
ELISHA: A Visual-Based Anomaly Detection System

Soon-Tee Teoh, Kwan-Liu Ma, S. Felix Wu (University of California, Davis); Dan Massey, Xiao-Liang Zhao, Allison Mankin (USC/ISI); Dan Pei, Lan Wang, Lixia Zhang (UCLA); Randy Bush (IIJ)





Presentation Transcript


  1. ELISHA: A Visual-Based Anomaly Detection System
  Soon-Tee Teoh, Kwan-Liu Ma, S. Felix Wu (University of California, Davis)
  Dan Massey, Xiao-Liang Zhao, Allison Mankin (USC/ISI)
  Dan Pei, Lan Wang, Lixia Zhang (UCLA)
  Randy Bush (IIJ)
  RAID 2002, Zurich

  2. Outline
  • Visual-based “Anomaly Detection”
  • The BGP/MOAS Problem
  • ELISHA and demo
  • Conclusion/Future Works

  3. A Few Research Objectives
  • Limitations on “Anomaly Detection”
  • We need to convey the alerts (or their abstraction) to the “human” users or experts
  • Not only detecting the problem, but also, via an interactive process, finding more details about it
  • Root cause analysis
  • Event correlation
  • Human versus machine intelligence

  4. Visual-based “Anomaly Detection”
  • Utilize humans’ cognitive pattern-matching capability together with techniques from information visualization.
  • “Visual” anomalies
  • Something catches your eye…

  5. An Interactive Process (figure: Data Collection → Filtering → Mapping → Rendering → Viewing)
  • Methodology
  • Build an interactive interface between network management and operators, so they can visualize the data
  • Features help operators quickly perceive anomalies

  6. BGP & Autonomous Systems (figure: AS6192 (UCDavis), AS11423 (UC), AS11537 (CENIC), prefix 169.237/16)

  7.
  • 6192: UCDavis
  • 11423: UC; the origin ID is CENIC
  • 11537: administered by University Corporation for Advanced Internet Development, origin ID UCAID-1
  • 513: administered by CERN - European Organization for Nuclear Research
  • 3356: administered by Level 3 Communications, LLC, origin ID L3CL-1
  • 6461: administered by Abovenet Communications, Inc
  • 13129: RIPE Network Coordination Centre
  • 209: administered by Qwest, origin ID QWEST-4
  • 3320: RIPE Network Coordination Centre
  • 9177: administered by NEXTRANET, T-Systems Multilink AG Switzerland
  • 4637, 1221 and 4608: administered by APNIC, but I can't find who they are in the APNIC whois database
  • 3549: administered by Global Crossing, located in Phoenix, AZ
  • 3257, 3333 and 1103: RIPE Network Coordination Centre
  • 2914: administered by Verio, Inc
  • 7018: administered by AT&T

  8. Origin AS in an AS Path
  • UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
  • AS Path: 2194209114236192
  • 12654 513 11537 11423 6192
  • 12654 13129 6461 3356 11423 6192
  • 12654 9177 3320 209 11423 6192
  • 12654 4608 1221 4637 11423 6192
  • 12654 777 2497 209 11423 6192
  • 12654 3549 3356 11423 6192
  • 12654 3257 3356 11423 6192
  • 12654 1103 11537 11423 6192
  • 12654 3333 3356 11423 6192
  • 12654 7018 209 11423 6192
  • 12654 2914 209 11423 6192
  • 12654 3549 209 11423 6192
  • Observation points in the Internet collecting BGP AS path updates
  • RIPE: AS-12654

  9. BGP MOAS/OASC Events
  • Observable changes in IP address ownership
  • OASC: Origin AS Changes
  • Example 1:
    • Multiple ASes announce the same block of IP addresses.
    • MOAS stands for Multiple Origin AS.
  • Example 2:
    • Punch holes in the address space.
    • AS-7777 announced 169.237.6/24
  • Maybe legitimate or faulty.
  • Many different types of MOAS/OASC events

  10. BGP MOAS/OASC Events (chart of daily event counts; max: 10226, of which 9177 from a single AS)

  11. ELISHA/MOAS
  • Low-level events: BGP route updates
  • High-level events: MOAS/OASC
  • Still 1000+ per day, and max 10226 per day
  • IP address blocks
  • Origin AS in BGP update messages
  • Different types of MOAS conflicts

  12. Quad-Tree Representation (figure: the address space split into quadrants labelled 00, 01, 10, 11, each subdivided the same way, e.g. 110000 … 111011; AS# per block)
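The detection logic slides 8, 9 and 12 describe, worked through as an added Python example that is not part of the ELISHA presentation or its released code: the origin AS is the last hop of the AS path, a MOAS conflict is a prefix with more than one origin, a punched hole is a more-specific prefix whose origin differs from that of its covering prefix (AS-7777's 169.237.6/24 inside UCDavis's 169.237/16), and the quad-tree code takes two address bits per level. The BGP updates are constructed sample data, and AS 65001 is a made-up second origin.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (prefix, AS path) pairs as an observation point such as
# RIPE's AS-12654 would collect them. The origin AS is the last AS in the path.
UPDATES = [
    ("169.237.0.0/16", [12654, 513, 11537, 11423, 6192]),
    ("169.237.0.0/16", [12654, 3549, 3356, 11423, 6192]),
    ("169.237.0.0/16", [12654, 7018, 209, 11423, 6192]),
    ("169.237.0.0/16", [12654, 2914, 209, 11423, 65001]),  # made-up second origin
    ("169.237.6.0/24", [12654, 209, 7777]),                 # hole punched by AS-7777
]

def origins_by_prefix(updates):
    """Map each announced prefix to the set of origin ASes seen for it."""
    origins = defaultdict(set)
    for prefix, path in updates:
        origins[ipaddress.ip_network(prefix)].add(path[-1])
    return origins

def moas_conflicts(origins):
    """MOAS: prefixes announced by more than one origin AS."""
    return {str(p): sorted(o) for p, o in origins.items() if len(o) > 1}

def punched_holes(origins):
    """Holes: a more-specific prefix whose origins share nothing with the
    origins of a covering prefix, i.e. someone else claims part of the block."""
    holes = []
    for sub, sub_origins in origins.items():
        for sup, sup_origins in origins.items():
            if sub != sup and sub.subnet_of(sup) and not (sub_origins & sup_origins):
                holes.append((str(sub), sorted(sub_origins), str(sup), sorted(sup_origins)))
    return holes

def quadtree_code(prefix):
    """Quad-tree path of a prefix: two address bits per level (00, 01, 10, 11),
    so 169.237/16 becomes eight quadrant labels. Odd prefix lengths are
    rounded down to whole levels."""
    net = ipaddress.ip_network(prefix)
    bits = format(int(net.network_address), "032b")[: net.prefixlen]
    return [bits[i:i + 2] for i in range(0, len(bits) - len(bits) % 2, 2)]

if __name__ == "__main__":
    seen = origins_by_prefix(UPDATES)
    print("MOAS:", moas_conflicts(seen))
    print("holes:", punched_holes(seen))
    print("quad-tree 169.237/16:", " ".join(quadtree_code("169.237.0.0/16")))
```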

  13. MOAS Event Types
  • Using different colors to represent types of MOAS events
  • C type: CSS, CSM, CMS, CMM
  • H type: H
  • B type: B
  • O type: OS, OM

  14. Example: CSM (Change SM) (quad-tree figure marking the victim, the suspect, and one CSM instance)

  15. AS-7777 Punched a Hole (figure)
  • Which AS against which, and which address blocks?

  16. Interesting ASes to watch
  • AS7777
    • August 14, 2000: H, OS
  • AS15412
    • April 6-19, 2001: CSM, CMS
  • AS4740
    • August 18, 2001: CSM, CMS
    • September 27, 2001: CSM, CMS
  • AS701
    • May 02, 2001: H (63.0/10, quad-tree path 00 11 11 11 00)
    • March 1, 2000, July 11, 200, September 26, 2001...
  • AS64518
    • September 18, 2001: Nimda, H’ed from many ASes.

  17. Demo time!!

  18. 08/14/2000 & 04/2001

  19. Remarks
  • Preliminary but encouraging results
    • Root cause analysis
    • Event correlation
  • Integration of information visualization, interactive investigation process, and data mining
  • Examining several other problems:
    • BGP route path dynamics and stability
    • TCP/IP and HTTP traffic
  • Availability (source code, papers, ppt)
    • http://www.cs.ucdavis.edu/~wu/Elisha/
  • Sponsored by DARPA and NSF

  20. August 14, 2000 (larger)

  21. 2-D versus 3-D on August 14, 2000

  22. (figure only)

  23. BGP AS Path Dynamics (1)

  24. BGP AS Path Dynamics (2)

  25. Address Appearing Frequency: Normal

  26. DDoS Attack
