Automated Response - PowerPoint PPT Presentation

Slides: 9
Provided by: dk154
Transcript and Presenter's Notes

Title: Automated Response


1
Automated Response
  • Centralized, knowledge-based system
      • Network topology
      • Production system encoding of expert strategies
  • Distributed, local decisions
      • Information limited to
          • Log of passing traffic
          • Communication from neighboring boundary controllers

2
Distributed Automated Response
  • Logs
      • Log of all packet header info for past t seconds
  • Messages: all messages carry the header signature of the associated attack
      • Blocked - controller has seen an attack, believes it is the closest
        controller to the attacker, and has blocked traffic from attacker to target
      • Not_blocked - controller has decided to take no action, but passes on
        notification of the attack
      • Not_closest - controller has become aware that it is not the closest
        controller, and has removed its block
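
An added sketch (not from the original slides) of the Blocked / Not_closest exchange on a constructed four-controller topology, showing the block moving to the controller nearest the attacker. The transition rules are an assumed reading of the message definitions above and of the deck's state-diagram labels; Not_blocked forwarding is left out, and the names `Controller`, `isolate`, `LINKS` and the 30-second window are hypothetical.

```python
from collections import deque

class Controller:
    def __init__(self, name, window):
        self.name, self.window = name, window
        self.log = []         # (time, signature, came_from, sent_to) header records
        self.blocked = set()  # attack signatures currently blocked here

    def record(self, now, sig, came_from, sent_to):
        # Keep header info only for the past `window` seconds.
        self.log = [e for e in self.log if now - e[0] <= self.window]
        self.log.append((now, sig, came_from, sent_to))

    def sides(self, now, sig):
        # (attacker-side, target-side) neighbour if sig is still in the log.
        for t, s, src, dst in reversed(self.log):
            if s == sig and now - t <= self.window:
                return src, dst
        return None

    def receive(self, now, kind, sig, sender):
        """Apply one message; return the message kind to send on, or None."""
        seen = self.sides(now, sig)
        if seen is None or kind != "blocked":
            return None                    # not seen, or not a blocked message
        attacker_side, target_side = seen
        if sender == target_side and sig not in self.blocked:
            self.blocked.add(sig)          # we are nearer the attacker: block
            return "blocked"
        if sender == attacker_side and sig in self.blocked:
            self.blocked.discard(sig)      # a nearer controller has blocked
            return "not_closest"
        return None

def isolate(links, path, detector, sig="sig-1", window=30, now=100):
    """Run the exchange; return (controllers still blocking, message trace)."""
    ctrls = {n: Controller(n, window) for n in links}
    hops = ["attacker"] + path + ["target"]
    for i, n in enumerate(path, 1):        # every controller on the path logged it
        ctrls[n].record(now, sig, hops[i - 1], hops[i + 1])
    ctrls[detector].blocked.add(sig)       # detector blocks first
    queue = deque((nb, "blocked", detector) for nb in links[detector])
    trace = []
    while queue:
        dest, kind, sender = queue.popleft()
        trace.append((sender, kind, dest))
        reply = ctrls[dest].receive(now, kind, sig, sender)
        if reply:
            queue.extend((nb, reply, dest) for nb in links[dest])
    return sorted(n for n, c in ctrls.items() if sig in c.blocked), trace

# Constructed topology: attacker - c4 - c2 - c1 - target, with c3 off the path.
LINKS = {"c1": ["c2", "c3"], "c2": ["c1", "c4"], "c3": ["c1"], "c4": ["c2"]}
if __name__ == "__main__":
    print(isolate(LINKS, ["c4", "c2", "c1"], detector="c1"))
```

Whichever controller on the path detects the attack first, the run ends with only `c4` holding a block; `c3`, which never logged the traffic, takes no action.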

3
[Figure: two network diagrams, each with nodes labelled 1-7 and A-F]
4
[Figure: the two network diagrams (nodes 1-7 and A-F), each with a Target and an Attacker marked]
5
Goal: Isolate the Attacker
[Figure: the two network diagrams (nodes 1-7 and A-F) with Target and Attacker marked and "X" marks on the diagram]
6
State Diagrams: Isolating an attacker
[Figure: two state diagrams; the arrows are not recoverable, the labels are listed in the order they appear]
  • Boundary Controller has not seen traffic
      • blocked
      • Not_closest
      • x
      • not_blocked
      • not_blocked
      • not_blocked (attacker's interface)
      • not_blocked (target's interface)
      • blocked (target's interface) <send blocked msg to neighbors>
      • not_closest
  • Boundary Controller has seen traffic
      • x
      • Blocked (attacker's interface) <send not_closest msg to neighbors>
      • Blocked (attacker's interface)
7
[Figure: network diagram with nodes 1-7 and A-F and the Target marked; labels "ID" and "nb" appear on the diagram]
8
[Figure: network diagram with nodes 1-7 and A-F and the Target marked; labels "ID" and "b" appear on the diagram]