Network Topology Masking in Distributed Information Systems

Roman V. Maximov, Ilya I. Ivanov, Sergei R. Sharifullin
Shtemenko Krasnodar Higher Military School, Krasnodar, Russia
rvmaxim@yandex.ru; 7570745@mail.ru; sharifullinsr@mail.ru

Abstract—In modern computer networks, it is possible for attackers to determine information about the functioning algorithms of distributed information systems. For this purpose, methods of active and passive network intelligence are used. Therefore, it is necessary to ensure the secure functioning of distributed information systems in public networks. In this work, we investigated the full range of threats to which such networks are exposed. Then we developed a masker, efficient software for obfuscating the network topology of distributed information systems. Protecting the topology of distributed information systems from abusive and malicious actions by network topology obfuscation is considered one of the particular tasks in implementing the concept of software-defined networks. In addition, we determined a method for selecting the best-masked topology based on the estimation of efficiency indexes. Our findings suggest a significant increase of the protection level in a masked distributed information system, because the resources that network intelligence needs to suppress nodes increase.

Keywords—cyber-security; security threats; obfuscation; network intelligence; software-defined networks; dynamic topology; network security management; secure interconnection.

I. INTRODUCTION

Software solutions for different hardware platforms appear today to replace hardware solutions that provide network interconnection and management of network infrastructure. This approach reduces the cost of technical solutions and increases the flexibility of distributed network infrastructure. However, the technical complexity of software and the number of services and business processes also increase, which requires the use of best practices and public standards [1, 2]. The transparency and the common architecture of distributed information systems (DIS) contradict the principles of protection and of counteracting the attacker. In addition, the concept of software-defined networks (SDN) is being actively developed, providing a separation of the control plane and the data plane [3-7]. The high level of automation demands an appropriate security level of the information technologies being used.

The core of the DIS architecture is the TCP/IP protocol stack, which provides the integration of communication services and high convergence of all digital communication system components. The basis of the DIS architecture is a set of territorially distributed subnetworks lin

ked over public networks (PN). The modern DIS consists of the following objects [8]:

• End user devices: workstations, software, databases, e-mail.
• Communication equipment: access points, hubs, gateways.
• Data channels: leased lines, virtual private networks.

Security of end user devices is implemented using technical measures (anti-virus protection systems, access control systems) and organizational measures (security policies, group policies). Communication equipment and communication channels are the most vulnerable components of a DIS because they have access both to the PN and to the internal network. The characteristics of the modern DIS are: (1) a distributed structure that interconnects remote subnetworks, (2) high-speed transmission based on Ethernet, (3) several external links over public networks, (4) increasing user demand for services.

The use of communication channels over the PN to provide information interaction leads to potential security threats. The common model of information threats (Fig. 1) can be represented as a set of remote control points connected over the PN (under the administrative control of service providers) and the attacker's equipment. An attacker is able to connect to the PN in the non-controlled area between the protected subnetworks. The integration of the DIS with the PN increases the capabilities of an attacker to discover the functional and logical structure (topology) through monitoring with the use of well-known methods [9-11]. As a result, the probability that destructive actions against the DIS are realized increases. We define the DIS's security threats based on the analysis of the modern DIS characteristics:

• Implementation threats: core elements of a DIS often use an unknown technological base; therefore, they contain embedded undocumented features.
• Exploitation threats: the service providers (SP) define routing and switching based on quality of service. SPs provide virtual private network (VPN) services between remote subnets without processing at transit nodes. However, third-party SPs can be used.
• Additional threats: there is the possibility of destructive actions with the use of a wide arsenal of methods.

Fig. 1. Common model of information threats

The security problems that are successfully solved in small networks cannot be solved in networks of a larger size, because of the high complexity of network design and the wide variety of attacks. We define the characteristics of large networks: (1) complicated topology, (2) low compatibility of network devices, (3) degradation of administrative zones' responsibility, (4) uncertainty of the source data about the topology, (5) remote subnetworks. These characteristics ensure a high vulnerability of large networks to various types of attacks (distributed attacks, in particular). Traditional security methods [12-18] are based on the use of firewalls and network filters, intrusion detection systems and security scanners, i.e. on the discovery of abusive and malicious actions [19-21]. VPN services allow you to build dedicated networks based on a shared network infrastructure and thus implement a proactive security strategy. However, the security level provided by existing VPN protocols is not enough, because they are based on link-layer technologies, which leads to potential security threats [22, 23]: (1) VLAN hopping, (2) MAC spoofing, (3) DHCP spoofing, (4) ARP spoofing.

The widespread use of multiprotocol label switching in VPN implementation expands the pool of potential threats:

• Traffic encryption is not used.
• Inside attacks, including IP and Ethernet threats. It is possible to change the configuration of the routers after unauthorized access to equipment.
• Attacks through the management network: the SP often uses the management network for remote configuration and monitoring of equipment, which means external accessibility between control nodes and access nodes. Therefore, if the control nodes or the network infrastructure of the SP is compromised, an attacker gains access to customer nodes.
• Indirect attacks. Edge routers usually provide services to several organizations. Therefore, attacks on them from the customer's network or from the PN may have an adverse effect on security or availability.
• Denial of service using TTL expiry. Expiration of the TTL of a customer's packets may occur at the core router. In this case, the router discards the packet with the expired TTL and generates an ICMP response message to the packet's source.
• IP option attacks. Packets with IP options are usually handled by a slow CPU and, therefore, can be used to attack transit routers. A stream of packets carrying an alert label can adversely affect the core routers.
• Core router overload. This leads to increased utilization of memory, processor capacity and bandwidth.

In addition, an attacker has wide opportunities to implement security threats bypassing protective mechanisms, because the fact of transmitting information over a compromised channel is transparent. Modern network intelligence tools allow real-time traffic selection by defined characteristics (IP addresses of the sender and receiver, ports, the protocol used, etc.). Therefore, information about the DIS topology is available to an attacker through the topology state attributes (TSA) even if there is no possibility to decode the selected information. In other words, it is possible to discover and build a DIS topology model similar to the real DIS. Using this information, an attacker is able to implement abusive and malicious actions.

II. METHODOLOGY

In this section, we analyze performance indexes and suggest a method for selecting the best-masked topology. Then, we define the main functions of the masker and suggest an address change algorithm. To verify our hypotheses, we deployed the masker in a simulation network model and attacked the protected nodes using Kali Linux tools. The experiment completes the evidence and establishes the validity of the hypothesis.

A. Performance Indexes

Define the parameters of the topology as the coordinates of a multidimensional space. In this case, the real topology is described by the state vector S(H_1, ..., H_N), where H_1, ..., H_N are the parameters characterizing the properties of the DIS topology. The state vector S' describes the masked topology. If H_i and H'_i are the components of the topology state vectors, then the proximity measure between the real and the masked topologies is calculated using the Euclidean distance, since the use of other known proximity measures gives similar results:

    R = \sqrt{\sum_{i=1}^{N} (H_i - H'_i)^2}    (1)

Fig. 2. Variants of changed topology

For each variant of the masked topology, the following
performance indicators exist: (1) the correlation index R_v without regard to the intensity of interconnection, (2) the correlation index R'_v with regard to the intensity of interconnection.

When using the masker, a protected DIS topology is generated; as a result, the attacker will operate with false network nodes. To estimate the effectiveness of malicious attack prevention, we use the accessibility index Q of the protected nodes. If h_i is the importance factor and k_i \in \{0, 1\} is the state factor, then:

    Q(k_1, k_2, ..., k_N) = \sum_{i=1}^{N} h_i k_i    (2)

If n is the cost of one address, N is the number of nodes, m is the cost of the minimal unit of traffic and M is the intensity of interconnection, then the total cost Z for the implementation of variant j of the topology conversion includes the following components:

    Z = n N_j + m M_j    (3)

Therefore, in order to choose the most acceptable topology structure (Fig. 2), it is necessary to solve the multicriteria optimization problem, which allows selecting the most effective variant of the transformation. The results of the estimation are presented in Table I.

TABLE I. CALCULATION RESULTS FOR PERFORMANCE INDEXES

Performance index   Variant 1   Variant 2   Variant 3
R_v                 0,887       0,481       0,618
R'_v                0,736       0,47        0,47
Q                   0,9         0,78        0,5
Z                   7830        7820        1830

B. Masker

We built the software, the masker, to prevent network attacks. The masker runs on a standard Linux host but needs a basic packet manipulation tool from the repository: scapy. Scapy is used to capture, rebuild and send generated network packets. We define the main functions of the system for masking the network topology based on the analysis presented in the previous sections:

• Reducing the influence of staff on the DIS.
• Detection and recognition of abusive and malicious actions on the DIS.
• Reducing the negative impact of the protection system on ordinary DIS functioning.

We developed software (the masker) to implement these functions, which ensures the masking of communication links in a distributed DIS by obfuscating their topology:

• Neutralization of abusive and malicious actions by reducing the availability of edge routers.
• Hiding information about the DIS topology by reducing TSA quality.
• Misinformation about the priority of communication links.

The masker extends the IP address space by changing the source and destination values in the IP header of each packet and synchronizes these changes between the routers involved in the information exchange. The address changing algorithm has several steps:

• Reading the required parameters of the configuration file.
• Setting up IPTABLES rules.
• Synchronization based on sending a sync packet.
• Creating an L3 socket for interaction on the internal interface.
• Creating an L2 socket for interaction on the external interface.
• Starting a thread for intercepting, changing and forwarding IP packets on the internal interface of the masker.
• Starting a thread responsible for intercepting, changing and forwarding IP packets on the external interface of the masker.

Algorithm 1. Address changer
    F ← OpenConfig(FILE);
    ConfigParameter P ← ReadNextConfigParameter(F);
    while (P != NULL)
        SetConfigParameter(P);
        P ← ReadNextConfigParameter(F);
    // Role, InEth and OutEth are the configuration parameters set above
    SetRules(IptablesCommand);
    S ← Socket();
    if Role == "Server"
        SendSynchronizationPacket(S);
        ReceiveConfirmationPacket(S);
    else if Role == "Client"
        ReceiveSynchronizationPacket(S);
        SendConfirmationPacket(S);
    close(S);
    S3 ← L3Socket(InEth);
    S2 ← L2Socket(OutEth);
    OpenThread(InterceptChangeResendFromInEth(S3));
    OpenThread(InterceptChangeResendFromOutEth(S2));
    OpenThread(ChangeIpConfig());

Fig. 3. Comparison diagram of masked topologies (radar chart over the axes R_v, R'_v, Q and Z)
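A worked computation of the indexes from A. Performance Indexes above, added here as an example and not taken from the paper: it evaluates R, Q and Z by eqs. (1) to (3) for three constructed variants and keeps the Pareto-optimal ones, which is one way to set up the multicriteria choice the section calls for. The state vectors, importance factors, costs and the preference directions (larger R, smaller Q and Z) are assumptions, not the data of Table I.

```python
"""Worked computation of the topology indexes R (eq. 1), Q (eq. 2) and Z (eq. 3)
and a Pareto selection among masked-topology variants. Added example, not the
authors' code; every number below is constructed for illustration and is not
one of the measurements behind Table I."""
import math
from typing import Dict, List, Sequence

# Real topology state vector S = (H_1, ..., H_N): constructed values for N = 4
# parameters, e.g. visible hosts, services, links and subnets.
REAL = (12.0, 6.0, 9.0, 3.0)
IMPORTANCE = (0.4, 0.3, 0.2, 0.1)        # h_i of the protected nodes (constructed)
ADDRESS_COST, TRAFFIC_COST = 2.0, 0.5    # n and m of eq. (3) (constructed)
# Masked variants j: state vector H', state factors k_i (1 = node still reachable
# by reconnaissance), number of addresses N_j and interconnection intensity M_j.
VARIANTS = {
    1: {"masked": (20.0, 9.0, 14.0, 5.0), "k": (1, 1, 0, 0), "N": 20, "M": 3000},
    2: {"masked": (14.0, 6.0, 10.0, 3.0), "k": (1, 1, 1, 0), "N": 14, "M": 1200},
    3: {"masked": (13.0, 6.0, 9.0, 3.0), "k": (1, 1, 1, 1), "N": 13, "M": 1500},
}

def euclidean_distance(real: Sequence[float], masked: Sequence[float]) -> float:
    """Eq. (1): R = sqrt(sum_i (H_i - H'_i)^2)."""
    if len(real) != len(masked):
        raise ValueError("state vectors must have the same dimension N")
    return math.sqrt(sum((h - hm) ** 2 for h, hm in zip(real, masked)))

def accessibility_index(importance: Sequence[float], k: Sequence[int]) -> float:
    """Eq. (2): Q = sum_i h_i * k_i with k_i in {0, 1}."""
    if any(ki not in (0, 1) for ki in k):
        raise ValueError("state factors k_i must be 0 or 1")
    return sum(h * ki for h, ki in zip(importance, k))

def total_cost(n: float, num_nodes: int, m: float, intensity: float) -> float:
    """Eq. (3): Z = n * N_j + m * M_j."""
    return n * num_nodes + m * intensity

def evaluate(j: int) -> Dict[str, float]:
    """All three indexes of variant j."""
    v = VARIANTS[j]
    return {"R": euclidean_distance(REAL, v["masked"]),
            "Q": accessibility_index(IMPORTANCE, v["k"]),
            "Z": total_cost(ADDRESS_COST, v["N"], TRAFFIC_COST, v["M"])}

def dominates(a: Dict[str, float], b: Dict[str, float]) -> bool:
    """Assumed preference directions: larger R (masked topology further from the
    real one), smaller Q (fewer protected nodes reachable) and smaller Z (cost)."""
    no_worse = a["R"] >= b["R"] and a["Q"] <= b["Q"] and a["Z"] <= b["Z"]
    return no_worse and (a["R"] > b["R"] or a["Q"] < b["Q"] or a["Z"] < b["Z"])

def pareto_front() -> List[int]:
    """Variants no other variant dominates; the multicriteria choice is among these."""
    scores = {j: evaluate(j) for j in VARIANTS}
    return sorted(j for j in scores
                  if not any(dominates(scores[o], scores[j]) for o in scores if o != j))
```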
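The address-changing step described in B. Masker and Algorithm 1, shown as an added example on raw IPv4 headers rather than the authors' scapy-based masker: one masker rewrites the source and destination to aliases from a shared table, extending the address space an observer on the PN sees, and the peer masker restores them. The mapping table, the counter-based alias selection and the sample packet are constructed assumptions.

```python
"""Address-changing step of the masker on raw IPv4 headers: each real address
maps to several masked addresses (extended address space on the PN) and the
peer masker restores the real ones. Added example, not the authors' scapy-based
masker; table, alias-selection policy and sample packet are constructed."""
import ipaddress
import struct

# Constructed synchronisation table; the sync packet exchange of Algorithm 1 is
# assumed to have already distributed it to both maskers.
MASK_TABLE = {
    "10.1.0.5": ["203.0.113.17", "203.0.113.42", "203.0.113.77"],
    "10.2.0.9": ["198.51.100.8", "198.51.100.23"],
}
UNMASK_TABLE = {a: real for real, aliases in MASK_TABLE.items() for a in aliases}

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; yields 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def addresses(packet: bytes) -> tuple:
    """(source, destination) of an IPv4 packet as dotted strings."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))

def rewrite_addresses(packet: bytes, src: str, dst: str) -> bytes:
    """Replace source/destination in the IPv4 header and refresh its checksum.
    Only the IP header is touched: a real masker must also fix the TCP/UDP
    checksum, whose pseudo-header covers the addresses (scapy does this when
    it rebuilds a packet)."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[12:16] = ipaddress.IPv4Address(src).packed
    header[16:20] = ipaddress.IPv4Address(dst).packed
    header[10:12] = b"\x00\x00"
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]

def mask(packet: bytes, counter: int) -> bytes:
    """Outbound masker: choose aliases by a per-flow counter (constructed policy),
    so successive packets of one flow carry different addresses on the PN."""
    src, dst = addresses(packet)
    s_al, d_al = MASK_TABLE[src], MASK_TABLE[dst]
    return rewrite_addresses(packet, s_al[counter % len(s_al)], d_al[counter % len(d_al)])

def unmask(packet: bytes) -> bytes:
    """Peer masker: map aliases back; addresses not in the table pass unchanged."""
    src, dst = addresses(packet)
    return rewrite_addresses(packet, UNMASK_TABLE.get(src, src), UNMASK_TABLE.get(dst, dst))

def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL 5, TTL 64, UDP) over a payload; constructed input."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                0x4000, 64, 17, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```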
The results can be effectively represented in the form of a vector diagram comparing the masked topologies (Fig. 3).

III. CONCLUSION

The results of the work allow us to conclude that there is a significant increase of the protection level in a distributed DIS, including an increase in the investigation resources an attacker needs to implement abusive and malicious actions. For this, we used false network objects in the network structure, which form a masked topology. The structure of the masked topology deforms the information received by the attacker's network intelligence: (1) numbers of hosts, (2) software versions, (3) services, (4) interface identifiers. The masking process does not affect the interconnection between end-user nodes: it does not break established TCP sessions and does not prevent the establishment of new ones.

The masker exhibits an obfuscated network topology so that the structure of the protected DIS is reconstructed incorrectly. This requires redundancy in the structure to reduce the informativeness of the real interconnections, since the structurally stationary topology of a DIS is especially valuable for the attacker's network intelligence.

REFERENCES

[1] Barabanov A., Markov A., Fadin A., Tsirlov V., Shakhalov I. Synthesis of Secure Software Development Controls. In Proceedings of the 8th International Conference on Security of Information and Networks (Sochi, Russian Federation, September 08-10, 2015), SIN '15. ACM, New York, NY, USA, 2015, pp. 93-97. DOI: 10.1145/2799979.2799998.
[2] Opara E. U., Soluade O. A. Straddling the next cyber frontier: The empirical analysis on network security, exploits, and vulnerabilities. In International Journal of Electronics and Information Engineering, vol. 3, no. 1, pp. 10–18, 2015. DOI: 10.6636/IJEIE.201509.2(3).02.
[3] Cha, J. H., Han, Y. H., & Min, S. G. Named data networking over a Software-Defined Network using fixed-size content names. In IEICE Transactions on Communications, vol. E99B, no. 7, 01.07.2016, pp. 1455-1463. DOI: 10.1587/transcom.2015EBP3464.
[4] You, L., Wei, L., Junzhou, L., Jian, J., Nu, X. An inter-domain multi-path flow transfer mechanism based on SDN and multi-domain collaboration. In Proceedings of the 14th IFIP/IEEE International Symposium on Integrated Network Management (IM '15), 2017, pp. 758–761. DOI: 10.1109/INM.2015.7140369.
[5] P. Lin, J. Bi, and H. Hu. BTSDN: BGP-based transition for the existing networks to SDN. In Proceedings of the 6th International Conference on Ubiquitous and Future Networks (ICUFN '14), 2014, pp. 419–424. DOI: 10.1109/ICUFN.2014.6876826.
[6] D. Kreutz, F. M. V. Ramos, and P. Verissimo. Towards secure and dependable software-defined networks. In Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), 2013, pp. 55–60. DOI: 10.1145/2491185.2491199.
[7] A. Y. Ding, J. Crowcroft, S. Tarkoma, and H. Flinck. Software defined networking for security enhancement in wireless mobile networks. In Computer Networks, 2014, pp. 94–101. DOI: 10.1016/j.comnet.2014.03.009.
[8] C. Fung, Y. L. Chen, X. Wang, J. Lee, R. Tarquini, and M. Anderson. Survivability analysis of distributed systems using attack tree methodology. In IEEE Military Communications Conference (MILCOM'05), pp. 583–589, 2005. DOI: 10.1109/MILCOM.2005.1605745.
[9] Behal, S., & Kumar, K. Characterization and Comparison of DDoS Attack Tools and Traffic Generators: A Review. In International Journal of Network Security, vol. 19, no. 3, pp. 383-393, 2017. DOI: 10.6633/IJNS.201703.19(3).07.
[10] Hashemi, S. M., He, J. An Evolutionary Multi-objective Approach for Modelling Network Security. In International Journal of Network Security, vol. 19, no. 4, pp. 528-536, 2017. DOI: 10.6633/IJNS.201707.19(4).05.
[11] A. Behnia, R. A. Rashid, and J. A. Chaudhry. A survey of information security risk analysis methods. In Smart Computing Review, vol. 2, no. 1, pp. 79–94, Feb. 2012. DOI: 10.6029/smartcr.2012.01.007.
[12] F. Amiri, M. M. R. Yousefi, C. Lucas, A. Shakery, and N. Yazdani. Feature selection for intrusion detection system using ant colony optimization. In International Journal of Network Security, vol. 18, no. 3, pp. 420–432, 2016. DOI: 10.1016/j.jnca.2011.01.002.
[13] Nezarat, A. Distributed Intrusion Detection System Based on Mixed Cooperative and Non-Cooperative Game Theoretical Model. In International Journal of Network Security, vol. 20, no. 1, pp. 56-64, Jan. 2018. DOI: 10.6633/IJNS.201801.20(1).07.
[14] D. Singh, D. Patel, B. Borisaniya, and C. Modi. Collaborative IDS framework for cloud. In International Journal of Network Security, vol. 18, no. 4, pp. 699–709, 2016. DOI: 10.1007/978-94-007-2911-7_8.
[15] A. Tayal, N. Mishra and S. Sharma. Active monitoring & postmortem forensic analysis of network threats: A survey. In International Journal of Electronics and Information Engineering, vol. 6, no. 1, pp. 49–59, 2017. DOI: 10.6636/IJEIE.201703.6(1).05.
[16] E. Popoola, A. O. Adewumi. Efficient feature selection technique for network intrusion detection system using discrete differential evolution and decision. In International Journal of Network Security, vol. 19, no. 5, pp. 660–669, 2017. DOI: 10.1145/2448556.2448566.
[17] A. Aziz, A. T. Azar, M. A. Salama, A. E. Hassanien, S. Hanafy. Genetic algorithm with different feature selection techniques for anomaly detectors generation. In Proceedings of The Federated Conference on Computer Science and Information Systems (FedCSIS'13), pp. 769–774, Krakow, Poland, Sept. 2013.
[18] S. Elsayed, R. Sarker, J. Slay. Evaluating the performance of a differential evolution algorithm in anomaly detection. In Proceedings of The Congress on Evolutionary Computation (CEC'15), pp. 2490–2497, Sendai, Japan, May 2015. DOI: 10.1109/CEC.2015.7257194.
[19] V. Jaganathan, P. Cherurveettil, P. M. Sivashanmugam. Using a Prediction Model to Manage Cyber Security Threats. In Scientific World Journal, vol. 2015. DOI: 10.1155/2015/703713.
[20] E. T. Axelrad, P. J. Sticha, O. Brdiczka, and J. Shen. A Bayesian network model for predicting insider threats. In Proceedings of the 2nd IEEE Security and Privacy Workshops (SPW '13), pp. 82–89, May 2013. DOI: 10.1109/SPW.2013.35.
[21] J. Wu, L. Yin, and Y. Guo. Cyber attacks prediction model based on Bayesian network. In Proceedings of the 18th IEEE International Conference on Parallel and Distributed Systems (ICPADS '12), pp. 730–731, Singapore, December 2012. DOI: 10.1109/ICPADS.2012.117.
[22] Sheyner, J. Haines, S. Jha, R. Lippmann, J. M. Wing. Automated generation and analysis of attack graphs. In Proceedings of the IEEE Symposium on Security and Privacy, pp. 273–284, May 2002. DOI: 10.1109/SECPRI.2002.1004377.
[23] L. Wang, A. Singhal, S. Jajodia. Toward measuring network security using attack graphs. In Proceedings of the ACM Workshop on Quality of Protection, pp. 49–54, October 2007. DOI: 10.1145/1314257.1314273.