GAT-LA: Graph Attention-Based Locality-Aware Sampling for Modeling the Dynamic Evolution of I2P Routing Topologies

Abstract

Anonymous communication networks such as the Invisible Internet Project (I2P) are essential for safeguarding privacy and ensuring freedom of expression, necessitating robust performance and security evaluation in controlled environments. Network testbeds offer a reliable alternative to real-world testing. This paper proposes a dynamic modeling framework based on Graph Attention Network (GAT). We introduce a Region-Centric Initialization (RCI) strategy to establish an initial observation anchor, followed by a GAT-based Locality-Aware (GAT-LA) sampling mechanism that treats representative node selection as a dynamic learning task. Experimental results demonstrate that the GAT-LA mechanism significantly outperforms static methods in maintaining long-term similarity to real-world I2P performance metrics. The integrated stability penalty mechanism effectively suppresses excessive topological fluctuations, ensuring temporal smoothness across evolutionary cycles. Furthermore, the RCI strategy provides high engineering flexibility by supporting both automated scoring and target-oriented manual configuration. This paper presents a scalable methodology for dynamic network simulation with enhanced statistical alignment, providing a practical reference for security research within resource-constrained anonymous network ranges or testbeds.

1. Introduction

Anonymous communication networks (ACNs) employ mechanisms such as layered encryption and multi-hop forwarding to protect the identities and relationships of communicating parties, which is essential for safeguarding user privacy and promoting freedom of expression [1]. Currently, The Onion Router (Tor) and the Invisible Internet Project (I2P) represent the most prevalent anonymous networks [2]. While the increasing demand for robust anonymity drives the continuous evolution of novel protocols and cryptographic mechanisms [3,4], adversaries are persistently attempting to breach existing defense boundaries through traffic analysis, timing correlation, and de-anonymization [5]. Consequently, security assessment and the verification of offensive and defensive capabilities for anonymous networks have become critical components of contemporary research.

However, the infeasibility of conducting direct technical assessments and offensive-defensive drills within real-world anonymous networks has become increasingly prominent [6]. First, the validation of novel protocols often requires large-scale software updates by users to observe network effects, resulting in a protracted and complex experimental process. Second, the inherent openness and uncontrollability of live anonymous networks make it difficult to establish uniform experimental conditions, leading to poor reproducibility and undermining scientific rigor. Furthermore, conducting offensive testing in live environments inevitably risks the collection of actual user data, thereby violating ethical guidelines and privacy protection requirements. Additionally, aggressive testing may significantly impair overall network performance, potentially leading to service disruptions or systemic collapse.

Developing simulated experimental platforms, such as cyber ranges, has emerged as an effective alternative to direct experimentation in real-world environments [7,8,9,10,11,12,13,14]. These platforms support diverse research areas, including path selection optimization [15,16,17], load balancing [18,19], and Denial-of-Service (DoS) attacks [20,21,22,23]. For simulations to be valid, the modeled networks within the cyber range must maintain high fidelity to their real-world counterparts. However, due to hardware resource constraints, simulated environments are typically operated at a significantly reduced scale. Consequently, a robust modeling strategy is required to ensure that the downscaled topology retains the essential characteristics and behavioral patterns of the target network [24], such as topological properties, performance metrics, and traffic patterns.

Currently, network structure modeling methods for anonymous network cyber ranges can be categorized by their simulation fidelity into three levels: those based on basic network topologies [25,26], those utilizing darknet resource crawling [12], and specialized Tor network modeling [24]. In contrast, structural modeling techniques for I2P focus primarily on obtaining netDb information through node measurements—RouterInfos for I2P routers contact information [27,28,29,30] and LeaseSets for hidden services (Eepsites) [31,32]—and conducting in-depth analyses of I2P characteristics from diverse perspectives to enhance the understanding of its operational mechanisms. Although these studies have revealed the highly dynamic nature of the I2P network driven by frequent node churn, which manifests as continuous structural drift and evolution at both macroscopic and microscopic levels, current measurement findings have not yet been fully integrated into reproducible and time-varying modeling schemes suitable for simulated environments such as cyber ranges.

Therefore, leveraging measurement data from the real I2P network to construct representative structural models capable of reflecting its dynamic evolution is crucial for providing a reliable environment for subsequent experimental validation. Such modeling efforts not only enhance the scientific rigor of anonymous network research, but also strengthen the credibility of empirical findings, thereby ensuring the validity of research outcomes in real-world scenarios.

Against this backdrop, this paper adopts a local-view modeling perspective and proposes a Graph Attention Network [33] (GAT)-based locality-aware sampling strategy (GAT-LA). The global modeling of I2P is significantly hindered by technical complexities, as full-network topology mapping incurs prohibitive resource overhead and poses significant risks regarding the large-scale collection of sensitive data. By focusing on a specific observation domain, local modeling substantially reduces computational requirements. This approach maintains favorable precision and controllability within the target scope, aligning more closely with the ethical imperatives of research and privacy protection.

This paper proposes a dynamic local network structure modeling method for I2P cyber ranges, designed to generate a simulated target network that reflects the temporal evolution of network structures under the constraint of reduced node scales. The design philosophy draws inspiration from the adaptive zooming and regional focusing mechanisms of digital maps, supporting refined modeling of specific areas within a limited observational scope. Specifically, centering on a designated observation domain, the method performs targeted screening of anchor points within this domain and critical nodes within their topological neighborhoods; this captures and characterizes the key network structural and dynamic evolution features of the domain, thereby maintaining the representativeness of the simulated environment under a controlled experimental scale.

We describe the measurement data encompassing network nodes and logical topology obtained from the real I2P network in Section 3.1 and introduce a region center initialization (RCI) strategy in Section 3.3 to identify optimal entry points within the acquired local observation domain via two modes: performance-aware and manual-configuration. Then, we describe GAT-LA in Section 3.4, which governs the process of dynamic evolution and the screening of representative nodes. In Section 4, we instantiate the proposed model within the cyber range utilizing the P-I2Prange [34] method, an automated framework for constructing I2P application scenarios, and compare its network performance characteristics with data collected from the real I2P network. Experimental results demonstrate that our approach successfully models representative node selection as a dynamic learning task. This method effectively preserves the performance distribution of the target network throughout the modeling cycle.

Our contributions are listed as follows:

• We propose a dynamic network modeling framework specifically for I2P cyber ranges. By formulating the selection of representative nodes within a localized observation domain as an adaptive learning task, this framework provides a structured approach to capturing the temporal evolution manifested in the localized observation domain.
• We design a region center initialization strategy that implements a cold-start for local modeling through an automated scoring mechanism for representative anchors. This strategy further supports a manual configuration mode to accommodate diverse research requirements such as goal-oriented optimization for regional performance.
• We implement a locality-aware sampling mechanism, termed GAT-LA, which integrates multi-head attention with stability constraints to enhance the approximation of the observed local network characteristics and temporal smoothness within a downscaled simulation domain.

2. Related Work

In the field of cyber range research, the construction of representative experimental environments is fundamental to ensuring the reliability and generalizability of empirical findings. By systematically measuring and analyzing the topological structures of the real I2P network, researchers can construct experimental substrates that approximate real-world performance for rigorous evaluation and security verification. Currently, modeling methodologies for anonymous network cyber ranges primarily encompass the construction of fundamental topologies, the reconnaissance of application-layer resources, and the systematic emulation of Tor.

2.1. Modeling of Fundamental Topologies and Resource Reconnaissance

Methodologies for fundamental network topology modeling typically involve the construction of simplified, small-scale target networks using standard components provided by simulation platforms, tailored to specific experimental objectives. This approach remains the most prevalent and accessible strategy for generating synthetic network environments, primarily due to its ease of deployment.

Such methodologies are frequently employed to validate the efficacy of specific attack vectors. For instance, Chakravarty et al. [25] utilized the DETER platform to construct a localized private Tor network comprising three subnets and eleven nodes, thereby demonstrating the feasibility of a specialized traffic analysis attack aginst Tor. Similarly, X. Zheng et al. [26] categorized prevailing attack-defense scenarios within anonymous networks and formalized a set of constitutive rules to satisfy these experimental requirements. By designing ring and star topological structures, they claimed to preserve the essential network characteristics necessary for diverse experimental scenarios, allowing for the projection of various simulation contexts onto these underlying topologies.

While these approaches offer operational flexibility, their reliance on static and small-scale structures often results in a discrepancy between simulated environments and the empirical statistical properties of distributed anonymous networks. Specifically, these simplified models struggle to accurately approximate the dynamic distributions of network parameters, including nodal performance and connectivity variations, which reflect the evolving state of the real I2P network.

Resource reconnaissance modeling prioritizes the acquisition of application-layer content within anonymous networks. Specifically, P. Wang et al. [12] developed two distinct strategies, namely a Scrapy-based darknet crawler and an HTTrack-based rapid retrieval method, to extract service resources from darknet environments for subsequent migration and deployment within simulated infrastructures.

While such studies prioritize enhancing the richness of the application environment, their capacity to characterize the underlying logical topology and the dynamic interactions between nodes remains relatively constrained.

Such limitations are often inevitable due to the trade-offs between computational overhead and modeling granularity, leaving a gap in representing the continuous fluctuations of network states.

2.2. Systematic Modeling and Simulation of Tor

Systematic modeling of the Tor network has achieved significant maturity through extensive research. Shadow [13] has emerged as the most prevalent tool for conducting Tor simulation experiments, primarily due to its capability to construct customized virtual network topologies on local hardware while facilitating granular data logging. Recognizing the necessity for representative simulation environments, the Shadow development team has consistently advanced Tor network modeling methodologies over the past decade. Their contributions encompass static structural modeling [6], empirical security measurements of authentic Tor nodes and traffic [35,36], and the generation of synthetic simulation traffic [37]. These iterative advancements have culminated in the ability to simulate the Tor network at 100% scale—encompassing nodes, traffic, and performance metrics [24]—thereby solidifying Shadow’s preeminent position in the field of Tor simulation.

In summary, the construction of modeling methodologies with high representative fidelity is essential for ensuring the real-world credibility and validity of experimental conclusions derived from cyber ranges. However, existing modeling techniques remain subject to critical limitations. Fundamental topology-based methods struggle to evaluate the practical impact of emerging technologies within large-scale networks, while resource-crawling approaches are primarily restricted to static content detection and fail to guarantee the dynamic fidelity of network structures. Furthermore, although simulation modeling for Tor has reached significant maturity, the fundamental architectural discrepancies between I2P and Tor—most notably the decentralized netDb mechanism of I2P in contrast to the centralized directory services of Tor—preclude the direct migration of existing Tor modeling frameworks to the I2P environment.

Modeling the I2P network presents distinct complexities. The implicit routing mechanism within I2P results in logical connectivity that relies heavily on the dynamically updated and concealed netDb, rendering the topology generation process more intricate and less observable than the explicit routing tables utilized by the Tor network. Simultaneously, the nodal admission and route discovery processes exhibit heightened stochasticity, complicating the characterization of topological evolution through conventional methodologies. While current research has utilized measurement-based analysis to investigate localized features, such as RouterInfos [27,28,29,30] and LeaseSets [31,32], there remains a need for specialized frameworks that can systematically represent these dynamics within a controlled environment.

2.3. Preliminary: Overview of I2P

The I2P network is composed of peers (commonly referred to as clients, nodes, or routers) that run the I2P software, enabling applications to communicate securely through the network [38]. A RouterInfo file provides contact information for a specific router, including its identity, IP address, port number, and other relevant metadata. For nodes situated within complex network environments or those with stringent privacy requirements, I2P facilitates a dedicated introduction mechanism. This process involves the selection of specific routers from the local netDb to serve as introducers, thereby enabling interconnectivity across firewalls [39].

Figure 1 illustrates a representative communication process within the I2P network. During data transmission, network traffic is carried by unidirectional encrypted tunnels constructed from multiple tiers of nodes, which are categorized into inbound and outbound tunnels according to the direction of flow. A complete bidirectional communication session typically involves four independent tunnels. Throughout the entire communication process, Alice and Bob remain cognizant only of the gateway nodes of each party, while the actual underlying network addresses and internal tunnel structures remain obscured; such restricted visibility effectively facilitates the decoupling of identity from network routing, thereby ensuring the anonymity of the interaction.

The node discovery and selection mechanism serves as the core driving force for the dynamic evolution of the I2P network and forms the foundation of the dynamic model proposed in this paper. Newly joining nodes obtain an initial network view via I2P’s built-in reseed servers and synchronize their status with high-capacity Floodfill nodes. Floodfill nodes constitute the core of the netDb, where each node maintains a local netDb replica as a subset of the global network information. In cases of insufficient local information, nodes request additional RouterInfos by sending a DatabaseLookupMessage to Floodfill nodes; furthermore, the process of tunnel construction enables nodes to discover new active neighbors and update their local netDb accordingly.

During the tunnel construction process, nodes filter candidate nodes based on locally maintained performance profiles. The selection criteria are primarily based on two core metrics: $Speed$ and $Capacity$. The $Speed$ metric characterizes the throughput potential of a node per unit of time, typically represented by the average bandwidth of the three fastest tunnels through the node within the last minute. $Capacity$ refers to the number of tunnels that a specific node has successfully participated in establishing over a given period. An I2P router’s current $Capacity$ estimation is formulated as shown in Equation (1).

$${\mathrm{capcity}}_p=0.4{\mathrm{cap}}_{10\min }+0.3{\mathrm{cap}}_{30\min }+0.2{\mathrm{cap}}_{60\min }+0.1{\mathrm{cap}}_{24\mathrm{h}}$$

(1)

where $cap$ denotes the $Capacity$ value of a node within a given time span, and the subscript indicates the specific time window (e.g., 10 min). Such performance-based selection preferences lead to the non-homogeneous evolution of the network’s logical topology over time. Therefore, in cyber range modeling, characterizing the dynamic interaction processes of nodes based on performance feedback is essential for enhancing the convergence between simulation environments and real-world network characteristics.

3. Methodology

Given the decentralized nature of the I2P network and the technical complexity of full-network topology mapping, this section describes a dynamic local network modeling method based on GAT, leveraging local network data obtained from the real I2P network. The method aims to characterize the key structural and dynamic evolution features of the actual local I2P network within a cyber range simulation environment, specifically at a reduced node scale. Its design philosophy draws inspiration from the adaptive zooming and regional focusing mechanisms found in digital maps. Figure 2 illustrates the overall framework of the proposed method.

3.1. Data Preparation from the Real I2P Network

To ensure that the modeled I2P network preserves the statistical characteristics of the real I2P network, this section first acquires local topology data from the real I2P network through passive measurement techniques. Since the I2P netDb aggregates fragmented global views from individual routers, we leverage controlled probes to collect local netDb data, enabling an incremental and localized characterization of the I2P topology.

As illustrated in the data preparation module in Figure 2, the measurement process leverages the I2P node discovery mechanism by employing a passive probing strategy characterized as Breadth-First Search (BFS)-like. Specifically, the probe node R extracts routerHash, the unique identifier of each router, from its local storage to define a vertex set V. Let $V_{local}$ denote the local netDb peer list; for each $v_i\in V_{local}$, we construct a logical edge $(R,v_i)\in E$. To ensure computational efficiency and mitigate redundancy, we introduced an edge filtering mechanism based on a generic hashing strategy. This mechanism computes MD5 digests of edge identifiers and queries a global edge hash table, thereby enabling efficient deduplication and rapid insertion of newly discovered topological edges into the dataset.

Throughout this process, the probe nodes strictly adhere to the principle of passive observation, merely recording the natural diffusion of netDb entries without initiating active queries to external nodes. This non-intrusive approach ensures that the measurement avoids interference with the neighbor selection decisions of read nodes. The measurement task terminates when the observation process no longer yields new logical edges. The resulting undirected topological graph $G=(V,E)$ characterizes the logical adjacency relationships within the local I2P network, providing a foundational dataset for subsequent modeling of dynamic evolution.

3.2. Problem Definition

Building upon the local topological observations obtained in Section 3.1, we define the representative structure modeling of the I2P network as a Dynamic Representative Node Selection (DRNS) problem over spatio-temporal graphs. Specifically, the primary objective of dynamic modeling is to derive a representative topology sequence for the target environment from the locally observed graph sequence $\mathcal{G}=\{G^{\left(1\right)},G^{\left(2\right)},\dots ,G^{\left(t\right)},\dots ,G^{\left(T\right)}\}$, where T denotes the total number of observation intervals encompassed in the modeling scope. Each time step t is configured with a default granularity of a 24-h observation cycle.

For each $G^{\left(t\right)}=(V^{\left(t\right)},E^{\left(t\right)})$ at time step t, $V^{\left(t\right)}$ represents the set of N routerHashes observed locally during this interval, and $E^{\left(t\right)}$ is the set of logical topological edges derived via the methodology described in Section 3.1. Each node $v\in V^{\left(t\right)}$ is associated with a d-dimensional normalized feature vector ${\mathbf{x}}_v^{\left(t\right)}\in {[0,1]}^5$, which integrates the critical performance metrics summarized in

Table 1. Critical performance metrics and their descriptions for I2P nodes.

Metric	Description	Data Source/Path
router_bandwidth	Indicates the shared bandwidth capability of the node.	routerInfo Caps: K, L, M, N, O, P, X
tunnel_create_time	The average response time required for tunnel establishment.	viewprofile: tunnelCreateResponseTime (TotalTime/EventCount)
capacity	Maximum number of tunnels the node can participate in per hour under ideal conditions.	viewprofile: Capacity
speed	The sustained peak throughput achieved by the node over the last 60 s.	viewprofile: Speed
integration	The number of newly discovered peers actively reported by this node recently.	viewprofile: Integration

. These metrics are extracted from the I2P local management interface, named viewprofile, which provides real-time performance statistics and peer profiling data.

The objective of the proposed method is to learn a time-varying mapping function $f:\{G^{\left(1\right)},\dots ,G^{\left(t\right)},\dots ,G^{\left(T\right)}\}\to \{S^{\left(1\right)},\dots ,S^{\left(t\right)},\dots ,S^{\left(T\right)}\}$, where $S^{\left(t\right)}\subset V^{\left(t\right)}$ denotes a subset of K representative nodes to be instantiated within the cyber range ($K\ll N$). To ensure simulation fidelity, the ideal optimization objective of the mapping function f is to minimize the cumulative discrepancy in performance distributions between the modeled environment and the live network, as formulated in Equation (2).

$$\underset{f}{\min }\sum _{t=1}^T\mathrm{Dist}\left(\mathcal{P}\left(S^{\left(t\right)}\right),\mathcal{P}\left(V^{\left(t\right)}\right)\right)+\lambda ·\Omega (S^{\left(t\right)},S^{(t-1)})$$

(2)

where $\mathcal{P}(·)$ denotes the distribution of performance metrics, such as average Time-to-Last-Byte (TTLB). $\mathrm{Dist}(·)$ represents a distance metric used to quantify the divergence between distributions. $\Omega (·)$ serves as a stability constraint weighted by the penalty coefficient $\lambda$, which is specifically designed to suppress excessive topological fluctuations between consecutive simulation cycles. In practice, since subset selection $S^{\left(t\right)}$ is a discrete combinatorial process, we decompose this global objective into a supervised node-level regression task. By accurately predicting individual node scores, as detailed in Section 3.4, the model facilitates the selection of a representative subset $S^{\left(t\right)}$ that satisfies these distributional and stability constraints.

3.3. Region-Centric Initialization

In the modeling of I2P networks, defining the spatial scope involves a strategic trade-off between technical feasibility, computational efficiency, and research ethics. Rather than pursuing global modeling at a network-wide scale, this study deliberately focuses on a specific observation domain. This localized observation paradigm significantly mitigates redundant demands for computational complexity and storage resources inherent in large-scale anonymous network mapping, while effectively minimizing unnecessary interference with irrelevant nodes. From an ethical perspective, localized modeling maximizes the avoidance of privacy leakage risks associated with network-wide probing, thereby aligning with the compliance requirements of anonymity research.

Against this backdrop, we propose the region-centric initialization (RCI) strategy to establish a robust topological reference frame within the defined observation domain. By establishing representative anchor points, RCI fixes the modeling focus, ensuring that when structures are mapped to a further downscaled simulation domain, the topological evolution patterns of the target region can be characterized.

The RCI strategy supports two modes: a manual configuration mode guided by specific research objectives, and a default representative scoring mechanism as described in this section.

By default, the RCI strategy implements an anchor importance scoring mechanism to identify nodes that exert significant structural influence within the observation domain. The selection of anchor points is contingent upon the entire observed sequence $\mathcal{G}$, i.e., $c\in {\bigcup }_{t=1}^T{V}^{\left(t\right)}$. For any candidate node v, its importance score, $\mathrm{score}\left(v\right)$, is defined in Equation (3), where each constituent parameter represents the time-averaged value of the node’s metrics across the entire duration T.

$$\mathrm{score}\left(v\right)={\widehat{\overline{r}}}_v+{\widehat{\overline{c}}}_v+{\widehat{\overline{s}}}_v+{\widehat{\overline{i}}}_v+{\widehat{\overline{b}}}_v+f_v+u_v$$

(3)

where $r_v={\displaystyle \frac{1}{1+\mathtt{tunnel}\_\mathtt{create}\_{\mathtt{time}}_v}}$, $c_v={\mathtt{capacity}}_v$, $s_v={\mathtt{speed}}_v$, $i_v={\mathtt{integration}}_v$, $b_v\in \{1,2,\dots ,7\}$ denotes the ordinal mapping value of the node’s $\mathtt{router}\_{\mathtt{bandwidth}}_v$, and $f_v\in \{0,1\}$ is a binary indicator signifying whether node v functions as a Floodfill router. The stability metric $u_v$ is quantified as the reachability frequency, defined as the proportion of successful observations of node v across all measurement sub-steps within the duration T. $\overline{·}$ denotes the arithmetic mean calculated across all measurement sub-steps, while $\widehat{·}$ signifies the Min-Max normalization applied over the vertex set to ensure all metrics are commensurable within the range $[0,1]$.

The node achieving the highest $\mathrm{score}\left(v\right)$ is designated as the anchor point c, which is identified at the initialization of each modeling process based on performance data across the duration T. Once designated, this anchor remains invariant throughout the subsequent dynamic evolution period T and is not subject to re-selection despite state transitions of other nodes. This fixed topological reference frame is critical for quantifying structural drift and precisely characterizing performance fluctuations within the target region. The anchor is re-evaluated and updated at the commencement of each new modeling cycle T using updated performance metrics.

To enable the subsequent Graph Neural Network (GNN) to distinguish this focal center, a binary indicator variable $z_v={\mathbb{I}}_{v=c}$, $f_v$ and $u_v$ are appended to the tail of each node v’s feature vector, forming a concatenated input for the Graph Attention (GAT) model detailed in Section 3.4. This architectural design allows the model to implicitly capture the structural and functional centrality of the anchor point c, thereby bypassing the high computational overhead associated with explicit topological distance calculations.

Although a multi-center configuration could be considered for broader regions, this study adopts a single-center initialization mode as the default setting to ensure the controllability and interpretability of the evaluation framework.

3.4. GAT-Based Locality-Aware Sampling Strategy

To construct the simulation domain $S^{\left(t\right)}$ from the observation domain, the node selection process must evolve from static heuristic evaluation toward a dynamic, performance-oriented modeling approach. This section introduces the GAT-based locality-aware sampling strategy (GAT-LA), which employs GAT as a learnable feature aggregator to synthesize multi-dimensional health metrics and spatial constraints. By leveraging the attention mechanism, GAT-LA can adaptively weigh the importance of individual nodes, ensuring that the resulting simulation domain $S^{\left(t\right)}$ is structurally representative.

The GAT-LA strategy is executed iteratively at each time step $t\in T$ to generate a sequence of simulation domains $\{S^{\left(1\right)},S^{\left(2\right)},\dots ,S^{\left(T\right)}\}$. The objective of GAT-LA is to map the raw observational data of candidate nodes into a set of performance-based sampling probabilities. This mapping ensures that the transition from observation to simulation is guided by learned node importance rather than static rules. The input and output definitions of GAT-LA are detailed as follows:

• Input: A graph $G^{\left(t\right)}=(V^{\left(t\right)},E^{\left(t\right)})$ representing the network topology at time t, and an augmented feature vector ${\mathbf{x}}_v^{\left(t\right)}\in {\mathbb{R}}^8$ for each node $v\in V^{\left(t\right)}$. The vector is constructed as ${\mathbf{x}}_v^{\left(t\right)}=[x_1,\dots ,x_5,f_v,u_v,z_v]$, where the first five dimensions correspond to the normalized metrics listed in Table 1, while $f_v$, $u_v$, and $z_v$ are the node-specific indicators derived in Section 3.3.
• Output: A scalar performance score $s_v^{\left(t\right)}\in [0,1]$ for each node $v\in V^{\left(t\right)}$, representing its predicted service efficacy within the current observation cycle. This score quantifies the relative capability of each node in maintaining stable service delivery, thereby providing the probabilistic basis for the subsequent sampling process.

A two-layer multi-head Graph Attention Network (GAT) was implemented to capture structural interdependencies. Let ${\mathbf{h}}_v^{\left(l\right)}$ denote the embedding of node v at the l-th layer, where ${\mathbf{h}}_v^{\left(0\right)}={\mathbf{x}}_v^{\left(t\right)}$ represents the initial state. The output embedding ${\mathbf{h}}_v^{\left(l\right)}$ for node v at layer l is formulated as Equation (4).

$${\mathbf{h}}_v^{\left(l\right)}=\sigma \left(\sum _{u\in \mathcal{N}\left(v\right)\cup \left\{v\right\}}{\alpha }_{vu}^{\left(l\right)}{\mathbf{W}}^{\left(l\right)}{\mathbf{h}}_u^{(l-1)}\right)$$

(4)

where $\sigma$ denotes the Exponential Linear Unit (ELU) adopted as the non-linear activation function. ${\mathbf{W}}^{\left(l\right)}\in {\mathbb{R}}^{d\times d_{in}}$ is the weight matrix used to transform input features into d-dimensional embeddings, where d is set to 64 by default. For the initial layer ($l=1$), $d_{in}=8$ corresponds to the dimension of the augmented feature vector ${\mathbf{x}}_v^{\left(t\right)}$. ${\alpha }_{vu}^{\left(l\right)}$ represents the attention weight normalized via the Softmax function, as formulated in Equations (5) and (6).

$${\alpha }_{vu}^{\left(l\right)}={\displaystyle \frac{\exp \left(e_{vu}^{\left(l\right)}\right)}{{\sum }_{k\in \mathcal{N}\left(v\right)}\exp \left(e_{vk}^{\left(l\right)}\right)}}$$

(5)

$$e_{vu}^{\left(l\right)}=\mathrm{LeakyReLU}\left({\mathbf{a}}^{\left(l\right)T}\left[{\mathbf{W}}^{\left(l\right)}{\mathbf{h}}_v^{(l-1)}\Vert {\mathbf{W}}^{\left(l\right)}{\mathbf{h}}_u^{(l-1)}\right]\right)$$

(6)

where $e_{vu}^{\left(l\right)}$ represents the attention coefficient that quantifies the importance of neighbor u to node v in the l-th layer. ${\mathbf{a}}^{\left(l\right)}$ denotes the learnable attention weight vector of the l-th layer, and ‖ symbolizes the concatenation operation.

The final node embedding is defined as ${\mathbf{z}}_v^{\left(t\right)}={\mathbf{h}}_v^{\left(2\right)}\in {\mathbb{R}}^d$, which is generated by aggregating neighborhood information across multiple layers to capture high-order structural dependencies.

To map the high-dimensional latent embedding ${\mathbf{z}}_v^{\left(t\right)}$ into a scalar sampling metric, a lightweight Multi-Layer Perceptron (MLP) is employed as a scorer. The embedding vector ${\mathbf{z}}_v^{\left(t\right)}$ is mapped to a raw efficiency score $s_v^{\left(t\right)}\in [0,1]$ via a two-layer MLP, which transforms the 64-dimensional input into a 32-dimensional hidden representation with ReLU activation, followed by a linear projection and a Sigmoid output function. This score serves to quantify the predicted service effectiveness of the node within the current simulation window. All weights and biases involved in this mapping process are integrated into the comprehensive parameter set $\Theta$ for subsequent joint training and optimization.

Subsequently, at the onset of each time step t, GAT-LA undergoes a weakly supervised training phase to align the model with the most recent network state. Specifically, the model employs an incremental update strategy: for $t=1$, the parameter set $\Theta$ is initialized randomly; for all subsequent steps $t>1$, the model inherits the optimized parameters from the previous step $t-1$ and performs local fine-tuning. We define the training label $y_v^{\left(t\right)}$ as the instantaneous vitality score. While its underlying calculation logic remains consistent with Equation (3) in Section 3.3, it is specifically applied to the real-time health metrics observed at the current time step t.

The training objective is to minimize the Mean Squared Error (MSE) between the predicted score $s_v^{\left(t\right)}$ and the ground-truth label $y_v^{\left(t\right)}$, as formulated in Equation (7). This optimization process ensures that the model captures the instantaneous network dynamics by aligning the predicted efficiency with the observed vitality indicators.

$$\mathcal{L}(\Theta )={\displaystyle \frac{1}{\left|V\right|}}\sum _{v\in V}{(s_v^{\left(t\right)}-y_v^{\left(t\right)})}^2+\gamma {\parallel \Theta \parallel }_2^2$$

(7)

where $\Theta$ denotes the comprehensive set of model parameters, encompassing the weight matrices ${\mathbf{W}}^{\left(l\right)}$ and attention vectors ${\mathbf{a}}^{\left(l\right)}$ of the GAT, as well as all weights and biases within the MLP. The parameter $\gamma$ serves as the regularization coefficient to prevent overfitting. By minimizing $\mathcal{L}(\Theta )$, the model effectively learns the optimal attention weights and feature mappings required to accurately predict service effectiveness.

To ensure the statistical validity and temporal smoothness of the modeling process, GAT-LA incorporates a stability penalty mechanism to refine the raw scores. The adjusted importance score ${\widehat{s}}_v^{\left(t\right)}$ is defined as formulated in Equation (8).

$${\widehat{s}}_v^{\left(t\right)}=s_v^{\left(t\right)}·\left(1-\lambda ·{\mathbf{1}}_{S^{(t-1)}}\left(v\right)\right)$$

(8)

where ${\mathbf{1}}_{S^{(t-1)}}\left(v\right)$ denotes the indicator function that represents the node selection status in the previous cycle, and $\lambda$ is the penalty coefficient. This mechanism effectively penalizes previously selected nodes, thereby encouraging the model to explore new high-utility nodes and ensuring temporal diversity in the sampling process.

Finally, based on the selection probability $P_v^{\left(t\right)}=\mathrm{Softmax}\left({\widehat{s}}_v^{\left(t\right)}\right)$, K nodes are selected through weighted sampling without replacement to constitute the simulation domain $S^{\left(t\right)}$ for the current cycle. This probabilistic selection mechanism ensures that nodes with higher adjusted importance scores are prioritized while maintaining a degree of stochastic exploration.

By integrating the aforementioned components, the GAT-LA strategy operates as a cohesive, iterative pipeline. At each time step t, the model first calibrates its internal parameters via weakly supervised learning to match the evolving network dynamics. Subsequently, it reconciles instantaneous performance prediction with temporal stability constraints to yield the refined importance scores. This process culminates in the probabilistic sampling of K nodes, effectively generating a sequence of simulation domains $\{S^{\left(1\right)},\dots ,S^{\left(T\right)}\}$ that are both statistically representative and topologically stable.

Conceptually, the design of GAT-LA is inspired by the adaptive zooming and region-focusing mechanisms in digital mapping applications. In this paradigm, the model centers on a designated anchor and selectively prioritizes key nodes within its topological neighborhood to sustain a high-fidelity structural representation. Unlike stochastic sampling methods such as Random Walk or Forest Fire—which may fail to maintain local focus or overlook structural importance—GAT-LA functions as a targeted filtering process. By focusing on nodes that define the core structural characteristics and dynamic evolution of the observation domain, GAT-LA ensures that the downscaled simulation environment remains structurally representative while operating within a controlled experimental scale.

4. Experimental Results

We instantiate the proposed dynamic modeling method within the cyber range environment of Pengcheng Laboratory (PCL). This section evaluates the effectiveness of the dynamic evolution modeling approach by quantitatively comparing the performance consistency between the ground-truth I2P network observation domain and various controlled simulation instances.

4.1. Experiment Setup

To obtain empirical performance data, three controlled nodes were deployed within the live I2P network to serve as performance monitoring probes. These probes initiated continuous, serial download requests for a 5 MB static payload hosted on a dedicated eepsite server, thereby emulating representative user access patterns. This setup ensures that the gathered metrics, such as throughput and latency, reflect the actual network conditions encountered by users in I2P.

We instantiated the I2P network model within the PCL environment, utilizing alpine:3.17.1 Docker images to configure the I2P routers. To ensure parity with the live network, we replicated the deployment strategy by designating three virtualized nodes as monitoring probes and one eepsite as a file server hosting an identical 5 MB payload. Each modeling window t corresponds to a 24-h duration. To allow the network to reach a steady state—specifically for the I2P bootstrapping and NetDb exploration processes—a 30-min warm-up period was implemented at the onset of each experiment. Performance metrics collected during this interval were discarded, with analysis focusing exclusively on data from the subsequent operational phase.

Automated measurement scripts were developed to collect the performance metrics from the monitoring probes, as detailed in

Table 2. Definition of Performance Metrics for Monitoring Probes.

Metric	Description	Acquisition Method
$P_{\mathrm{TTFB}}$	Time to receive the first byte of the response (s)	Automated browser script
$P_{\mathrm{TTLB}}$	Time to complete the 5 MB file download (s)	Automated browser script
$P_{\mathrm{PLT}}$	Total duration for full page and resource loading (s)	Automated browser script
$P_{\mathrm{SR}}$	Percentage of successfully completed requests (%)	Script-based statistics
$P_{\mathrm{TSR}}$	Ratio of successful internal tunnel creations (%)	I2P local API: /stats
$P_{\mathrm{TH}}$	Average data transfer rate during the cycle (KB/s)	I2P local API: /stats

, to evaluate and validate the proposed method. During the experimental process, the modeling instances underwent high-frequency sampling with a 5-min granularity, whereas the real-world network was sampled at 1-h intervals. To mitigate the impact of instantaneous stochastic fluctuations and achieve temporal alignment, all metric values involved in the subsequent analysis were calculated as the arithmetic mean of the observations recorded within each time step t.

The total modeling duration T is set to 7 days to encompass a full weekly cycle, capturing potential periodic variations in node behavior between weekdays and weekends. This duration is partitioned into consecutive 24-h modeling windows $t\in \{1,2,\dots ,7\}$ to capture the temporal dynamics of the network. To ensure statistical reliability, each simulation group consists of multiple independent trials, and the results are reported as ensemble averages. The experimental groups are defined as follows:

• Reference Group (Ground Truth): Consists of the ground-truth data collected directly from the monitoring probes in the real I2P network.
• GAT-LA: The proposed approach that executes daily iterative evolution using the methodology described in Section 3.
• Static GAT-LA (Baseline I): This group is initialized on the first day using the RCI strategy and GAT-based feature fusion but maintains a static topology for the remainder of the period. It is designed to illustrate the performance degradation of static modeling over time.
• Heuristic-Dynamic (Baseline II): A model that performs daily resampling based exclusively on the heuristic scoring formula discussed in Section 3.3, without GAT-based feature fusion. This baseline verifies the superiority and necessity of the learned attention mechanism in the proposed framework.

The GAT-LA model is configured with two layers and a hidden dimension of 64. The stability penalty coefficient $\lambda$ is set to 0.2 to prevent the premature eviction of high-performance backbone nodes, thereby ensuring topological continuity throughout the evolution process.

The default sampling scale K is set to 200 nodes, representing a specific local subset within the observational domain. The experiments were deployed within the cyber range environment of PCL. To maximize the simulation scale under constrained hardware resources, we utilized customized Docker containers to construct the I2P nodes. The experimental environment consists of 15 virtual user nodes, each allocated 8 GB of RAM and 40 GB of disk storage. To strike a balance between system load and interactive response speed, each virtual node hosts between 22 and 25 containerized I2P instances. Facilitated by this distributed container architecture, the simulation environment provides stable support for network evolution experiments at a scale of $K=200$, ensuring high data collection precision for the monitoring probes.

4.2. Evaluation Metrics

To quantitatively evaluate the fidelity of the dynamic simulation domain relative to the live I2P network, we define three high-order evaluation metrics based on the raw performance data collected in Section 4.1.

Performance Deviation ($PD$). The primary objective of the cyber range is to minimize the numerical discrepancy between the simulated environment and the real network. For a specific metric m in Table 2, the performance deviation at time step t, denoted as $P{D}_m^{\left(t\right)}$, is defined as Equation (9).

$$P{D}_m^{\left(t\right)}={\displaystyle \frac{1}{N}}\sum _{i=1}^N|P_{m,sim}^{(t,i)}-P_{m,ref}^{\left(t\right)}|$$

(9)

where $P_{m,ref}^{\left(t\right)}$ denotes the hourly mean of the reference group at time step t, while $P_{m,sim}^{(t,i)}$ represents the corresponding mean observed in the i-th independent simulation trial. N signifies the total number of independent trials within the simulation group. A smaller $P{D}_m^{\left(t\right)}$ value indicates higher numerical fidelity, demonstrating that the simulation environment more closely approximates the performance levels of the real network.

Trend Consistency ($TC$). This metric evaluates whether the modeled network effectively captures the temporal fluctuation characteristics of the live network. For a specific metric m, the trend consistency $T{C}_m$ throughout the observation period is formulated as shown in Equation (10).

$$T{C}_m={\displaystyle \frac{\mathrm{cov}({\mathbf{P}}_{m,sim},{\mathbf{P}}_{m,ref})}{{\sigma }_{{\mathbf{P}}_{m,sim}}{\sigma }_{{\mathbf{P}}_{m,ref}}}}$$

(10)

where ${\mathbf{P}}_{m,\mathrm{sim}}$ and ${\mathbf{P}}_{m,\mathrm{ref}}$ represent the mean performance vectors of the simulation group and the reference group, respectively, over the seven-day observation period. This metric employs the Pearson correlation coefficient to quantify the consistency between the evolutionary trends of the simulation domain and the live network. A $T{C}_m$ value closer to 1 signifies that the simulation domain successfully tracks real-world network performance fluctuations, demonstrating high temporal fidelity in capturing the dynamic nature of the environment.

Selection Stability Score ($SS$). To evaluate the impact of the stability penalty mechanism introduced in Section 3.4 on topological evolution, we define the selection stability score $S{S}^{\left(t\right)}$ at time step t as shown in Equation (11).

$$S{S}^{\left(t\right)}={\displaystyle \frac{|S^{\left(t\right)}\cap S^{(t-1)}|}{|S^{\left(t\right)}\cup S^{(t-1)}|}}$$

(11)

where $S^{\left(t\right)}$ and $S^{(t-1)}$ represent the sets of modeled nodes in two adjacent modeling cycles. A stable $SS$ value ensures that while the cyber range adapts to network dynamics, it simultaneously maintains the stability of backbone service nodes, thereby preventing unrealistic routing oscillations during the evolutionary process.

4.3. Experiment Results

Following the experimental setup detailed in Section 4.1 and the evaluation metrics defined in Section 4.2, this section presents a quantitative evaluation of the fidelity performance of the GAT-LA strategy.

During the 7-day experimental observation, a total of 13,807 observed nodes were identified. Among these, 2993 were transient nodes with a lifespan of only one day, whereas 5937 nodes remained active throughout the entire seven-day duration. Figure 1 illustrates the dynamic evolution trends of the $P_{TTLB}$ metric for each experimental group during this period.

As illustrated in Figure 3a, the GAT-LA group successfully tracked the performance fluctuations of the Reference group throughout the 7-day observation period. The $TC$ of GAT-LA reached 0.81, significantly outperforming the other baseline groups. In contrast, Baseline I exhibited a continuous escalation in $P_{\mathrm{TTLB}}$ values over time. This performance degradation stems from its inability to dynamically update the simulation domain as nodes leave the network. Although Baseline II performs daily re-sampling, its fluctuation magnitude is considerably larger than that of the reference group due to the lack of deep feature fusion of neighborhood characteristics via GAT. Furthermore, Baseline II demonstrates significant latency and bias during peak performance periods, such as Day 4, reflecting the limitations of purely heuristic-based sampling in capturing complex network dynamics.

To verify the capability of the simulation domain to reconstruct the performance distribution of the live network, Figure 3b depicts the Cumulative Distribution Function (CDF) curves of $P_{\mathrm{TTLB}}$ over the entire observation period.

Figure 3b illustrates that the CDF curve of GAT-LA is in close proximity to that of the reference group. Within the interval of 1.4 s to 1.8 s, the slope of the GAT-LA CDF closely resembles the reference group’s profile, indicating that by aggregating neighborhood features through the attention mechanism, the model effectively reconstructs the performance distribution characteristics of pivot nodes in the live network. In contrast, Baseline I exhibits a significant rightward shift in its distribution curve, as it is unable to capture the dynamic evolution of node states during the observation period. This divergence underscores that static sampling strategies struggle to maintain the statistical validity of the simulation domain over extended durations.

Regarding the slight rightward shift observed in all simulation curves beyond the 2.2 s threshold, we posit that this deviation reflects the inherent limitations of localized modeling environments in reproducing the heavy-tailed latency distributions. Throughout the 7-day observation, 13,807 unique nodes were recorded, of which 2993 were identified as transient nodes with a survival duration of only one day. These transient nodes introduce significant stochastic uncertainty and extreme latency variance within the live network. Quantitatively, the controlled range environment introduces specific computational overheads: the high-density deployment of 22–25 containers per virtual host leads to CPU scheduling contention and increased I/O virtualization latency. Internal profiling indicates that the Docker network stack and context switching between numerous instances add an estimated 5–8% processing overhead per cryptographic operation. Furthermore, the limited memory allocation per container (approx. 320 MB) triggers more frequent JVM garbage collection cycles during peak loads, contributing an additional 15–30 ms of jitter. Consequently, without the stochastic smoothing effect naturally provided by the massive routing nodes in the global network, the simulation environment exhibits slightly higher latencies than the live network during extreme congestion scenarios.

Although it is technically feasible to remove transient nodes during the pre-processing phase to achieve a closer numerical fit, we deliberately retained them to preserve the original stochastic characteristics of the live I2P network. From a practical standpoint, rather than relying on the idealized removal of nodes, GAT-LA addresses this challenge through its stability-aware sampling mechanism. This ensures that nodes exhibiting high-variance or short-term behavior are progressively assigned lower selection probabilities. Consequently, the framework achieves a robust trade-off: it remains grounded in real-world noise while ensuring the core simulation domain is not destabilized by transient anomalies.

Table 3. $PD$ of simulation strategies relative to the reference group across multiple metrics.

Group	${\mathit{PD}}_{\mathbf{TTFB}}$ (s)	${\mathit{PD}}_{\mathbf{TTLB}}$ (s)	${\mathit{PD}}_{\mathbf{SR}}$ (%)	${\mathit{PD}}_{\mathbf{TH}}$ (KB/s)
GAT-LA	0.15	0.22	2.10	14.2
Baseline I	0.65	1.24	14.20	88.5
Baseline II	0.32	0.48	5.80	35.6

summarizes the $PD$ for each experimental group relative to the reference group across the observation period. As indicated, the GAT-LA strategy achieves the minimum deviation in every dimension. Specifically, for the $P{D}_{SR}$, GAT-LA restricts the error to within 2.1%, significantly outperforming the Heuristic-Dynamic approach (Baseline II) which lacks feature fusion.

Table 4. $P{D}_{\mathrm{TTLB}}$ values under different K sampling scales.

K	50	100	150	200	250	300	350
$\left(PD\right)$	0.85	0.52	0.35	0.24	0.22	0.21	0.2

illustrates the influence of the sampling scale K on the $P{D}_{\mathrm{TTLB}}$ of GAT-LA. Experimental results demonstrate that the simulation fidelity improves non-linearly as K increases. Specifically, once K reaches a threshold of 200, the reduction in $P{D}_{\mathrm{TTLB}}$ begins to plateau, indicating diminishing returns in accuracy for further scale expansions. In resource-constrained cyber range environments, increasing the node scale significantly intensifies the computational burden on the underlying hardware infrastructure. Therefore, guided by the experimental constraints outlined in Section 4.1, we selected a sampling scale of $K=200$ to achieve an optimal trade-off between modeling fidelity and computational overhead.

Table 5. Impact of the stability penalty coefficient $\lambda$ on GAT-LA simulation continuity.

Configuration	$\mathit{SS}$	${\mathit{P}}_{\mathbf{TSR}}$ (%)
$\lambda =0.2$	0.78	$65.1\pm 8.2$
$\lambda =0$	0.42	$52.8\pm 11.5$

evaluates the influence of the stability penalty coefficient $\lambda$ on the continuity of the GAT-LA simulation domain. While $\lambda$ is designed to encourage exploration by penalizing previously selected nodes, it paradoxically enhances Selection Stability ($SS$) at moderate levels (e.g., $\lambda =0.2$). As shown in Table 5, with $\lambda =0.2$, GAT-LA sustains a higher average success rate of 65.1% with markedly lower fluctuations ($SS=0.78$). This is attributed to the fact that $\lambda$ mitigates the rank-oscillation effect, where minor performance fluctuations in the live I2P network cause nodes to frequently enter and exit the Top-K set. Conversely, without the penalty ($\lambda =0$), the model over-optimizes for instantaneous gains, resulting in a chaotic “churn” and severe jitters in $P_{\mathrm{TSR}}$ ($SS=0.42$). By diversifying the selection, $\lambda$ acts as a temporal buffer that smooths the evolutionary trajectory. However, an excessively high $\lambda$ would eventually risk a “stale” or forced-turnover topology; thus, $\lambda =0.2$ is optimized to maintain high fidelity while preventing unrealistic routing oscillations.

5. Conclusions

To mitigate the limitations of static modeling in capturing network dynamics, we proposed a dynamic modeling approach utilizing Graph Attention Network (GAT). The methodology consists of a Region-Centric Initialization (RCI) strategy for establishing an initial observation anchor and a GAT-based locality-aware sampling strategy (GAT-LA) that treats node selection as a dynamic learning task. The primary results and contributions of this work are summarized as follows. First, the RCI strategy provides a practical solution for local modeling initialization by supporting both automated scoring and manual configuration based on research needs. Second, experimental evaluations indicate that the GAT-LA mechanism improves the similarity between simulated and real-world performance distributions over extended periods compared to static sampling methods. Third, the stability penalty mechanism contributes to mitigating excessive topological fluctuations, thereby improving the temporal consistency of the simulation domain.

These findings suggest the feasibility of employing graph-based learning methods to handle node selection in dynamic anonymous networks. By considering both node health indicators and neighborhood structures, the proposed approach offers an alternative to traditional heuristic sampling, particularly for scenarios requiring long-term performance observation.

In terms of practical application, the results provide a more realistic baseline for evaluating network protocols in a testbed environment. Specifically, the framework can be used to benchmark the performance of path selection algorithms under simulated node churn. Additionally, it offers a controlled platform for analyzing localized network characteristics while adhering to ethical standards regarding user privacy.

The paper has certain limitations, as it primarily focuses on topological evolution and does not yet integrate flow-level traffic modeling. The accuracy of the model is also contingent on the quality of the initial netDb measurements.

Future research could explore several directions. One objective is to incorporate traffic-level characteristics to provide a more comprehensive simulation environment. Another direction involves investigating multi-center initialization to represent broader segments of the network. Furthermore, considering the inherent diversity of node attributes in I2P, future work will specifically investigate heterophilic graph learning architectures, such as ACM-GCN [40], to further enhance model adaptability to dissimilar node interconnections. Additionally, integrating simple adversarial behaviors into the selection process could help evaluate network resilience. Finally, improving the synchronization efficiency between the live network state and the simulation domain remains a subject for further investigation.