Meng Chen,Mingwei Xu,Qing Li,Yuan Yang

DOI: https://doi.org/10.1016/j.comnet.2016.09.018

IF: 5.493

2016-01-01

Computer Networks

Abstract:Measurement on the Border Gateway Protocol (BGP) system is important for understanding the Internet. Many attempts have been made to detect anomalous Internet events through dissecting BGP updates and tables. We notice that most works in this field either deploy/use few monitors or analyze aggregated statistics. Such practices may result in overestimating the impact of monitor-local events, which can be viewed by only a small area.We propose Large-scale BGP Event (LBE), which affects many IP prefixes (high impact) and is widely observable (non-local). To detect LBE, we propose the Update Visibility Matrix (UVM) to record the prefix and monitor related to each update. We formulate the problem of identifying LBE in UVM, which is NP-hard. Then we propose a heuristic algorithm to solve it. We apply the scheme to 2.18 TB of BGP updates and find that the identified LBEs are highly correlated with many well-known disruptive incidents. Besides, we identify 101 LBEs that have never been investigated before. By conducting case studies, we find that the LBEs have high impact and are caused by various reasons. Our work can assist in network/Internet management tasks such as problem prevention, diagnosis, and recovery.

Meng Chen,Mingwei Xu,Xirui Song,Yuan Yang

DOI: https://doi.org/10.1109/LCN.2015.7366297

2015-01-01

Abstract:Anomalous BGP events can deteriorate Internet performance and connectivity thus have always been a research topic. However, most measurement works in this realm are prone to monitor-local events, namely, the events local to only few BGP monitors. Besides, events that are widely observed can also have negligible impact, e.g., prefix-local events. In contrast, a Large-scale BGP Event (LBE) makes a large quantity of prefixes be updated and can be observed by a large portion of monitors. Such events are anomalous even harmful. We formulate the problem of identifying LBEs from BGP updates, then propose the Iterative Cut-off Algorithm to solve it. We apply the method to some famous disruptive events and some `innocent' data, which are collected from more than 400 monitors. The measurement results validate the effectiveness of our method. Moreover, we detect a severe and persistent misconfiguration event that has remained unreported before.

Dejing Dou,Jun Li,Han Qin,Shiwoong Kim,Sheng Zhong

DOI: https://doi.org/10.1137/1.9781611972771.46

2007-01-01

Abstract:Abnormal events, such as security attacks, misconfigurations, or electricity failures, could have severe consequences toward the normal operation of the Border Gateway Protocol (BGP) that is in charge of the delivery of packets between different autonomous domains, a key operation for the Internet to function. Unfortunately, it has been a difficult task for network security researchers and engineers to classify and detect these events. In our previous work, we have shown that with classification (which relies on the labeling with domain knowledge from BGP experts), it is feasible to effectively detect and distinguish some worms and blackouts from normal BGP behaviors. In this paper, we move one important step forward we show that we can automatically detect and classify between different abnormal BGP events based on a hierarchy discovered by clustering. As a systematic application of data mining, we devise a clustering method based on normalized BGP data that forms a tree-like hierarchy of abnormal BGP event classes. We then obtain a set of classification rules for each class (node) in the hierarchy, thus able to label unknown BGP data to a closest class. Our method works even as the BGP dynamics evolve over time, as shown in our experiments with seven different abnormal events during a four-year period. Our work, in a more general context, shows it is promising to conduct an interdisciplinary research between network security and data mining in solving real-world problems.

Songtao Peng,Jiaqi Nie,Xincheng Shu,Zhongyuan Ruan,Lei Wang,Yunxuan Sheng,Qi Xuan

DOI: https://doi.org/10.1016/j.comnet.2022.109129

IF: 5.493

2022-01-01

Computer Networks

Abstract:As the default protocol for exchanging routing reachability information on the Internet, the abnormal behavior in traffic of Border Gateway Protocols (BGP) is closely related to Internet anomaly events. The BGP anomalous detection model ensures stable routing services on the Internet through its real-time monitoring and alerting capabilities. Previous studies either focused on the feature selection problem or the memory characteristic in data, while ignoring the relationship between features and the precise time correlation in feature (whether it is long or short term dependence). In this paper, we propose a multi-view model for capturing anomalous behaviors from BGP update traffic, in which Seasonal and Trend decomposition using Loess (STL) method is used to reduce the noise in the original time-series data, and Graph Attention Network (GAT) is used to discover feature relationships and time correlations in feature, respectively. Our results outperform the state-of-the-art methods at the anomaly detection task, with the average F1 score up to 96.3% and 93.2% on the balanced and imbalanced datasets respectively. Meanwhile, our model can be extended to classify multiple anomalous and to detect unknown events.

Ben Scott,Michael N. Johnstone,Patryk Szewczyk,Steven Richardson

DOI: https://doi.org/10.1016/j.comnet.2024.110257

IF: 5.493

2024-02-19

Computer Networks

Abstract:The Border Gateway Protocol (BGP), acting as the communication protocol that binds the Internet, remains vulnerable despite Internet security advancements. This is not surprising, as the Internet was not designed to be resilient to cyber-attacks, therefore the detection of anomalous activity was not of prime importance to the Internet creators. Detection of BGP anomalies can potentially provide network operators with an early warning system to focus on protecting networks, systems, and infrastructure from significant impact, improve security posture and resilience, while ultimately contributing to a secure global Internet environment. In this paper, we present a novel technique for the detection of BGP anomalies in different events. This research uses publicly available datasets of BGP messages collected from the repositories, Route Views and Réseaux IP Européens (RIPE). Our contribution is the application of a time series data mining approach, Matrix Profile (MP) , to detect BGP anomalies in all categories of BGP events. Advantages of the MP detection technique compared to extant approaches include that it is domain agnostic, is assumption-free, requires few parameters, does not require training data, and is scalable and storage efficient. The single hyper-parameter analysed in MP shows it is robust to change. Our results indicate the MP detection scheme is competitive against existing detection schemes. A novel BGP anomaly detection scheme is also proposed for further research and validation.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xin Wu,Xia Yin,Zhiliang Wang,Min Tang

DOI: https://doi.org/10.1109/isads.2009.5207350

2009-01-01

Abstract:In order to better understand BGP dynamics, a time-based approach has been developed to cluster BGP updates into routing events. Its basic idea is to cluster consecutive BGP updates of the same prefix into one routing events if the updates are separated by a time interval less than a threshold. Most of static threshold methods might incorrectly group multiple events into one if the threshold is too high, or divide a single event into multiple ones if the threshold is too low. On the other hand, previous dynamic threshold approach did not present a persuasive way to calculate one of its key parameters. In this paper we present a three-step dynamic threshold method to cluster BGP updates into routing events. We evaluate our approach using updates of BGP beacon prefixes downloaded from route views. The experiment result shows that our dynamic threshold approach could cluster updates into routing events more precisely than previous methods, and thus improve the accuracy of the BGP measurement studies.

Meng Chen,Mingwei Xu,Yuan Yang

DOI: https://doi.org/10.1109/noms.2016.7502915

2016-01-01

Abstract:Measuring the instability of IP prefixes in BGP is critical for network operation and management. In particular, identifying and investigating the most active prefixes assist in detecting, analyzing, and understanding network problems. The traditional metric to assess the activeness of a prefix is the quantity of BGP update. However, this metric may be strongly affected by monitor-local events: the large amount of updates for a highly active prefix may be caused by an event with rather limited impact area. To cope with the issue, we propose a two-dimensional method: in addition to the traditional metric, Update Quantity (UQ), we introduce Update Visibility (UV). The key idea is that we mark a prefix as a 'Highly Active Prefix' only when the large number of updates for it are widely observable. We define five types of active prefixes and propose a measurement method. We apply the method to 947 GB updates; the measurement results show that the two-dimensional method provides a more comprehensive picture of the highly active prefixes in the Internet than traditional single-metric schemes, and provides insights into network operations.

Joel Obstfeld,Xiaoyu Chen,Olivier Frebourg,Pavan Sudheendra

DOI: https://doi.org/10.48550/arXiv.1705.08666

2017-05-24

Abstract:BGP (Border Gateway Protocol) serves as the primary routing protocol for the Internet, enabling Autonomous Systems (individual network operators) to exchange network reachability information. Alongside significant on-going research and development efforts, there is a practical need to understand the nature of events that occur on the Internet. Network operators are acutely aware of security-related incidents such as 'Prefix Hijacking' as well as the impact of network instabilities that ripple through the Internet. Recent research focused on the study of BGP anomalies (both network/prefix instability and security-related incidents) has been based on the analysis of historical logs. Further analysis to understand the nature of these anomalous events is not always sufficient to be able to differentiate malicious activities, such as prefix- or sub-prefix- hijacking, from those events caused by inadvertent misconfigurations. In addition, such techniques are challenged by a lack of sufficient resources to store and process data feeds in real-time from multiple BGP Vantage Points (VPs). In this paper, we present a BGP Deep-analysis application developed using the PNDA (Platform for Network Data Analytics) 'Big-Data' platform. PNDA provides a highly scalable environment that enables the ingestion and processing of 'live' BGP feeds from many vantage points in a schema-agnostic manner. The Apache Spark-based application, in conjunction with PNDA's distributed processing capabilities, is able to perform high-level insights as well as near-to-real-time statistical analysis

Networking and Internet Architecture

ST Teoh,KL Ma,SF Wu,D Massey,XL Zhao,D Pei,L Wang,LX Zhang,R Bush

DOI: https://doi.org/10.1007/978-3-540-39671-0_14

2003-01-01

Abstract:To complement machine intelligence in anomaly event analysis and correlation, in this paper, we investigate the possibility of a human-interactive visual-based anomaly detection system for faults and security attacks related to the BGP (Border Gateway Protocol) routing protocol. In particular, we have built and tested a program, based on fairly simple information visualization techniques, to navigate interactively real-life BGP OASC (Origin AS Change) events. Our initial experience demonstrates that the integration of mechanical analysis and human intelligence can effectively improve the performance of anomaly detection and alert correlation. Furthermore, while a traditional representation of OASC events provides either little or no valuable information, our program can accurately identify, correlate previously unknown BGP/OASC problems, and provide network operators with a valuable high-level abstraction about the dynamics of BGP.

Weitao Weng,Kai Lei,Kuai Xu,Xiaoyou Liu,Tao Sun

DOI: https://doi.org/10.1007/978-3-319-39937-9_29

2016-01-01

Abstract:Campus networks consist of a rich diversity of end hosts including wired desktops, servers, and wireless BYOD devices such as laptops and smartphones, which are often compromised in insecure networks. Making sense of traffic behaviors of end hosts in campus networks is a daunting task due to the open nature of the network, heterogeneous devices, high mobility of end users, and a wide range of applications. To address these challenges, this paper applies a combination of graphical approaches and spectral clustering to group the Internet traffic of campus networks into distinctive traffic clusters in a divide-and-conquer manner. Specifically, we first model the data communication between a particular subnet of campus networks and the Internet on a specific application port via bipartite graphs, and subsequently use the one-mode projection to capture behavior similarity of end hosts in the same subnet for the same network applications. Finally we apply a spectral clustering algorithm to explore the behavior similarity to identify distinctive application clusters within each subnet. Our experimental results have demonstrated the benefits of our proposed method for analyzing Internet traffic of a large university town to discover anomalous behaviors and to uncover distinctive temporal and spatial traffic patterns.

Weisong He,Guangmin Hu,Yingjie Zhou

DOI: https://doi.org/10.1007/s11235-010-9384-1

2010-01-01

Telecommunication Systems

Abstract:In this paper, a substructure-based network behavior anomaly detection approach, called WFS (Weighted Frequent Subgraphs), is proposed to detect the anomalies of a large-scale IP networks. With application of WFS, an entire graph is examined, unusual substructures of which are reported. Due to additional information given by the graph, the anomalies are able to be detected more accurately. With multivariate time series motif association rules mining (MTSMARM), the patterns of abnormal traffic behavior are able to be obtained. In order to verify the above proposals, experiments are conducted and, together with application of backbone networks (Internet2) Netflow data, show some positive results.

Xia Yin,Min Tang,Zhiliang Wang

DOI: https://doi.org/10.1109/bcn.2007.372749

2007-01-01

Abstract:To better understand BGP dynamics, a number of previous measurement studies have focused on the convergence time of the routing events in the global routing system. A time-based approach has been developed to cluster BGP updates stream of the same prefix and the same observation point into routing events with threshold value. In practical networks, the same static threshold value, i.e. 4 minutes, can not group updates into events correctly. In this paper, we present an algorithm of dynamic threshold value for per destination network based on the probability method. Our experimental results show that the threshold value is sensitive to prefixes. A threshold value suitable for one prefix is not likely appropriate for another. Therefore, we think the dynamic values are more suitable for prefixes than the static value. With our method, the routing events can be clustered precisely, so that can improve the accuracy of the measurement studies.

Songtao Peng,Yiping Chen,Xincheng Shu,Wu Shuai,Shenhao Fang,Zhongyuan Ruan,Qi Xuan

2023-12-18

Abstract:In recent years, various international security events have occurred frequently and interacted between real society and cyberspace. Traditional traffic monitoring mainly focuses on the local anomalous status of events due to a large amount of data. BGP-based event monitoring makes it possible to perform differential analysis of international events. For many existing traffic anomaly detection methods, we have observed that the window-based noise reduction strategy effectively improves the success rate of time series anomaly detection. Motivated by this observation, we propose an unsupervised anomaly detection model, MAD-MulW, which incorporates a multi-window serial framework. Firstly, we design the W-GAT module to adaptively update the sample weights within the window and retain the updated information of the trailing sample, which not only reduces the outlier samples' noise but also avoids the space consumption of data scale expansion. Then, the W-LAT module based on predictive reconstruction both captures the trend of sample fluctuations over a certain period of time and increases the interclass variation through the reconstruction of the predictive sample. Our model has been experimentally validated on multiple BGP anomalous events with an average F1 score of over 90\%, which demonstrates the significant improvement effect of the stage windows and adaptive strategy on the efficiency and stability of the timing model.

Cryptography and Security

LU Junxiu,CHEN Maoke,LI Xing

DOI: https://doi.org/10.3969/j.issn.1672-9781.2008.02.045

2008-01-01

Abstract:Evaluating the effect of network events on Internet reachability is very important for ISPs. This paper design and implement a real-time tool called BGPSense to evaluate reachability based on BGP updates. BGPSense not only considers the temporal correlation and jitter of BGPupdates from different peers, also takes the importance metric of route into considerations. Using BGPSense, we study the effect of Slammerworm, US/CA blackout and Taiwan Earthquake on Internet reachability and find that BGPSense can clearly show the different effect of thesenetwork events. We believe BGPSense can help network operators and administrators to better understand and diagnose their networks.

Zhichao Hu,Xiangzhan Yu,Jiantao Shi,Lin Ye

DOI: https://doi.org/10.32604/cmc.2021.017574

2021-01-01

Abstract:With the continuous development of network technology, various large-scale cyber-attacks continue to emerge. These attacks pose a severe threat to the security of systems, networks, and data. Therefore, how to mine attack patterns from massive data and detect attacks are urgent problems. In this paper, an approach for attack mining and detection is proposed that performs tasks of alarm correlation, false-positive elimination, attack mining, and attack prediction. Based on the idea of CluStream, the proposed approach implements a flow clustering method and a two-step algorithm that guarantees efficient streaming and clustering. The context of an alarm in the attack chain is analyzed and the LightGBM method is used to perform false-positive recognition with high accuracy. To accelerate the search for the filtered alarm sequence data to mine attack patterns, the PrefixSpan algorithm is also updated in the store strategy. The updated PrefixSpan increases the processing efficiency and achieves a better result than the original one in experiments. With Bayesian theory, the transition probability for the sequence pattern string is calculated and the alarm transition probability table constructed to draw the attack graph. Finally, a long-short-term memory network and embedding word-vector method are used to perform online prediction. Results of numerical experiments show that the method proposed in this paper has a strong practical value for attack detection and prediction.

Yihao Chen,Qilei Yin,Qi Li,Zhuotao Liu,Ke Xu,Yi Xu,Mingwei Xu,Ziqian Liu,Jianping Wu

2024-02-25

Abstract:BGP is the de facto inter-domain routing protocol to ensure global connectivity of the Internet. However, various reasons, such as deliberate attacks or misconfigurations, could cause BGP routing anomalies. Traditional methods for BGP routing anomaly detection require significant manual investigation of routes by network operators. Although machine learning has been applied to automate the process, prior arts typically impose significant training overhead (such as large-scale data labeling and feature crafting), and only produce uninterpretable results. To address these limitations, this paper presents a routing anomaly detection system centering around a novel network representation learning model named BEAM. The core design of BEAM is to accurately learn the unique properties (defined as \emph{routing role}) of each Autonomous System (AS) in the Internet by incorporating BGP semantics. As a result, routing anomaly detection, given BEAM, is reduced to a matter of discovering unexpected routing role churns upon observing new route announcements. We implement a prototype of our routing anomaly detection system and extensively evaluate its performance. The experimental results, based on 18 real-world RouteViews datasets containing over 11 billion route announcement records, demonstrate that our system can detect all previously-confirmed routing anomalies, while only introducing at most five false alarms every 180 million route announcements. We also deploy our system at a large ISP to perform real-world detection for one month. During the course of deployment, our system detects 497 true anomalies in the wild with an average of only 1.65 false alarms per day.

Networking and Internet Architecture

Mengying Xu,Xing Li

DOI: https://doi.org/10.1109/itoec49072.2020.9141762

2020-01-01

Abstract:Being the default inter-domain route protocol in the Internet, the security of BGP has attracted increasing attention. BGP anomaly detection technique aims to detect and alert anomalous events so as to minimize the damage it causes. In the existing related works, manually designed statistical features such as number of BGP update messages and AS-PATH length are commonly used for further anomaly classfication. However, features selected by researchers based on their observations on limited events may have limited generalization. On the other hand, neural networks have the ability to automatically extract features from large-scale raw data. In this work, we propose a novel method using raw BGP update data for both feature extraction and anomaly classification. The experiments on real world BGP data are conducted and the results show that our method has a promising performance compared with previous methods.

Yingjie Zhou,Guangmin Hu,Dapeng Wu

DOI: https://doi.org/10.1002/sec.801

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:ABSTRACTDetecting distributed abnormal events has become an increasingly significant task for efficient network management and operation. However, it is still challenging to uncover these distributed behaviors in backbone networks because of the voluminous amount of noisy, high‐dimensional traffic data. In this paper, we present a novel system for detecting distributed abnormal events in backbone networks. The proposed system emphasizes on detecting distributed correlated abnormal events, which are caused by the same reason. In contrast, existing methods are not able to distinguish correlated abnormal events from the independent abnormal events. In our proposed system, a set of data mining techniques is used for modeling and detecting distributed correlated abnormal events by analyzing the traffic features. Specifically, traffic behavior representation is constructed to define and select traffic features for describing the traffic behaviors of interest, feature clustering is performed to group together similar transformations in each feature, behavioral data mining is employed to discover the most significant patterns in network interactions with respect to typical behavior, and behavior classification is used to expose the behaviors of interest. Experiment results using real traffic data present the effectiveness of our proposed methods for detecting distributed correlated abnormal events in the backbone network. Copyright © 2013 John Wiley & Sons, Ltd.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.