Adversarial topology discovery in network virtualization environments: a threat for ISPs?

Yvonne Anne Pignolet; Stefan Schmid; Gilles Tredan

doi:10.1007/s00446-014-0217-4

Distributed Computing

April 2015, Volume 28, Issue 2, pp 91–109 | Cite as

Adversarial topology discovery in network virtualization environments: a threat for ISPs?

Authors
Authors and affiliations

Yvonne Anne Pignolet
Stefan Schmid
Gilles Tredan

Article

First Online: 23 April 2014

Received: 23 April 2013

Accepted: 09 April 2014

209 Downloads
4 Citations

Abstract

Network virtualization is a new Internet paradigm which allows multiple virtual networks (VNets) to share the resources of a given physical infrastructure. The virtualization of entire networks is the natural next step after the virtualization of nodes and links. While the problem of how to embed a VNet (“guest network”) on a given resource network (“host network”) is algorithmically well-understood, much less is known about the security implications of this new technology. This paper introduces a new model to reason about one particular security threat: the leakage of information about the physical infrastructure—often a business secret. We initiate the study of this new problem and introduce the notion of request complexity which describes the number of VNet requests needed to fully disclose the substrate topology. We derive lower bounds and present algorithms achieving an asymptotically optimal request complexity for important graph classes such as trees, cactus graphs (complexity \(O(n)\)) as well as arbitrary graphs (complexity \(O(n^2)\)). Moreover, a general motif-based topology discovery framework is described which exploits the poset structure of the VNet embedding relation.

This is a preview of subscription content, to check access.

Notes

Acknowledgments

We would like to thank Georgios Smaragdakis from Telekom Innovation Laboratories for interesting discussions. Part of this work was performed within the Virtu project, funded by NTT DOCOMO Euro-Labs, and the Collaborative Networking project, funded by Deutsche Telekom AG. We would like to thank all our colleagues in these projects

Appendix 1: Proof of Lemma 1

We prove the lemma for undirected graphs. The extension to directed graphs is straight-forward.

A poset structure \((S,\preceq )\) over a set \(S\) requires that \(\preceq \) is a (reflexive, transitive, and antisymmetric) order which may or may not be partial. To show that \((\mathcal {G},\mapsto )\), the embedding order defined over a given set of graphs \(\mathcal {G}\), is a poset, we examine the three properties in turn.

Reflexivity (for each \(G\in \mathcal {G}\), \(G \mapsto G\)): By using the identity mapping \(\pi : G=(V,E) \rightarrow G=(V,E)\) which embeds each node and link to itself, the claim is proved.

Transitivity (for all \(A,B,C \in \mathcal {G}\), if \(A \mapsto B\) and \(B \mapsto C\) then \(A\mapsto C\)): Let \(\pi _1\) denote the embedding function for \(A \mapsto B\) and let \(\pi _2\) denote the embedding function for \(B \mapsto C\), which must exist by our assumptions. We will show that then also a valid embedding function \(\pi \) exists to map \(A\) to \(C\). Regarding the node mapping, we define \(\pi _V\) as \(\pi _V:=\pi _{1V} \circ \pi _{2V}\), i.e., the result of first mapping the nodes according to \(\pi _{1V}\) and subsequently according to \(\pi _{2V}\). We first show that \(\pi _V\) is a valid mapping from \(A\) to \(C\) as well. First, for all \(v_A \in V_A\), \(\pi (v_A)\) maps \(v_A\) to a single node in \(V_C\), fulfilling the first condition of the embedding (see Definition 1). Ignoring relay capacities (which is studied together with the conditions on the links below), Condition (\(ii\)) of Definition 1 is also fulfilled since the mapping \(\pi _{1V}\) ensures that no node in \(V_B\) exceeds its capacity, and can hence safely be mapped to \(V_C\). Let us now turn our attention to the links. We use the following mapping \(\pi _E\) for the edges. Note that \(\pi _{1E}\) maps a single link \(e\) to an entire (but possibly empty) path in \(B\) and \(\pi _{2E}\) then maps the corresponding links \(e'\) in \(B\) to a walk in \(C\). We can transform any of these walks into paths by removing cycles; this can only lower the resource costs. Since \(\pi _{1E}\) maps to a subset of \(E_B\) only and since \(\pi _{2E}\) can embed all edges of \(B\), all link capacities are respected up to relay costs. However, note also that by the mapping \(\pi _1\) and for relay costs \(\epsilon >0\), each node \(v_B\in V_B\) can either not be used at all, be fully used as a single endpoint of a link \(e_A\in E_A\), or serve as a relay for one or more links. Since both end-nodes and relay nodes are mapped to separate nodes in \(C\), capacities are respected as well. Conditions (\(iii\)) and (\(iv\)) hold as well.

Antisymmetry (for all \(A,B \in \mathcal {G}\), \(A \mapsto B\) and \(B \mapsto A\) implies \(A=B\), i.e., \(A\) and \(B\) are isomorphic): First observe that if the two networks differ in size, i.e., \(|V_A|\ne |V_B|\) or \(|E_A|\ne |E_B|\), then they cannot be embedded to each other: Without loss of generality, assume \(|V_A|>|V_B|\), then since nodes of \(V_A\) of cannot be split into multiple nodes of \(V_B\) (cf Definition 1), there exists a node \(v_A\in V_A\) to which no node from \(V_B\) is mapped. This however implies that node \(\pi _1(v_A)\in V_B\) must have available capacities to host also \(v_A\), contradicting our assumption that nodes cannot be split in the embedding. Similarly, if \(|E_A|\ne |E_B|\), we can obtain a contradiction with the single path argument. Thus, not only the total number of nodes and links in \(A\) and \(B\) must be equivalent but also the total amount of node and link resources. So consider a valid embedding \(\pi _1\) for \(A \mapsto B\) and a valid embedding \(\pi _2\) for \(B \mapsto A \), and assume \(|V_A|=|V_B|\) and \(|E_A|=|E_B|\). It holds that \(\pi _1\) and \(\pi _2\) define an isomorphism between \(A\) and \(B\): Clearly, since \(|V_A|=|V_B|\), \(\pi _1\) and \(\pi _2\) define a permutation on the vertices. Without loss of generality, consider any link \(\{v_A,v_A'\}\in E_A\). Then, also \(\{\pi _{1}(v_A), \pi _{1}(v_A')\}\in E_B\): \(|\{\pi _{1}(v_A),\pi _{1}(v_1')\}|=0\) would violate the node capacity constraints in \(B\), and \(|\{\pi _{1}(v_A),\pi _{1}(v_A')\}|>1\) requires \(|E_B|>|E_A|\).

Appendix 2: Proof of Lemma 2

(\(i\)) From Definition 1, \(A \mapsto B\) defines a mapping \(\pi \) from \(V_A\) to \(V_B\) and from \(E_A\) to \(E_B\), which implies that the subgraph where \(A\) is embedded on \(B\) constitutes a minor of \(B\). Since \(\epsilon >0.5\) every node of \(V_B\) in \(\pi (A)\) is used exactly once. Contracting the edges on paths of \(\pi (e)\) for each \(e\in E_A\) thus results in \(A\) which proves the claim. (\(ii\)) For smaller \(\epsilon \) there are graphs which can be embedded into other graphs \(H\) although they are not minors of \(H\), e.g., the forbidden minor \(K_5\) (i.e., the clique with five nodes) can be embedded in some planar graphs, see Fig. 8 for an example. (\(iii\)) The opposite direction of (\(i\)) does not hold, as can be seen in the following example demonstrating that not all minors of a substrate are embeddable. Given \(\epsilon \), let \(r=\lceil 1/\epsilon \rceil +1\) and consider a \(r\)-ary tree of height 2 with \(r^2\) leaves. A star graph with \(r^2\) leaves is a minor of this tree, however, it cannot be embedded in the tree because the relay nodes cannot support \(r\) paths without exceeding their capacities and hence there are not enough paths to all leaves.

Fig. 8
Planar graphs are \(K_5\) minor free, but the planar substrate \(H\) depicted in this figure a \(K_5\) can be embedded if \(\epsilon \le 0.5\)

Appendix 5: Proof of Lemma 6

We present a procedure to construct such a dictionary \(D\). Let \(\mathcal {M}_n\) be the set of all motifs with \(n\) nodes of the graph family \(\mathcal {H}\). For each motif \(m\in \mathcal {M}_n\) with \(x\) possible attachment point pairs (up to isomorphisms), we add \(x\) dictionary words to \(V_D\), one for each attachment point pair. The resulting set is denoted by \(V_M\). For each sequence of \(V_M^\star \) with at most \(n\) nodes, we add another word to \(V_D\) (with the un-used attachment points of the first and the last subword). There is an edge \(e\in E_D\) if the transitive reduction of the embedding relation with context includes an edge between two words. We now prove that \(D\) is a dictionary, i.e., it is robust to composition. Let \(i \in V_D\). Observe that \(R_i\) contains all compositions of words with at most \(n\) nodes in which \(i\) can be embedded. Consequently, no matter which sequences are in \(\overline{R}_i^\star \), it holds that \(v_i\) cannot be embedded in sequences in \(Q_i\), and the robustness condition is satisfied. Since \(H\) has \(n\) vertices, and since \(D\) contains all possible motifs of at most \(n\) vertices, \(D\) covers \(H\).

Appendix 6: Proof of Theorem 3

We first prove that the claim is true if \(H\) forms a motif sequence (without edge expansion). Subsequently, we study the case where the motif sequence is expanded by Rule 2, and finally tackle the general composition case.

Discovery of motif sequences: Due to Lemma 5, it holds that for \(w\) chosen when Line 1 of \(findMotifSequence ()\) is executed for the first time, \(S\) is partitioned into three subsequences \(S_1\), \(w\) and \(S_2\). Subsequently \(findMotifSequence ()\) is executed on each of the subsequences \(S'\in \{S_1, S_2\}\) recursively if \(C\mapsto S'\), i.e., if the subsequences are not empty. Thus \(findMotifSequence ()\) computes a decomposition as described in Corollary 3 recursively. As each of the words used in the decomposition is a subsequence of \(S\), and as \(findMotifSequence ()\) does not stop until no more words can be added to any subsequence, it holds that all nodes of \(S\) will be discovered eventually. In other words, \(\pi ^{-1}(u)\) is defined for all \(u\in S\).

As a next step we assume \(S' \ne S\) to be the sequence of words obtained by \(\textsc {Dict}\) to derive a contradiction. Since \(S':=H'\) is the output of algorithm \(\textsc {Dict}\) and is hence embeddable in \(H\): \(S'\mapsto S\), there exists a valid embedding mapping \(\pi \). Given \(u, v\in V(S)\), we denote by \(E^{\pi ^{-1}}(S')\) the set of pairs \(\{u,v\}\) for which \(\{\pi ^{-1}(u),\pi ^{-1}(v)\} \in E(S')\). Now assume that \(S\) and \(S'\) do not lead to the same resource reservations. Hence there are some inconsistencies between the substrate and the output of algorithm \(\textsc {Dict}: \varPhi =\{\{u,v\} \in E(S)\backslash E^{\pi ^{-1}}(S') \cup E^{\pi ^{-1}}(S') \backslash E(S)\}\). With each of these “conflict” edges, one can associate the corresponding word \(W_{u,v}\) (resp. \(W_{u,v}'\)) in \(S\) (resp. \(S'\)). If a given conflict edge spans multiple words, we only consider the words with the highest index as defined by \(\textsc {Dict}\). We also define \(i_{u,v}=r(W_{u,v})\) (resp. \(i_{u,v}'=r(W_{u,v}'\))). Since \(S'\) and \(S\) are by definition not isomorphic, \(i_{u,v}' \ne i_{u,v}\).

Let \(j = \max _{(u,v) \in \varPhi }( i_{u,v})\) be the index of the greatest word embeddable on the substrate containing an inconsistency, and \(j'\) be the index of the corresponding word detected by \(\textsc {Dict}\).

(\(i\)) Assume \(j>j'\): a lower order motif was erroneously detected. Let \(J^+\) (and \(J^-\)) be the set of dictionary entries that are detected before (after) \(D[j]\) (if any) in \(S\) by \(\textsc {Dict}\). Observe that the words in \(J^+\) were perfectly detected by \(\textsc {Dict}\), otherwise we are in Case (\(ii\)). We can decompose \(S\) as an alternating sequence of words of \(J^+\) and other words using Corollary 3 : \(S=T_1 J_1(a_1) T_2 \ldots T_k\) with \(J_i(a_i)\in (J^+)^\star \) and attachment points \(a_i\) and \(T_i \in (J^-)^\star \). As the words in \(J^+\) are the same in \(S'\), we can write \(S'=T_1' J_1 T_2' \ldots T_k'\) (using Corollary 3 as well).

Let \(T\) be the sequence among \(T_{1}, \ldots , T_k\) that contains our misdetected word \(D[j]\), and \(T'\) the corresponding sequence in \(S'\). Observe that \(T' \mapsto T\) since the words \(J_i\) cut the sequences of \(S\) and \(S'\) into subsequences \(T_i, ~T_i'\) that are embeddable. Observe that \(D[j] \mapsto T\) since \(T\) contains it. Note that in the execution of \(findMotifSequence ()\) when \(D[j']\) was detected the higher indexed words had been detected correctly by \(\textsc {Dict}\) in previous executions of this subroutine. Hence, \(T_<\) and \(T_>\) cannot contain any words leading to edges in \(\varPhi \). We deduce that \(j' \ne \arg \max _x(D[x] \mapsto T)\) since \(j = \arg \max _x(D[x] \mapsto T)\) and \(j'<j\) which contradicts Line \(1\) of \(findMotifSequence ()\).

(\(ii\)) Now assume \(j'>j\): a higher order motif was erroneously detected. Using the same decomposition as step (\(i\)), we define \(J'^+\) as the set of words perfectly detected, and therefore decompose \(S\) and \(S'\) as sequences \(S=T_1J_1'T_2\ldots J_{k-1}'T_k\) and \(S'=T_1'J_1'T_2'\ldots J_{k-1}'T_k'\) with \(J_i'\in (J'^+)^\star \) and the property that each \(T_i' \mapsto T_i \).

Let \(T'\) be the sequence among \(T_{1}', \ldots , T_k'\) that contains our misdetected word \(D[j']\), and \(T\) the corresponding sequence in \(S\). Since \(D[j'] \prec T'\), \(D[j'] \mapsto T'\). Recall that \(T\in V_D^\star \backslash (J'^+)^\star \). We again consider two subcases: \(D[j'] \prec T\): \(T\) contains some occurrences of the word \(D[j']\), but \(\textsc {Dict}\) detected a wrong number of such occurrences. Using Corollary 3, we again decompose \(T\) as \(T=R_1D[j']R_2\ldots R_k\) with \(R_i\in (J'^-)^\star \). Let \(R\) be the sequence \(R_{1}, \ldots , R_k\) containing \(D[j]\). We have \(D[j'] \mapsto R\) and \(R\in (J'^-)^\star \), which contradicts the robustness property of \(D\). Now, consider that \(T\) has no occurrences of the word \(D[j']\): \(T \in V_D^\star \backslash (J'^+ \cup \{ D[j']\})^\star \), that is \(T\in (J'^-)^\star \) and \(D[j']\mapsto T\), which again contradicts the robustness property of \(D\).

The same arguments can be applied recursively to show that conflicts in \(\phi \) of smaller indices cannot exist either.

Expanded motif sequences As a next step, we consider graphs that have been extended by applying node insertions (Rule 2) to motif sequences, so-called expanded motif sequences: we prove that if \(H\) is an expanded motif sequence \(S\), then algorithm \(\textsc {Dict}\) correctly discovers \(S\). Given an expanded motif sequence \(S\), replacing all degree-2 nodes with an edge connecting their neighbors unless a cycle of length three would be destroyed, leads to a unique pure motif sequence \(T\), \(T\mapsto S\). For the corresponding embedding mapping \(\pi \) it holds that \(V(S){\setminus } \pi (T)\) is exactly the set \(\mathcal {R}\) of removed nodes. Applying \(findMotifSequence ()\) to an expanded motif sequence discovers this pure motif sequence \(T\) by using the nodes in \(\mathcal {R}\) as relay nodes. All nodes in \(\mathcal {R}\) are then discovered in \(edgeExpansion ()\) where the reverse operation node insertion is carried out as often as possible. It follows that each node in \(S\) is either discovered in \(findMotifSequence ()\) if it occurs in a motif or in \(edgeExpansion ()\) otherwise.

Combining expanded sequences Finally, it remains to combine the expanded sequences. Clearly, since motifs describe all parts of the graph which are at least 2-connected, the graph remaining after collapsing motifs cannot contain any cycles: it is a tree. However, on this graph \(\textsc {Dict}\) behaves like \(\textsc {Tree}\), but instead of attaching chains, entire sequences are attached to different nodes. Along the unique sequence paths between two nodes, \(\textsc {Dict}\) fixes the largest words first, and the claim follows by the same arguments as used in the proofs for tree and cactus graphs.

Appendix 8: Proof of Theorem 4

Each time Line 2 of findMotifSequence \(()\) is called, either at least one new node is found or no other node can be embedded between the current sequences (one request is necessary for the latter result). If one or more new nodes are discovered, the request complexity can be amortized by the number of nodes found: If \(v\) is the maximal word found in Line 1 of findMotifSequence \(()\), then \(v\) is responsible for at most \(cost(v)\) requests due to Lemma 7. If it occurs more than once at this position, only one additional request is necessary to discover even more nodes (plus one superfluous request if no more occurrences of \(v\) can be embedded there). Amortizing the request number over the number of discovered nodes results in \(\varDelta \) requests. All other requests are due to \(edgeExpansion (e)\) where additional nodes are placed along edges. Clearly, these costs can be amortized by the number of edges in \(H\): for each edge \(e\in E(H)\), at most two embedding requests are performed (including a “superfluous” request which is needed for termination when no additional nodes can be added).

References

1.
Acharya, H., Gouda, M.: On the hardness of topology inference. In: Proceedings of ICDCN, pp. 251–262 (2011)Google Scholar
2.
Achlioptas, D., Clauset, A., Kempe, D., Moore, C.: On the bias of traceroute sampling: or, power-law degree distributions in regular graphs. In: Proceedings of 37th Annual ACM Symposium on Theory of Computing (STOC), pp. 694–703 (2005)Google Scholar
3.
Ambühl, C., Mastrolilli, M., Svensson, O.: Inapproximability results for maximum edge biclique, minimum linear arrangement, and sparsest cut. SIAM J. Comput. 40(2), 567–596 (2011)CrossRefzbMATHMathSciNetGoogle Scholar
4.
Anandkumar, A., Hassidim, A., Kelner, J.: Topology discovery of sparse random graphs with few participants. In: Proceedings of SIGMETRICS (2011)Google Scholar
5.
Bansal, N., Lee, K.-W., Nagarajan, V., Zafer, M.: Minimum congestion mapping in a cloud. In: Proceedings of 30th PODC, pp. 267–276 (2011)Google Scholar
6.
Caucal, D.: Deterministic graph grammars. In: Logic and Automata, pp. 169–250 (2008)Google Scholar
7.
Cheswick, B., Burch, H., Branigan, S.: Mapping and visualizing the internet. In: Proceedings of USENIX Annual Technical Conference (ATEC) (2000)Google Scholar
8.
Chowdhury, N.M.M.K., Boutaba, R.: A survey of network virtualization. Comput. Netw. 54(5), 862–876 (2010). doi: 10.1016/j.comnet.2009.10.017 Google Scholar
9.
Cook, D.J., Holder, L.B.: Substructure discovery using minimum description length and background knowledge. J. Artif. Intell. Res. 1, 231–255 (1994)Google Scholar
10.
Díaz, J., Petit, J., Serna, M.: A survey of graph layout problems. ACM Comput. Surv. 34(3), 313–356 (2002)CrossRefGoogle Scholar
11.
Even, G., Medina, M., Schaffrath, G., Schmid, S.: Competitive and deterministic embeddings of virtual networks. In: Proceedings of ICDCN (2012)Google Scholar
12.
Faloutsos, M., Faloutsos, P., Faloutsos, C.: On power-law relationships of the internet topology. In: Proceedings of SIGCOMM, pp. 251–262 (1999)Google Scholar
13.
Fan, J., Ammar, M.H.: Dynamic topology configuration in service overlay networks: a study of reconfiguration policies. In: Proceedings of IEEE INFOCOM (2006) Google Scholar
14.
Fuerst, C., Schmid, S., Feldmann, A.: Virtual network embedding with collocation: benefits and limitations of pre-clustering. In: Proceedings of 2nd IEEE International Conference on Cloud Networking (CLOUDNET) (2013)Google Scholar
15.
Haider, A., Potter, R., Nakao, A.: Challenges in resource allocation in network virtualization. In: Proceedings of ITC Specialist Seminar on Network Virtualization (2009)Google Scholar
16.
Houidi, I., Louati, W., Zeghlache, D.: A distributed virtual network mapping algorithm. In: Proceedings of IEEE ICC (2008)Google Scholar
17.
Lakhina, A., Byers, J., Crovella, M., Xie, P.: Sampling biases in ip topology measurements. In: Proceedings of IEEE INFOCOM (2003)Google Scholar
18.
Lischka, J., Karl, H.: A virtual network mapping algorithm based on subgraph isomorphism detection. In: Proceedings of ACM SIGCOMM VISA (2009)Google Scholar
19.
McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., Turner, J.: Openflow: enabling innovation in campus networks. SIGCOMM Comput. Commun. Rev. 38, 69–74 (2008)CrossRefGoogle Scholar
20.
Pignolet, Y.A., Schmid, S., Tredan, G.: Brief announcement: Do vnet embeddings reveal isp topology? In: Proceedings of 26th International Symposium on Distributed Computing (DISC) (2012)Google Scholar
21.
Pignolet, Y.-A., Schmid, S., Tredan, G.: Adversarial VNet embeddings: a threat for ISPs? In: IEEE INFOCOM (2013)Google Scholar
22.
Pignolet, Y.A., Schmid, S., Tredan, G.: Request complexity of vnet topology extraction: dictionary-based attacks. In: International Conference on Networked Systems (NETYS) (2013)Google Scholar
23.
Pignolet, Y.A., Tredan, G., Schmid, S.: Misleading stars: what cannot be measured in the internet?. In: Proceedings of DISC (2011)Google Scholar
24.
Plotkin, J.M., Rosenthal, J.W.: How to obtain an asymptotic expansion of a sequence from an analytic identity satisfied by its generating function. J. Aust. Math. Soc. Ser. A (1994)Google Scholar
25.
Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of 16th ACM CCS, pp. 199–212 (2009)Google Scholar
26.
Schaffrath, G., Schmid, S., Feldmann, A.: Optimizing long-lived cloudnets with migrations. In: Proceedings of IEEE/ACM UCC (2012)Google Scholar
27.
Schaffrath, G., Werle, C., Papadimitriou, P., Feldmann, A., Bless, R., Greenhalgh, A., Wundsam, A., Kind, M., Maennel, O., Mathy, L.: Network virtualization architecture: proposal and initial prototype. In: Proceedings of ACM SIGCOMM VISA (2009)Google Scholar
28.
Spring, N., Mahajan, R., Wetherall, D., Anderson, T.: Measuring isp topologies with rocketfuel. IEEE/ACM Trans. Netw. 12(1), 2–16 (2004)CrossRefGoogle Scholar
29.
Washio, T., Motoda, H.: State of the art of graph-based data mining. SIGKDD Explor. Newsl. 5, 59–68 (2003)CrossRefGoogle Scholar
30.
Yao, B., Viswanathan, R., Chang, F., Waddington, D.: Topology inference in the presence of anonymous routers. In: Proceedings of IEEE INFOCOM, pp. 353–363 (2003)Google Scholar
31.
Zhang, S., Qian, Z., Wu, J., Lu, S.: An opportunistic resource sharing and topology-aware mapping framework for virtual networks. In: Proceedings of IEEE INFOCOM (2012)Google Scholar

Copyright information

Authors and Affiliations

Yvonne Anne Pignolet
- 1
Stefan Schmid
- 2
Email author
Gilles Tredan
- 3

1.ABB Corporate ResearchDättwilSwitzerland
2.Telekom Innovation Laboratories and TU BerlinBerlinGermany
3.LAAS-CNRSToulouseFrance

Adversarial topology discovery in network virtualization environments: a threat for ISPs?

Abstract

Notes

Acknowledgments

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite article