ABSTRACT
This paper presents BGPfuse, a scheme for visualizing and exploring BGP (Border Gateway Protocol) path change anomalies. BGPfuse uses a set of BGP features capable of quantifying the degree of anomaly of each path change event. Moreover, visual methods are introduced for efficiently fusing these multiple features. Exploiting human perception makes it possible to overcome the static nature of existing weight-based fusion approaches. A Parallel Coordinates approach is used to visualize these features, further enhanced with filtering capabilities so as to discriminate between normal and abnormal events. BGPfuse uses multiple linked graph views to represent in depth the relationships among the involved Autonomous Systems (ASes), as well as a combined graph view to highlight structural similarities between all the individual feature graphs. The structural similarities and the filtering capabilities provided by BGPfuse enable the analyst to perform visual fusion of the BGP features, so as to detect any suspicious behavior and focus only on the most interesting cases. An experimental demonstration of BGPfuse shows the analytical potential of the proposed approach by decisively capturing malicious BGP hijacking events.