Network Description Scheme
As the number of nodes in a network increases, so does the complexity of analyzing the impact of an attack on the network. Part of the reason is that describing the live network (nodes, traffic flows, routes, and so on) quickly leads to state-space explosion.
Figure 3 Attacker-centric flow descriptions.
To avoid this, instead of describing the network as a collection of source and destination IP addresses, each traffic flow is described by a set of parameters defined relative to the attacker's position (attacker proximity). Figure 3 shows an example where n1 is sending packets to n3 and n5 (denoted n1/n3 and n1/n5) and n3 is sending packets to n4 (n3/n4).
The network is defined as the collection of flow descriptions over an entire emulation instance. Figure 3 demonstrates how the two flows n1/n5 and n1/n3 can be captured by the same flow description, which is what keeps the state space from exploding. Flow descriptions are composed of the parameters in Table 2.
Table 2 Flow description parameters
# | Parameter | Description
---|---|---
1 | fromHop | Hops from the attacker node to the source.
2 | toHop | Hops from the attacker node to the destination.
3 | dataType | Data packet type.
4 | distanceTraveled | Hops from source to destination.
5 | passThrough | Whether this flow hops through the attacker.
6 | beforeStats | Packet statistics collected before the attack.
7 | attackName | Type of attack (spoofing or forwarding).
8 | hijackable | Whether the flow is successfully hijacked during the attack.
9 | srcIsSpoofed | Whether the source address is spoofed.
10 | destIsSpoofed | Whether the destination address is spoofed.
11 | hopsSpoofedToDest | Hops from the spoofed node to the destination.
12 | spoofedBetweenAttacker | Whether the spoofed node is between the attacker and the destination.
13 | spoofedBetweenAttackerGW | Whether the spoofed node is a gateway (directly connected) node on the path from the attacker to the destination.
14 | destBetweenSpoofedAndAttacker | Whether the destination is between the spoofed node and the attacker.
15 | destBetweenSpoofedAndAttackerGW | Whether the destination is a gateway node on the path from the spoofed node to the attacker.
16 | attackerBetweenSpoofedAndDest | Whether the attacker is between the spoofed node and the destination.
17 | attackerBetweenSpoofedAndDestGW | Whether the attacker is a gateway node on the path from the spoofed node to the destination.
18 | srcBetweenSpoofedAndDest | Whether the source is between the spoofed node and the destination.
19 | srcBetweenSpoofedAndDestGW | Whether the source is a gateway node on the path from the spoofed node to the destination.
20 | altPathWithoutAttacker | Whether an alternate path between source and destination exists that does not include the attacker.
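The parameters in Table 2 that depend only on topology and routing (fromHop, toHop, distanceTraveled, passThrough and altPathWithoutAttacker) can be computed directly from a link list. The Python below is an added example, not code from the paper. It assumes a small constructed topology (not the topology of Figure 3), hop-count shortest-path routing, and the attacker placed at n2, and it shows two flows from n1 collapsing to one description while a third flow gets its own. The spoofing-related parameters (9 to 19) depend on the attack itself and are not derived here.

```python
from collections import deque

# Constructed topology for this example (an assumption, not the paper's Figure 3):
# n1 - n2 - n3 - n4, with n5 attached to n2. The attacker node is n2.
LINKS = [("n1", "n2"), ("n2", "n3"), ("n3", "n4"), ("n2", "n5")]
ATTACKER = "n2"
FLOWS = [("n1", "n3"), ("n1", "n5"), ("n3", "n4")]  # n1/n3, n1/n5, n3/n4


def build_adjacency(links):
    """Undirected adjacency sets from a list of links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def hop_distances(adj, start):
    """BFS hop count from start to every reachable node (hop-count routing assumed)."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def on_shortest_path(adj, src, dst, node):
    """True when node lies on some shortest path from src to dst."""
    d_src, d_dst = hop_distances(adj, src), hop_distances(adj, dst)
    return (node in d_src and node in d_dst
            and d_src[node] + d_dst[node] == d_src[dst])


def describe_flow(adj, attacker, src, dst, data_type="udp"):
    """Attacker-centric description of one flow: Table 2 parameters 1-5 and 20.
    passThrough is read here as 'attacker is an intermediate node on the route';
    altPathWithoutAttacker removes the attacker node and re-checks reachability."""
    d_att = hop_distances(adj, attacker)
    without = {n: nbrs - {attacker} for n, nbrs in adj.items() if n != attacker}
    return {
        "fromHop": d_att[src],
        "toHop": d_att[dst],
        "dataType": data_type,
        "distanceTraveled": hop_distances(adj, src)[dst],
        "passThrough": attacker not in (src, dst)
                       and on_shortest_path(adj, src, dst, attacker),
        "altPathWithoutAttacker": src in without
                                  and dst in hop_distances(without, src),
    }


def describe_network(adj, attacker, flows):
    """Group flows by description; the network is the set of distinct keys."""
    groups = {}
    for src, dst in flows:
        key = tuple(sorted(describe_flow(adj, attacker, src, dst).items()))
        groups.setdefault(key, []).append(f"{src}/{dst}")
    return groups


if __name__ == "__main__":
    adj = build_adjacency(LINKS)
    for key, names in describe_network(adj, ATTACKER, FLOWS).items():
        print(dict(key), "<-", ", ".join(names))
```

With the attacker at n2, n1/n3 and n1/n5 both become fromHop 1, toHop 1, distanceTraveled 2, passThrough true, no alternate path, so the emulation records one description for both; n3/n4 does not traverse the attacker and keeps an alternate path, so it is a distinct description.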
Defining the parameters was an iterative process. Initially only parameters 1–8 were extracted from the dataset; after a deeper analysis it became clear that additional parameters (9–20) were needed to describe the network accurately. This deeper analysis consisted of several steps. First, the data were captured and represented using the initial parameters. A Python script then built a hash table (dictionary) whose key was the tuple of all parameters except hijackable and whose value was the boolean hijackable parameter (true or false). The script went through each flow description; if two descriptions collided on the key but differed in hijackable, they were considered conflicting flows.
For each conflicting flow description, the number of times hijackable was true and the number of times it was false were recorded. Where the two counts were equal, all emulation instances associated with the flows were run again; where they were unequal, only the instances in the minority were run again. Sometimes the conflict traced back to an emulation instance that had encountered an unknown error in which all links randomly disconnected.
More often, the conflict was caused by some network characteristic that the description did not capture. Analysis of these cases produced the additional parameters. The resulting network description was then used to train a classifier to predict the hijackable parameter.
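The conflict-detection step described above can be expressed as a short script. The Python below is an added example, not the paper's script. It uses a constructed set of flow records (values made up for illustration, and only a subset of the Table 2 parameters as key fields) to show how descriptions collide, how the true/false counts decide which emulation instances to rerun, and how adding a parameter (here altPathWithoutAttacker) separates records that the initial parameter set could not tell apart.

```python
from collections import Counter, defaultdict


def record(instance, from_hop, to_hop, distance, pass_through, attack, alt_path, hijackable):
    """One flow from one emulation instance, reduced to its description."""
    return {"instance": instance, "fromHop": from_hop, "toHop": to_hop, "dataType": "udp",
            "distanceTraveled": distance, "passThrough": pass_through, "attackName": attack,
            "altPathWithoutAttacker": alt_path, "hijackable": hijackable}


# Constructed records (made up for this example). The first three share every
# initial parameter but disagree on hijackable; only altPathWithoutAttacker
# distinguishes instance 3 from instances 1 and 2.
RECORDS = [
    record(1, 1, 1, 2, True, "forwarding", False, True),
    record(2, 1, 1, 2, True, "forwarding", False, True),
    record(3, 1, 1, 2, True, "forwarding", True, False),
    record(1, 1, 2, 1, False, "spoofing", True, True),
    record(2, 1, 2, 1, False, "spoofing", True, False),
    record(1, 2, 1, 1, False, "spoofing", False, False),
    record(2, 2, 1, 1, False, "spoofing", False, False),
]

# Initial key: every description parameter except hijackable (a subset of Table 2 here).
KEY_FIELDS = ("fromHop", "toHop", "dataType", "distanceTraveled", "passThrough", "attackName")


def index_by_description(records, key_fields=KEY_FIELDS):
    """Hash table: description tuple -> list of (instance, hijackable)."""
    table = defaultdict(list)
    for rec in records:
        key = tuple(rec[f] for f in key_fields)
        table[key].append((rec["instance"], rec["hijackable"]))
    return table


def find_conflicts(table):
    """Keys that collided with differing hijackable values."""
    return {key: hits for key, hits in table.items() if len({h for _, h in hits}) > 1}


def rerun_plan(conflicts):
    """Per conflicting key: true/false counts and which emulation instances to rerun.
    Equal counts -> rerun every instance; otherwise rerun only the minority."""
    plan = {}
    for key, hits in conflicts.items():
        counts = Counter(h for _, h in hits)
        if counts[True] == counts[False]:
            rerun = sorted({inst for inst, _ in hits})
        else:
            minority_value = counts[True] < counts[False]  # True if 'true' is the minority
            rerun = sorted({inst for inst, h in hits if h == minority_value})
        plan[key] = {"true": counts[True], "false": counts[False], "rerun": rerun}
    return plan


def conflicts_with_extra_field(records, field):
    """Re-key with one more parameter and see which conflicts disappear."""
    return find_conflicts(index_by_description(records, KEY_FIELDS + (field,)))


if __name__ == "__main__":
    conflicts = find_conflicts(index_by_description(RECORDS))
    for key, info in rerun_plan(conflicts).items():
        print(key, info)
    print("still conflicting with altPathWithoutAttacker:",
          len(conflicts_with_extra_field(RECORDS, "altPathWithoutAttacker")))
```

Running it reports two conflicting descriptions under the initial key: the forwarding flow (two true, one false) reruns only instance 3, and the spoofing flow (one each) reruns both instances. Adding altPathWithoutAttacker to the key removes the forwarding conflict entirely, which is the kind of evidence that motivated parameters 9 to 20.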