1 / 22

Visual-based Anomaly Detection for BGP Origin AS Change (OASC)

Visual-based Anomaly Detection for BGP Origin AS Change (OASC). Soon-Tee Teoh 1 , Kwan-Liu Ma 1 , S. Felix Wu 1 , Dan Massey 2 , Xiao-Liang Zhao 2 , Dan Pei 3 , Lan Wang 3 , Lixia Zhang 3 , Randy Bush 4 UC Davis, USC/ISI , UCLA , IIJ. Elisha : the long-term goal.

reese-byers
Download Presentation

Visual-based Anomaly Detection for BGP Origin AS Change (OASC)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Visual-based Anomaly Detection for BGP Origin AS Change (OASC) Soon-Tee Teoh1, Kwan-Liu Ma1, S. Felix Wu1, Dan Massey2, Xiao-Liang Zhao2, Dan Pei3, Lan Wang3, Lixia Zhang3, Randy Bush4 UC Davis, USC/ISI, UCLA, IIJ DSOM'2003, Heidelberg, Germany

  2. Elisha: the long-term goal • Monitoring and management of a large-scale complex system that we do not fully understand its behavior. • Integration of human and machine intelligence to adaptively develop the domain knowledge for the target system. DSOM'2003, Heidelberg, Germany

  3. In this talk… • Knowledge Acquisition via Visualization • cognitive pattern matching • event correlation and explanation • Outline • Background: Origin AS in BGP • The Elisha/OASC tool • One example and demo DSOM'2003, Heidelberg, Germany

  4. Autonomous Systems (ASes) AS6192 AS11423 (UC) AS11537 (CENIC) AS513 UCDavis: 169.237/16 an AS Path: 169.237/1651311537114236192 DSOM'2003, Heidelberg, Germany

  5. Origin AS in an AS Path 12654 3333 3549 7018 2914 4637 3356 11537 209 11423 6192 • UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS • AS Path: 51311537114236192 • 12654 13129 6461 3356 11423 6192 • 12654 9177 3320 209 11423 6192 • 12654 4608 1221 4637 11423 6192 • 12654 777 2497 209 11423 6192 • 12654 3549 3356 11423 6192 • 12654 3257 3356 11423 6192 • 12654 1103 11537 11423 6192 • 12654 3333 3356 11423 6192 • 12654 7018 209 11423 6192 • 12654 2914 209 11423 6192 • 12654 3549 209 11423 6192 • Observation Points in the Internet collecting BGP AS Path Updates: RIPE: AS-12654 DSOM'2003, Heidelberg, Germany

  6. Origin AS Changes (OASC) 12654 • Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS • Current • AS Path: 2914209114236192 • for prefix: 169.237/16 • New • AS Path: 2914301127381 • even worse: 169.237.6/24 • Which route path to use? • Legitimate or not?? 2914 3011 209 273 11423 81 6192 169.237/16 169.237.6/24 DSOM'2003, Heidelberg, Germany

  7. BGP OASC Events (one type only) Max: 10226 (9177 from a single AS) DSOM'2003, Heidelberg, Germany

  8. Data from BGP Observation Points DSOM'2003, Heidelberg, Germany

  9. Anomaly Detection • False positive versus false negative • Anomaly analysis: • To find the “meaning”, “explanation,” and “knowledge” behind those detected anomalies DSOM'2003, Heidelberg, Germany

  10. Visual-based Anomaly Detection • “Visual” Anomalies • Something catches your eyes… • Mental/Cognitive “long-term” profile or normal behavior • We build the “long-term” profile in your mind. • Human experts can incorporate “domain knowledge” about the target system/protocol. DSOM'2003, Heidelberg, Germany

  11. Visual-based Anomaly Detection raw events Information Visualization Toolkit update decay clean cognitive profile cognitively identify the deviation alarm identification DSOM'2003, Heidelberg, Germany

  12. ELISHA/OASC • Events: • Low level events: BGP Route Updates • High level events: OASC • Still 1000+ per day and max 10226 per day for the whole Internet • Information to represent visually: • IP address blocks • Origin AS in BGP Update Messages • Different Types of OASC Events DSOM'2003, Heidelberg, Germany

  13. Qua-Tree Representation of IP Address Prefixes 01 11 110001 110011 111001 111011 110000 110010 111000 111010 00110110 1001 00 10 169.237/16 10101001.11101101/16 DSOM'2003, Heidelberg, Germany

  14. AS# Representation AS-7777 01 11 110001 110011 111001 111011 110000 110010 111000 111010 AS# 00110110 1001 00 10 AS-1 AS-15412 DSOM'2003, Heidelberg, Germany

  15. AS81 punched a “hole” on 169.237/16 yesterday AS-6192 victim yesterday 169.237/16 today 169.237/16 169.237.6/24 offender today AS-81 DSOM'2003, Heidelberg, Germany

  16. 8 OASC Event Types • Using different colors to represent types of OASC events • C type: CSS, CSM, CMS, CMM • H type: H • B type: B • O type: OS, OM DSOM'2003, Heidelberg, Germany

  17. August 14, 2000 AS-7777 punched hundreds of holes. DSOM'2003, Heidelberg, Germany

  18. April 6, 2001 AS15412 caused 40K+ MOAS/OASC events within 2 weeks… DSOM'2003, Heidelberg, Germany

  19. April 7-10, 2001 04/07/2001 all 04/07/2001 15412 04/08/2001 all 04/08/2001 15412 04/09/2001 all 04/09/2001 15412 04/10/2001 all 04/10/2001 15412 DSOM'2003, Heidelberg, Germany

  20. April 11-14, 2001 04/11/2001 all 04/11/2001 15412 04/12/2001 all 04/12/2001 15412 04/13/2001 all 04/13/2001 15412 04/14/2001 all 04/14/2001 15412 DSOM'2003, Heidelberg, Germany

  21. April 18-19, 2001 – Again?? 04/18/2001 all 04/18/2001 15412 04/19/2001 all 04/19/2001 15412 DSOM'2003, Heidelberg, Germany

  22. Remarks • The Elisha/OASC prototype discovered and helped to explain real-world BGP anomalies. • Integration with Statistical approaches. • Elisha: open source available • http://www.cs.ucdavis.edu/~wu/Elisha/ • Linux/Windows DSOM'2003, Heidelberg, Germany

More Related