Abstract
The continuous improvement of bandwidth, pervasiveness, and functionality of network switching technologies is deeply changing the Internet landscape. Indeed, it has become tedious and sometimes infeasible to manually assure the network integrity on a regular basis: existing hardware and software can be tampered with and new devices can be connected or become nonoperational without any notification. Moreover, changes in the network topology can be introduced by human error, by hardware or software failures, or even by a malicious adversary (e.g. rogue systems).
In this paper, we introduce Switchwall, an Ethernet-based network fingerprinting technique that detects unauthorized changes to the L2/L3 network topology, the active devices, and the availability of an enterprise network. The network map is generated at an initial known state and is then periodically verified to detect deviations in a fully automated manner. Switchwall leverages a single vantage point and uses only very common protocols (PING and ARP) without any requirements for new software or hardware. Moreover, no previous knowledge of the topology is required, and our approach works on mixed-speed, mixed-vendor networks. Switchwall is able to identify a wide range of changes, which are validated by our experimental results on both real and simulated networks.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nazzicari, N., Almillategui, J., Stavrou, A., Jajodia, S. (2013). Switchwall: Automated Topology Fingerprinting and Behavior Deviation Identification. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds) Security and Trust Management. STM 2012. Lecture Notes in Computer Science, vol 7783. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38004-4_11
DOI: https://doi.org/10.1007/978-3-642-38004-4_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38003-7
Online ISBN: 978-3-642-38004-4
eBook Packages: Computer Science (R0)