Detecting Multi-Step Attacks: A Modular Approach for Programmable Data Plane

NOMS 2022 - 2022 IEEE/IFIP Network Operations and Management Symposium (2022)

Abstract
The increasing sophistication of attacks over the last years, such as the proliferation of complex multi-step attacks, calls for new monitoring models and methods for diagnosing the attacks' severity and mitigating them in a timely manner. In this paper, we propose an in-network monitoring approach capable of detecting a set of composed behaviors and consequently triggering different levels of alerts and reactions. Our approach is based on a Petri net model capable of aggregating individual attacks into a multi-step composition. To this end, we propose a method for deriving a Match-Action Table (MAT) abstraction from a Petri net model. MATs can then be deployed on a P4 programmable data plane, enabling flexible re-composition of attack detection steps at runtime. We demonstrate the feasibility of our proposal by modeling the detection of a multi-step DNS cache poisoning attack and implementing the model on a P4 programmable data plane.
Keywords
P4, Programmable data plane, Security, SDN, Monitoring, EFSM, Petri Nets, DNS