220 likes | 336 Views
Visual-based Anomaly Detection for BGP Origin AS Change (OASC). Soon-Tee Teoh 1 , Kwan-Liu Ma 1 , S. Felix Wu 1 , Dan Massey 2 , Xiao-Liang Zhao 2 , Dan Pei 3 , Lan Wang 3 , Lixia Zhang 3 , Randy Bush 4 UC Davis, USC/ISI , UCLA , IIJ. Elisha : the long-term goal.
E N D
Visual-based Anomaly Detection for BGP Origin AS Change (OASC) Soon-Tee Teoh1, Kwan-Liu Ma1, S. Felix Wu1, Dan Massey2, Xiao-Liang Zhao2, Dan Pei3, Lan Wang3, Lixia Zhang3, Randy Bush4 UC Davis, USC/ISI, UCLA, IIJ DSOM'2003, Heidelberg, Germany
Elisha: the long-term goal • Monitoring and management of a large-scale complex system that we do not fully understand its behavior. • Integration of human and machine intelligence to adaptively develop the domain knowledge for the target system. DSOM'2003, Heidelberg, Germany
In this talk… • Knowledge Acquisition via Visualization • cognitive pattern matching • event correlation and explanation • Outline • Background: Origin AS in BGP • The Elisha/OASC tool • One example and demo DSOM'2003, Heidelberg, Germany
Autonomous Systems (ASes) AS6192 AS11423 (UC) AS11537 (CENIC) AS513 UCDavis: 169.237/16 an AS Path: 169.237/1651311537114236192 DSOM'2003, Heidelberg, Germany
Origin AS in an AS Path 12654 3333 3549 7018 2914 4637 3356 11537 209 11423 6192 • UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS • AS Path: 51311537114236192 • 12654 13129 6461 3356 11423 6192 • 12654 9177 3320 209 11423 6192 • 12654 4608 1221 4637 11423 6192 • 12654 777 2497 209 11423 6192 • 12654 3549 3356 11423 6192 • 12654 3257 3356 11423 6192 • 12654 1103 11537 11423 6192 • 12654 3333 3356 11423 6192 • 12654 7018 209 11423 6192 • 12654 2914 209 11423 6192 • 12654 3549 209 11423 6192 • Observation Points in the Internet collecting BGP AS Path Updates: RIPE: AS-12654 DSOM'2003, Heidelberg, Germany
Origin AS Changes (OASC) 12654 • Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS • Current • AS Path: 2914209114236192 • for prefix: 169.237/16 • New • AS Path: 2914301127381 • even worse: 169.237.6/24 • Which route path to use? • Legitimate or not?? 2914 3011 209 273 11423 81 6192 169.237/16 169.237.6/24 DSOM'2003, Heidelberg, Germany
BGP OASC Events (one type only) Max: 10226 (9177 from a single AS) DSOM'2003, Heidelberg, Germany
Data from BGP Observation Points DSOM'2003, Heidelberg, Germany
Anomaly Detection • False positive versus false negative • Anomaly analysis: • To find the “meaning”, “explanation,” and “knowledge” behind those detected anomalies DSOM'2003, Heidelberg, Germany
Visual-based Anomaly Detection • “Visual” Anomalies • Something catches your eyes… • Mental/Cognitive “long-term” profile or normal behavior • We build the “long-term” profile in your mind. • Human experts can incorporate “domain knowledge” about the target system/protocol. DSOM'2003, Heidelberg, Germany
Visual-based Anomaly Detection raw events Information Visualization Toolkit update decay clean cognitive profile cognitively identify the deviation alarm identification DSOM'2003, Heidelberg, Germany
ELISHA/OASC • Events: • Low level events: BGP Route Updates • High level events: OASC • Still 1000+ per day and max 10226 per day for the whole Internet • Information to represent visually: • IP address blocks • Origin AS in BGP Update Messages • Different Types of OASC Events DSOM'2003, Heidelberg, Germany
Qua-Tree Representation of IP Address Prefixes 01 11 110001 110011 111001 111011 110000 110010 111000 111010 00110110 1001 00 10 169.237/16 10101001.11101101/16 DSOM'2003, Heidelberg, Germany
AS# Representation AS-7777 01 11 110001 110011 111001 111011 110000 110010 111000 111010 AS# 00110110 1001 00 10 AS-1 AS-15412 DSOM'2003, Heidelberg, Germany
AS81 punched a “hole” on 169.237/16 yesterday AS-6192 victim yesterday 169.237/16 today 169.237/16 169.237.6/24 offender today AS-81 DSOM'2003, Heidelberg, Germany
8 OASC Event Types • Using different colors to represent types of OASC events • C type: CSS, CSM, CMS, CMM • H type: H • B type: B • O type: OS, OM DSOM'2003, Heidelberg, Germany
August 14, 2000 AS-7777 punched hundreds of holes. DSOM'2003, Heidelberg, Germany
April 6, 2001 AS15412 caused 40K+ MOAS/OASC events within 2 weeks… DSOM'2003, Heidelberg, Germany
April 7-10, 2001 04/07/2001 all 04/07/2001 15412 04/08/2001 all 04/08/2001 15412 04/09/2001 all 04/09/2001 15412 04/10/2001 all 04/10/2001 15412 DSOM'2003, Heidelberg, Germany
April 11-14, 2001 04/11/2001 all 04/11/2001 15412 04/12/2001 all 04/12/2001 15412 04/13/2001 all 04/13/2001 15412 04/14/2001 all 04/14/2001 15412 DSOM'2003, Heidelberg, Germany
April 18-19, 2001 – Again?? 04/18/2001 all 04/18/2001 15412 04/19/2001 all 04/19/2001 15412 DSOM'2003, Heidelberg, Germany
Remarks • The Elisha/OASC prototype discovered and helped to explain real-world BGP anomalies. • Integration with Statistical approaches. • Elisha: open source available • http://www.cs.ucdavis.edu/~wu/Elisha/ • Linux/Windows DSOM'2003, Heidelberg, Germany