Mitigation of Multi-vector Network Attacks via Orchestration of Distributed Rule Placement.

In this paper we propose a framework for mitigating detected multi-vector anomalies in typical enterprise networks via the distribution of Access Control Rules. Our distributed, non-proprietary approach takes advantage of the capabilities offered by all devices along an attack path enhancing their mitigation potential. These devices are organized into distinct defense stages and network operators express their defense preferences for specific attack types. Our mechanism automatically assigns generic mitigation rules to each stage. Subsequently, device-specific access control rules are generated and seamlessly distributed to the corresponding defense stages of the network substrate via commonly used protocols. The proposed mitigation schema models the rule assignment to defense stages as a Generalized Assignment Problem. Items, i.e. generic mitigation rules, are assigned to bins, i.e. defense stages, based on capacity constraints and reward values guided by operator policies. Our approach considers reducing the GAP input size to enable reasonable execution of the resulting integer programming formulation. This is accomplished by aggregating malicious IP sources into prefixes and organizing rules into groups. The proposed mechanism is validated in a proof of concept prototype, used to mitigate realistic multi-vector attack scenarios.