Page 1: Network Attack Strategy by Topological Analysis

Network Attack Strategy by Topological Analysis

Kengo Komoriya, Keisuke Iwai, Hidema Tanaka, Takakazu Kurokawa
National Defense Academy

Hashirimizu 1-10-20 Yokosuka-shi, Kanagawa-Pref Japan 239-8686
{em53033,iwai,hidema,kuro}@nda.ac.jp

ABSTRACT

In general, network attacks should be prohibited, and information security technology should contribute to improving the trustworthiness of network communication. Network communication is based on IP packets that are standardized by international organizations; therefore a network attack cannot function without following the standardized manner, and so a network attack also leaks the adversary's information in its IP packets. In this paper, we propose a new network attack strategy that counter-attacks the adversary. We collect and analyze IP packets from the adversary and derive the adversary's network topology. The characteristics of a topology can be analyzed through the eigenvalues of its topology matrix. We observe how an attack on the topology changes these characteristics, and choose the most suitable network attack strategy. In this paper, we propose two kinds of attack scenarios and three types of tactics, and we show an example attack using actual data from an adversary.

KEYWORDS

Network attack, Darknet Monitoring, Topology, Adjacency matrix, Laplacian matrix.

1 INTRODUCTION

Network attacks are no longer a special threat today, and their purposes and technologies are evolving in complicated ways. APT (Advanced Persistent Threat) is now seen frequently, and organized adversaries have become the norm. An adversary organization is either dispersed worldwide or concentrated in a specific area (such as a country). The former may belong to a worldwide terrorist organization; the latter is highly likely to receive government support. In this paper, we focus on the activity of adversaries located in a specific country.

In general, we believe that network attacks should be prohibited. However, a network attack also uses IP packets, whose format is determined by international standardization bodies (ISO and the IETF [1]). As a result, a network attack leaks information about the adversary's actions at the same time. Honeypot projects [2] and Darknet Monitoring [13] are security technologies built on this fact; they are used to analyze network attack techniques and to observe large-scale attacks, so we can regard them as passive observation of network attack trends. In this paper, on the other hand, we also use the information carried by IP packets from adversaries to build a strategy for counter-attack.

As mentioned above, we focus on the activity of adversaries located in a specific country. The IP packets from these adversaries carry information about the network infrastructure (such as the topology) of that country. Therefore, we analyze the topology of the specific country by collecting and analyzing IP packets coming from it. The characteristics of a topology can be analyzed through the eigenvalues of a matrix derived from the topology; analysis methods based on the eigenvalues of a topology are being developed under the name of Network Dynamics. Using these eigenvalues, we propose a method for choosing the most suitable counter-attack strategy. In addition, we focus on the fact that a network attack changes the topology and its characteristics. In this paper, we propose two kinds of attack scenarios and three types of tactics, and show an example attack. The example attack is demonstrated using actual results of our Darknet Monitoring. Since our proposed scheme and method involve some sensitive topics, note that some details of the example attack are omitted. Some topological analyses

ISBN: 978-1-941968-18-5 ©2015 SDIWC 9


have been applied to network security in previous studies, but, as in paper [3] for example, all of them refer to defense technology, and there is no result applied to attack technology. In this respect our paper breaks new ground, since we focus on counter-attack using topological analysis.

2 PRELIMINARIES

The characteristics of a network can be estimated by topological analysis. A topology can be expressed in several ways; in this paper we use two kinds of matrices, the Adjacency matrix [4] and the Laplacian matrix [5]. The eigenvalues of each matrix reveal characteristics of the topology. We focus on two types of characteristics: "Spread speed" and "Convergence". "Spread speed" denotes how easily communication propagates across the topology, and "Convergence" denotes how easily information settles across it. As an example of previous work using the eigenvalues of a topology, there is a chain-reaction bankruptcy analysis of bank transactions [14]. In that work, the authors derived several topologies of bank transactions and calculated their eigenvalues; using these eigenvalues, they showed that the bankruptcy of a megabank alone is not always the cause of a financial crisis.

2.1 Adjacency matrix

Let $G$ be an undirected topology with $n$ nodes. Then $G$ can be expressed as an $n \times n$ Adjacency matrix $A$. Let $A_{i,j}$ $(1 \le i, j \le n)$ be an element of matrix $A$ defined as follows.

$$A_{i,j} = \begin{cases} 1 & \text{if } i \text{ is adjacent to } j, \\ 0 & \text{if } i \text{ is not adjacent to } j, \end{cases} \qquad (1)$$

Note that $A_{i,i} = 0$, because $A_{i,i}$ would denote a link from a node to itself. Let the degree of node $i$ be the Hamming weight of the $i$-th row (or $i$-th column). Note that since $A_{i,j} = A_{j,i}$, the $i$-th row and the $i$-th column express the same adjacency between the $i$-th and $j$-th nodes. We call a node whose degree is large a hub-node. Let $\lambda$ be an eigenvalue of $A$; it is derived from the following characteristic equation.

$$\det(\lambda I - A) = 0 \qquad (2)$$

[Fig1. Example network with seven nodes (nodes 1 to 7; figure not reproduced, its links are those of the Adjacency matrix in eq. (5))]

Since the characteristic equation is of degree $n$, the eigenvalue can take $m$ $(1 \le m \le n)$ different values. Let $\lambda_{\max}(A)$ be the maximum value of $\lambda$. The value of $\lambda_{\max}(A)$ reflects the connection density among hub-nodes, and thus indicates the "Spread speed" characteristic of the topology.

2.2 Laplacian matrix

The topology $G$ can also be expressed by a Laplacian matrix $L$. Let $L_{i,j}$ $(1 \le i, j \le n)$ be an element of matrix $L$.

$$L_{i,j} = \begin{cases} d_i & \text{if } i = j, \\ -1 & \text{if } i \text{ is adjacent to } j, \\ 0 & \text{if } i \text{ is not adjacent to } j, \end{cases} \qquad (3)$$

where $d_i$ denotes the degree of the $i$-th node. The eigenvalues of $L$ are derived in the same way as for the Adjacency matrix, shown in eq. (2). So we have $m$ $(1 \le m \le n)$ different values for $L$, ordered as follows.

$$0 = \lambda_1 \le \lambda_2 \le \dots \le \lambda_m \qquad (4)$$

The minimum value $\lambda_1$ is always equal to zero. The second smallest value $\lambda_2 > 0$ is known as the algebraic connectivity: when $\lambda_2$ is large, the topology has high connectivity. The maximum value $\lambda_m$ reflects the difficulty caused by connection delay. The synchronization of the topology can be evaluated by the ratio $R = \lambda_2 / \lambda_m$; when $R$ is large, it indicates the "Convergence" characteristic of the topology.

2.3 Example analysis

We show an example analysis using the seven-node topology shown in Fig1. From this figure, we have the following Adjacency matrix $A$.

$$A = \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 1 & 0 & 1 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 \end{pmatrix} \qquad (5)$$

By using eq. (2), we have the following eigenvalues.

$\lambda_1(A) = -2.358$, $\lambda_2(A) = -1.199$, $\lambda_3(A) = 0.000$, $\lambda_4(A) = 0.000$, $\lambda_5(A) = 0.000$, $\lambda_6(A) = 1.199$, $\lambda_7(A) = 2.358$

As a result, we have $\lambda_{\max}(A) = 2.358$. In the same way, from Fig1 we have the following Laplacian matrix $L$.

$$L = \begin{pmatrix} 1 & 0 & -1 & 0 & 0 & 0 & 0 \\ 0 & 1 & -1 & 0 & 0 & 0 & 0 \\ -1 & -1 & 4 & -1 & 0 & -1 & 0 \\ 0 & 0 & -1 & 2 & -1 & 0 & 0 \\ 0 & 0 & 0 & -1 & 3 & -1 & -1 \\ 0 & 0 & -1 & 0 & -1 & 2 & 0 \\ 0 & 0 & 0 & 0 & -1 & 0 & 1 \end{pmatrix} \qquad (6)$$

From this matrix, we have the following eigenvalues.

$\lambda_1(L) = 0.000$, $\lambda_2(L) = 0.514$, $\lambda_3(L) = 1.000$, $\lambda_4(L) = 1.336$, $\lambda_5(L) = 2.000$, $\lambda_6(L) = 3.836$, $\lambda_7(L) = 5.314$

Then we have $R = \lambda_2(L) / \lambda_7(L) = 0.1237$.

3 BASIC IDEA

3.1 Background

"Darknet Monitoring" is one of the analysis methods for network attacks. A Darknet is the unused IP address space among the global IP addresses that an organization holds. Access to the Darknet from outside is an abnormal situation, because Darknet IP addresses run no network services, so access to the Darknet can be regarded as a malicious act. Therefore the analysis of Darknet access (Darknet Monitoring) is regarded as a detection method for network attacks. There are many world-scale Darknet Monitoring projects, such as Norse [6], Nicter [7], and so on.

All network attacks are based on IP packets. Each IP packet carries much information in its header: protocol, source IP address, destination IP address, timeout, parameters decided by the OS, and so on [1]. Since the packets arriving at the Darknet also carry this information, we can obtain information about the adversary by analyzing them. Actual attacks are executed via springboard PCs, so it is difficult to identify the adversary's true IP address. However, whether a springboard PC is intentional or accidental, in this paper we regard springboard PCs that persistently access the Darknet as adversaries. Note that there are many methods for detecting springboard PCs [15][16][17].

3.2 Our strategy

"traceroute" is the command that shows the route to a given IP address [8][18][9]. As shown above, IP addresses and packets carry much information about the adversary. Our purpose is to derive the network topology that is attacking us. In our strategy, the malicious IP addresses monitored in the Darknet are classified into adversary groups by analyzing their packets. As a result, we can collect different malicious IP addresses from the same country. We then execute "traceroute" to them and estimate the topology of the target country. We call such a topology the malicious topology.

However, the results of "traceroute" do not show every IP address on the route. Fig2 shows an example result of "traceroute". In this figure, "* * *" denotes an unknown IP address; it occurs when a server exists on the route but does not reveal its IP address. To estimate the malicious topology, we keep such unknown IP addresses as they are and make a temporary topology. Fig3 (upper) shows an example of a temporary topology.

[Fig2. Example result of "traceroute" (figure not reproduced)]

[Fig3. Deriving the malicious topology: upper, temporary topology; lower, resultant topology (figure not reproduced)]

Then we delete the unknown IP addresses from the temporary topology and derive the resultant topology, as in Fig3 (lower). We define this resultant topology as the malicious topology. Using the methods shown in Section 2, we can analyze the characteristics of the malicious topology. Actually, there are open projects such as CAIDA [10] that estimate the detailed Internet topology. However, our purpose does not comply with their terms of service, so note that we derive the topology by our own method. If we could obtain the cooperation of an organization such as CAIDA, it is obvious that we could obtain a precise malicious topology easily.
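The estimation step described above, as an added example that is not code from the paper: it parses traceroute output of the form used in Section 5.2, keeps each "* * *" hop as a placeholder node to form the temporary topology, then deletes the placeholders and any node left isolated to form the malicious topology. The three traces and their RFC 5737 documentation addresses are constructed for illustration; the classification of addresses by country is not modelled; and, because Fig3 is not reproduced on the page, deleting an unknown node is assumed to mean removing it together with its links rather than joining its neighbours.

```python
"""Temporary and resultant ("malicious") topology from traceroute output, as in Section 3.2.

Added example, not the paper's code. SAMPLE_TRACEROUTES is constructed text in the
shape of `traceroute -I -n -m 30` output (Section 5.2); the addresses are RFC 5737
documentation ranges chosen for illustration, not addresses from the paper.
"""
import re

SAMPLE_TRACEROUTES = [
    # Trace 1: one hop on the path hides its address ("* * *").
    """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.380 ms  0.371 ms
 2  198.51.100.1  1.101 ms  1.050 ms  1.022 ms
 3  * * *
 4  203.0.113.1  12.314 ms  12.201 ms  12.150 ms
 5  203.0.113.10  13.002 ms  12.950 ms  12.901 ms
""",
    # Trace 2: shares the first four hops with trace 1, then branches.
    """traceroute to 203.0.113.20 (203.0.113.20), 30 hops max, 60 byte packets
 1  192.0.2.1  0.400 ms  0.390 ms  0.385 ms
 2  198.51.100.1  1.090 ms  1.070 ms  1.040 ms
 3  * * *
 4  203.0.113.1  12.210 ms  12.190 ms  12.100 ms
 5  203.0.113.2  12.900 ms  12.850 ms  12.800 ms
 6  203.0.113.20  14.100 ms  14.050 ms  14.000 ms
""",
    # Trace 3: two consecutive unknown hops, so the target will end up isolated.
    """traceroute to 203.0.113.30 (203.0.113.30), 30 hops max, 60 byte packets
 1  192.0.2.1  0.405 ms  0.395 ms  0.390 ms
 2  198.51.100.1  1.080 ms  1.060 ms  1.030 ms
 3  * * *
 4  * * *
 5  203.0.113.30  15.200 ms  15.100 ms  15.050 ms
""",
]

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # hop number, then an address or '*'


def parse_hops(text, trace_id):
    """Ordered hop list of one traceroute run.

    A '* * *' hop is kept as a placeholder node 'unknown:<trace>:<hop>', following
    Section 3.2's rule of keeping unknown addresses in the temporary topology.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # the 'traceroute to ...' header or a blank line
        hop_no, addr = int(m.group(1)), m.group(2)
        hops.append(f"unknown:{trace_id}:{hop_no}" if addr == "*" else addr)
    return hops


def temporary_topology(traces):
    """Undirected links between consecutive hops of every trace (Fig3, upper)."""
    links = set()
    for trace_id, text in enumerate(traces):
        hops = parse_hops(text, trace_id)
        for a, b in zip(hops, hops[1:]):
            if a != b:
                links.add(frozenset((a, b)))
    return links


def malicious_topology(links):
    """Delete unknown nodes with their links, then drop isolated nodes (Fig3, lower).

    Assumption: 'delete' removes the placeholder node and its incident links rather
    than joining its neighbours; Fig3 is not reproduced on the page. Nodes left with
    no link are then omitted, as Section 5.2 does for the Country-Q data.
    """
    kept = {link for link in links if not any(n.startswith("unknown:") for n in link)}
    nodes = sorted({n for link in kept for n in link})
    return nodes, kept


def adjacency_matrix(nodes, links):
    """Adjacency matrix in the sense of eq. (1), rows and columns in `nodes` order."""
    index = {n: i for i, n in enumerate(nodes)}
    A = [[0] * len(nodes) for _ in nodes]
    for link in links:
        a, b = tuple(link)
        A[index[a]][index[b]] = A[index[b]][index[a]] = 1
    return A


if __name__ == "__main__":
    temp = temporary_topology(SAMPLE_TRACEROUTES)
    nodes, final = malicious_topology(temp)
    print(f"temporary topology: {len(temp)} links")
    print(f"malicious topology: {len(nodes)} nodes, {len(final)} links")
    for n, row in zip(nodes, adjacency_matrix(nodes, final)):
        print(f"{n:>14}  degree {sum(row)}")
```

Trace 3 shows what that reading of the deletion rule does to the result: two consecutive unknown hops leave 203.0.113.30 with no known neighbour, so it drops out of the malicious topology entirely, the same effect Section 5.2 describes when it omits isolated addresses. A practitioner who wants to keep such targets would have to join the neighbours of each deleted hop instead, at the price of inventing links the traces never showed.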

3.3 Outline of attack strategy

The threat scenarios of network attack are complicated and various; in this paper, we focus on the following two.

Scenario-1. Spread of malware and disinformation

Scenario-2. Concentration and confusion of information sharing

Scenario-1 is a typical and generally easy-to-understand case of network attack, so we omit the details. The purpose of Scenario-2 is to generate a differential in information sharing between the target area and other areas, and thereby cause confusion. This scenario also relies on one of the important characteristics of Internet technology, the immediacy of information sharing; by using this characteristic, we can create a threshold in the diffusion of information. The scenario is similar to the spread of rumours (and of malware, as in Scenario-1), but it differs from them in that it generates a difference between the spread of different pieces of information.


The effectiveness of these attack scenarios is decided by the characteristics of the target network topology: the effectiveness of Scenario-1 is related to the "Spread speed" characteristic and that of Scenario-2 to "Convergence", respectively. In the simplest form, the attacker chooses which attack scenario is more effective by analyzing the target topology.

On the other hand, network attacks have various tactics, such as DDoS attacks, XSS, taking services down, constructing rogue servers, and so on. These tactics influence the topology and can change its characteristics. Therefore the attacker can choose an attack scenario and discuss its effectiveness by selecting tactics. In this paper, we consider the following three tactics and their effectiveness in changing the topological characteristics.

Tactics-1. Down of server

Tactics-2. Construction of agent server

Tactics-3. Combination of Tactics-1 and Tactics-2

Tactics-1 can be achieved by well-known attacks such as DDoS. Tactics-2 can be achieved by using IP addresses that are not well managed. There are some problems, such as a slowdown in communication speed and the feasibility of executing the attack; these problems influence the effectiveness and feasibility of a strategy, but they are individual to each actual target topology, so we omit them in this paper. The choice and location of the server also have a big influence on the effectiveness of a strategy. In this paper, we analyze the optimal attack effectiveness by brute-force search, so we limit the size of the target topology to what our computer can analyze (a maximum of 100 nodes).

3.4 Example attack

In this section, we show an example attack against the topology shown in Fig1. The initial values are $\lambda_{\max}(A) = 2.358$ and $R = 0.1237$ (see Section 2.2). The conditions of each Tactics are as follows.

Tactics-1: The number of attack target servers is one.

Tactics-2: The number of agent servers is one, and the number of links from the agent server is not restricted.

Tactics-3: The number of attack target nodes and of agent servers is one each, and the number of links from the agent server is two.

Fig4 shows the results for Scenario-1. From these results, we find that Tactics-2 is the most effective, but it is obviously worthless; Tactics-3 is the most realistic case. Tactics-1 shows a slightly unexpected result: the value of $\lambda_{\max}(A)$ under Tactics-1 is smaller than the initial value, so we can conclude that Tactics-1 is useless for attack Scenario-1 against the topology shown in Fig1. In Scenario-1, the best results are decided uniquely except for Tactics-3; in Tactics-3, ten kinds of best result are derived (out of 28 patterns in total). Another three of them are shown in Fig5, but all of them have the same attack target.

Fig6 shows the results for Scenario-2. From these results, we find that Tactics-3 is the most effective and realistic case. Tactics-2, which was expected to be the most powerful attack, has less effect than Tactics-3. Tactics-1 can be expected to be more effective than in Scenario-1. Note that all results are decided uniquely.
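The quantities of Section 2 and the single-target Tactics-1 sweep of this example, as an added example that is not the paper's code: it builds $A$ and $L$ for Fig1 from the links in eq. (5), computes their eigenvalues with a cyclic Jacobi iteration written out in the block (both matrices are symmetric, so no numerical library is needed), and then recomputes $\lambda_{\max}(A)$ and $R$ with each node taken out in turn, which is also the quantity a defender uses to rank which node's loss changes the topology most. Two things to note. First, the page's own values $\lambda_2(L) = 0.514$ and $\lambda_7(L) = 5.314$ divide to about 0.097, not the 0.1237 printed in Section 2.3, so the block reports the value the arithmetic gives. Second, after a removal, nodes left without any link are dropped; that is an assumption taken from Section 5.2's omission of isolated addresses, and under it the sweep reproduces Fig4's $\lambda_{\max}(A) = 2.288$ (node 7 removed) and Fig6's $R = 0.2500$ (node 3 removed) for Tactics-1.

```python
"""Spread speed and Convergence of the Fig1 topology (Section 2.3), and the
single-target Tactics-1 sweep of Section 3.4.

Added example, not the paper's code. Eigenvalues come from a plain cyclic Jacobi
iteration (both matrices are symmetric), so no numerical library is needed.
"""
import math

# Links of Fig1, read off the Adjacency matrix in eq. (5); nodes are numbered 1..7.
FIG1_EDGES = [(1, 3), (2, 3), (3, 4), (3, 6), (4, 5), (5, 6), (5, 7)]


def adjacency_matrix(nodes, edges):
    """Eq. (1): A[i][j] = 1 when i and j are linked; A[i][i] = 0."""
    idx = {v: k for k, v in enumerate(nodes)}
    n = len(nodes)
    A = [[0] * n for _ in range(n)]
    for a, b in edges:
        A[idx[a]][idx[b]] = A[idx[b]][idx[a]] = 1
    return A


def laplacian_matrix(A):
    """Eq. (3): node degree on the diagonal, -1 for every link."""
    n = len(A)
    return [[sum(A[i]) if i == j else -A[i][j] for j in range(n)] for i in range(n)]


def symmetric_eigenvalues(M, tol=1e-12, max_sweeps=100):
    """Eigenvalues of a real symmetric matrix in ascending order (cyclic Jacobi)."""
    a = [[float(x) for x in row] for row in M]
    n = len(a)
    for _ in range(max_sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break  # off-diagonal mass gone: the diagonal now holds the eigenvalues
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                # Rotation angle that zeroes a[p][q] (Numerical Recipes form).
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):  # A <- A J
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- J^T A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted(a[i][i] for i in range(n))


def characteristics(nodes, edges):
    """(lambda_max(A), lambda_2(L), lambda_max(L), R = lambda_2 / lambda_max(L))."""
    A = adjacency_matrix(nodes, edges)
    eig_A = symmetric_eigenvalues(A)
    eig_L = symmetric_eigenvalues(laplacian_matrix(A))
    return eig_A[-1], eig_L[1], eig_L[-1], eig_L[1] / eig_L[-1]


def node_removal_sweep(nodes, edges):
    """Tactics-1 with one target: both characteristics with each node taken out.

    Assumption: nodes left without any link are dropped from the resultant
    topology, following Section 5.2's rule of omitting isolated addresses.
    """
    out = {}
    for victim in nodes:
        remaining = [(a, b) for a, b in edges if victim not in (a, b)]
        alive = sorted({v for e in remaining for v in e})
        if len(alive) < 2:  # nothing left to analyse
            out[victim] = (0.0, 0.0)
            continue
        lam_max_A, _, _, R = characteristics(alive, remaining)
        out[victim] = (lam_max_A, R)
    return out


def fig1_report():
    nodes = sorted({v for e in FIG1_EDGES for v in e})
    lam_max_A, lam2, lam_m, R = characteristics(nodes, FIG1_EDGES)
    sweep = node_removal_sweep(nodes, FIG1_EDGES)
    return {
        "lambda_max_A": lam_max_A, "lambda_2_L": lam2, "lambda_max_L": lam_m, "R": R,
        "sweep": sweep,
        "most_spread_sensitive": max(sweep, key=lambda v: sweep[v][0]),
        "most_convergence_sensitive": max(sweep, key=lambda v: sweep[v][1]),
    }


if __name__ == "__main__":
    r = fig1_report()
    print(f"initial: lambda_max(A)={r['lambda_max_A']:.3f}  lambda_2(L)={r['lambda_2_L']:.3f}  "
          f"lambda_max(L)={r['lambda_max_L']:.3f}  R={r['R']:.4f}")
    for v, (lam, rr) in sorted(r["sweep"].items()):
        print(f"node {v} removed: lambda_max(A)={lam:.3f}  R={rr:.4f}")
```

Two invariants are worth checking when reusing this on a real topology: the Laplacian eigenvalues must sum to twice the number of links (14 here), and the smallest must be zero; a non-zero $\lambda_1$ means the matrix was not built symmetrically. The sweep also shows why the two characteristics answer different questions: removing the hub (node 3) leaves a four-node star with the best $R$ but the worst $\lambda_{\max}(A)$, while removing a leaf barely changes either.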

4 PROPOSAL ATTACK METHOD

The purpose of our proposed attack method is to derive the most effective attack strategy, or to estimate the effectiveness of each attack strategy. An attack strategy is defined as the combination of a scenario and tactics shown in Section 3.3; since we have two kinds of scenarios and three types of tactics, we have six patterns of attack strategy. The flow of our proposed method is as follows.

Step-1. Collect IP addresses from the target area (target IP group).

Step-2. Execute the traceroute command for the target IP group.

Step-3. Estimate the topology of the target area.


[Fig4. [Scenario-1] Spread of malware and disinformation (7 nodes): Tactics-1 $\lambda_{\max}(A) = 2.288$, Tactics-2 $\lambda_{\max}(A) = 3.986$, Tactics-3 $\lambda_{\max}(A) = 3.8618$ (figure not reproduced)]

[Fig5. [Scenario-1] Other best results in Tactics-3 (7 nodes): $\lambda_{\max}(A) = 3.8618$ in each of the three cases (figure not reproduced)]

[Fig6. [Scenario-2] Concentration and confusion of information sharing (7 nodes): Tactics-1 $R = 0.2500$, Tactics-2 $R = 0.2586$, Tactics-3 $R = 0.2834$ (figure not reproduced)]

Step-4. Execute the simulation of Tactics-1 to Tactics-3.

Step-5. Choose the scenario and tactics (strategy).

In our experiment (see Section 5), we use Darknet Monitoring for Step-1. It is desirable to execute Step-2 from more than one location, and, even for the same IP address, to execute Step-2 at different times and on different days of the week, because network traffic changes with the time and the day of the week, so the network routing may also change. As a result, more new and different IP addresses can be obtained, which helps derive a more

precise topology. In Step-3, we take the method shown in Section 3.2. An example execution of Step-4 and Step-5 is shown in Section 3.4. The computational complexity of Step-4 is determined by the number of nodes in the target topology ($N$), the number of attack target nodes ($n$), the number of agent servers ($m$) and the number of links from each agent server ($\ell$). Thus we can calculate the computational complexity for each tactics as follows.

[Fig7. Malicious topology in Country-Q (figure not reproduced)]

[Fig8. Target topology with 100 nodes in the metropolitan area of Country-Q (figure not reproduced)]

$$\text{Tactics-1: } C_1 = {}_{N}C_{n} \qquad (7)$$

$$\text{Tactics-2: } C_2 = \sum_{i=1}^{m} {}_{N+i-1}C_{\ell} \qquad (8)$$

$$\text{Tactics-3: } C_3 = {}_{N}C_{n} \times \sum_{i=1}^{m} {}_{N+i-1}C_{\ell} \qquad (9)$$

Note that we express the computational complexity as the number of eigenvalue calculations.
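Eqs. (7) to (9) evaluated for the Country-Q parameters, as an added example that is not the paper's code. With $N = 100$, $m = 1$ and $\ell = 2$ from Section 5.4 and $n = 1$ from the single-target condition of Section 3.4, the block gives $C_1 = 100$ and $C_2 = 4{,}950$ as in Table 2; eq. (9) as printed then gives $C_3 = 495{,}000$, whereas Table 2 prints 485,100, which is $100 \times {}_{99}C_2$, the count obtained when the agent's links are chosen among the 99 nodes left after the target server is down. The block includes that variant under its own name, labelled as my reading of Table 2 rather than a formula from the paper. (Section 5.4 prints $n = 100$, for which eq. (7) would give $C_1 = 1$, not the 100 of Table 2.)

```python
"""Computational cost of Step-4 from eqs. (7)-(9), checked against Table 2.

Added example, not the paper's code. Parameters follow Section 5.4 (N = 100,
m = 1, l = 2) with n = 1, the single target server of Tactics-1 in Section 3.4.
"""
from math import comb


def cost_tactics1(N, n):
    """Eq. (7): C1 = NCn, one eigenvalue calculation per choice of n target nodes."""
    return comb(N, n)


def cost_tactics2(N, m, l):
    """Eq. (8): C2 = sum_{i=1}^{m} (N+i-1)Cl.

    The i-th agent server may also link to the i-1 agent servers placed before it,
    which is why the pool grows by one for each term of the sum.
    """
    return sum(comb(N + i - 1, l) for i in range(1, m + 1))


def cost_tactics3(N, n, m, l):
    """Eq. (9) as printed: C3 = C1 x C2."""
    return cost_tactics1(N, n) * cost_tactics2(N, m, l)


def cost_tactics3_after_removal(N, n, m, l):
    """Variant, not a formula from the paper: the agent's links are chosen among the
    N - n nodes that remain once the target nodes are down. Reproduces Table 2."""
    return cost_tactics1(N, n) * cost_tactics2(N - n, m, l)


def table2_check(N=100, n=1, m=1, l=2):
    """Costs for the Country-Q parameters next to the figures printed in Table 2."""
    return {
        "C1": cost_tactics1(N, n),                                    # Table 2: 100
        "C2": cost_tactics2(N, m, l),                                 # Table 2: 4,950
        "C3_eq9": cost_tactics3(N, n, m, l),                          # eq. (9): 495,000
        "C3_after_removal": cost_tactics3_after_removal(N, n, m, l),  # Table 2: 485,100
    }


if __name__ == "__main__":
    for name, value in table2_check().items():
        print(f"{name:>18}: {value:,}")
```

The growth matters for planning: with $m = 2$ agent servers the second term of eq. (8) is ${}_{101}C_2 = 5{,}050$, so $C_2$ doubles to 10,000 and $C_3$ with it, which is why Section 5.5.3 looks for a way to derive Tactics-3 from the Tactics-1 and Tactics-2 results instead of enumerating it.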

5 EXPERIMENTS

In this section, we show our proposed method applied to the Darknet Monitoring of our organization during March 1st to 21st, 2013.

5.1 Step-1: Darknet Monitoring

In the monitoring period, we recorded a total of 1,654,925 malicious accesses to our Darknet. Among these accesses, there were 1,093,859 different IP addresses. Using the country information of each IP address, the access numbers of each country are summarized in Table 1. In this paper, we focus on Country-Q, for which our Darknet Monitoring recorded 3,674 different IP addresses.

Table 1. Access numbers of each country

Country     access number   IP addresses
Total       1,654,925       1,093,859
Country-A   757,775         553,689
Country-B   75,785          53,390
Country-C   3,896           2,089
Country-Q   8,728           3,674

5.2 Step-2: Traceroute

We executed traceroute for the 3,674 different IP addresses. The parameters of traceroute were as follows.

traceroute -I -n -m 30 <IP address>

Using this command, we can get up to 30 IP addresses on the route to each target IP address. Note that we focus on the IP addresses in Country-Q. Because of restrictions in our network environment, we executed traceroute from only a single start point, and we did not repeat it at different times or on different days of the week. As a result, we obtained 2,119 new IP addresses in Country-Q. We omit IP addresses that do not appear in the traceroute results or that are isolated in the resulting topology estimate; thus we have 2,119 nodes, fewer than the 3,674 IP addresses initially recorded. This process took about 2 days.

5.3 Step-3: Estimation of topology

Using the estimation method shown in Section 3.2 on the traceroute results, we obtain the topology of 2,119 nodes with 3,819 links shown in Fig7. But this topology is too large for our computer environment. Therefore, we limited it to the topology in the metropolitan area


Table 2. Computational cost and simulation time

            Scenario-1                              Scenario-2
Tactics     computational complexity   time (sec)   computational complexity   time (sec)
Tactics-1   100                        1.4          100                        2.0
Tactics-2   4,950                      68.0         4,950                      100.1
Tactics-3   485,100                    21,651.9     485,100                    7,699.4

Table 3. Specification of our computer environment

OS         Windows 7 Professional 64bit
Compiler   python3.3.5
CPU        Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
Memory     16.0GB

of Country-Q, using the information from an IP locator and whois. As a result, our target topology is derived as Fig8.

5.4 Simulation of Tactics

The initial values of the target topology are $\lambda_{\max}(A) = 10.0785$ and $R = 0.005487$. The parameters of each tactics are as follows.

N = 100, n = 100, m = 1 and ℓ = 2

The computational cost and simulation time for each scenario and tactics are summarized in Table 2, and the specification of our computer environment is shown in Table 3.

5.5 Results and evaluations

The attack results are shown in Fig9, Fig10 and Table 4. We find the following facts from these results.

5.5.1 No Tactics gives a result smaller than the initial value.

We can conclude that our method against Country-Q guarantees that the attack results are not disadvantageous for executing an attack scenario. However, note that Scenario-1 with Tactics-1 cannot be expected to be an effective attack. On the other hand, when, for example, two kinds of attack scenario are executed at once, we can choose the attack target for one scenario so that it does not disturb the other. Therefore, from this fact, we can expect to choose an attack target that achieves more than one attack scenario at the same time.

5.5.2 Tactics-3 is the most powerful.

It is obvious that the conditions of Tactics-3 are the most advantageous for the attacker. An improvement of more than 10% over the initial value is estimated for Scenario-2. However, there are some big problems, such as the huge computational cost, the feasibility of a realistic attack, and so on. These problems are discussed in Section 7.

5.5.3 Derivation of Tactics-3.

As mentioned above, the computational cost of deriving Tactics-3 is huge. To solve this problem, we try to derive Tactics-3 from the results of Tactics-1 and -2. In Scenario-1, we are able to derive Tactics-3 from them, because the target server is the same as in Tactics-1 and the generated links are the same as in Tactics-2. Our other computer experiments also show the same result, so we can conclude that Tactics-3 for Scenario-1 can be derived from the results of Tactics-1 and -2. But we cannot find any relation among these


[Fig9. [Scenario-1] Spread of malware and disinformation (100 nodes): Tactics-1 $\lambda_{\max}(A) = 10.0785$, Tactics-2 $\lambda_{\max}(A) = 10.1152$, Tactics-3 $\lambda_{\max}(A) = 10.1152$ (figure not reproduced)]

[Fig10. [Scenario-2] Concentration and confusion of information sharing (100 nodes): Tactics-1 $R = 0.005950$, Tactics-2 $R = 0.006329$, Tactics-3 $R = 0.0071226$ (figure not reproduced)]

Table 4. $\lambda_{\max}(A)$ and $R$ of the initial topology and each Tactics

Network            λmax(A)    R
Initial topology   10.0785    0.005487
Tactics-1          10.0785    0.005950
Tactics-2          10.1152    0.006329
Tactics-3          10.1152    0.007122

results in Scenario-2, and we conclude that it is efficient to execute them separately in Scenario-2. Developing a method to reduce the computational cost of Tactics-3 in Scenario-2 is our future work.

5.5.4 Choice of attack strategy.

From Table 4, we should take Tactics-3 for both Scenarios in the attack on Country-Q. In Section 6, we check the effectiveness of each Tactics by computer simulation.

6 EXPERIMENT OF SPREAD OF MALWARE AND DISINFORMATION

6.1 Relevance between the eigenvalues and information diffusion

From the viewpoint of Network dynamics analysis, the maximum eigenvalue of a topology is determined by the total number of nodes and links [19]. Our proposed attack method changes the number of nodes and links, so the maximum eigenvalue can be improved in the attacker's favour. It is therefore necessary to confirm that the result is actually advantageous for the attack compared with the initial topology. Note that when the numbers of nodes and links do not change, it is clear that our strategy gives the attacker an advantage. In the experiments shown in Section 5:

· The condition of Tactics-1 decreases the number of nodes by one and decreases the number of links by one or more.

· The condition of Tactics-2 increases the number of nodes by one and increases the number of links by more than one.


· The condition of Tactics-3 keeps the number of nodes the same and changes the number of links.

Under the conditions above, we executed the infection simulation proposed in [19].

For the evaluation value $R$ in Scenario-2, the value under each Tactics increases by more than 10% over the value of the initial topology. On the other hand, for the evaluation value $\lambda_{\max}(A)$ in Scenario-1, the increase is only about 1%. Therefore we checked the effectiveness of Scenario-1 using the infection simulation of paper [20]. We observed the number of spread steps with an infection probability of 50%. We executed an exhaustive search for the start points that give the least number of steps (best-target) and the most (worst-target). The stop condition of the experiment is 90% infection. In the search, we take the average of 100 experiments for each node.
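The simulation procedure just described, as an added example that is not the paper's code, run on the seven-node Fig1 topology because the page does not give the 100-node Country-Q topology. The paper cites [19] and [20] for its model without reproducing it, so the model here is an assumption: a discrete-step SI process in which every infected node infects each still-clean neighbour with probability 0.5 per step, stopped once at least 90% of the nodes are infected (which on seven nodes means all of them); start points are searched exhaustively and each is averaged over 100 runs with a fixed seed. The one failure mode the page's procedure does not mention, a start node whose component can never reach the stop fraction, is handled by returning None instead of looping forever.

```python
"""Infection-step simulation in the manner of Section 6.1, run on the Fig1 topology.

Added example, not the paper's code. The paper cites [19] and [20] for its model
without reproducing it, so the model here is an assumption: a discrete-step SI
process in which every infected node infects each still-clean neighbour with
probability 0.5 per step, stopped once at least 90% of the nodes are infected.
"""
import random

# Links of Fig1, read off the Adjacency matrix in eq. (5).
FIG1_EDGES = [(1, 3), (2, 3), (3, 4), (3, 6), (4, 5), (5, 6), (5, 7)]


def neighbours(edges):
    """Node -> set of adjacent nodes."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable_from(adj, start):
    """Nodes in the connected component of `start`."""
    seen, stack = {start}, [start]
    while stack:
        for v in adj[stack.pop()]:
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen


def spread_steps(adj, start, rng, p_infect=0.5, stop_fraction=0.9):
    """Steps until at least stop_fraction of all nodes is infected, starting at `start`.

    Returns None when the start node's component is too small to ever reach the
    stop condition (a disconnected topology), instead of looping forever.
    """
    target = stop_fraction * len(adj)
    if len(reachable_from(adj, start)) < target:
        return None
    infected, steps = {start}, 0
    while len(infected) < target:
        # Each infected node tries every clean neighbour independently, once per step.
        newly = {v for u in infected for v in adj[u]
                 if v not in infected and rng.random() < p_infect}
        infected |= newly
        steps += 1
    return steps


def average_steps(adj, start, trials=100, seed=0):
    """Mean steps over `trials` runs from `start`; None if the stop fraction is unreachable."""
    rng = random.Random(seed)  # fixed seed so the search is reproducible
    total = 0
    for _ in range(trials):
        steps = spread_steps(adj, start, rng)
        if steps is None:
            return None
        total += steps
    return total / trials


def best_and_worst_targets(edges, trials=100, seed=0):
    """Exhaustive search over start nodes: (best node, worst node, {node: mean steps})."""
    adj = neighbours(edges)
    avg = {v: average_steps(adj, v, trials, seed) for v in sorted(adj)}
    ranked = sorted((s, v) for v, s in avg.items() if s is not None)
    return ranked[0][1], ranked[-1][1], avg


if __name__ == "__main__":
    best, worst, avg = best_and_worst_targets(FIG1_EDGES)
    for v, s in sorted(avg.items()):
        print(f"start at node {v}: {s:.2f} steps on average")
    print(f"best-target: node {best}, worst-target: node {worst}")
```

On Fig1 the hub (node 3) reaches full infection in clearly fewer steps than any leaf, which is the relation Section 6.2 reports for node 20 of the Country-Q topology. Exhaustive search is affordable here because the cost is one simulation batch per node; on the 100-node topology the same loop is 100 batches of 100 runs, still cheap next to the eigenvalue enumeration of Table 2.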

6.2 Experimental result

The results of the infection simulation are summarized in Table 5. Node 20 is chosen as the best-target in every simulation except Tactics-2. In fact, node 20 has 19 links in the initial topology and in Tactics-1, and it is the node of maximum degree. Note that the same node 20 has 20 links in Tactics-2 and Tactics-3, since setting up the agent server generates one new link on node 20. From these results, we can confirm that Tactics-3 is the most powerful, and that the resultant topology of Tactics-3 has the second-largest number of links. Therefore, we can expect that a resultant topology with more links is effective for Scenario-1.

In the result of Tactics-2, the resultant topology has the most links and nodes among all simulations. It gives the second-best number of steps (7.10), and it has the following interesting features.

• The average number of links in Tactics-3 is almost the same as in the initial topology.

• Node 20 has the most links (20). This is the same result as in Tactics-3.

• The best-target is node 19, whose number of links is 17. It is the node with the third-largest number of links.

From the above, we conclude that it is not appropriate to compare the result of Tactics-2 with the others simply. Our proposed method concludes that Tactics-3 is the best; however, we need to analyze the relation between the evaluation value $\lambda_{\max}$ and the numbers of links and nodes. This is our future work. In the case of the worst-target, Tactics-3 is the most effective. Thus, the validity of our conclusion could be confirmed.

7 DISCUSSION AND CONCLUSION

In this paper, we proposed a network attack method using topological analysis and showed an example derivation of an attack strategy using Country-Q. Since network attacks disturb normal operation, we think such actions should be stopped completely. However, network attacks also bring the adversary's information, so we should observe them effectively. Our proposed method is based on these facts. In this paper, we can only derive the choice of attack target and the effective attack scenario; our proposed method does not enable an estimation of the actual attack effect. To make the proposed method a practical strategy, we need to solve the following problems.

Problem 1. Parameterization of the attack tolerance of each node.
In our method, the security level of all nodes is the same. In particular, we do not set any attack method (such as DDoS, XSS and so on), so the security level is set to zero. But in real network operation, each node has its own role (such as router, Web server, mail server, client and so on), and therefore its own security level according to that role. In addition, even for the same role, the security level differs depending on whether the node is located in the backbone network or at an end point. As a result, security levels are various, and it is not realistic to set them in a uniform way. To solve this problem, we expect to use analysis methods from virus infection and Network dynamics [11]. IP locators and geopolitical


Table 5. $\lambda_{\max}(A)$ and number of spread steps of the initial topology and each Tactics

Network            Node   Link   λmax(A)    step (best-target)   step (worst-target)
Initial topology   100    187    10.0785    7.13 (20)            13.38 (64)
Tactics-1          99     186    10.0785    7.24 (20)            12.92 (39)
Tactics-2          101    189    10.1152    7.10 (19)            13.39 (64)
Tactics-3          100    188    10.1152    7.05 (20)            12.89 (75)

Table 6. The number of links of the target nodes of the initial topology and each Tactics

Network            node (links)   node (links)   average
Initial topology   20 (19)        64 (1)         1.870
Tactics-1          20 (19)        39 (1)         1.879
Tactics-2          19 (17)        64 (1)         1.871
Tactics-3          20 (20)        75 (1)         1.880

scheme will help the parameterization of the security level of each node. These are our future works.

Problem 2. Analysis of actual attack results and optimum values of λmax(A) and R.

The relation between the attack result and the values of λmax(A) and R should be analyzed. Since their maximum values are determined by the number of nodes and links, they determine the topology definitely. Thus, we can also derive Tactics from the difference between the Initial topology and the resultant topology with the maximum values. So we can derive optimum values of λmax(A) and R theoretically; however, there is no realistic meaning, because, as is easy to see from the result of the example analysis shown in Fig. 4 (Tactics-2), achieving the optimum values requires infinitely powerful conditions for the attacker. So we conclude that the estimation of optimum values of λmax(A) and R is useless in a realistic network attack. In this paper, we estimate the attack effect by comparison with the initial values of λmax(A) and R. But it is not clear how the increase from the initial value contributes to the attack result. Its analysis is also our future work.
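As an added illustration (not code from the paper), the script below builds the adjacency matrix A of a small constructed topology, computes λmax(A), checks the bounds that the node and link counts alone place on it, and ranks each link by how much its removal lowers λmax; a network operator can use the same ranking on their own topology to see where segmentation most reduces the spreading rate. The graph, its link list and all function names are assumptions made for the example.

```python
"""lambda_max(A) of a constructed topology and its sensitivity to single links.

Added example, not the paper's code. Assumes an undirected, unweighted
topology given as a link list; numpy's eigvalsh handles the symmetric A.
"""
from math import sqrt
import numpy as np

# Constructed sample topology: node 0 is a hub linked to 1..4, plus link 1-2.
SAMPLE_NODES = 5
SAMPLE_LINKS = [(0, 1), (0, 2), (0, 3), (0, 4), (1, 2)]


def adjacency(n, links):
    """Symmetric 0/1 adjacency matrix A for an undirected topology."""
    a = np.zeros((n, n))
    for u, v in links:
        a[u, v] = a[v, u] = 1.0
    return a


def lambda_max(a):
    """Largest eigenvalue of A (the spectral radius); eigvalsh returns ascending order."""
    return float(np.linalg.eigvalsh(a)[-1])


def spectral_bounds(n, links):
    """Bounds on lambda_max that depend only on node count N and link count L:
    mean degree 2L/N <= lambda_max <= sqrt(2L - N + 1) (Hong's bound, connected graphs)."""
    num_links = len(links)
    return 2.0 * num_links / n, sqrt(2 * num_links - n + 1)


def rank_links_by_removal(n, links):
    """(link, drop in lambda_max when that link is removed), largest drop first.
    Removing a link never raises lambda_max (Perron-Frobenius monotonicity),
    so the first entry is the single link whose loss most slows spreading."""
    base = lambda_max(adjacency(n, links))
    drops = []
    for link in links:
        rest = [x for x in links if x != link]
        drops.append((link, base - lambda_max(adjacency(n, rest))))
    return sorted(drops, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    lam = lambda_max(adjacency(SAMPLE_NODES, SAMPLE_LINKS))
    lo, hi = spectral_bounds(SAMPLE_NODES, SAMPLE_LINKS)
    print(f"lambda_max(A) = {lam:.4f}  (bounds {lo:.4f} .. {hi:.4f})")
    for link, drop in rank_links_by_removal(SAMPLE_NODES, SAMPLE_LINKS):
        print(f"remove link {link}: lambda_max falls by {drop:.4f}")
```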

Problem 3. Analysis of the feasibility of Tactics-2 and -3 in a real network environment.

We face two problems in Tactics-2 and -3: 1) setting of the agent server and 2) generation of links.

1) Setting of the agent server

There are many unmanaged IP addresses such as Darknet. In particular, cases in which student groups use IP addresses without notice and run phishing servers are reported frequently at some universities that have many IP addresses [12]. From this fact, it will be easy to set up agent servers if we do not specify the location. Therefore setting them at the most effective location may be impossible, but we can conclude that 1) can be solved easily.

2) Generation of links

After setting up the agent server, we need to generate links. There are two ways to realize this. One is to establish physical communication lines or construct new network infrastructure. Another is to forge routing tables. The former way is powerful but we cannot expect it to be feasible. The latter way is realistic. Though we would need to forge many routers and their tables, the feasibility will be high for the same reason as in 1). In particular, when the attack scenario and tactics are decided beforehand, the execution will be easy.



REFERENCES

[1] Internet Engineering Task Force, RFC 791: INTERNET PROTOCOL, https://www.ietf.org/rfc/rfc791.txt

[2] H. Artail, H. Safa, M. Sraj, L. Kuwatly, Z. Al-Masri, "A hybrid honeypot framework for improving intrusion detection systems in protecting organizational networks", Computers and Security, Vol. 25, No. 4, pp. 274-288, (2006)

[3] L. K. Gallos, R. Cohen, P. Argyrakis, A. Bunde, S. Havlin, "Stability and Topology of Scale-Free Networks under Attack and Strategies", Phys. Rev. Lett., Vol. 94, No. 18, pp. 188701.1-188701.4, (2005)

[4] O. Rojo, R. Soto, "The spectra of the adjacency matrix and Laplacian matrix for some balanced trees", Linear Algebra and Its Applications, Vol. 401, No. 1-3, pp. 97-117, (2005)

[5] C. W. Wu, "On Rayleigh-Ritz ratios of a generalized Laplacian matrix of directed graphs", Linear Algebra and Its Applications, Vol. 402, No. 1-3, pp. 207-227, (2005)

[6] Norse Corporation, U.S.A., http://www.norse-corp.com/

[7] National Institute of Information and Communications Technology, Japan, nicterweb, http://www.nicter.jp/

[8] L. Dall'Asta, L. Alvarez-Hamelin, A. Barrat, A. Vazquez, A. Vespignani, "Traceroute-Like Exploration of Unknown Networks: A Statistical Analysis", Lect. Notes Comput. Sci., Vol. 3405, pp. 140-153, (2005)

[9] D. Bilo, L. Guala, S. Leucci, G. Proietti, "Network Creation Games with Traceroute-Based Strategies", Lect. Notes Comput. Sci., Vol. 8576, pp. 210-223, (2014)

[10] Center for Applied Internet Data Analysis, http://www.caida.org/

[11] F. Luca, B. Paolo, G. Mario, "Interplay of network dynamics and heterogeneity of ties on spreading dynamics", Phys. Rev. E Stat. Nonlinear Soft Matter Phys., Vol. 90, No. 1, pp. 012812.1-012812.9, (2011)

[12] Private discussion with security vendors

[13] D. Inoue, M. Eto, K. Yoshioka, S. Baba, K. Suzuki, J. Nakazono, K. Ohtaka, K. Nakao, "Nicter: An incident analysis system toward binding network monitoring with malware analysis", WOMBAT Workshop on Information Security Threats Data Collection and Sharing (WISTDCS '08), pp. 58-66, (2008)

[14] A. Namatame, R. Zamami, "Systemic Risk on least susceptible network", Artificial Economics and Self-organization, LNEMS Vol. 669, Springer, pp. 245-256, (2013)

[15] D. Takeo, M. Ito, H. Suzuki, N. Okazaki, A. Watanabe, "A Proposal of a Detection Technique on Stepping-stone Attacks Using Connection-based Method", IPSJ Journal, Vol. 48, No. 2, pp. 644-655, (2007)

[16] K. Kisamori, A. Shimoda, T. Mori, S. Goto, "Analysis of Malicious Traffic Based on TCP Fingerprinting", IPSJ Journal, Vol. 52, No. 6, pp. 2009-20018, (2011)

[17] R. Yokota, R. Okubo, N. Sone, M. Morii, "The affect of the honeypot on the darknet observation, part 2", IEICE technical report, Vol. 2013-GN-88, No. 16, pp. 1-4, (2013)

[18] Y. Tomita, A. Nakao, "Inferring an AS Path from an incomplete Traceroute", The Journal of the Institute of Electronics, Information and Communication Engineers, Vol. 109, No. 273 (NS2009 103-119), pp. 17-22, (2009)

[19] T. Komatsu, A. Namatame, "Dynamic diffusion in evolutionary optimized networks", Int. Journal of Bio-Inspired Computation, Vol. 3, No. 6, pp. 384-392, (2011)

[20] E. Kito, S. Matubara, Y. Yamauchi, "Simulation of computer virus infection model", Nanzan University, (2012)
