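Authors: LIN Hongxiu; XING Changyou; ZHAN Xi (College of Command and Control Engineering, The Army Engineering University of PLA, Nanjing 210007, China)
Affiliation: [1] College of Command and Control Engineering, The Army Engineering University of PLA, Nanjing 210007, China
Source: Computer Engineering (《计算机工程》), 2023, No. 12, pp. 282-293, 303 (13 pages in total)
Funding: National Natural Science Foundation of China (62172432).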
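Abstract: Network tomography can infer the topology of a target network by measuring its end-to-end performance metrics, which in turn supports attackers in carrying out more precise network attacks. Although network topology obfuscation offers one approach to countering this kind of reconnaissance, existing topology obfuscation techniques still fall short in the accuracy of probe-pattern recognition and in the effectiveness of their countermeasures. To address this, a topology obfuscation mechanism against multi-mode network tomography, M2NTO, is proposed. Because network tomography modes are diverse, M2NTO uses an incrementally updated dynamic decision tree classification algorithm to build an end-to-end performance parameter perturbation method that counters diverse probing behaviors online, so as to cope with tomography-based topology probing in different modes. Simulation experiments on several typical real network topologies show that M2NTO can accurately identify probing behaviors of different modes online in multiple scenarios: probe-flow identification accuracy exceeds 98% in multiple scenarios, the false positive rate stays within 2%, and probe-flow classification accuracy exceeds 95%. On this basis, M2NTO perturbs the corresponding performance metrics to interfere with the attacker's inference results, reducing the similarity between the topology inferred by the attacker and the real network topology to below 60% and effectively improving the efficacy of obfuscated topology generation.

English abstract: By performing an end-to-end performance measurement of a target network, the network tomography method can infer its internal topology accurately, which can support attackers in carrying out more effective attacks. Although network topology obfuscation techniques provide a solution to counter such reconnaissance behaviors, they still have shortcomings in the recognition accuracy of the probe pattern as well as the effectiveness of the countermeasures. Therefore, this study proposes a topology obfuscation mechanism for Multi-mode Network Tomography (M2NTO). Based on the characteristics of diverse network tomography modes, M2NTO constructs an end-to-end performance metric dynamic perturbation-based online dynamic decision tree recognition and classification model of probe behaviors to cope with diverse network tomography methods. Simulation results based on several typical real network topologies demonstrate that M2NTO can accurately identify the patterns of different probe behaviors online in multiple scenarios. The detection flow identification accuracy was more than 98% in multiple scenarios, the false positive rate was maintained within 2%, and the detection flow classification accuracy was more than 95%. On this basis, M2NTO interferes with the attacker's inference results by perturbing the corresponding performance metrics. Thus, the similarity between the inferred network topology and the real network topology is reduced to less than 60%, which effectively enhances the obfuscated topology generation efficiency.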
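Keywords: topology obfuscation; topology inference; network tomography; traffic identification; dynamic decision tree
Classification number: TP393 [Automation and Computer Technology: Computer Application Technology]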