Switchwall: Automated Topology Fingerprinting and Behavior Deviation Identification

  • Conference paper
Security and Trust Management (STM 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7783)

Abstract

The continuous improvement of bandwidth, pervasiveness, and functionality of network switching technologies is deeply changing the Internet landscape. Indeed, it has become tedious and sometimes infeasible to manually assure the network integrity on a regular basis: existing hardware and software can be tampered with and new devices can be connected or become nonoperational without any notification. Moreover, changes in the network topology can be introduced by human error, by hardware or software failures, or even by a malicious adversary (e.g. rogue systems).

In this paper, we introduce Switchwall, an Ethernet-based network fingerprinting technique that detects unauthorized changes to the L2/L3 network topology, the active devices, and the availability of an enterprise network. The network map is generated at an initial known state and is then periodically verified to detect deviations in a fully automated manner. Switchwall leverages a single vantage point and uses only very common protocols (PING and ARP) without any requirements for new software or hardware. Moreover, no previous knowledge of the topology is required, and our approach works on mixed-speed, mixed-vendor networks. Switchwall is able to identify a wide range of changes, as validated by our experimental results on both real and simulated networks.

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Nazzicari, N., Almillategui, J., Stavrou, A., Jajodia, S. (2013). Switchwall: Automated Topology Fingerprinting and Behavior Deviation Identification. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds) Security and Trust Management. STM 2012. Lecture Notes in Computer Science, vol 7783. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38004-4_11

  • DOI: https://doi.org/10.1007/978-3-642-38004-4_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38003-7

  • Online ISBN: 978-3-642-38004-4

  • eBook Packages: Computer Science (R0)
