S035362/1.
- lateral movement
- network flow
- pivot attack