对抗多模式网络层析成像的拓扑混淆机制

doi:10.19678/j.issn.1000-3428.0066278

摘要/Abstract

摘要：

网络层析成像技术能通过测量目标网络的端到端性能测度来推断其拓扑结构，进而为攻击者开展更加精准的网络攻击行为提供支持。尽管网络拓扑混淆技术为对抗这类侦察行为提供了一种解决思路，但现有的网络拓扑混淆技术在探测模式识别准确度、对抗行为有效性等方面仍存在不足。为此，提出一种对抗多模式网络层析成像的拓扑混淆机制M2NTO。针对网络层析成像模式多样化的特点，M2NTO基于增量更新的动态决策树分类算法，构建一种能够在线对抗多样化探测行为的端到端性能参数扰动方法，以应对不同模式的层析成像拓扑探测手段。在多种典型真实网络拓扑上的仿真实验表明，M2NTO在多个场景中都能够以在线的方式准确识别不同模式的探测行为，探测流识别准确率在多个场景下都达到了98%以上，误报率维持在2%之内，探测流分类准确率达到95%以上，在此基础上，通过扰动相应的性能测度干扰攻击者的推断结果，使攻击者推断的网络拓扑与真实网络拓扑的相似度下降到60%以下，有效增强混淆拓扑生成的效能。

关键词: 拓扑混淆, 拓扑推断, 网络层析成像, 流量识别, 动态决策树

Abstract:

By performing an end-to-end performance measurement of a target network, the network tomography method can infer its internal topology accurately, which can support attackers in carrying out more effective attacks.Although network topology obfuscation techniques provide a solution to counter such reconnaissance behaviors, they still have shortcomings in the recognition accuracy of the probe pattern as well as the effectiveness of the countermeasures.Therefore, this study proposes a topology obfuscation mechanism for Multi-mode Network Tomography(M2NTO). Based on the characteristics of diverse network tomography modes, M2NTO constructs an end-to-end performance metric dynamic perturbation-based online dynamic decision tree recognition and classification model of probe behaviors to cope with diverse network tomography methods. Simulation results based on several typical real network topologies demonstrate that M2NTO can accurately identify the patterns of different probe behaviors online in multiple scenarios.The detection flow identification accuracy was more than 98% in multiple scenarios, the false positive rate was maintained within 2%, and the detection flow classification accuracy was more than 95%. On this basis, M2NTO interferes with the attacker's inference results by perturbing the corresponding performance metrics.Thus, the similarity between the inferred network topology and the real network topology is reduced to less than 60%, which effectively enhances the obfuscated topology generation efficiency.

Key words: topology obfuscation, topology inference, network tomography, traffic identification, dynamic decision tree

林洪秀, 邢长友, 詹熙. 对抗多模式网络层析成像的拓扑混淆机制[J]. 计算机工程, 2023, 49(12): 282-293, 303.

Hongxiu LIN, Changyou XING, Xi ZHAN. Topology Obfuscation Mechanism Against Multi-mode Network Tomography[J]. Computer Engineering, 2023, 49(12): 282-293, 303.

http://www.ecice06.com/CN/Y2023/V49/I12/282

图/表 16

图1 基于网络层析成像的拓扑推断方法

Fig.1 Topology inference method based on network tomography

图2 基于网络层析成像的拓扑探测方法

Fig.2 Topology probe method based on network tomography

图3 对抗网络层析成像的拓扑混淆模型

Fig.3 Topology obfuscation model against network tomography

图4 端到端性能计算

Fig.4 End-to-end performance calculation

图5 原型系统架构

Fig.5 Prototype system architecture

图6 系统实现

Fig.6 System implementation

图7 流量检测性能

Fig.7 Traffic detection performance

图8 参数

$ \mathit{\alpha } $

和

$ \mathit{\beta } $

对检测性能的影响

Fig.8 Influence of parameters

$ \mathit{\alpha } $

and

$ \mathit{\beta } $

on detection performance

图9 探测流分类准确率与k值的关系

Fig.9 Relation between classification accuracy of probe flow and the value of k

图10 拓扑混淆性能对比

Fig.10 Topology obfuscation performance comparison

图11 探测流检测与模型更新效率

Fig.11 Efficiency of probe flow detection and model update

参考文献 24

1	ANTONATOS S, AKRITIDIS P, MARKATOS E P, et al. Defending against hitlist worms using network address space randomization. Computer Networks, 2007, 51 (12): 3471- 3490. doi: 10.1016/j.comnet.2007.02.006
2	KANG M S, LEE S B, GLIGOR V D. The crossfire attack[C]//Proceedings of IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2013: 127-141.
3	LIU Y Q, ZHAO J L, ZHANG G M, et al. NetObfu: a lightweight and efficient network topology obfuscation defense scheme. Computers & Security, 2021, 110, 102447.
4	HOU T, QU Z, WANG T, et al. ProTO: proactive topology obfuscation against adversarial network topology inference[C]//Proceedings of IEEE Conference on Computer Communications. Washington D. C., USA: IEEE Press, 2020: 1598-1607.
5	LIU Y Q, XING C Y, ZHANG G M, et al. AntiTomo: network topology obfuscation against adversarial tomography-based topology inference. Computers & Security, 2022, 113, 102570.
6	LI H K, GAO Y, DONG W, et al. Bound-based network tomography for inferring interesting link metrics[C]//Proceedings of IEEE Conference on Computer Communications. Washington D. C., USA: IEEE Press, 2020: 1588-1597.
7	林洪秀, 邢长友, 刘亚群, 等. AntiMNT: 一种对抗多源网络层析成像的拓扑混淆机制. 计算机应用研究, 2023, 40 (1): 257- 262. URL
	LIN H X, XING C Y, LIU Y Q, et al. AntiMNT: a topological confusion mechanism against multi-source network tomography. Application Research of Computers, 2023, 40 (1): 257- 262. URL
8	FEAMSTER N, REXFORD J, ZEGURA E. The road to SDN. ACM SIGCOMM Computer Communication Review, 2014, 44 (2): 87- 98. doi: 10.1145/2602204.2602219
9	COATES M, CASTRO R, NOWAK R, et al. Maximum likelihood network topology identification from edge-based unicast measurements. ACM SIGMETRICS Performance Evaluation Review, 2002, 30 (1): 11- 20. doi: 10.1145/511399.511337
10	SHIH M F, HERO A O. Hierarchical inference of unicast network topologies based on end-to-end measurements. IEEE Transactions on Signal Processing, 2007, 55 (5): 1708- 1718. doi: 10.1109/TSP.2006.890830
11	NI J, XIE H Y, TATIKONDA S, et al. Efficient and dynamic routing topology inference from end-to-end measurements. IEEE/ACM Transactions on Networking, 2010, 18 (1): 123- 135. doi: 10.1109/TNET.2009.2022538
12	赵洪华, 陈鸣. 基于网络层析成像技术的拓扑推断. 软件学报, 2010, 21 (1): 133- 146. URL
	ZHAO H H, CHEN M. Topology inference based on network tomography. Journal of Software, 2010, 21 (1): 133- 146. URL
13	SHIH M F, HERO A O. Topology discovery on unicast networks: a hierarchical approach based on end-to-end measurements: TR-357[R]. Ann Arbor, USA: University of Michigan, 2005.
14	MOORE A, ZUEV D, CROGAN M. Discriminators for use in flow-based classification[D]. London, UK: University of London, 2013.
15	QAZI Z A, LEE J, JIN T, et al. Application-awareness in SDN[C]//Proceedings of ACM SIGCOMM 2013. New York, USA: ACM Press, 2013: 487-488.
16	HUANG N F, JAI G Y, CHAO H C, et al. Application traffic classification at the early stage by characterizing application rounds. Information Sciences, 2013, 232, 130- 142. doi: 10.1016/j.ins.2012.12.039
17	CHARBUTY B, ABDULAZEEZ A. Classification based on decision tree algorithm for machine learning. Journal of Applied Science and Technology Trends, 2021, 2 (1): 20- 28. doi: 10.38094/jastt20165
18	COPPOCK H W, FREUND J E. All-or-none versus incremental learning of errorless shock escapes by the rat. Science, 1962, 135 (3500): 318- 319. doi: 10.1126/science.135.3500.318
19	刘强, 张颖, 周卫祥, 等. 自适应类增量学习的物联网入侵检测系统. 计算机工程, 2023, 49 (2): 169- 174. URL
	LIU Q, ZHANG Y, ZHOU W X, et al. Adaptive incremental learning intrusion detection system for Internet of Things. Computer Engineering, 2023, 49 (2): 169- 174. URL
20	Welcome to RYU the Network Operating System(NOS)[EB/OL]. [2022-06-22]. https://ryu.readthedocs.io/en/latest/index.html.
21	Mininet[EB/OL]. [2022-06-22]. http://mininet.org/.
22	KNIGHT S, NGUYEN H X, FALKNER N, et al. The Internet topology zoo. IEEE Journal on Selected Areas in Communications, 2011, 29 (9): 1765- 1775. doi: 10.1109/JSAC.2011.111002
23	Scapy[EB/OL]. [2022-06-22]. https://scapy.net/.
24	BRINGMANN K, GAWRYCHOWSKI P, MOZES S, et al. Tree edit distance cannot be computed in strongly subcubic time (unless APSP can). ACM Transactions on Algorithms, 2017, 16 (4): 1- 10.

[1]	邓昕, 刘朝晖, 欧阳燕, 陈建华. 基于CNN CBAM-BiGRU Attention的加密恶意流量识别[J]. 计算机工程, 2023, 49(11): 178-186.
[2]	蒋彤彤, 尹魏昕, 蔡冰, 张琨. 基于层次时空特征与多头注意力的恶意加密流量识别[J]. 计算机工程, 2021, 47(7): 101-108.
[3]	梁晓萌, 严明, 吴杰. 基于人工蜂群算法的Tor流量在线识别方法[J]. 计算机工程, 2021, 47(11): 129-135,143.
[4]	王攀,陈雪娇. 基于堆栈式自动编码器的加密流量识别方法[J]. 计算机工程, 2018, 44(11): 140-147,153.
[5]	马林进,万良,马绍菊,杨婷. 基于词袋模型聚类的异常流量识别方法[J]. 计算机工程, 2017, 43(5): 204-209.
[6]	邢玲, 郑维玮, 马卫东. 基于节点连接度的P2P流量快速识别方法[J]. 计算机工程, 2012, 38(21): 119-122.
[7]	赵金龙, 高仲合, 贾圣文. 基于端到端单播测量的网络拓扑识别方法[J]. 计算机工程, 2012, 38(2): 100-102.
[8]	刘三民, 王彩霞, 孙知信. 一种基于SVM后验概率的网络流量识别方法[J]. 计算机工程, 2012, 38(17): 171-173.
[9]	邬书跃, 余杰, 樊晓平. 基于流量与行为特征的P2P流量识别模型[J]. 计算机工程, 2012, 38(16): 182-184.
[10]	时鸿涛, 盖凌云, 郭忠文. 一种基于小波谱的流量识别方法[J]. 计算机工程, 2012, 38(12): 72-74.
[11]	陈伟, 胡磊, 杨龙. 基于载荷特征的加密流量快速识别方法[J]. 计算机工程, 2012, 38(12): 22-25.
[12]	胡润东, 蔡皖东, 丁军平. 面向BT的特定信息传播监测系统的实现[J]. 计算机工程, 2010, 36(20): 128-130.
[13]	吴文佳;张建中;张元鹏. 基于丢包率的多播网络拓扑推断算法[J]. 计算机工程, 2010, 36(1): 124-126.
[14]	吴震;刘兴彬;童晓民. 基于信息熵的流量识别方法[J]. 计算机工程, 2009, 35(20): 115-116.
[15]	赵洪华;陈鸣PPPP. 基于层析成像技术的拓扑推断[J]. 计算机工程, 2009, 35(2): 92-95.

选择文件类型/文献管理软件名称

选择包含的内容