
ISSN 1214-9675. The server was created with support of the Czech Science Foundation (GA ČR). Volume 21.

Network Tomography Overview and Botnet Network Estimation, Part I.

Published on 23. 06. 2015 (8524 reads)

Abstract: The control of network availability relies on many technical methods to provide an overview of the security and quality of services. This article discusses network tomography technology and the intention to use such methods, in combination with other techniques, to estimate the appearance of a botnet network. This paper presents a shortened first part of a research write-up and proposes an idea. The second part, with practical tests, will follow.

Keywords: botnet; genetics; measurement; network tomography; optimization.

INTRODUCTION

Network behavior and adaptability to the demanded data transfer is under the focus of institutions which provide connectivity, security and also services to maintain almost 99.99% network availability. As the Internet of Everything (IoE), the Internet of Things (IoT), Software Defined Networking (SDN), other sophisticated platforms and protocols and, of course, new cyber security laws are coming, the field of Network Tomography (NT) is growing. In addition, the computing power of equipment continues to increase, along with the development of new storage devices. The first significant mention of Network Tomography was in 1996, when the term was used by Vardi [1]. His intention was to capture the relationship between origin-destination (OD) matrix estimation and link counts. This article has also been inspired by examples and online tools, such as the Center for Applied Internet Data Analysis (CAIDA) [2], which collects many tools provided by researchers, and RIPE Labs [3], to analyze which techniques and algorithms are mostly used to recognize a network flow, bottlenecks etc.
Generally, all of them use passive or active access to measure, parse and evaluate data flow. Modern techniques add methods such as Symbolic Regression, Bayesian Networks, SVN and Genetic Algorithms. OD estimation uses techniques such as the Gaussian Model, Maximum Likelihood Estimation (MLE), Iterative Proportional Fitting (IPF), Maximum Pseudo-Likelihood Estimation (MPLE) or Partial Measurement (PM).

NETWORK TOMOGRAPHY OVERVIEW

Network Tomography is a discipline that studies the internal behavior and characteristics of a network from external sources. These sources include endpoints, edge nodes and network probes: computers, mobiles, routers and other specialized equipment. All of these can provide data for analysis. As an example, an illustration of a network is shown in Fig. 1. The blue nodes cooperate and can provide data to analyze; the red nodes cannot be set up to provide such data, for various reasons. NT holds that it is possible to effectively map the data path, capacity, quality, attacks, outward and so on from this information, whether it is passively stored or actively examined in real time, for example by generating certain selected probe traffic. We can say that these endpoints are a kind of traffic monitor. What the proper monitors are able to do and what they are able to implement is another question. The basic classes of NT can be considered to be loss and delay tomography; the extended classes are behavior, typification and matrix representation.
Fig. 1: Network Illustration.

A. Graph Theorem in Network Tomography

The basis of NT is given by the well-known graph theorem. Let the graph G_{i} = (ν, ε), where the nodes ν represent equipment, with vertex set ν = {1, 2, 3, ..., ν}, and ε represents the links among that equipment, with edge set ε ⊆ ν × ν. Then (ν, ν') ∈ ε denotes a directed edge P_{G}, and δ_{G}(ν, ν') the shortest path P_{δG} from ν to ν'. The graph is assumed to be connected, not disconnected. The graph, as shown in Fig. 2, contains one edge for each node-to-node communication and one vertex for each node.
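As an added worked example (not code from the paper), here is the multicast delay-tomography instance the paper describes next for Fig. 2: one probe sent from ν4 to receivers ν1 and ν3, with the per-link delay statistics of ε1, ε2, ε3 inferred from receiver-side delays only. The tree shape, the rows of the routing matrix M and the constructed delay samples are assumptions of this example.

```python
import random

# Constructed example: three-link multicast tree assumed for Fig. 2.
# Assumption: e1 is shared from source v4 to a branching node, e2 then
# leads to receiver v1 and e3 to receiver v3. The routing matrix M has one
# row per receiver and one column per link; a 1 marks that the probe to
# that receiver traversed that link (the "numbers 1" of Equation (1)).
M = [
    [1, 1, 0],  # v4 -> v1 traverses e1, e2
    [1, 0, 1],  # v4 -> v3 traverses e1, e3
]

def send_probes(link_var, n, seed=1):
    """Simulate n multicast probes. Each link adds an independent delay
    (Gaussian jitter around a fixed 10 ms base) with the given variance.
    Only end-to-end delays at the receivers are returned: the internal
    per-link delays are not observable, as in the paper's setting."""
    rng = random.Random(seed)
    obs = []
    for _ in range(n):
        d = [rng.gauss(10.0, v ** 0.5) for v in link_var]
        obs.append([sum(m * dj for m, dj in zip(row, d)) for row in M])
    return obs

def _cov(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) - 1)

def infer_link_variances(obs):
    """Method-of-moments delay tomography for the two-receiver tree.
    Because both probes share e1 and the links are independent,
    Cov(y1, y2) = Var(e1); subtracting it from each receiver's variance
    leaves that receiver's private link (e2 for v1, e3 for v3)."""
    y1 = [o[0] for o in obs]
    y2 = [o[1] for o in obs]
    shared = _cov(y1, y2)          # Var(e1)
    return [shared, _cov(y1, y1) - shared, _cov(y2, y2) - shared]

if __name__ == "__main__":
    true_var = [1.0, 4.0, 0.25]    # constructed per-link delay variances
    est = infer_link_variances(send_probes(true_var, 20000))
    print("true link variances:     ", true_var)
    print("estimated link variances:", [round(v, 2) for v in est])
```

The estimate converges to the constructed link variances as the number of probes grows, which is why the approach needs only cooperating endpoints (the blue nodes of Fig. 1) and no access to the internal links.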
Fig. 2: NT graph representation.

For example, consider multicast delay estimation, where a test frame is sent from node ν_{4} to nodes ν_{1} and ν_{3} and the delay is observed at the receivers only. The problem of inferring the distribution of the internal link delays ε_{1}, ε_{2}, ε_{3} is then as shown in Equation (1),
where the entries 1 in matrix M express the paths of the probes.

MULTIOBJECTIVE OPTIMIZATION QUICK OVERVIEW

Multi-Objective Optimization (MOO), given multiple fitness functions (objectives) or goals, is able to find optimal solutions with respect to all criteria simultaneously, as discussed by Riccardo Poli et al. [4], for example. That work describes many examples of MOO usage. Generally, optimization operates such that, when a problem is optimized, a set of decision variables is found. Those variables satisfy the constraints and a vector function is optimized simultaneously. Such a vector, whose elements express the objective functions of all decisions, leads to a non-unique solution.

DISCUSSION OF INTENT AND PROBLEM

Our aim is to use the knowledge of network tomography in combination with multi-objective optimization in order to detect the appearance of a botnet network. We do this in such a context that, after knowing this type of network, it would be possible to isolate the reproductive behavior of a botnet code into small areas, without the possibility of further spread^{1}. This means that the network probes will be used in real time as monitors of patterns, and based on the NT identification and prediction of a botnet network, an isolation operation such as a blockage would be applied on the predicted network elements.

^{1} Two basic types of botnet network exist: centralized and peer-to-peer (P2P) botnets. While the first type is more controllable, the second is not. The first is created by a root and spreads or connects contested nodes by a tree connection. The second type creates a mesh topology, meaning it does not use a centralized root server; every node in a P2P botnet can act as a root. From this point of view it is a lot harder to stop this kind of botnet.

A. Proposed intention of use of the graph theory

Let graph theory be adopted by NT and used in its simple form.
For our intention let the lists Y = {y^{(1)}, ..., y^{(N)}}, where N = {G_{1}, G_{2}, ..., G_{i} | G_{i} ≈ G_{i+1}} and y^{(n)} = {y_{1}^{(n)}, ..., y_{ν}^{(n)}}, be associated with the coefficients a_{i} = {0, 1}^{ν}. For the first use, let N = {G_{1}, G_{2} | G_{1} ≈ G_{2}} ∈ a_{i}; then the element y_{i}^{(g1)} is the occurrence of a node i ∈ P_{G1} and y_{i}^{(g2)} expresses the demanded attributes of G_{1}. Generally, NT aims to infer certain properties on ε from the total value found on the node list y^{ν}. The NT approach can observe the occurrence probability of data pattern clusters if the presence of a data pattern 𝒟 is observed on the node ν^{ε}. Because it is a location problem, it leads to a combinatorial problem, and as such it is NP-hard and requires heuristics to solve. We strive to test it with multi-objective optimization to infer the cluster probability of 𝒟 from the discussed Y. We take over the idea presented by Gen et al. [5], where the authors discuss the whole problem of network models and optimization. Minarik et al. [6] discuss a set of weight rules. Further, we simplify it for our intention.

B. Summary steps
To start with, we use a known node ν as the origin of the outgoing flow to the rest of the network. In Fig. 3 this node is labelled “source”. The appearance of the network is also known (it is possible for an Internet service provider (ISP) to have such an overview); then follow the steps declared in the summary section.
2) Incidence matrix: the incidence matrix D is composed in the same way. It expresses the relation R as the D estimation, as shown in Equation (3). We end up with two matrices: the adjacency matrix and the occurrence matrix.
3) Flow sub-weights: let the flow 𝔽 be computed (predefined for our theoretical purpose). To compute the proper set 𝔽̂_{ε}, consider Equation (4):
The matrix in Equation (4) is the opposite of an adjacency matrix, because it monitors the quantity of incoming traffic to a node (vector), not the outgoing traffic, and it is predicted that a botnet network will generate some overhead traffic from each node. Each node in a P2P botnet network is both a server and an endpoint. It is possible to compute flows as an increasing flow in each transfer point. Practically, it is expected that we will know only the 𝔽 which comes from “some source” to each endpoint.
Fig. 3: Graph N.
4) Probability: as a weight, let the probability ℘ of an occurrence 𝒟 be used. For this calculation we selected the Bayesian network approach and Markov analysis. Assume only two states:
Parallel is defined only as:
Let us consider the same time t as a constraint, and that each node in N represents a sub-input flow from G and is assigned in list Y. It may be considered that the connection between each individual node ν_{ij} is a two-subsystem and that they have, at start time t, a transition function h(t) = λ to be contested. For example, take from Fig. 3 node 2, which will be detected as contested by 𝒟 at the start time of occurrence t; then λ_{2,5} < λ_{2,6}. If the intensity of “contagion” is constant in time (t1; t2) between any two points, the differential equation is solved under that condition and the distribution is exponential, F(t) = 1 − e^{−λt}. Let a global virtual time T be set for the graph N; it can represent the proper amount of cycles. Then for a selected node ν_{(i,j)} with h(𝒟) ↣ ν_{(i,j)}: λ(t)_{h(𝒟)} = t ∈ TT^{−1}. In summary, the BN network is created, as shown in Fig. 4, by the lists of nodes ν, the observability O = h(𝒟) of edge ε and the residual r (Contested; NotContested). If a node is not connected to edge ε_{i}, then ε_{i} is not connected to the residual r_{j}. The probability is set by p(ε_{i} | r_{1}, ..., r_{n}).
Fig. 4: Bayesian Network Model.

The matrix of probabilities p(t) over the space is computed and created, and for the MOO the following is selected:
5) Constraints and Objectives: the right computation of the constraints is assumed to become clear after correction of the mathematical formulas in the sections above. The first constraints to be defined are:
CONCLUSION

The focus of this paper is on the “botnet network”. The main objective is to propose steps to find appearances of a botnet network and to illustrate how NT can potentially be useful, not only to measure the behavior of a network, but also for other activities such as botnet research, and to implement a multi-objective algorithm to generate an efficient solution. These steps were defined in section A and are part of the mathematical formulas in section C. In a nutshell, two main weights for the calculation are defined. The first weight is the amount of excess flows in combination with NT, and the second weight is the probability of “spreading” with an exponential distribution. Then their (minimum) costs are to be searched by MOO with regard to the two main objectives from the equations of steps 3 and 4, and the solution is then intended to be put explicitly into the NT. We still have to properly define the limits for the multi-objective algorithm. Practical testing will follow. Finally, it would be interesting for further research to test a series of different systems and network forms in order to see the efficiency and results between them and to improve methods to predict the scope of contested nodes in a network. After this paper’s publication, we hope to receive more ideas and corrections from others to improve our conclusions on this subject.

Research described in this paper was financed by the National Sustainability Program under grant LO1401. For the research, the infrastructure of the SIX Center was used.

REFERENCES

[1] VARDI, Y. Network Tomography: Estimating Source-Destination Traffic Intensities from Link Data. Journal of the American Statistical Association, 1996, vol. 91, issue 433. DOI: 10.2307/2291416.

Authors: V. Oujezský, V. Škorpil, M. Jurčík
Affiliation: Vysoké učení technické v Brně