Switchwall: Automated Topology Fingerprinting and Behavior Deviation Identification

The continuous improvement of bandwidth, pervasiveness, and functionality of network switching technologies is deeply changing the Internet landscape. Indeed, it has become tedious and sometimes infeasible to manually assure the network integrity on a regular basis: existing hardware and software can be tampered with and new devices can be connected or become nonoperational without any notification. Moreover, changes in the network topology can be introduced by human error, by hardware or software failures, or even by a malicious adversary (e.g. rogue systems).

In this paper, we introduce Switchwall, an Ethernet-based network fingerprinting technique that detects unauthorized changes to the L2/L3 network topology, the active devices, and the availability of an Enterprise network. The network map is generated at an initial known state and is then periodically verified to detect deviations in a fully automated manner. Switchwall leverages a single vantage point and uses only very common protocols (PING and ARP) without any requirements for new software or hardware. Moreover, no previous knowledge of the topology is required, and our approach works on mixed speed, mixed vendors networks. Switchwall is able to identify a wide-range of changes which are validated by our experimental results on both real and simulated networks.