Huang Xiaobo,Pan Xuezeng

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.07.059

2007-01-01

Abstract:An algorithm based on SNMP and ICMP to discover topology structure of network and the method of visualizing them are introduced.The experience gained from development is summarized.

Lei Shu,Chun Wu,Yan Zhang,Jiming Chen,Lei Wang,Manfred Hauswirth

DOI: https://doi.org/10.1145/1534490.1534492

2008-01-01

Abstract:Deploying real WSN testbed provides a realistic testing environment, and allows users to get more accurate test results. However, deploying real testbed is highly constrained by the available budget when the test needs a large scale WSN environment. By leveraging the advantages of both simulators and real testbed, an approach that integrates simulation environment and testbed can effectively solve both scalability and accuracy issues. In this paper, we present NetTopo for providing both simulation and visualization functions to assist the investigation of algorithms in WSNs. One case study is described to prove the effectiveness of NetTopo.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Xing Fang,Feiyan Ding,Bang Huang,Ziyi Wang,Gao Han,Rulan Yang,Lizhao You,Qiao Xiang,Linghe Kong,Yutong Liu,Jiwu Shu

DOI: https://doi.org/10.1109/infocom52122.2024.10621215

2024-01-01

Abstract:Satisfiability Modulo Theories (SMT) based network configuration verification tools are powerful tools in preventing network configuration errors. However, their fundamental limitation is efficiency, because they rely on generic SMT solvers to solve SMT problems, which are in general NP-complete. In this paper, we show that by leveraging network domain knowledge, we can substantially accelerate SMT-based network configuration verification. Our key insights are: given a network configuration verification formula, network domain knowledge can (1) guide the search of solutions to the formula by avoiding unnecessary search spaces; and (2) help simplify the formula, reducing the problem scale. We leverage these insights to design a new SMT- based network configuration verification tool called NetSMT. Extensive evaluation using real-world topologies and synthetic network configurations shows that NetSMT achieves orders of magnitude improvements compared to state-of-the-art methods.

Johanna Sepulveda,Damian Aboul-Hassan,Georg Sigl,Bernd Becker,Matthias Sauer

DOI: https://doi.org/10.1109/ets.2018.8400692

2018-05-01

Abstract:Vulnerabilities and design flaws in Network-on-Chip (N oC) routers can be exploited in order to spy, modify and constraint the sensitive communication inside the Multi-Processors Systems-on-Chip (MPSoCs). Although previous works address the N oC threat, finding secure and efficient solutions to verify the security is still a challenge. In this work, we propose for the first time a method to formally verify the correctness and the security properties of a NoC router in order to provide the proper communication functionality and to avoid NoC attacks. We present a generalized-verification flow that proves a wide set of implementation-independent security-related properties to hold. We employ unbounded model checking techniques to account for the highly-sequential behaviour of the NoC systems. The evaluation results demonstrate the feasibility of our approach by presenting verification results of six different N oC routing architectures demonstrating the vulnerabilities of each design.

Zheng,Xu Mingwei,Li Qi,Zhang Yun

DOI: https://doi.org/10.7544/issn1000-1239.2018.20160740

2018-01-01

Journal of Computer Research and Development

Abstract:Software-defined networking (SDN) is a new network paradigm.Unlike the conventional network,SDN separates the control plane from the data plane.The function of the data plane is enabled in switches while only the controller provides the functions of the control plane.The controller learns topologies of the whole networks and makes the traffic forwarding decisions.However,recent studies show that there exist some serious vulnerabilities in topology management services of the current SDN controller designs,which mainly exists in host tracking service and link discovery service.Attackers can exploit these vulnerabilities to poison the network topology information in the SDN controllers.What's more,attackers can even make the whole network down.Fortunately,researchers have paid some attention to this serious problem and proposed their defense solution.However,the existing countermeasures can be easily evaded by the attackers.In this paper,we propose an effective approach called SecTopo,to defend against the network topology poisoning attacks.Our evaluation on SecTopo in the Floodlight controller shows that the defense solution can effectively secure network topology with a minor impact on normal operations of OpenFlow controllers.

Chengze Du,Jibin Shi

2024-12-11

Abstract:Network tomography plays a crucial role in network monitoring and management, where network topology serves as the fundamental basis for various tomography tasks including traffic matrix estimation and link performance inference. The topology information, however, can be inferred through end-to-end measurements using various inference algorithms, posing significant security risks to network infrastructure. While existing protection methods attempt to secure topology information by manipulating end-to-end delay measurements, they often require complex computation and sophisticated modification strategies, making real-time protection challenging. Moreover, these delay-based modifications typically render the measurements unusable for network monitoring, even by trusted users, as the manipulated delays distort the actual network performance characteristics. This paper presents a novel privacy-preserving framework that addresses these limitations. Our approach provides efficient topology protection while maintaining the utility of measurements for authorized network monitoring. Through extensive evaluation on both simulated and real-world networks topology, we demonstrate that our framework achieves superior privacy protection compared to existing methods while enabling trusted users to effectively monitor network performance. Our solution offers a practical approach for organizations to protect sensitive topology information without sacrificing their network monitoring capabilities.

Cryptography and Security

Radu Stoenescu,Matei Popovici,Lorina Negreanu,Costin Raiciu

DOI: https://doi.org/10.48550/arXiv.1604.02847

2016-04-11

Abstract:We present SymNet, a network static analysis tool based on symbolic execution. SymNet quickly analyzes networks by injecting symbolic packets and tracing their path through the network. Our key novelty is SEFL, a language we designed for network processing that is symbolic-execution friendly. SymNet is easy to use: we have developed parsers that automatically generate SEFL models from router and switch tables, firewall configurations and arbitrary Click modular router configurations. Most of our models are exact and have optimal branching factor. Finally, we built a testing tool that checks SEFL models conform to the real implementation. SymNet can check networks containing routers with hundreds of thousands of prefixes and NATs in seconds, while ensuring packet header memory-safety and capturing network functionality such as dynamic tunneling, stateful processing and encryption. We used SymNet to debug middlebox interactions documented in the literature, to check our department's network and the Stanford backbone network. Results show that symbolic execution is fast and more accurate than existing static analysis tools.

Networking and Internet Architecture

Kangfeng Ye,Roberto Metere,Poonam Yadav

2024-10-01

Abstract:Current formal verification of security protocols relies on specialized researchers and complex tools, inaccessible to protocol designers who informally evaluate their work with emulators. This paper addresses this gap by embedding symbolic analysis into the design process. Our approach implements the Dolev-Yao attack model using a variant of CSP based on Interaction Trees (ITrees) to compile protocols into animators -- executable programs that designers can use for debugging and inspection. To guarantee the soundness of our compilation, we mechanised our approach in the theorem prover Isabelle/HOL. As traditionally done with symbolic tools, we refer to the Diffie-Hellman key exchange and the Needham-Schroeder public-key protocol (and Lowe's patched variant). We demonstrate how our animator can easily reveal the mechanics of attacks and verify corrections. This work facilitates security integration at the design level and supports further security property analysis and software-engineered integrations.

Cryptography and Security,Logic in Computer Science

Jonathan Julián Huerta y Munive,Simon Foster,Mario Gleirscher,Georg Struth,Christian Pardillo Laursen,Thomas Hickman

2024-01-22

Abstract:We formally introduce IsaVODEs (Isabelle verification with Ordinary Differential Equations), a framework for the verification of cyber-physical systems. We describe the semantic foundations of the framework's formalisation in the Isabelle/HOL proof assistant. A user-friendly language specification based on a robust state model makes our framework flexible and adaptable to various engineering workflows. New additions to the framework increase both its expressivity and proof automation. Specifically, formalisations related to forward diamond correctness specifications, certification of unique solutions to ordinary differential equations (ODEs) as flows, and invariant reasoning for systems of ODEs contribute to the framework's scalability and usability. Various examples and an evaluation validate the effectiveness of our framework.

Logic in Computer Science,Mathematical Software

Xin-xin Liu,Shao-hua Tang

DOI: https://doi.org/10.3969/j.issn.1000-565X.2013.01.012

2013-01-01

Abstract:In order to implement the formal analysis and verification of the security for automated trust negotiation (ATN), this paper takes the formal analysis methods of security protocols as references and proposes a novel approach to ATN modeling and security verification with the help of the process algebra applied π calculus. In this approach, ATN is formalized as the parallel composition of two processes corresponding to two negotiators, and the process of a negotiator is the static modeling of its certificates and authorization policies. The ATN security is defined as the observational equivalence of the applied π calculus so as to verify not only the security of the authorization policy enforcement but also the privacy of negotiators. With the help of the automatic protocol analyzer ProVerif, the security of ATN is automatically analyzed. Experimental results show that the proposed approach helps to implement automatic security verification with high feasibility and efficiency.

Maximilian A. Köhl,Clemens Dubslaff,Holger Hermanns

2024-08-30

Abstract:The observable behavior of a system usually carries useful information about its internal state, properties, and potential future behaviors. In this paper, we introduce configuration monitoring to determine an unknown configuration of a running system based on observations of its behavior. We develop a modular and generic pipeline to synthesize automata-theoretic configuration monitors from a featured transition system model of the configurable system to be monitored. The pipeline further allows synthesis under partial observability and network-induced losses as well as predictive configuration monitors taking the potential future behavior of a system into account. Beyond the novel application of configuration monitoring, we show that our approach also generalizes and unifies existing work on runtime monitoring and fault diagnosis, which aim at detecting the satisfaction or violation of properties and the occurrence of faults, respectively. We empirically demonstrate the efficacy of our approach with a case study on configuration monitors synthesized from configurable systems community benchmarks.

Formal Languages and Automata Theory,Software Engineering

Jie Fu,Abhishek N. Kulkarni,Huan Luo,Nandi O. Leslie,Charles A. Kamhoua

DOI: https://doi.org/10.48550/arXiv.2002.07025

2020-02-18

Abstract:This paper is concerned with the synthesis of strategies in network systems with active cyber deception. Active deception in a network employs decoy systems and other defenses to conduct defensive planning against the intrusion of malicious attackers who have been confirmed by sensing systems. In this setting, the defender's objective is to ensure the satisfaction of security properties specified in temporal logic formulas. We formulate the problem of deceptive planning with decoy systems and other defenses as a two-player games with asymmetrical information and Boolean payoffs in temporal logic. We use level-2 hypergame with temporal logic objectives to capture the incomplete/incorrect knowledge of the attacker about the network system as a payoff misperception. The true payoff function is private information of the defender. Then, we extend the solution concepts of $omega$-regular games to analyze the attacker's rational strategy given her incomplete information. By generalizing the solution of level-2 hypergame in the normal form to extensive form, we extend the solutions of games with safe temporal logic objectives to decide whether the defender can ensure security properties to be satisfied with probability one, given any possible strategy that is perceived to be rational by the attacker. Further, we use the solution of games with co-safe (reachability) temporal logic objectives to determine whether the defender can engage the attacker, by directing the attacker to a high-fidelity honeypot. The effectiveness of the proposed synthesis methods is illustrated with synthetic network systems with honeypots.

Computer Science and Game Theory,Formal Languages and Automata Theory,Logic in Computer Science

Mahmoud Khaled,Matthias Rungger,Majid Zamani

DOI: https://doi.org/10.4204/EPTCS.272.6

2018-06-26

Abstract:While many studies and tools target the basic stabilizability problem of networked control systems (NCS), nowadays modern systems require more sophisticated objectives such as those expressed as formulae in linear temporal logic or as automata on infinite strings. One general technique to achieve this is based on so-called symbolic models, where complex systems are approximated by finite abstractions, and then, correct-by-construction controllers are automatically synthesized for them. We present tool SENSE for the construction of finite abstractions for NCS and the automated synthesis of controllers. Constructed controllers enforce complex specifications over plants in NCS by taking into account several non-idealities of the communication channels. Given a symbolic model of the plant and network parameters, SENSE can efficiently construct a symbolic model of the NCS, by employing operations on binary decision diagrams (BDDs). Then, it synthesizes symbolic controllers satisfying a class of specifications. It has interfaces for the simulation and the visualization of the resulting closed-loop systems using OMNETPP and MATLAB. Additionally, SENSE can generate ready-to-implement VHDL/Verilog or C/C++ codes from the synthesized controllers.

Systems and Control,Robotics

Xavier Weiss,Lars Nordström,Patrik Hilber,Emre Süren

2024-10-12

Abstract:Power system communication networks enable operators to remotely monitor and control field equipment. The sophistication of these networks is also increasing as operators continue the trend towards digitization, which is beneficial in integrating distributed energy resources. However, as the attack surface increases in size so too does the risk of cyberattacks. The topology, configuration and composition of communication networks is therefore confidential since this can provide information to attackers. As a result, the number of benchmarks available for research purposes is limited. A tool for procedurally generating communication network topologies is therefore proposed. While primarily intended as an enabler for public research into communication networks, this tool also allows general insights to be gained into the effect of communication network design on the vulnerability of networks to cyberattacks. The tool includes the ability to encapsulate network characteristics in JSON specification files, which is demonstrated with example Advanced Metering Infrastructure (AMI), Supervisory Control and Data Acquisition (SCADA) and Wide Area Monitoring (WAM) specification files. The SCADA network generation is then compared to a real-world case. Finally, the effect of network redundancy on the networks cyber resilience is investigated.

Systems and Control

Zixuan Chen,Zhigao Zhao,Zijian Li,Jiang Shao,Sen Liu,Yang Xu

DOI: https://doi.org/10.1109/CLUSTER52292.2023.00036

2023-07-09

Abstract:Network experiments are essential to network-related scientific research (e.g., congestion control, QoS, network topology design, and traffic engineering). However, (re)configuring various topologies on a real testbed is expensive, time-consuming, and error-prone. In this paper, we propose \emph{Software Defined Topology Testbed (SDT)}, a method for constructing a user-defined network topology using a few commodity switches. SDT is low-cost, deployment-friendly, and reconfigurable, which can run multiple sets of experiments under different topologies by simply using different topology configuration files at the controller we designed. We implement a prototype of SDT and conduct numerous experiments. Evaluations show that SDT only introduces at most 2\% extra overhead than full testbeds on multi-hop latency and is far more efficient than software simulators (reducing the evaluation time by up to 2899x). SDT is more cost-effective and scalable than existing Topology Projection (TP) solutions. Further experiments show that SDT can support various network research experiments at a low cost on topics including but not limited to topology design, congestion control, and traffic engineering.

Networking and Internet Architecture,Performance

Caleb Voss,David Heath,William Harris

DOI: https://doi.org/10.48550/arXiv.1710.03357

2017-10-10

Programming Languages

Abstract:The automatic verification of programs that maintain unbounded low-level data structures is a critical and open problem. Analyzers and verifiers developed in previous work can synthesize invariants that only describe data structures of heavily restricted forms, or require an analyst to provide predicates over program data and structure that are used in a synthesized proof of correctness. In this work, we introduce a novel automatic safety verifier of programs that maintain low-level data structures, named LTTP. LTTP synthesizes proofs of program safety represented as a grammar of a given program's control paths, annotated with invariants that relate program state at distinct points within its path of execution. LTTP synthesizes such proofs completely automatically, using a novel inductive-synthesis algorithm. We have implemented LTTP as a verifier for JVM bytecode and applied it to verify the safety of a collection of verification benchmarks. Our results demonstrate that LTTP can be applied to automatically verify the safety of programs that are beyond the scope of previously-developed verifiers.

Thorsten Tarrach,Masoud Ebrahimi,Sandra König,Christoph Schmittner,Roderick Bloem,Dejan Nickovic

DOI: https://doi.org/10.48550/arXiv.2210.03207

2022-10-07

Abstract:We propose a model-based procedure for automatically preventing security threats using formal models. We encode system models and potential threats as satisfiability modulo theory (SMT) formulas. This model allows us to ask security questions as satisfiability queries. We formulate threat prevention as an optimization problem over the same formulas. The outcome of our threat prevention procedure is a suggestion of model attribute repair that eliminates threats. Whenever threat prevention fails, we automatically explain why the threat happens. We implement our approach using the state-of-the-art Z3 SMT solver and interface it with the threat analysis tool THREATGET. We demonstrate the value of our procedure in two case studies from automotive and smart home domains, including an industrial-strength example.

Cryptography and Security,Formal Languages and Automata Theory,Logic in Computer Science

Cornelius Diekmann,Lars Hupel,Georg Carle

DOI: https://doi.org/10.4204/EPTCS.150.3

2014-05-06

Abstract:Large systems are commonly internetworked. A security policy describes the communication relationship between the networked entities. The security policy defines rules, for example that A can connect to B, which results in a directed graph. However, this policy is often implemented in the network, for example by firewalls, such that A can establish a connection to B and all packets belonging to established connections are allowed. This stateful implementation is usually required for the network's functionality, but it introduces the backflow from B to A, which might contradict the security policy. We derive compliance criteria for a policy and its stateful implementation. In particular, we provide a criterion to verify the lack of side effects in linear time. Algorithms to automatically construct a stateful implementation of security policy rules are presented, which narrows the gap between formalization and real-world implementation. The solution scales to large networks, which is confirmed by a large real-world case study. Its correctness is guaranteed by the Isabelle/HOL theorem prover.

Cryptography and Security,Logic in Computer Science

Michael Lambert

DOI: https://doi.org/10.48550/arXiv.2111.07461

2021-11-15

Abstract:This paper presents a reformulation in topos logic of a safety result arising in an abstract presentation of blockchain consensus protocols. That is, in a high-level template for "correct-by-construction" consensus protocols, it is shown that a proposition and its negation cannot both be safe in protocol states that have executions to some common state. This is in fact true for any inconsistent propositions and the proof requires only intuitionistic reasoning. This opens the door for work on consensus protocols in the internal language of a topos. As a first pass on such a program, the main contribution of this paper is the formulation of estimate safety in abstract correct-by-construction protocols as a forcing statement in the internal logic of a given topos. This is illustrated first in the setting of copresheaf toposes. It is also seen there that safety can be viewed as a modal statement. For these interpretations, some extensions and adaptations of results in the literature on modal operators in toposes are presented. The final reformulation of estimate safety is a completely elementary version in the language of an arbitrary topos where it is seen that estimate safety is equivalent to a certain forcing statement.

Category Theory