PivotWall: SDN-Based Information Flow Control

Advanced Persistent Threats (APTs) commonly use stepping stone attacks that allow the adversary to move laterally undetected within an enterprise network towards a target. Existing network security techniques provide limited protection against such attacks, because they lack intra-network mediation and the context of information semantics. We propose PivotWall, a network security defense that extends information flow tracking on each host into network-level defenses. PivotWall uses a novel combination of information-flow tracking and Software Defined Networking (SDN) to detect a wide range of attacks used by advanced adversaries, including those that abuse both application- and network-layer protocols. It further enables a variety of attack responses including traffic steering, as well as advanced mechanisms for forensic analysis. We show that PivotWall incurs minimal impact on network throughput and latency for untainted traffic and less than 58% overhead for tainted traffic. As such, we demonstrate the utility of information flow tracking as a defense against advanced network-level attacks.