Combating Adversarial Network Topology Inference by Proactive Topology Obfuscation

The topology of a network is fundamental for building network infrastructure functionalities. In many scenarios, enterprise networks may have no desire to disclose their topology information. In this paper, we aim at preventing attacks that use adversarial, active end-to-end topology inference to obtain the topology information of a target network. To this end, we propose a Proactive Topology Obfuscation (ProTO) system that adopts a detect-then-obfuscate framework: (i) a lightweight, machine-learning-based probing behavior identification mechanism detects any probing behavior, and then (ii) a topology obfuscation design proactively delays all identified probe packets so that the attacker, from the measurements of these delayed probe packets, infers a structurally accurate yet fake network topology, thereby deceiving the attacker and reducing its appetite for future inference. We evaluate ProTO under different evaluation scenarios. Experimental results show that ProTO is able to (i) achieve a detection rate of 99.9% with a false-alarm rate of 3%, (ii) effectively disrupt adversarial topology inference, so that the topology inferred by the attacker is close to the fake topology, and (iii) result in an overall network delay performance degradation of 1.3%-2.0%.
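As an added illustration of the detect-then-obfuscate idea (example code written here, not ProTO's own implementation or evaluation code), the following simplified model treats the attacker as running textbook bottom-up tomography on end-to-end shared-path delays and shows how delaying identified probes makes that inference return a decoy tree. The topologies, link delays, the attacker's merging rule and the per-pair padding function are all assumptions constructed for this example.

```python
# Added illustration (not ProTO's code): delay identified probes so that the
# attacker's end-to-end shared-path delay tomography reconstructs a decoy tree.
from itertools import takewhile

def shared_path_delay(parent, link_ms, a, b):
    """Delay on the root-side path segment shared by leaves a and b."""
    def root_path(x):                       # links from the root down to x
        path = []
        while x in parent:
            path.append(x)
            x = parent[x]
        return path[::-1]
    common = takewhile(lambda uv: uv[0] == uv[1], zip(root_path(a), root_path(b)))
    return float(sum(link_ms[u] for u, _ in common))

def measure(parent, link_ms, leaves, pad=None):
    """Attacker's view: shared delay per leaf pair plus any obfuscation delay."""
    shared = {}
    for i, a in enumerate(leaves):
        for b in leaves[i + 1:]:
            key = frozenset((a, b))
            shared[key] = shared_path_delay(parent, link_ms, a, b) + (pad or {}).get(key, 0.0)
    return shared

def infer_tree(leaves, shared):
    """Bottom-up tomography: merge the pair with the largest shared delay; canonical tuple."""
    nodes, members = list(leaves), {leaf: [leaf] for leaf in leaves}
    while len(nodes) > 1:
        pairs = [(x, y) for i, x in enumerate(nodes) for y in nodes[i + 1:]]
        x, y = max(pairs, key=lambda p: min(shared[frozenset((a, b))]
                                            for a in members[p[0]] for b in members[p[1]]))
        merged = tuple(sorted((x, y), key=str))
        members[merged] = members[x] + members[y]
        nodes = [n for n in nodes if n not in (x, y)] + [merged]
    return nodes[0]

def proto_padding(real, decoy):
    """Delay to add per identified probe pair; only additive, so decoy >= real is required."""
    pad = {k: decoy[k] - real[k] for k in real}
    if min(pad.values()) < 0:
        raise ValueError("decoy infeasible: a pair would need negative delay")
    return pad

# Constructed topologies: real tree groups {A,B},{C,D}; decoy groups {A,C},{B,D}.
REAL_PARENT = {'I1': 'R', 'I2': 'R', 'A': 'I1', 'B': 'I1', 'C': 'I2', 'D': 'I2'}
REAL_MS = {'I1': 10, 'I2': 10, 'A': 5, 'B': 5, 'C': 5, 'D': 5}
DECOY_PARENT = {'K': 'R', 'J1': 'K', 'J2': 'K', 'A': 'J1', 'C': 'J1', 'B': 'J2', 'D': 'J2'}
DECOY_MS = {'K': 15, 'J1': 10, 'J2': 10, 'A': 5, 'B': 5, 'C': 5, 'D': 5}  # K keeps pads >= 0
LEAVES = ['A', 'B', 'C', 'D']
```

The decoy's extra root-side link K is what keeps every padding value non-negative: since the obfuscator can only add delay, a decoy whose shared-path delays fall below the real ones for any pair cannot be presented this way, which is the feasibility check `proto_padding` enforces.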
