Construction of Secure Internal Networks

with Communication Classifying System

Yuya Sato

, Hirokazu Hasegawa

and Hiroki Takakura

Graduate School of Informatics, Nagoya University, Japan

Information Strategy Ofﬁce, Nagoya University, Japan

Center for Cybersecurity Research and Development, National Institute of Informatics, Japan

Keywords:

Targeted Attacks, Network Separation, Access Control.

Abstract:

Recent sophistication of cyber attacks makes us difﬁcult to protect our networks completely. Because dedi-

cated malwares that targeted cyber attacks use may slip through traditional countermeasures like ﬁrewalls or

intrusion detection systems. Separated network (e.g., separating network into several segments and controlling

access among sub-networks.) is one of effective countermeasure against targeted attacks. In order to support

constructing separated networks, we have proposed automated ACL generation system previously. However,

the system may overly permit communication because it focuses on business continuity. In this paper, we

propose a Communication Classifying System for constructing secure internal networks. When a communi-

cation occurs in a section previous system permitted, the proposed system analyzes it. The system evaluates

consistency of communication by comparing communication and reason that previous system permitted such

communication. If a communication which lacks consistency is detected, the system additionally analyzes it.

In this additional analysis, the system checks states of destination terminals. If a destination terminal is liste-

ning port for protocol of occurred communication, the system judges such communication is proper. By using

the result classiﬁcation, we can prohibit the communication section that previous system overly permitted.

1 INTRODUCTION

Recently, cyber attacks aimed at organizations, e.g.,

governments or companies, are conducted frequently.

Such attacks, called targeted attacks, use sophistica-

ted method to achieve purposes. For example, they

use targeted e-mail attacks(Information-technology

Promotion Agency, Japan, 2012) or water hole attacks

for intrusion, and such attacks may slip through tra-

ditional countermeasures, e.g. ﬁrewall, intrusion de-

tection system, and so on. Because of such situation,

recent countermeasures focus on the mitigation of da-

mages like information leakage after intrusion of mal-

wares(P. Cichonski, T. Miller, T. Grance, and K. Scar-

fone, 2012).

Separated network is one of the effective

countermeasure against targeted attacks(Information-

technology Promotion Agency, Japan, 2011). It is a

network design method for separating internal net-

work into several sub-networks and controlling access

among separated sub-networks. It makes us possi-

ble to restrict unnecessary communication. In other

words, we can prevent malware’s activities in the net-

work. In addition, when malwares try to communi-

cate in prohibited section, we can sense the such acti-

vity and specify suspicious terminal rapidly. Howe-

ver, we need a huge amount of cost to construct sepa-

rated network. In order to construct such network, it

is necessary to gather a lot of information, e.g., human

resource information, business content, ﬂow of infor-

mation, and so on, to decide how to separate network

and which communication to be permitted. This con-

struction cost is an obstacle for organization to adopt

separated network.

To solve such problem, we have proposed a sy-

stem that generates an ACL of internal network au-

tomatically. The system uses directory service infor-

mation to collect user’s access authority against ﬁles

in servers. We can prohibit communication between a

user and a server if the user has no access authority to

such server. In addition, the system collects mirrored

trafﬁc to analyze necessity of communication in the

network, and permits communication if it occurs.

This method, e.g., all communication sections are

permitted if communication occurs in it, has two pro-

blems. The ﬁrst is that it may prohibit necessary com-

552

Sato, Y., Hasegawa, H. and Takakura, H.

Construction of Secure Internal Networks with Communication Classifying System.

DOI: 10.5220/0007571905520557

In Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP 2019), pages 552-557

ISBN: 978-989-758-359-9

munication when it does not occur during the system

collects trafﬁc. The second is that it may permits

unintended communication. For example, if malwa-

res perform communication during trafﬁc collection,

such communication section will be permitted.

In this paper, in order to solve above second pro-

blem, we propose communication classifying system

to judge normality of communication. Proposed sy-

stem uses a reason that the previous system permits

communication and a state of destination terminal for

judgement. Result of this judgement makes us pos-

sible to prohibit communication that the previous sy-

stem overly permitted.

2 RELATED WORKS

There are many researches to construct VLAN for the

internal network. Watanabe et al. proposed automati-

cally VLAN construction method focusing on amount

of trafﬁc volume(T. Watanabe, T. Kitazaki, T. Idegu-

chi, and Y. Murata, 2005). In this method, they use

network trafﬁc data to decide network design. When

a certain amount of communication occurs among ter-

minals, such terminals belong to same VLAN. Howe-

ver, from the viewpoint of security, it may not be able

to prevent the malware activities. A terminal with a

small communication volume belongs default VLAN

in this method. This means that if there are inactive

malwares to hide in the network, such infected termi-

nal may belong default VLAN and it can communi-

cation with all terminals in default VLAN. There are

any other researches to support construction or ma-

nagement VLAN(A.K. Nayak, A. Reimers, N. Feam-

ster, and R. Clark, 2009)(T. Miyamoto, T. Tamura, R.

Suzuki, H. Hiraoka, H. Matsuo, M. Izumi, and K. Fu-

kunaga, 2000), however, it is difﬁcult to construct ﬁne

access controls among VLANs.

In addition, there are several products such as

“VLAN .Conﬁg”

to construct VLAN automatically.

Such products make us possible to construct VLAN to

our network, however, it is difﬁcult to generate ACLs

as same as above researches.

http://www.iiga.jp/solution/conﬁg/vlan.html

3 OUR PREVIOUS RESEARCH

3.1 An Automated ACL Generation

System using Directory Service

Information and Network Trafﬁc

Data

In order to support constructing separated network,

we proposed a system which generates ACL automa-

tically by using directory service information and net-

work trafﬁc data(H. HasegawaY. YamaguchiH. Shi-

mada, and H.Takakura, 2017). The system generates

ACL based on access authority. If a user of a host has

access authority to ﬁles in a server, the system judges

communication between the host and the server is ne-

cessary. On the other hand, if the access from a host

to server is prohibited, the communication between

them is judged as unnecessary and the system restricts

such communication. Because directory service ser-

vers generally manage access authorities from hosts

to ﬁles in servers, the system refers directory service

server in organizations.

In addition, the system conﬁrms the effectiveness

of generated ACL by using network trafﬁc data. Be-

fore applying generated ACL, the system collects mir-

rored packets from the network. When communica-

tion prohibited by the ACL is observed, the system

reevaluates that communication is necessary and re-

writes the ACL. By executing these procedures, the

system can generate an ACL, and we can construct a

separated network easily by applying such ACL.

In this paper, we call this system as “Automated

ACL Generation System”.

3.2 Dynamic Access Control Method

with SDN for Practical Network

Separation

The previous system makes us possible to construct a

separated network easily, however, it may prohibit ne-

cessary communication under the following scenario.

Since the system uses mirrored trafﬁc in the network

to judge the necessity of the communication section,

it judges necessary communication as unnecessary if

the communication does not occur during the system

collects mirrored packets.

In order to solve such problem, we proposed a

system that dynamically generates ACL using SDN

(Software Deﬁned Networking)(S. Nakamura, H. Ha-

segawa, Y. Tateiwa, H. Takakura, Y Kim and Y. Ka-

tayama, 2017). Firstly, in this paper, we call this sy-

stem as “Dynamic Access Control System”. Automa-

Construction of Secure Internal Networks with Communication Classifying System

553

ted ACL Generation System generates ACL and ap-

plies it to a network. In this time, we assume that the

network is consist of SDN switches, and Automated

ACL Generation System conﬁgures such SDN swit-

ches for applying ACL. In addition, SDN switches

are conﬁgured that when a prohibited communication

occurs, they inform to Dynamic Access Control Sy-

stem by sending Packet-In message.

When the prohibited communication occurs, Dyn-

amic Access Control System permits such communi-

cation temporarily, and analyzes them. According to

the result of analysis, the system dynamically chan-

ges ACL, e.g., prohibiting the communication section

again or permitting the communication section per-

manently.

3.3 Problems

Our previous researches basically focus on business

continuity. However, this may cause overly permits

of communication. For example, if Automated ACL

Generation System collects mirrored packets which

is caused by malware’s activity and judges the acti-

vity as benign, the system generates ACL that permits

such malicious communication.

In addition, Automated ACL Generation System

system generates ACL that is only based on IP ad-

dress because the system judges necessity of commu-

nication based on “the existence of L3 packets”. If the

system judges that there are any necessary communi-

cation in the communication section, all protocols of

communication is permitted in that section.

4 COMMUNICATION

CLASSIFYING SYSTEM FOR

SECURE INTERNAL

NETWORKS

4.1 Outline of Proposal

In this paper, we propose a method to generate ACL

that prohibits communication sections our previous

systems overly permitted. The proposed system gat-

hers trafﬁc of internal network to investigate them ca-

refully. In this investigation, the system compares

protocols of mirrored trafﬁc and factors the previous

systems permitted communication. In addition, the

system compares such protocols and listening port of

destination terminals. The system judges the rightful-

ness of communication actually occurred in the net-

work by this investigation.

If the illegal communication is detected, the sy-

stem generates new ACL to prohibit such communi-

cation. By this mechanism, only necessary protocols

are permitted. The system recommends new ACL to

administrators, and administrators apply the ACL if

they judged it necessary. This makes us possible to

make the internal network more secure.

4.2 Assumption

The proposed system complements our previous sy-

stems. The system assumes that the ACL generated

by Automated ACL Generation System is already ap-

plied to the network, and Dynamic Access Control

System monitors such network. We assume that the

internal network is roughly divided into several seg-

ments based on the departments.

To make discussion simple, in this paper, it is as-

sumed that all terminals are statically assigned IP ad-

dress and that IP address assignment information is

managed in directory service server. However our

method can be easily applied to dynamic IP address

environment, e.g., DHCP. For example, by using any

authentication mechanism, e.g., IEEE 802.1X, we can

identify whose device is connected to the network.

In this time, there are several ways to control de-

vice’s communication, e.g., assigning the appropri-

ate VLAN the user should belong, updating ACL by

using assigned IP address, and so on.

When the ACL is generated, it is registered to

ACL DB in Automated ACL Generation System.

This database manages only list of source IP address

and destination IP address. In this paper, we extend

this database to have three new columns. The ﬁrst is

“Permitted Reason”. The column stores reason why

communication is permitted, e.g., directory service

information or communication analysis. We revise

Automated ACL Generation System to treat the co-

lumn.

The remaining two columns are “Destination

Port” and “Status”. These columns are used only by

the proposed system. Therefore, Automated ACL Ge-

neration System does not store any value in the co-

lumns.

4.3 Architecture

Figure 1 shows the architecture of the proposed sy-

stem. The system consists of ﬁve modules and the da-

tabase described previously. Details of each module

will be described in below.

ICISSP 2019 - 5th International Conference on Information Systems Security and Privacy

554

Internal Network

Administrator

List of Packet Information

for Permit

List of Packet

Information

Automated ACL

Generation System

ACL DB

(Extended)

Traffic Collector

Management

Monitor

Checklist

Generator

Packet

Information

ACL

Proposed System

Mirrored Packets

DPort

Analysis

Packet

Information

Packet

Information

Update

Check Listening Ports

Permitted Reason,

Destination Port, Status

Approval

Consistency

Judgement

Figure 1: Architecture of a Proposed System.

4.3.1 Trafﬁc Collector

This module receives all mirrored packets generated

in the internal network. We assume the period of col-

lecting packets is statically decided in advance, e.g., 1

day. It generates Packet Information including source

IP addresses, destination IP addresses, and destination

ports extracted from collected packets. List of Packet

Information is sent to Consistency Judgement.

4.3.2 Consistency Judgement

After receiving the list of Packet Information, Con-

sistency Judgement searches records of ACL DB for

each communication section which is speciﬁed by

each pair of source and destination IP addresses.

When Automated ACL Generation System ﬁrstly ge-

nerates ACL, the system registers to ACL DB a record

for permitted communication section with empty sta-

tus ﬁeld. If there is only one record for the pair and

such record’s status ﬁeld is empty, it is the ﬁrst time

for proposed system to analyze the communication

section. Otherwise, one or several records including

destination port are registered.

If a record is registered by proposed system, status

is “analyzed” as discussed in section 4.3.5. When Dy-

namic Access Control System permits several com-

munication protocols in a communication section, it

registers such communication to ACL DB with “not

analyzed” status. When the status of a communica-

tion section is empty, all protocols captured in such

communication section are analyzed. If the status is

not empty, only protocols with “not analyzed” status

are analyzed.

To analyze the consistency of collected communi-

cation protocol, Consistency Judgement ﬁnds the re-

ason of communication permission by checking ACL

DB. There are six combinations of collected packet

and permitted reason as shown in Table 1.

Table 1: Combinations of Permitted Reason and Collected

Packet.

Permitted Reason

Collected Packet DSI DSI+CA CA

SMB 1 2 3

Other Port 4 5 6

There are three patterns of permission reason, Di-

rectory Service Information(DSI), DSI and Commu-

nication Analysis(CA), and CA. In addition, we clas-

sify captured protocols to SMB or Other Port be-

cause Automated ACL Generation System uses direc-

tory service information to check the necessity of ﬁle

sharing communication. In this paper, we assume the

environment where SMB is used for shared access to

ﬁles, printers and so on. SMB uses multiple ports and

protocols, e.g., 445/tcp. This paper uses term “SMB

protocol” to denote the set of all protocols as for sim-

plicity.

1. DSI and SMB:

If the permission reason of a communication

section is DSI and SMB protocol is observed,

this communication has consistency. In this case,

Consistency Judgement sends this Packet Infor-

mation to Check List Generator module.

2. DSI+CA and SMB:

In this case, communication based on the SMB

protocol can be consistency. Consistency Jud-

gement sends this Packet Information same as

the case 1. However, if any other protocols are

not observed, all communication except for SMB

protocol is prohibited by the proposed system

even if the protocols were captured during ana-

lysis phase performed by Automated ACL Gene-

ration System. Against such situation, Dynamic

Access Control System permits such communica-

tion when it is observed.

3. CA and SMB:

In this case, captured SMB packet lacks con-

sistency. However, because Automated ACL

Generation System ignores protocol of captured

communication, captured packet has consistency

if Automated ACL Generation System captured

SMB packet during analysis phase. For example,

when a user shares ﬁle with other person directly,

the directory service server does not take part in

such ﬁle sharing and such communication is per-

mitted by communication analysis of Automated

ACL Generation System. Against such situation,

Consistency Judgement sends Packet Information

to DPort Analysis module not to prohibit such

communication.

4. DSI and Other Port:

Construction of Secure Internal Networks with Communication Classifying System

555

If any protocols other than SMB are observed,

Consistency Judgement sends Packet Information

to DPort Analysis in order to analyze precisely.

However, only about this case, such communica-

tion may be unnecessary, e.g., it is sent by mal-

wares. Based on the security policy of organiza-

tion, if administrator want to take safer, Consis-

tency Judgement does not send Packet Informa-

tion. This restricts such communication section,

and Dynamic Access Control System permits the

communication if it is necessary.

In addition, if SMB protocol is not observed and

there is a record of that communication section

with empty destination port ﬁeld, Consistency

Judgement sends Packet Information including

such communication section and SMB destination

port not to restricts SMB communication.

5. DSI+CA and Other Port:

Because this communication has consistency,

Consistency Judgement sends Packet Information

to DPort Analysis. As same as case 4, it sends

Packet Information concerned with SMB if SMB

communication does not occur.

6. CA and Other Port:

In this case, only Packet Information concerned

with a captured protocol is sent to DPort Analysis.

4.3.3 DPort Analysis

This module analyzes normality of communication

ﬁnely by checking the current standing-by states of

destination terminals. We describe about analyzing

method of this module in section 5.

According to the result of analysis, if DPort Ana-

lysis judges the captured packet is proper, it sends

such Packet Information to Checklist Generator. On

the other hand, when the packet is judged as unneces-

sary, such packet’s Packet Information is deleted by

this module.

4.3.4 Check List Generator

This module receives Packet Informations from Con-

sistency Judgement module or DPort Analysis mo-

dule. All communication sections concerned with

such Packet Information are judged as proper by these

modules. Check List Generator combines these Pac-

ket Informations and generates list of Packet Infor-

mation to check by administrator. The generated list

of Packet Information is sent to Management Monitor

module.

4.3.5 Management Monitor

When receiving the list of Packet Information which

requires permission for each communication section,

Management Monitor represents administrators the

list. Administrators check the destination port of each

communication section. If administrators do not want

to permit a port number in the list, they instruct Mana-

gement Monitor to deny the communication section.

On the other hand, if they want to permit an additional

port, the instruction to add the port is sent to Manage-

ment Monitor. Finally, Management Monitor updates

the ACL DB to register each Packet Information chec-

ked by administrators with “analyzed” value of status

ﬁeld. At this time, if there is a record of that com-

munication section with empty destination port ﬁeld,

this module deletes such record. After updating ACL

DB, Automated ACL Generation System apply it to

the network.

5 COMMUNICATION

CLASSIFICATION BASED ON

LISTENING PORT OF

DESTINATION TERMINALS

Different from Automated ACL Generation System

which permits communication every time when it ob-

serves new communication section, proposed system

analyzes its normality by assessing listening ports of

destination terminals.

5.1 Obtain Terminals States

There are several ways to identify listening ports of

terminals. In this paper, we assume two ways to

obtain them.

5.1.1 Depend on Management Information

If we have a server which manages all terminals in the

network, the proposed system can obtain the informa-

tion of listening ports from the server. In case that

a destination terminal is server, this method is work

effectively. For example, if it is identiﬁed that a ser-

ver provides http service, the system can understand

that the server listens on 80/tcp. However, if private

ports are listened by any services, the system cannot

specify such port number.

5.1.2 Port Scanning

When there is no information of listening ports, the

system performs port-scanning against destination

ICISSP 2019 - 5th International Conference on Information Systems Security and Privacy

556

terminals in the network. The system can gather liste-

ning ports certainly, however, a lot of trafﬁc occurs by

port-scanning. In addition, the system has to be able

to reach all terminals in the network.

5.2 Judgement of Normality

In case of legitimate communication, the destination

terminal has to listen its proper ports of services. Be-

cause of such assumption, if the destination port of

a communication is listened on destination terminal,

proposed system judges the communication is proper.

On the other hand, if the port is blocked, the commu-

nication is judged as unnecessary and to be restricted.

6 CONCLUSION

In this paper, we proposed a system to classify com-

munication captured in the internal network. It jud-

ges normality of communication by comparing it and

reason of it is permitted in ACL or states of destina-

tion terminals. By using this classiﬁcation, we can ex-

clude abnormal or unnecessary communication from

permitted list of access control.

The proposed system is still in a concept level. As

future works, we will implement the proposed system,

and evaluate its effectiveness by applying to real net-

work. In addition, we have to evaluate the accuracy

of classiﬁcation method this paper proposes.

REFERENCES

A.K. Nayak, A. Reimers, N. Feamster, and R. Clark (2009).

Resonance: Dynamic Access Control for Enterprise

Networks, Proceedings of the 1st ACM workshop on

Research on enterprise networking, pp.11–18.

H. HasegawaY. YamaguchiH. Shimada, and H.Takakura

(2017). An Automated ACL Generation System using

Directory Service Information and Network Trafﬁc

Data (in japanese), The IEICE Transactions on In-

formation and Systems(Japanese Edition), Vol.J100D,

No.3, pp.353-364.

Information-technology Promotion Agency, Japan (2011).

Design and Operational Guide to Protect against

“Advanced Persistent Threats” Revised 2nd edition.

https://www.ipa.go.jp/ﬁles/000017299.pdf.

Information-technology Promotion Agency, Japan

(2012). Countermeasures against Targeted Attack

Mail. https://www.ipa.go.jp/security/english/virus/

antivirus/pdf/targeted attack mail measures eng.pdf.

P. Cichonski, T. Miller, T. Grance, and K. Scarfone (2012).

Computer Security Incident Handling Guide, NIST

SP800-61 Rev.2.

S. Nakamura, H. Hasegawa, Y. Tateiwa, H. Takakura, Y

Kim and Y. Katayama (2017). A Proposal of Dynamic

Access Control with SDN for Practical Network Se-

paration, IEICE Technical Report, Vol.117, No.299,

pp.65–69.

T. Miyamoto, T. Tamura, R. Suzuki, H. Hiraoka, H. Matsuo,

M. Izumi, and K. Fukunaga (2000). VLAN Manage-

ment System on Large-scale Network (in Japanese),

IPSJ Journal, Vol.41, No.12, pp.3234-3244.

T. Watanabe, T. Kitazaki, T. Ideguchi, and Y. Murata

(2005). A Proposal of Dinamic VLAN Conﬁgura-

tion with Trafﬁc Analyzation and Its Evaluation Using

a Computer Simulation (in Japanese), IPSJ Journal,

Vol.46No.9, pp. 2196–2204.

Construction of Secure Internal Networks with Communication Classifying System

557