1. Introduction
The contemporary cyber battlefield environment continues to rapidly change around the world and increasingly faces many cyber threats. Cyber powers around the world are conducting cyber information-gathering activities in cyberspace, a global domain within the Internet-based information environment and conducting cyber intelligence preparation of the battlefield (IPB) to prepare for future cyber operations. IPB includes activities to analyze the impact on the operations of both enemy and friendly forces by synthesizing and analyzing information on the expected enemy, terrain, and weather [1]. Such analysis produces various types of information such as cyberspace intelligence (CyberINT), open-source intelligence (OSINT), and geospatial intelligence (GEOINT), and cyber sign information, cyber target information, and judgment information. In cyberspace, ground, air, maritime, and space forces associated with cyber forces must achieve cyber-predominance to ensure safe and reliable operational activities in a given time and space. Through cyber- predominance, uncertainty in a battlefield situation between cyber operations should be minimized, and a commander's prompt and accurate command control and determination should be possible. Research on the battlefield visualization of various cyberspaces is actively being conducted to ensure an effective cyber IPB and cyber situation recognition [2-5].
This paper designed architecture by classifying cyberspace into a physical, logical network layer and cyber persona layer to visualize the cyber battlefield using BGP archive data, which is comprised of BGP connection information data of routers around the world. To implement the architecture, BGP archive data was analyzed and pre-processed, and cyberspace was implemented in the form of a Di-Graph. Through this, we analyzed actual North Korea’s BGP and OSINT data to implement North Korea’s cyber battlefield centered on the Internet network in the form of a prototype. Information products obtained through visualization were classified for each layer of cyberspace, and a visualization method was proposed for performing cyber IPB.
2. Related Work
2.1 Cyber Situation Awareness (Cyber SA) Overviews
The concept of cyber situational awareness in the US joint doctrine refers to the current or predictable knowledge of cyberspace and the operational environment and cyberspace on which cyber operations depend, including all factors that affect cyberspace and allies and enemies [6]. Using the Common Operational Picture (COP), the commander continuously evaluates the operational environment through intelligence on troops in the operating environment, reporting functions, personnel monitoring, threat warning, and various activities. The defense network is the primary means of collecting information used by commanders to recognize the operational environment's situation, including the current system status.
Therefore, managing the collection means, communication channels, information programs (Data Feed), user interfaces, etc., of the defense network is a major activity of the defense network operation [6].
The realm of cyber operations is gradually expanding from domestic to global. It is difficult to identify an enemy that quickly adapts to a constantly changing operational environment. For this reason, commanders must be aware of the situation accurately and comprehensively for rapid decision making. For effective cyber situational awareness, BGP archive data, which is data collected from network collection centers worldwide, is utilized, and OSINT information, which is public source information applying cyber battlefield information analysis theory, must be quickly fused and linked to visualize. A typical case of BGP-based visualization research for cyber situation recognition was analyzed, as shown in Table 1. Through theoretical consideration, each research case was analyzed by visualization technique, core function, level of detail, and use cases.
Table 1. Visualization Works based on BGP for Cyber Situation Awareness
Soon Tee Teoh et al.(2006) [7] proposed a model called BGP Eye, a visualization tool for analyzing the root cause of BGP abnormalities. Unlike the previous approach, BGP Eye analyzed BGP abnormal symptoms in real-time through hierarchical analysis. Also, through several valuable points, it provided the ability to analyze BGP anomalies in the Internet-centric view and the home-centric view of a specific autonomous system. James Shearer et al.(2008) [8] proposed a model called BGPeep that visualizes BGP traffic at a detailed level using a novel depiction of IP-space. This tool highlights aspects of BGP data that have received less attention in previous visualization applications to help form a complete picture of an important part of the Internet communications infrastructure. Ernst Biersack et al.(2012) [9] proposed the VIS-SENSE model for analysts to detect abnormal routing patterns in vast amounts of BGP data through network visualization. We emphasized how to visualize BGP monitoring to identify prefix hijacking attacks through malicious intent. William. Heinbockel et al.(2016)[10] proposed a model called MN CD2-WP2, a hierarchical graph-based tool that shows interdependencies between mission objectives, operations, information, and cyber assets. It was developed based on military scenarios at the strategic level within a structured methodology for cyber resilience analysis. Syamkumar et al.(2016) [11] proposed a model called Bigfoot, a BGP update visualization system designed to highlight and evaluate various actions in an update stream. It is a concept to visualize network prefixes through the geographic location of IP and was developed to filter, organize, analyze and visualize BGP updates so that you can effectively identify the characteristics and behaviors of interest. Alex Ulmer et al.(2018) [12] proposed a model called Global Geo-IP Changes, an interactive visualization system that relies solely on Geo-IP data to raise awareness of data sources. Over time, it was developed to analyze suspicious cases through an IP block owner and location information in Geo-IP data. Paulo Fonseca et al.(2019) [13] proposed a model that can simply observe the volume and AS route functions and BGP traffic changes most commonly used in BGP anomaly detection technology. It was developed to analyze the trend of BGP behavior that can be used to distinguish abnormal behavior and various types of abnormal traffic and general traffic. Syamkumar et al.(2020) [14] proposed a model called BigBen, a network telemetry processing system designed to accurately and timely report Internet events (interruptions, attacks, configuration changes, etc.). It was developed to identify a wide range of Internet events, characterized by location, range, and duration, and to compare detected events with events detected by large active probe-based detection systems..Massimo Candela et al.(2020) [15] proposed a model called Upstream Visibility for scenario-based monitoring of Internet events (interruptions, attacks, configuration changes, etc.). The global view based on the stack area chart provides a high trend for the visibility of IP prefixes and has been developed to provide a local view to check the impact of IP prefixes visibility time.
2.2 Cyber Plan-X Project Overviews
In the United States, DARPA has undertaken a project to develop cyber system frameworks and prototypes to enable the military to intuitively understand, plan, and effectively manage cyber battlefields and cyber operations in broadband, dynamic network environments in real-time. The Plan-X definition of a cyber-battlespace has three main concepts: a network map, operational units, and capability set. Plan-X implemented a cyber-battlespace as a cyber- battlefield map. The cyber battlefield map shows a network map that connects between cyber assets, nodes to nodes, and computers to computers, and uses it to plan and conduct cyberspace operations [3].
2.3 BGP Route View Project Overviews
The border gateway protocol (BGP) is a protocol for exchanging routing information, which is IP Prefix connection information and is a protocol that is the basis for gateway hosts around the world. Oregon University's Route Views Project is the best repository of BGP routing data and plays an important role in understanding the global Internet routing system. Starting with the accumulation of routing information since 2001, BGP routing information transmitted from more than 140 peered observation monitors from a total of 24 collection points has been collected and recorded in the form of BGP archive data [16,17]. Many studies have been done on BGP routing analysis. Among them, CAIDA's AS Core Internet Graph research is representative [16]. BGP routing information analysis produces various information such as topology changes, routing connections, network instability, network threats, and network attributes [16- 20].
2.4 Cyber Intelligence Preparation of the Battlefield (IPB) Overviews
Cyber IPB is an activity that analyzes impacts on operations of an enemy and friendly forces by synthesizing and analyzing intelligence and information on the expected enemy, terrain, and weather in the cyber battlefield area. To define and produce information products that can be obtained by visualizing and implementing cyberspace battlefields, it is necessary to conduct cyberspace IPB. As an essential part of the information environment, there is a massive global dependence on the cyberspace domain for information exchange. However, due to the inherent vulnerabilities associated with these dependencies, the cyberspace domain must be considered at the stage of the IPB process [1,6].
3. Design and Implementation of Cyber IPB Visualization Architecture Using BGP Archive Data
Based on the information generated through BGP archive data analysis and pre-processing, we designed a prototype architecture to support an effective implementation of a cyber IPB. By visualizing and implementing cyber battlefield information that can be obtained through BGP archive data, we studied information products that can be collected for each layer and how to visualize cyber IPB.
3.1 Cyber IPB Visualization Architecture Design Using BGP Archive Data
In our architecture, cyberspace is divided into a physical network layer, logical network layer, and cyber-persona layer, as shown in Fig. 1 [1,6].
Fig. 1. The three interrelated layers of cyberspace [6]
The Although there are many ways to visualize cyberspace, we approached this task by utilizing the method from the NATO Cyber Defense Situational Awareness RFI, as shown in Fig. 2 [10,21].
Fig. 2. Visualization diagram of NATO RFI [21]
Various BGP-related information can be visualized in multiple visualization formats, and the user can select a visualization suitable for indicating the type of information to be viewed. In addition to viewing specific types of data, the provided interfaces can organize and visualize appropriate support information. The data processing process for converting public BGP, OSINT, and IP geolocation data to a GeoJSON format was performed, and an integrated intelligence database for visualization was constructed. It generates visualizations from the data collected by the Logstash tool, treating and manipulating them in the Elasticsearch tool. Kibana tool proves to be robust for performing all kinds of data analysis [22].
Accordingly, this was designed with a structure that is linked with ElasticSearch and ElasticMap of Kibana. The following Fig. 3 shows the architecture of the cyber IPB visualization prototype.
Fig. 3. Architecture of cyber IPB visualization prototype
3.2 Visualization Implementation of BGP AS Network Topology
To visualize a global network based on a Geo Map, BGP archive data must be dumped and pre-processed [4]. The BGP archive data utilized in the research process used the Oregon University's Route Views Project, which regarded as the best in the world [16-18]. The BGP archive data includes various property information for each item, as shown in Table 2.
Table 2. Property information of BGP archive data
To shorten the data preprocessing process, Python-based BGP archive data downloader (Fig. 4(a)), and BGP archive data parser (Fig. 4(b)) programs were created and used in this research process. The execution result of the program (Fig. 4(c)) and the extraction result of the parsing data that was processed before (Fig. 4(d)) are as follows.
Fig. 4. (a) Downloader for BGP archive data
Fig. 4. (b) Parser for BGP archive data
Fig. 4. (c) Output of program execution results
Fig. 4. (d) Extraction of parsing results
The pre-processed information is converted to a GeoJSON format, stored, and built as a DB. The built DB and MaxMind Company’s IP Geolocation ISP & City DB and OSINT DB are interlocked and constructed as an integrated intelligence DB, as shown in Fig. 5.
Fig. 5. Construction of integrated intelligence DB
A BGP AS network topology was visualized and implemented using Tableau, a visualization tool before developing the prototype architecture in order to analyze the visualization method for information that can be produced in each layer of cyberspace, as shown in Fig. 6. Future implementations of a cyber IPB visualization prototype architecture can be developed with a Kibana ElasticMap of Elastic Stack.
Fig. 6. Visualization implementation of Geo Map based on BGP AS network topology
4. Direction of Research Based on Architecture
4.1 Cyber IPB Visualization Plan at the Physical Network Layer
The physical network layer consists of geographical components and physical network components. Geographical components are the locations of the ground, sea, air, and space where network components exist, and the physical network components are H/W, S/W, and infrastructure. Depicting the physical network layer within the area of operation (AO) allows the intelligence staff to analyze the physical network layer as it relates to friendly and threat operations. Analysts derive the physical network layer depiction from single-source reporting, all-source intelligence products, cyber mission forces reporting, and other reporting sources. These products assist in developing the physical network layer [1,6]. When analyzing the physical network layer, the elements should be identified and analyzed, as shown in Table 3.
Table 3. Identification elements for physical network layer analysis
Cyberspace attack capability exerts firepower in cyberspace, but physical destruction rarely occurs [6]. However, if a critical physical node and network infrastructure is destroyed, simultaneous effects can be created in the physical and cyberspace domains [6,20].
Therefore, by visualizing and analyzing network components based on Geo Map, it is possible to create and analyze information for cyber high payoff target (HPT) selection, as shown in Fig. 7.
Fig. 7. Cyber IPB of cyber high payoff target (HPT) associated with physical war domains
4.2 Cyber IPB Visualization Plan at the Logical Network Layer
The logical network layer consists of components of logical networks that are related to each other in an abstracted manner from a physical network and is a virtual space of a cyberspace network. Depicting the logical network layer within the AO discloses how and where it conducts cyberspace operations. It is also useful to understand how and where the population exists, socializes, and communicates within the logical network layer. Additionally, network maps often depict the logical network layer concerning the physical network layer [1,6]. When analyzing the logical network layer, the elements should be identified and analyzed, as shown in Table 4.
Table 4. Identification elements for physical network layer analysis
For example, to analyze the AS path, Di-Graph can be drawn with information extracted from BGP archive data [4, 16, 18]. The BGP AS path map between the countries of Saudi Arabia and Iran can be visualized in Di-Graph form, as shown in Fig. 8(a). From a technical standpoint, Iran and Saudi Arabia presents an interesting BGP architecture. And holds a central position in the connectivity of the Middle East, the region of the world that has seen the largest growth in Internet penetration over the past decade [23]. Also, from a geopolitical point of view, Iran is a major actor in the Middle East and at the center of several ongoing geopolitical rifts [23,24]. The following is the command code for Di-Graph visualization:
| cat rib.20200901.1200.AS39386.tsv | awk ‘$1!= $2{print $2 "\t" $4}' | awk ‘BEGIN{print “digraph{“} {print $0} END{print “}"}’ | dot -T png -o rib.20200401.1200.AS39386.png |
Fig. 8. (a) Di-Graph visualization of country-specific BGP network topology
For a detailed analysis of the AS path between countries, Di-Graph can be visualized in detail as shown in Fig. 8(b). The following is the command code for the detailed visualization of Di-Graph:
| cat rib.20200901.1200.AS39386.tsv | awk ‘$1!= $2{print $2 "\t" $4}' | awk ‘BEGIN{print “digraph{“} {print $0} END{print “}"}’ | dot -T png -o rib.20200401.1200.AS39386.png |
Fig. 8. (b) Di-Graph visualization of AS-specific BGP network topology
Through this process, it is possible to create and analyze information such as ASN, AS detailed path, core node(AS39386, AS49666), and relay node(AS41426) in the global network topology of an AS network unit between Saudi Arabia and Iran. It can be estimated that the node with the greatest possibility of altering the routing path through the BGP hijacking attack is the relay node(AS41426) [19, 25, 26].
Additionally, the same process was carried out to analyze the AS route between North Korea and South Korea through the process previously performed. First of all, information related to North Korea was separately extracted from BGP archive data around the world. Then, the BGP AS path map between the countries of North Korea and South Korea can be visualized in Di-Graph form, as shown in Fig. 9. The following is the command code for the detailed visualization of Di-Graph:
| cat rib.20200901.1200.AS131279.tsv | awk ‘$1!= $2{print $2 "\t" $4}' | awk ‘BEGIN{print “digraph{“} {print $0} END{print “}"}’ | dot -T png -o rib.20200401.1200.AS131279.png |
Fig. 9. Visualization of North Korea’s AS-specific BGP network topology
Analyzing the results, the North Korea’s AS131279 and South Korea’s AS4766 was connected by a single route. Also, the relay node between North Korea and South Korea was passing through AS4837 in china. If a hacking attack targets South Korea from inside North Korea, it can be assumed that the origin of attack lies inside the network connected to North Korea’s AS131279.
4.3 Cyber IPB Visualization Plan at the Cyber-persona Layer
The cyber-persona level represents the abstracted high level of the logical network and includes IP address, personal information, etc. Depicting the threats in a cyber-persona layer begins with understanding the organizational structure. Evaluation of the organizational structure is a task of the all-source intelligence task-force from the information department. Understanding the organizational structure leads to an assessment of the cyber-personas associated with an organization. These include cyber-personas that represent an organization, subordinate elements, and personnel [1,6]. When analyzing the cyber-persona layer, the elements should be identified and analyzed, as shown in Table 5.
Table 5. Identification elements for Cyber-persona layer analysis
For example, the preprocessed BGP Archive Data was used to visualize the network topology in the AS unit. Then, the AS topology object drilled down using Maltego, an OSINT information collection tool, and subsequently, the information for North Korea’s cyber persona layer is extracted and visualized in the form of an object, as shown in Fig. 10.
Fig. 10. Visualization of North Korea’s cyber IPB in the cyber-persona layer related to OSINT
Through this visualization, it is possible to generate and analyze information by extracting various information as shown in Table 6.
Table 6. Results of North Korea’s cyber IPB in the cyber-persona layer
5. Conclusion
This paper designed an architecture by classifying cyberspace into a physical network layer, logical network layer, and cyber persona layer to visualize the cyber battlefield using BGP archive data, which is BGP connection information data of routers from around the world. To implement the architecture, BGP archive data was analyzed and pre-processed. First, a cyberspace was implemented in the form of Di-Graph. Secondly, visualization was implemented based on the Geo Map using Tableau, a visualization tool. Information products that can be obtained through visualization were classified for each layer of cyberspace, and a visualization method for effective cyber IPB was proposed.
In the future, by implementing a prototype architecture based on the Elastic Stack, we will conduct research on IP geolocation, attacker group analysis, time series analysis, and create an association analysis model of the cyberspace domain with the physical domain.
참고문헌
- K. S. Miller, "Intelligence Preparation of the Battlefield," Army Techniques Publication, no. 2-01. 3, 2019.
- S. Liu, W. Cu, Y. Wu, and M. Liu, "A survey on information visualization: recent advances and challenges," The Visual Computer: International Journal of Computer Graphics, vol. 30, no. 12, pp. 1373-1393, Jan. 2014. https://doi.org/10.1007/s00371-013-0892-3
- J. Roberts, "Foundational Cyberwarfare (Plan X)," Defense Advanced Research Projects Agency (DARPA), no. DARPA-BAA-13-02, pp. 5-52, Nov. 2012.
- G. Conti, Security Data Visualization: Graphical Techniques for Network Analysis, 1 st Edition, San Francisco, USA: No Starch Press, pp. 105-124, 2007.
- J. T. Langton, B. Newey, and P. R. Havig, "Visualization for cyber security command and control," Cyber Security, Situation Management, and Impact Assessment II; and Visual Analytics for Homeland Defense and Security II, vol. 7709, no. 11, pp. 1-12, Apr. 2010.
- K. D. Scott, "Cyberspace Operations," US Joint Publication, no. 3-12, pp. 2-12, June 2018.
- S. Teoh, S. Ranjan, A. Nucci, and C. N. Chuah, "BGP eye: A new visualization tool for real-time detection and analysis of BGP anomalies," in Proc. of the 3 rd International Workshop on Visualization for Computer Security (VizSEC), p. 81-90, Nov. 2006.
- J. Shearer, K. L. Ma, and T. Kohlenberg, "BGPeep: An IP-Space Centered View for Internet Routing Data," in Proc. of International Workshop on Visualization for Computer Security (VizSEC), pp. 81-90, Sep. 2006.
- E. Biersack, Q. Jacquemart, F. Fischer, J. Fuchs, O. Thonnard, G. Theodoridis, D. Tzovaras, and P. A. Vervier, "Visual analytics for BGP monitoring and prefix hijacking identification," IEEE Network, vol. 26, no. 6, pp. 33-39, Dec. 2012. https://doi.org/10.1109/MNET.2012.6375891
- W. Heinbockel, S. Noel, and J. Curbo, "Mission Dependency Modeling for Cyber Situational Awareness," in Proc. of NATO IST-148 Symposium on Cyber Defense Situation Awareness, vol. 148, no. 5, pp. 1-14, Oct. 2016.
- M. Syamjumar, R. Durairajan, and P. Barford, "Bigfoot: A geo-based visualization methodology for detecting bgp threats," in Proc. of IEEE Symposium on Visualization for Cyber Security (VizSec), pp. 1-8, Oct. 2016.
- A. Ulmer, M. Schufrin, D. Sessler, and J. Kohlhammer, "Visual-Interactive Identification of Anomalous IP-Block Behavior Using Geo-IP Data," in Proc. of IEEE Symposium on Visualization for Cyber Security (VizSec), pp.1-8, Oct. 2018.
- P. Fonseca, E. S. Mota, R. Bennesby, and A. Passito, "BGP Dataset Generation and Feature Extraction for Anomaly Detection," in Proc. of IEEE Symposium on Computers and Communications (ISCC), pp. 1-6, July 2019.
- M. Syamkumar, Y. Gullapalli, W. Tang, P. Barford, and J. Sommers, "BigBen: Telemetry Processing for Internet-wide Event Monitoring," arXiv preprint arXiv, vol. 2011, no. 10911, pp. 1-12, Nov. 2020.
- M. Candela, G. D. Battista, and L. Marzialetti, "Multi-view routing visualization for the identification of BGP issues," Journal of Computer Languages, vol. 58, no. 100966, June 2020.
- Y. Lee and Y. Lee, "Yet Another BGP Archive Forensic Analysis Tool Using Hadoop and Hive," Journal of KIISE, vol. 42, no. 4, pp. 541-549, Apr. 2015. https://doi.org/10.5626/JOK.2015.42.4.541
- O. F. Ozarslan and K. Sarac, "ZIDX: A Generic Framework for Random Access to BGP Records in Compressed MRT Datasets," in Proc. of the 29th International Conference on Computer Communications and Networks (ICCCN), pp. 1-8, Aug. 2020.
- J. Salido, M. Nakahara, and Y. Wang, "An analysis of network reachability using BGP data," in Proc. of the 3rd IEEE Workshop on Internet Applications (WIAPP), pp. 10-18, July 2003.
- C. C. Demchak and Y. Shavitt, "China's Maxim - Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking," Military Cyber Affairs, vol. 3, no. 1, pp. 1-9, 2018.
- F. Douzet, L. Petiniaud, L. Salamatian, K. Limonier, K. Salamatian, and T. Alchus, "Measuring the Fragmentation of the Internet: The Case of the Border Gateway Protocol (BGP) During the Ukrainian Crisis," in Proc. of the 12th International Conference on Cyber Conflict (CyCon), vol. 24, p. 157-182, May 2020.
- T. Moye, R. Sawilla, R. Sullivan, and P. Lagadec, "NATO Request for Information: Cyber Defense Situational Awareness System," NATO Communications and Information Agency (NCI Agency), no. CO-14068-MNCD2, pp. 87-89, May 2015.
- L. F. Camargo, A. Moraes, D. R. C. Dias, and J. R. F. Brega, "Information Visualization Applied to Computer Network Security," in Proc. of International Conference on Computational Science and Its Applications, vol. 12250, pp. 44-59, July 2020.
- L. Salamatian, F. Douzet, K. Limonier, and K. Salamatian, "The geopolitics behind the routes data travels: a case study of Iran," arXiv preprint arXiv, pp. 1-29, Nov. 2019.
- R. Pradeepa and M. Pushpalatha, "A hybrid OpenFlow with intelligent detection and prediction models for preventing BGP path hijack on SDN," Soft Computing, vol. 24, no. 13, pp. 10205-10214, July 2020. https://doi.org/10.1007/s00500-019-04534-x
- P. Sermpezis, V. Kotronis, A. Dainotti, and X. Dimitropoulos, "A survey among network operators on BGP prefix hijacking," ACM SIGCOMM Computer Communication Review, vol. 48, no. 1, pp. 64-69, Jan. 2018. https://doi.org/10.1145/3211852.3211862
- R. A. Clarke and R. Knake, Cyber war: The Next Threat to National Security and What to Do About It, Old Saybrook, CT, USA: Tantor Media, 2020.