Using Properties of Network Topology to Detect Malicious Routing Behavior

Given the growth in network usage in recent years, the secure operation of network routing protocols is becoming critically important. Networks are designed to deal with simple network failures such as links going up and down or hosts crashing and restarting. They may have serious vulnerabilities when facing a malicious intruder, such as when compromised routers actively attempt to disrupt the global routing behavior by influencing the routing table information that is distributed around the network. When considering the secure performance of complex networks, much effort has been placed on developing authentication and cryptographic protections that are essential for such operation. But these approaches are not sufficient, especially in the case of compromised routers. It is also important to examine the routing processes at the core of these networks for their inherent properties in controlling and dispersing information.
The process of routing involves the exchange of routing information within the network; this exchange both reflects the existing network routing topology and enforces changes in this topology. A goal of this study is to identify characteristics in the routing that might render some routers more in control of the network, or conversely, more susceptible to degraded performance due to congestion. We present a methodology to abstract an intrinsic feature of computer network topology, i.e., the centrality of any one node and the centrality of the parts of the network, as a snapshot of the dynamic behavior. Centrality may be defined as capturing the structurally central part of a network. The analysis is inspired by studies from the field of social network analysis that describe the nature of centrality within social networks. In these studies, the relationship between structural centrality in network topology and influence in group processes is examined.
We believe that capturing the changing centrality description of the routing topology will enable detection of some large-scale network wide routing attacks, such as may be wrought by compromised routers. We believe that this detection can occur early, even before the changed forwarding tables are in place and data packet forwarding occurs. A goal of centrality-based intrusion monitoring is to abstract global network behavior locally at a router.
Subverting such monitoring, while causing a network-wide attack, is harder because of this abstraction. Given the nature of the information being abstracted, centrality-based monitoring might not detect attacks where the compromised routers are selectively misrouting packets; such attacks would typically not have a disruptive effect on the network.
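As an added illustration (not code from the paper), the following computes betweenness centrality over a constructed link-state adjacency list with Brandes' algorithm, then compares a baseline snapshot against one in which a router has advertised a single bogus adjacency; a router whose centrality grows by more than a threshold fraction of the baseline maximum is reported as suspect. The topology, the node names and the threshold are assumptions chosen for the example.

```python
from collections import deque

# Constructed link-state database: an undirected, unweighted six-router topology.
BASELINE_LINKS = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"),
                  ("A", "F"), ("F", "E"), ("B", "F")]
# Constructed scenario: router F floods one adjacency (F-D) that does not exist.
TAMPERED_LINKS = BASELINE_LINKS + [("F", "D")]

def adjacency(links):
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def betweenness(links):
    """Brandes' betweenness centrality: share of shortest paths passing through each node."""
    adj = adjacency(links)
    cb = {v: 0.0 for v in adj}
    for s in adj:
        stack, pred = [], {v: [] for v in adj}
        sigma = {v: 0 for v in adj}; sigma[s] = 1      # number of shortest s->v paths
        dist = {v: -1 for v in adj}; dist[s] = 0       # BFS distance from s
        queue = deque([s])
        while queue:
            v = queue.popleft(); stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1; queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]; pred[w].append(v)
        delta = {v: 0.0 for v in adj}
        while stack:                                   # accumulate dependencies back to s
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                cb[w] += delta[w]
    return {v: c / 2 for v, c in cb.items()}           # undirected: each pair counted twice

def centrality_shift(baseline_links, current_links):
    """Per-router change in betweenness between two link-state snapshots."""
    before, after = betweenness(baseline_links), betweenness(current_links)
    return {v: after.get(v, 0.0) - before.get(v, 0.0) for v in set(before) | set(after)}

def suspect_routers(baseline_links, current_links, threshold=0.25):
    """Routers that gained more than `threshold` of the baseline maximum (a heuristic:
    legitimate topology changes also move centrality, so this is a trigger for review)."""
    scale = max(betweenness(baseline_links).values()) or 1.0
    shift = centrality_shift(baseline_links, current_links)
    return sorted(v for v, d in shift.items() if d / scale > threshold)
```

With the constructed snapshots, the bogus F-D adjacency raises F's betweenness from 2.5 to 3.5 while the other routers' scores fall, so `suspect_routers` returns `["F"]`.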
We study the role of centrality analysis in abstracting characteristics of network behavior, and employ the results of this study in intra-domain link state routing protocols such as OSPF. We believe that this study will suggest abstract specifications of router behavior that are monitorable by individual routers, and which capture expected behavior of routers in a given protocol; these specifications can detect rogue router behavior without requiring prior knowledge of a router compromise. Preliminary simulations have been conducted employing ns-2 with the link state protocol.