The multilayer complex network design with use of the arbiter

Marek Bolanowski (1), Andrzej Paszkiewicz (1), Tadeusz Kwater (2), Bogdan Kwiatkowski

(1) Department of Distributed Systems, Rzeszow University of Technology
marekb@prz.edu.pl
(2) Centre of Innovation and Transfer of Natural Sciences and Engineering Knowledge, University of Rzeszow
{tkwater, bkwiat}@ur.edu.pl

Abstract. The paper presents methods and means of designing modern network structures. In the first part the authors show the classical approach to designing the logical and physical topology and introduce a new concept: a topology layer defined by the routing protocol, called the protocol topology. Nowadays most of the mechanisms and communication paths are determined precisely by routing protocols. The authors propose their own structure with an arbiter that allows the protocol topology to be changed reactively, according to the load of each router's interfaces. The authors also present an example of using the proposed model to implement new functionality such as detection of anomalous network traffic. The proposed architecture can be considered a universal framework for implementing new network management algorithms (created and tested by the network administrator). It is especially important that all of the proposed topology can be implemented using well-known, open network management protocols.

Keywords: computer network, protocol layer, routing algorithms, computer network design.

1 Introduction

Today's networking systems are becoming increasingly complex environments in which we have to deal with the growing convergence of various services. The size of this class of network system forces the use of automated synthesis algorithms to scale the systems, and of algorithms for topology changes (reconfiguration) during normal operation. More and more attention is currently paid to the efficient management of this class of systems.

In the first part of the article the classical approach to the design of physical networks and the method of selecting a logical topology are presented. The next part presents the architecture of a new topology layer, created by the traffic routing protocols. This particular layer is currently in the spotlight because it influences the flows in the network and, consequently, the network topologies.

2 Classic methods and means for physical and logical topology design

Modern systems, because of the multiplicity of their tasks, are described using hierarchical structures. However, previous studies [1, 2, 3] limit their considerations to the analysis of two-level hierarchical structures. If a system has a multilevel structure, it is recommended to decompose it, for the purpose of analysis, into two-layer structures that can be analyzed using existing methods. Existing models of hierarchical systems have a special character, i.e. they are applicable only to specific systems. In addition, the models transform the search for the optimal hierarchical structure into discrete optimization tasks characterized by very high computational complexity.

There are two main types of hierarchical structure in communication systems: a functional hierarchy and a topological hierarchy of the connection network. Using the assumptions of layer systems theory [4], the functional hierarchy can be represented by a system of mutually correlated layers [4, 5]. With this approach the task of network system synthesis is decomposed into smaller tasks that are solved in a shorter time using dedicated methods and applications. The layered structure is a hierarchically associated system of interdependent functional levels. If each level in a stratified system is associated only with its master (upper level) and slave (lower level), such a system is called a layered system. A stratified scheme of a complex, large-scale communication system is presented in Fig. 1.

Fig. 1. Stratified scheme of complex, large-scale communication system.

Decomposition of the communication layer into two closely related topological layers, the physical topology and the logical topology, allows the use of new methods of synthesis and topology reconfiguration. However, the ongoing adjustment of the logical layer (typically constructed using Frame Relay, WDM, etc.) to the requirements of the communication network is limited by technological and administrative restrictions. The conclusion: one of the methods of improving the capacity of modern communication systems is to improve and reorganize the connection dependencies in the protocol topology.

In connection network synthesis, the topology, the number of communication channels, their capacity and the distribution of the system components are sought. Optimization methods developed for this model assume the existence of several levels of communication and functional hierarchy [2, 6]. Methods for optimal and accurate network design have been carefully developed, but they need constant updating because of their low flexibility in an environment of continually evolving network technologies. The algorithms are often subject to numerous restrictions and initial assumptions that prevent their use for the synthesis of real connection networks. These methods are often characterized by high computational complexity and are considered NP-complete problems [7], and parallelizing the computations is usually impossible. Fig. 2 presents the classification of conventional network design tasks.

Fig. 2. The classification of conventional network design tasks. The letter G denotes that the task can be modeled using a graph, and T denotes modeling with a tree. Variable r is a matrix of bandwidth requirements between nodes; c is a matrix determining the unit cost of communication between nodes, wherein r 0 and c 0. Gray marks tasks that are NP-hard to solve, while white highlights tasks of polynomial complexity. In addition, the names of selected design tasks are placed in the figure: OCSTP (Optimal Communication Spanning Tree Problem), OLCSTP (Optimal Link Cost STP), ORSTP (Optimal Route STP).

Most of the algorithms for designing the physical and logical topology are well known. The rest of this article focuses on the methods and means of designing and reconfiguring the protocol topology with the use of a routing protocol and an arbiter.

3 Computer networks in terms of complex systems

The most basic and natural classification of complex network models divides them into deterministic and random networks. Models based on random networks do not apply to any specific network, but to a set of networks with various probabilities of appearing. The edges of random networks are distributed completely at random. This type of network can therefore include real networks and their theoretical models in which randomness is an inherent feature of the creation and evolution processes. In contrast, a deterministic network does not allow for any randomness in its evolution and construction procedures.

Static networks can be compared to an equilibrium state, as the main characteristics of this type of system, such as the number of nodes, the number of links, the bunch factor and the distribution of vertex degrees, do not depend on time (they are constant). In evolving networks, however, characteristics such as the number of nodes and edges, or even the interconnection patterns, depend on time, although the changes over time are usually stationary processes. Therefore, static and evolutionary networks are also called equilibrium and non-equilibrium networks, respectively [8].

In the article [9] a new model of computer networks was proposed, which takes into account self-organization and self-adaptation as mechanisms defining network performance. The conclusions of modern research on computer networks, and in particular on the phenomena occurring in them, clearly show the need to treat them as complex systems, with particular attention to the impact of forwarded traffic on control, threat detection and the selection of infrastructure elements. This would imply a total redesign of the existing network infrastructure with a simultaneous change of the currently used algorithms. Because of cost and organizational issues, such revolutionary action is impossible.
Instead, it is necessary to implement evolutionary mechanisms in networks constructed according to the classical model presented in chapter two. Such an architecture allows non-extensive statistics, self-adaptation and self-organization to be used to manage networks. Such a network architecture is proposed in chapter four.

4 A new complex network architecture

The next layer in the process of creating the network is the routing layer. In fact, this layer creates separate topologies in the dimension of the routing protocol's connections. In this layer, load balancing of routes is the main objective of management. In the article [9] the authors also show that a mismatch between router hardware resources and the current task load can lead to critical system organization and consequently to its failure. Currently one of the most widely used open routing protocols is OSPF. Load balancing in OSPF is implemented using a trivial algorithm based on static metrics and the SPF algorithm. The metric, a cumulative value, is mostly determined on the basis of a static interface parameter called bandwidth. During normal operation of the network this parameter does not change. Fig. 3a shows an example of a network with five routers. For simplicity let's assume that the routers R1, R2, R3, R4 have the same network interfaces, with capacity equal to x. Routers R1, R5, R4 on the alternate path also have interfaces of the same speed, equal to y, wherein x > y.

Fig. 3. a. Routing without load balancing; b. Routing with load balancing.

This configuration is often implemented: route R1, R2, R3, R4 is considered the main route and route R1, R5, R4 is considered an alternative route used only in case of failure. In such a case, as a result of running the SPF algorithm for the flow f, the OSPF route R1, R2, R3, R4 will be selected. To balance the load between the two routes, the cumulative cost of R1, R2, R3, R4 and of R1, R5, R4 has to be identical. Then the Equal Cost Multipath algorithm would be used. Unfortunately, under normal conditions this situation is relatively rare. Asymmetric load balancing (Fig. 3b) may be implemented by modifying the OSPF algorithm, but in a commercial environment such action (modification of router firmware) is impossible. However, from the viewpoint of complex systems, load balancing of resources is a key element. Later, an algorithm is proposed that modifies the routes in the routing table depending on the current analysis of the flow f.

4.1 System architecture

As already mentioned, the OSPF protocol will be adapted to asymmetric load balancing by introducing an arbiter into the network. The architecture of the arbiter may take various forms and can differ between specific implementations. The tests that were carried out were implemented on a Linux system using C++ and a scripting language (using expect commands). It is also possible to use a Network Management System (e.g. Zabbix). The arbiter is able to log on to each of the routers in the network and retrieve sample data from the Command Line Interface and from sFlow and RMON probes. The data collected in this way allows the arbiter to modify the routes to each network. A diagram of such a network is shown in Fig. 4.

Fig. 4. Network with arbiter.

Let the flow f consist of n flows addressed according to the network. For the router R1 the simplified routing table will look like this:

2 2 2

where AD_OSPF means the administrative distance for a given route installed in the routing table. Based on flow and load analysis for the various routes, the arbiter transforms the routing table of router R1 into the following sample form:

2 2 5

This can be done using the floating static route mechanism [10], where and AD_Static < AD_OSPF. This allows asymmetric load balancing according to a number of parameters, including delay, interface load, router load, etc.

4.2 Load balancing algorithm

As already mentioned, to adapt an OSPF network to asymmetric load balancing a new algorithm for switching routes has to be used. A diagram of such an algorithm is presented in Fig. 5. The authors tested many different boundary conditions for route exchange. The algorithm diagram shown below is basically an open framework within which the administrator can create their own control algorithms depending on the specifics of the network.

Fig. 5. Diagram of the algorithm

The algorithm resides in the memory of the arbiter, which connects to the device and in the first step collects statistical data from the probes operating on the device interfaces. The system administrator pre-defines the parameter or set of parameters that will be taken into account when optimizing (load balancing) the flow. The order in which they are selected is also important. In Fig. 5 the load of the router's output interfaces is tested first. If the maximum difference delta C between the interface loads Ei is greater than a specified value (e.g. E1 = 70%, E2 = 20%, E3 = 50%, then C = 50), the algorithm searches for the minimally (x) and maximally (s) loaded interface. The algorithm searches the topology table (not the routing tables) to find all the routes that share a common value next hop = x = y. The routes found are saved in the matrix A, from which a route is selected (e.g. the one with the maximum or minimum load), and a new static route is created for it with administrative distance equal to AD_Static, where AD_Static < AD_OSPF. This route is then installed in the router's routing table, and the interface load marked u decreases by the value of the flow transferred to interface x. Of course, the decision criteria and the boundary conditions can be chosen in a much more sophisticated way. After checking condition 1, the algorithm goes on to check the next condition (2) in an analogous manner. In Fig. 5 the next parameter examined is the delay on each interface. Of course, the number of parameters checked can be larger.

It should be noted that this approach to modifying routes does not require the SPF algorithm (which runs on each router) to be started for each route exchange, which greatly stabilizes the operation of the network. Earlier attempts based on the OSPF protocol itself caused the SPF algorithm to run on the routers at intervals, significantly destabilizing the work of the devices (network interruptions, momentary delays).

Another problem identified while testing the solution is related to the stability of network flows in the time domain. At this stage two aspects have been identified:

1. How long (time tc) should the algorithm wait before another iteration, to stabilize the operation of the network before the next step?
2. Some of the flows relevant to the route showed significant variation in band saturation during the test, and transferring them between interfaces did not give satisfactory results.

To estimate the flow characteristics, the flow can be presented in the form of a time series. The structure of most time series can be described using two basic classes of components: trend and seasonality. The first represents a long-term tendency towards unidirectional change (increase or decrease) in the value of the analyzed variable. The second may formally have a similar nature (e.g. a stabilization period followed by exponential growth), but is repeated at regular time intervals. These two general classes of time series components may coexist in real data series [11, 12]. Particularly important from the point of view of the stability of the algorithm are stationarity and the Hurst exponent. Fig. 7 presents a real computer network data flow. As can be seen, it is stationary at certain intervals. The average bandwidth usage for all traffic is about 9%. However, there are time periods in which traffic grows strongly. A measurement of the traffic level at such a point is not representative of the whole traffic. It is therefore advisable to measure bandwidth saturation over a certain period of time instead of at a single point in time.
The H factor for this traffic is 0.57, which leads to the conclusion that the time series maintains a positive correlation between changes (memory effect) and in the long term should behave stably. The coefficients of determination indicate the presence of a weak trend. This flow should be treated as stable and a good candidate for possible use in load balancing. Unfortunately, performing this kind of ongoing statistical analysis on the routers is impossible. However, it is possible to collect data using the sFlow and RMON protocols and transfer them to the arbiter, which will perform ongoing analysis and identify streams suitable for migration.

The value of the time tc can be determined only by experiments with the current network configuration. If tc is too short, the route can flap between router interfaces, which significantly degrades the performance of the network. Too long a tc limits the impact of the algorithm on network performance. The time tc must correlate with the time needed to establish that the time series representing the flow within the route is stable.

Load balancing of communication channels is one way of modifying the protocol topology in the proposed architecture. The proposed architecture also allows a number of other algorithms to be implemented, based for example on adjusting the load of network nodes to their hardware resources. This method is described in detail in [13], and the algorithms presented there can be implemented in the resources of the arbiter.
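
One pass of the interface-load check (condition 1) described in this section, written as an added Python example; it is not the authors' arbiter code. The link capacities, flows, prefixes, the value AD_STATIC = 105 and the rule for picking a route from matrix A (the move that leaves the smallest load gap) are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import NamedTuple

AD_OSPF = 110    # default administrative distance of OSPF routes on Cisco IOS
AD_STATIC = 105  # assumed value; the text only requires AD_STATIC < AD_OSPF
assert AD_STATIC < AD_OSPF


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network
    next_hop: str        # neighbour currently used (route installed by OSPF)
    alternatives: tuple  # other next hops present in the topology table
    flow_mbps: float     # measured flow towards this prefix


class StaticRoute(NamedTuple):
    prefix: str
    next_hop: str
    distance: int


def utilisation(samples_mbps, capacity_mbps):
    """Mean utilisation in percent over the measurement window, not one sample."""
    return 100.0 * mean(samples_mbps) / capacity_mbps


def arbiter_step(capacity, samples, routes, delta_c, now, last_change, t_c):
    """One pass of the load condition. Returns (StaticRoute or None, reason)."""
    if now - last_change < t_c:
        return None, "hold-down"      # let the network settle for t_c first
    load = {hop: utilisation(samples[hop], capacity[hop]) for hop in capacity}
    busiest = max(load, key=load.get)
    idlest = min(load, key=load.get)
    gap = load[busiest] - load[idlest]
    if gap <= delta_c:
        return None, "balanced"
    # "Matrix A": routes on the busiest link that the topology table can also
    # reach through the least loaded neighbour.
    matrix_a = [r for r in routes
                if r.next_hop == busiest and idlest in r.alternatives]

    def gap_after(route):
        moved_from = load[busiest] - 100.0 * route.flow_mbps / capacity[busiest]
        moved_to = load[idlest] + 100.0 * route.flow_mbps / capacity[idlest]
        return abs(moved_from - moved_to)

    # Assumed selection rule: take the move that leaves the smallest gap, and
    # only if it improves on the current gap (otherwise the route would flap).
    best = min(matrix_a, key=gap_after, default=None)
    if best is None or gap_after(best) >= gap:
        return None, "no-improving-route"
    return StaticRoute(best.prefix, idlest, AD_STATIC), "moved"


# Constructed sample: R1 with a fast link to R2 (x) and a slow link to R5 (y), x > y.
CAPACITY = {"R2": 1000.0, "R5": 100.0}                          # Mbit/s
SAMPLES = {"R2": [700, 720, 950, 710], "R5": [10, 12, 8, 10]}   # Mbit/s per sample
ROUTES = [
    Route("10.0.1.0/24", "R2", ("R5",), 400.0),
    Route("10.0.2.0/24", "R2", ("R5",), 40.0),
    Route("10.0.3.0/24", "R2", ("R5",), 330.0),
]

if __name__ == "__main__":
    print(arbiter_step(CAPACITY, SAMPLES, ROUTES,
                       delta_c=50, now=600, last_change=0, t_c=300))
```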

[Plot: interface utilization (%) over time (minutes)]

Fig. 6. Router interface utilization of real network flow for one of the routes.

5 Possibilities of using the proposed architecture

In complex network environments there is often a need to separate the data plane of network devices from the control plane. This model is called Software Defined Network (SDN) and is dedicated to complex networks. Unfortunately, support for this type of processing is implemented in new devices and does not cover all currently used solutions. The proposed architecture can complement SDN networks and fits into the new philosophy of reactive networks, with an interface that lets the programmer develop code that directly controls the physical network devices. At present, tests on devices are performed using SSH, sFlow, NetFlow and RMON, but in the long term a RESTful API will be used.

In this chapter, detection of anomalies in network traffic is presented as an example of using the proposed architecture to implement new, original algorithms. In complex networks, because of the large traffic intensity and its complexity, it is not possible to perform ongoing analysis of all network traffic (Deep Packet Inspection) for threat detection. The proposed architecture allows a rough traffic analysis to detect anomalies in the traffic and then redirects only the suspected flow to DPI. A copy of the traffic from the router port is redirected to the arbiter using the port mirroring technique (Fig. 7). This does not introduce any delays and does not interfere with the traffic sent to routers R2 and R5. After an anomaly has been detected and analyzed (up to layer 7 of the ISO/OSI model), a flow that is a potential attack is blocked.
For rough detection of anomalies, the Anomaly Detection (AD) module uses a statistical signature [14].

Fig. 7. AD module - operating diagram.

In Fig. 8 the flow registered in a real network is presented (solid line). Then, while the traffic was being recreated on the router interface (using a traffic generator), an attack was performed (Internet Explorer "Aurora" exploit) and the system compared which statistical values of the traffic had changed.

Table 1. Changes in statistical parameters during the attack

Statistical parameter    Before attack    Under attack
Average                  629,37           620,33
Median                   352,00           62,00
Standard deviation       632,88           653,73
Kurtosis                 -1,54            -1,60
Slant                    0,48             0,50

Table 1 shows the change in the statistical parameters for traffic with an anomaly. The value of the H parameter also changes, from 0.56 before the attack to 0,3 during the attack. Based on the analysis of these parameters, the arbiter may decide to send the traffic to the DPI module.
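
The statistical signature used by the AD module, and the Hurst exponent that Section 4.2 uses to judge whether a flow is stable enough to migrate, can be computed as in the following added Python example (not the authors' implementation). It assumes population moments, a rescaled-range (R/S) estimate of H, a 25% relative tolerance, and reads the "Slant" row of Table 1 as skewness; the two generated series are constructed test data.

```python
import math
import random
from statistics import mean, median, pstdev


def hurst_rs(series, min_chunk=8):
    """Hurst exponent H by rescaled-range analysis: slope of log(R/S) over log(n)."""
    points, n = [], min_chunk
    while n <= len(series) // 2:
        ratios = []
        for start in range(0, len(series) - n + 1, n):
            chunk = series[start:start + n]
            m, s = mean(chunk), pstdev(chunk)
            if s == 0:
                continue                  # a flat chunk has no range to rescale
            run = lo = hi = 0.0
            for v in chunk:               # range of the cumulative deviation
                run += v - m
                lo, hi = min(lo, run), max(hi, run)
            ratios.append((hi - lo) / s)
        if ratios:
            points.append((math.log(n), math.log(mean(ratios))))
        n *= 2
    if len(points) < 2:
        raise ValueError("series too short or constant")
    mx = mean([p[0] for p in points])
    my = mean([p[1] for p in points])
    return (sum((x - mx) * (y - my) for x, y in points)
            / sum((x - mx) ** 2 for x, _ in points))


def signature(series):
    """Parameters of Table 1 plus H for one observation window (population moments)."""
    m, sd = mean(series), pstdev(series)
    if sd == 0:
        raise ValueError("constant series")
    z = [(v - m) / sd for v in series]
    return {"mean": m, "median": median(series), "stdev": sd,
            "kurtosis": mean([v ** 4 for v in z]) - 3.0,    # excess kurtosis
            "skewness": mean([v ** 3 for v in z]),
            "hurst": hurst_rs(series)}


def drifted(baseline, current, rel_tol=0.25):
    """Parameters whose relative change against the baseline exceeds rel_tol."""
    return sorted(k for k in baseline
                  if abs(current[k] - baseline[k]) > rel_tol * abs(baseline[k]))


# Values reported on the page (Table 1 and the H values in the text).
BEFORE = {"mean": 629.37, "median": 352.00, "stdev": 632.88,
          "kurtosis": -1.54, "skewness": 0.48, "hurst": 0.56}
ATTACK = {"mean": 620.33, "median": 62.00, "stdev": 653.73,
          "kurtosis": -1.60, "skewness": 0.50, "hurst": 0.3}


def constructed_series(n=1024, seed=7):
    """Constructed data: white noise and its running sum (a persistent series)."""
    rng = random.Random(seed)
    noise = [rng.gauss(0.0, 1.0) for _ in range(n)]
    walk, total = [], 0.0
    for v in noise:
        total += v
        walk.append(total)
    return noise, walk


if __name__ == "__main__":
    noise, walk = constructed_series()
    print("H noise/walk:", round(hurst_rs(noise), 2), round(hurst_rs(walk), 2))
    print("send to DPI because of:", drifted(BEFORE, ATTACK))
```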

[Plot: traffic (p/s) over time (s)]

Fig. 8. Solid line: traffic without attack; dotted line: traffic with Internet Explorer "Aurora" exploit.

6 Summary

Modern computer networks are multilayer structures. The general classification proposed in this work identifies three main layers: physical topology, logical topology and protocol topology. The methods and means of designing the first two layers are known, and the authors show them in the second section. The physical topology is a static structure that offers no possibility of quick reconfiguration. The logical topology, realized with different technologies (e.g. WDM, MPLS, FR), makes reconfiguration possible, but it cannot be carried out in real time in response to traffic demands. The authors focused on the protocol topology and the possibility of reconfiguring it, in particular on load balancing. Further work will focus on the use of policy-based routing to implement a holistic approach to managing traffic and QoS in the network.

7 Bibliography

1. Yang Y., Wang J.: Optimal all-to-all personalized exchange in a class of optical multistage networks; IEEE Computer Society, Parallel and Distributed Systems, IEEE Transactions on, Vol. 12, Issue 6, pp. 567-582, New York 2001.
2. Hajder M., Bolanowski M., Paszkiewicz A.: Projektowanie topologiczne sieci WDM; Wydawnictwo Politechniki Łódzkiej, X Konferencja Sieci i Systemy Informatyczne, t. 1, ss. 77-89, Łódź 2002.
3. Hajder M., Bolanowski M., Paszkiewicz A.: Problems and perspective of telecommunications systems development; Kremenchuk State Polytechnical University, International Conference of Science and Technology Scalnet'04, Scalable Systems and Computer Networks Design and Applications, pp. 66-70, Kremenchuk 2004.
4. Т. Саати: Принятие решений. Метод анализа иерархий; Радио и связь, Москва 1993.
5. M.D. Mesarovic, D. Macko, Y. Takahara: Theory of hierarchical multilevel systems; Academic Press, New York and London, 1970.
6. M. Hajder, M. Bolanowski, P. Dymora: Models of designing interconnection systems problem; Wydawnictwo Politechniki Łódzkiej, XII Konferencja Sieci i Systemy Informatyczne, ss. 77-85, Łódź 2004.
7. M. Hajder, M. Bolanowski, A. Hanus: The topological design of optical interconnection systems selected problems; Kremenchuk State Polytechnical University, International Conference of Science and Technology Scalnet'04, Scalable Systems and Computer Networks Design and Applications, pp. 16-23, Kremenchuk 2004.
8. Fronczak A., Fronczak P.: Świat sieci złożonych. Od fizyki do Internetu, Wydawnictwo Naukowe PWN 2009.
9. Grabowski F., Paszkiewicz A., Bolanowski M.: Computer networks as complex systems in nonextensive approach, t. 21, s. 31-44, Journal of Applied Computer Science, z. 2, 2013.
10. Wendell O.: CCNA Routing and Switching 200-120 Official Cert Guide Library, Cisco Press 2013.
11. Misiorek A., Weron R.: Modelowanie sezonowości a prognozowanie zapotrzebowania na energię elektryczną, Centrum im. H. Steinhausa, Politechnika Wrocławska, Wrocław 2004.
12. Sobczyk M.: Statystyka: aspekty praktyczne i teoretyczne, Wydawnictwo Uniwersytetu Marii Curie-Skłodowskiej, Lublin 2006.
13. Grabowski F., Paszkiewicz A., Bolanowski M.: Load Balancing of Communication Channels with the use of routing protocols, t. 14, s. 77-85, Uniwersytet Marii Curie-Skłodowskiej w Lublinie, Annales Universitatis Mariae Curie-Skłodowska Sectio AI Informatica, z. 3, 2014.
14. Bolanowski M., Paszkiewicz A.: Nowy model detekcji zagrożeń w sieci komputerowej, t. 89, s. 308-311, Wydawnictwo Sigma-Not Sp. z o.o., Przegląd Elektrotechniczny, z. 11, 2013.