260 likes | 406 Views
Soon-Tee Teoh, Kwan-Liu Ma S. Felix Wu University of California, Davis. Dan Massey, Xiao-Liang Zhao Allison Mankin USC/ISI. Dan Pei, Lan Wang, Lixia Zhang UCLA. Randy Bush IIJ. ELISHA: A Visual-Based Anomaly Detection System. Outline. Visual-based “Anomaly Detection”
E N D
Soon-Tee Teoh, Kwan-Liu Ma S. Felix Wu University of California, Davis Dan Massey, Xiao-Liang Zhao Allison Mankin USC/ISI Dan Pei, Lan Wang, Lixia Zhang UCLA Randy Bush IIJ ELISHA: A Visual-Based Anomaly Detection System RAID 2002, Zurich
Outline • Visual-based “Anomaly Detection” • The BGP/MOAS Problem • ELISHA and demo • Conclusion/Future Works RAID 2002, Zurich
A Few Research Objectives • Limitations on “Anomaly Detection” • We need to convey the alerts (or their abstraction) to the “human” users or experts • Not only detecting the problem, but also, via an interactive process, finding more details about it • Root cause analysis • Event Correlation • Human versus Machine Intelligence RAID 2002, Zurich
Visual-based “Anomaly Detection” • Utilize human’s cognitive pattern matching capability and techniques from information visualization. • “Visual” Anomalies • Something catches your eyes… RAID 2002, Zurich
Data Collection Filtering Mapping Rendering Viewing An Interactive Process • Methodology • Build an interactive interface between network management and operators, so they can visualize the data • Features help operators quickly perceive anomalies RAID 2002, Zurich
BGP & Autonomous Systems AS6192 (UCDavis) AS11423 (UC) 169.237/16 AS11537 (CENIC) RAID 2002, Zurich
6192 UCDavis 11423 UC, the origin ID is CENIC 11537 is admined by University Corporation for Advanced Internet Development, origin ID UCAID-1 513 is admined CERN - European Organization for Nuclear Research 3356 is admined by Level 3 Communications, LLC, origin ID is L3CL-1 6461 is admined by Abovenet Communications, Inc 13129 is RIPE Network Coordination Centre 209 is admined by Qwest, origin ID is QWEST-4 3320 is RIPE Network Coordination Centre 9177 is admined by NEXTRANET, T-Systems Multilink AG Switzerland. 4637 , 1221 and 4608 are admined by APNIC , but I can't find who they are in APNIC whois database. 3549 is admined by Global Crossing, it is locate at Phoenix AZ . 3257 and 3333, 1103 are RIPE Network Coordination Centre 2914 is admined by Verio, Inc 7018 is admined by AT&T RAID 2002, Zurich
Origin AS in an AS Path • UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS • AS Path: 2194209114236192 • 12654 513 11537 11423 6192 • 12654 13129 6461 3356 11423 6192 • 12654 9177 3320 209 11423 6192 • 12654 4608 1221 4637 11423 6192 • 12654 777 2497 209 11423 6192 • 12654 3549 3356 11423 6192 • 12654 3257 3356 11423 6192 • 12654 1103 11537 11423 6192 • 12654 3333 3356 11423 6192 • 12654 7018 209 11423 6192 • 12654 2914 209 11423 6192 • 12654 3549 209 11423 6192 • Observation Points in the Internet collecting BGP AS Path Updates • RIPE: AS-12654 RAID 2002, Zurich
BGP MOAS/OASC Events • Observable Changes in IP Address Ownership • OASC: Origin AS Changes • Example 1: • Multiple ASes announce the same block of IP addresses. • MOAS stands for Multiple Origin AS. • Example 2: • Punch Holes in the Address Space. • AS-7777 announced 169.237.6/24 • Maybe legitimate or faulty. • Many different types of MOAS/OASC events RAID 2002, Zurich
BGP MOAS/OASC Events Max: 10226 (9177 from a single AS) RAID 2002, Zurich
ELISHA/MOAS • Low level events: BGP Route Updates • High level events: MOAS/OASC • Still 1000+ per day and max 10226 per day • IP address blocks • Origin AS in BGP Update Messages • Different Types of MOAS conflicts RAID 2002, Zurich
01 11 110001 110011 111001 111011 110000 110010 111000 111010 00110110 1001 00 10 AS# Quad-Tree Representation RAID 2002, Zurich
MOAS Event Types • Using different colors to represent types of MOAS events • C type: CSS, CSM, CMS, CMM • H type: H • B type: B • O type: OS, OM RAID 2002, Zurich
01 11 110001 110011 111001 111011 110000 110010 111000 111010 00110110 1001 00 10 Example: CSM (Change SM) victim one CSM instance suspect RAID 2002, Zurich
AS-7777 Punched a Hole Which AS against which And which address blocks? RAID 2002, Zurich
Interesting ASs to watch • AS7777 • August 14, 2000 H, OS • AS15412 • April 6-19, 2001 CSM, CMS • AS4740 • August 18, 2001 CSM, CMS • September 27, 2001 CSM, CMS • AS701 • May 02, 2001 H (63.0/10) • 00 11 11 11 00 ***** March 1, 2000, July 11, 200, September 26, 2001... • AS64518 • September 18, 2001-Nimda H’ed from many ASes. RAID 2002, Zurich
Demo time!! RAID 2002, Zurich
08/14/2000 & 04/2001 RAID 2002, Zurich
Remarks • Preliminary but encouraging results • Root cause analysis • Event correlation • Integration of Information Visualization, Interactive Investigation Process, and Data Mining • Examining several other problems: • BGP Route Path Dynamics and Stability • TCP/IP and HTTP Traffic • Availability (source code, papers, ppt) • http://www.cs.ucdavis.edu/~wu/Elisha/ • Sponsored by DARPA and NSF RAID 2002, Zurich
August 14, 2000 (larger) RAID 2002, Zurich
2-D versus 3-D on August 14, 2000 RAID 2002, Zurich
BGP AS Path Dynamics (1) RAID 2002, Zurich
BGP AS Path Dynamics (2) RAID 2002, Zurich
Address Appearing Frequency Normal RAID 2002, Zurich
DDoS Attack RAID 2002, Zurich