In a multi-tier network topology, it is a dilemma for security administrators to identify attack flows where multiple connections are involved. Typical responses to attacks, which can include dropping packets or resetting connections, cannot aid the administrators in tracing the attacks back to the source of penetration, but instead can only stop the attack at its final stages. Security information and event management (SIEM) products may help to correlate connections based on their timestamps, but this requires the administrator to log all traffic inside the environment and then filter large amounts of background traffic to find the relationship between connections, a resource-consuming process that is ultimately not sustainable.
FIG. 1 illustrates the classic inability to identify the whole situation of an east-west attack. As shown, a hacker can send a malicious payload containing SQL injection to a web site over the TLS protocol. Since the traffic is encrypted, the attack cannot be detected and blocked until the application server (APP Server) attempts to query the database server (DB Server). Prior art security systems would raise an event and erroneously identify the attack as having been generated by an internal application server against a database server. The system administrator would therefore not know where the attack originates, and would not be able to trace it back to the source of the penetration.
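The timestamp-based correlation that the two paragraphs above describe, worked through as an added Python example that is not part of the original document. The three-tier flow records, the IP addresses, the alert on the APP Server to DB Server connection, and the one-second and 100 ms correlation windows are all constructed for the illustration; the walk-back logic is the naive "which earlier connection ended at this source?" matching a SIEM rule would perform.

```python
"""Naive timestamp correlation of a DB-tier alert back through the
application and web tiers of FIG. 1.  All flow records below are
constructed sample data, not taken from the original document."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    ts: datetime   # time the connection was opened
    src: str       # source IP address
    dst: str       # destination IP address
    dport: int     # destination port


T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed base time

# External clients -> web server 10.0.1.10:443.  Payload is TLS-encrypted,
# so nothing at this tier distinguishes the injection from normal traffic.
WEB_FLOWS = [
    Flow(T0 + timedelta(seconds=0.10), "203.0.113.5", "10.0.1.10", 443),
    Flow(T0 + timedelta(seconds=0.15), "198.51.100.7", "10.0.1.10", 443),
    Flow(T0 + timedelta(seconds=0.20), "192.0.2.9", "10.0.1.10", 443),
]
# Web server -> application server 10.0.2.20:8080 (a new connection per request,
# so nothing in the L3/L4 headers links it to the client connection).
APP_FLOWS = [
    Flow(T0 + timedelta(seconds=0.30), "10.0.1.10", "10.0.2.20", 8080),
    Flow(T0 + timedelta(seconds=0.35), "10.0.1.10", "10.0.2.20", 8080),
    Flow(T0 + timedelta(seconds=0.40), "10.0.1.10", "10.0.2.20", 8080),
]
# Application server -> database server 10.0.3.30:3306.  A DB-side sensor
# raises the alert on the second of these, the one that carried the injection.
DB_FLOWS = [
    Flow(T0 + timedelta(seconds=0.50), "10.0.2.20", "10.0.3.30", 3306),
    Flow(T0 + timedelta(seconds=0.55), "10.0.2.20", "10.0.3.30", 3306),
    Flow(T0 + timedelta(seconds=0.60), "10.0.2.20", "10.0.3.30", 3306),
]
ALERT = DB_FLOWS[1]


def upstream_candidates(flow: Flow, earlier: List[Flow], window: timedelta) -> List[Flow]:
    """Flows in the previous tier that terminated at flow.src and were opened
    no more than `window` before `flow` itself was opened."""
    return [f for f in earlier
            if f.dst == flow.src and flow.ts - window <= f.ts <= flow.ts]


def trace_back(alert: Flow, tiers: List[List[Flow]], window: timedelta) -> Set[str]:
    """Walk the alert backward through each earlier tier (innermost tier last
    in `tiers`) and return every source IP that time proximity alone cannot
    rule out as the origin."""
    frontier = [alert]
    for tier in reversed(tiers):
        frontier = [u for f in frontier for u in upstream_candidates(f, tier, window)]
    return {f.src for f in frontier}


def run_scenarios() -> Dict[str, Set[str]]:
    """Three constructed situations: a busy site, a quiet site, and a busy
    site with a window narrow enough to miss the real upstream hops."""
    wide = timedelta(seconds=1)
    return {
        "busy_1s": trace_back(ALERT, [WEB_FLOWS, APP_FLOWS], wide),
        "quiet_1s": trace_back(ALERT, [WEB_FLOWS[:1], APP_FLOWS[:1]], wide),
        "busy_100ms": trace_back(ALERT, [WEB_FLOWS, APP_FLOWS], timedelta(milliseconds=100)),
    }


if __name__ == "__main__":
    for name, ips in run_scenarios().items():
        print(f"{name}: {sorted(ips) or 'no candidate'}")
```

With a single client the walk-back resolves to exactly one external address, but as soon as a few background requests share the same second every one of them becomes a candidate, and narrowing the window to suppress them drops the real upstream connections instead. The filtering burden the text describes is this ambiguity multiplied across every hop and every request in the environment.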
Existing solutions either add a special signature to an L3/L4 header or depend entirely on the application framework. These methods are not practical in the real world, because any node on the path may establish a new connection to the next entity, and the header-level marking does not survive that new connection. Given the sophistication of cyber-attacks, propagation of indicators of attack (IOA) must be independent of the application layer; otherwise the information will likely be stripped in the middle and identification of the source will be impossible.