DOI: 10.1145/2517957.2517965
research-article

BGPfuse: using visual feature fusion for the detection and attribution of BGP anomalies

Published: 02 October 2013

ABSTRACT

This paper presents BGPfuse, a scheme for visualizing and exploring BGP (Border Gateway Protocol) path change anomalies. BGPfuse uses a set of BGP features that are capable of quantifying the degree of anomaly of each path change event. Moreover, visual methods are introduced for performing the efficient fusion of these multiple features. Exploiting human perception makes it possible to overcome the static nature of existing weight-based fusion approaches. A Parallel Coordinates approach is used to visualize these features, and it is further enhanced with filtering capabilities so as to discriminate between normal and abnormal events. BGPfuse uses multiple linked graph views to represent in depth the relationships among the involved Autonomous Systems (ASes), as well as a combined graph view to highlight structural similarities between all the individual feature graphs. The structural similarities and the filtering capabilities provided by BGPfuse enable the analyst to perform visual fusion of the BGP features, so as to detect any suspicious behavior and focus only on the most interesting cases. An experimental demonstration of BGPfuse shows the analytical potential of the proposed approach by decisively capturing malicious BGP hijacking events.

  • Published in

    ACM Other conferences
    VizSec '13: Proceedings of the Tenth Workshop on Visualization for Cyber Security
    October 2013
    77 pages
    ISBN: 9781450321730
    DOI: 10.1145/2517957

    Copyright © 2013 ACM

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    • Published: 2 October 2013

    Qualifiers

    • research-article

    Acceptance Rates

    VizSec '13 Paper Acceptance Rate: 9 of 30 submissions, 30%. Overall Acceptance Rate: 39 of 111 submissions, 35%.
