Meng Chen,Mingwei Xu,Qing Li,Yuan Yang

DOI: https://doi.org/10.1016/j.comnet.2016.09.018

IF: 5.493

2016-01-01

Computer Networks

Abstract:Measurement on the Border Gateway Protocol (BGP) system is important for understanding the Internet. Many attempts have been made to detect anomalous Internet events through dissecting BGP updates and tables. We notice that most works in this field either deploy/use few monitors or analyze aggregated statistics. Such practices may result in overestimating the impact of monitor-local events, which can be viewed by only a small area.We propose Large-scale BGP Event (LBE), which affects many IP prefixes (high impact) and is widely observable (non-local). To detect LBE, we propose the Update Visibility Matrix (UVM) to record the prefix and monitor related to each update. We formulate the problem of identifying LBE in UVM, which is NP-hard. Then we propose a heuristic algorithm to solve it. We apply the scheme to 2.18 TB of BGP updates and find that the identified LBEs are highly correlated with many well-known disruptive incidents. Besides, we identify 101 LBEs that have never been investigated before. By conducting case studies, we find that the LBEs have high impact and are caused by various reasons. Our work can assist in network/Internet management tasks such as problem prevention, diagnosis, and recovery.

Meng Chen,Mingwei Xu,Qing Li,Xirui Song,Yuan Yang

DOI: https://doi.org/10.1109/PCCC.2015.7410284

2015-01-01

Abstract:Many attempts have been made to detect and analyze anomalous Internet events through dissecting BGP updates and tables, and substantial progress has been made in detecting and quantifying the impact of major Internet disruptions. However, we notice that most works in this realm either deploy/use a limited quantity of monitors or analyze aggregated statistics, and such practice may result in overestimating the impact of monitor-local events, which can be viewed only by a rather small portion of the Internet. To eliminate the impact of such local events on the detection of Internet-level anomalies, we raise the concept of Large-scale BGP Event (LBE), which affects a large amount of IP prefixes (high impact) and is widely observable (non-local). To detect LBE, we record update data in the Update Visibility Matrix (UVM) according to the prefix and monitor related to each update. At first, we formulate the problem of identifying LBE in UVM as a bi-clustering problem; after proving it is NP-hard, we describe our heuristic algorithm. Next, we apply our scheme to more than 2 TB of historical data. We find that LBE is highly correlated with many well-known disruptive incidents. Furthermore, we also identify some abnormal events that have never been investigated. We believe our work can assist in network operation tasks such as problem prevention, diagnosis, and recovery. © 2015 IEEE.

Meng Chen,Mingwei Xu,Yuan Yang

DOI: https://doi.org/10.1109/noms.2016.7502915

2016-01-01

Abstract:Measuring the instability of IP prefixes in BGP is critical for network operation and management. In particular, identifying and investigating the most active prefixes assist in detecting, analyzing, and understanding network problems. The traditional metric to assess the activeness of a prefix is the quantity of BGP update. However, this metric may be strongly affected by monitor-local events: the large amount of updates for a highly active prefix may be caused by an event with rather limited impact area. To cope with the issue, we propose a two-dimensional method: in addition to the traditional metric, Update Quantity (UQ), we introduce Update Visibility (UV). The key idea is that we mark a prefix as a 'Highly Active Prefix' only when the large number of updates for it are widely observable. We define five types of active prefixes and propose a measurement method. We apply the method to 947 GB updates; the measurement results show that the two-dimensional method provides a more comprehensive picture of the highly active prefixes in the Internet than traditional single-metric schemes, and provides insights into network operations.

Hongyan Liu,Xi Sun,Xiang Chen,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu,Xuan Liu,Muhammad Khurram Khan

DOI: https://doi.org/10.1016/j.jnca.2024.103904

IF: 7.574

2024-01-01

Journal of Network and Computer Applications

Abstract:Modern network measurement employs several measurement points in the substrate network. These points perform measurement tasks to measure traffic and report real-time events to monitoring servers in the control plane. These servers convert events to flow statistics and report them to network management applications, which require both low latency (i.e., collecting events within a limited time deadline) and high reliability (i.e., bounding the probability of event loss). However, existing solutions fail to satisfy the two requirements because they ignore the transmission latency and reliability when collecting events from measurement points to monitoring servers. In this paper, we propose Terra, a framework that aims to offer low-latency and reliable event collection. Terra provides a near-optimal heuristic that guides each measurement point to select monitoring servers to receive its events and corresponding network paths for transferring events with timeliness and reliability guarantee. We have implemented Terra on a 64 × 100Gbps Tofino-based switch. We conduct testbed experiments to demonstrate the effectiveness of Terra in practice. The results indicate that Terra offers low-latency and reliable event collection while preserving high application-level accuracy.

Dejing Dou,Jun Li,Han Qin,Shiwoong Kim,Sheng Zhong

DOI: https://doi.org/10.1137/1.9781611972771.46

2007-01-01

Abstract:Abnormal events, such as security attacks, misconfigurations, or electricity failures, could have severe consequences toward the normal operation of the Border Gateway Protocol (BGP) that is in charge of the delivery of packets between different autonomous domains, a key operation for the Internet to function. Unfortunately, it has been a difficult task for network security researchers and engineers to classify and detect these events. In our previous work, we have shown that with classification (which relies on the labeling with domain knowledge from BGP experts), it is feasible to effectively detect and distinguish some worms and blackouts from normal BGP behaviors. In this paper, we move one important step forward we show that we can automatically detect and classify between different abnormal BGP events based on a hierarchy discovered by clustering. As a systematic application of data mining, we devise a clustering method based on normalized BGP data that forms a tree-like hierarchy of abnormal BGP event classes. We then obtain a set of classification rules for each class (node) in the hierarchy, thus able to label unknown BGP data to a closest class. Our method works even as the BGP dynamics evolve over time, as shown in our experiments with seven different abnormal events during a four-year period. Our work, in a more general context, shows it is promising to conduct an interdisciplinary research between network security and data mining in solving real-world problems.

Ricardo Oliveira,Beichuan Zhang,Dan Pei,Lixia Zhang

DOI: https://doi.org/10.1109/tnet.2009.2016390

2009-01-01

IEEE/ACM Transactions on Networking

Abstract:A number of previous measurement studies [10, 12, 17] have shown the existence of path exploration and slow convergence in the global Internet routing system, and a number of protocol enhancements have been proposed to remedy the problem [21, 15, 4, 20, 5]. However all the previous measurements were conducted over a small number of testing prefixes. There has been no systematic study to quantify the pervasiveness of BGP slow convergence in the operational Internet, nor there is any known effort to deploy any of the proposed solutions.In this paper we present our measurement results from identifying BGP slow convergence events across the entire global routing table. Our data shows that the severity of path exploration and slow convergence varies depending on where prefixes are originated and where the observations are made in the Internet routing hierarchy. In general, routers in tier-1 ISPs observe less path exploration, hence shorter convergence delays than routers in edge ASes, and prefixes originated from tier-1 ISPs also experience less path exploration than those originated from edge ASes. Our data also shows that the convergence time of route fail-over events is similar to that of new route announcements, and significantly shorter than that of route failures, which confirms our earlier analytical results [19]. In addition, we also developed a usage-time based path preference inference method which can be used by future studies of BGP dynamics.

LU Junxiu,CHEN Maoke,LI Xing

DOI: https://doi.org/10.3969/j.issn.1672-9781.2008.02.045

2008-01-01

Abstract:Evaluating the effect of network events on Internet reachability is very important for ISPs. This paper design and implement a real-time tool called BGPSense to evaluate reachability based on BGP updates. BGPSense not only considers the temporal correlation and jitter of BGPupdates from different peers, also takes the importance metric of route into considerations. Using BGPSense, we study the effect of Slammerworm, US/CA blackout and Taiwan Earthquake on Internet reachability and find that BGPSense can clearly show the different effect of thesenetwork events. We believe BGPSense can help network operators and administrators to better understand and diagnose their networks.

Lan Wang,Xiaoliang Zhao,Dan Pei,Randy Bush,Daniel Massey,Allison Mankin,S. Felix Wu,Lixia Zhang

DOI: https://doi.org/10.1145/637201.637231

2002-01-01

Abstract:Despite BGP's critical importance as the de-facto Internet inter-domain routing protocol, there is little understanding of how BGP actually performs under stressful conditions when dependable routing is most needed. In this paper, we examine BGP's behavior during one stressful period, the Code Red/Nimda attack on September 18, 2001. The attack was correlated with a 30-fold increase in the BGP update messages at a monitoring point which peers with a number of Internet service providers. Our examination of BGP's behavior during the event concludes that BGP exhibited no significant abnormality, and that over 40% of the observed updates can be attributed to the monitoring artifact in current BGP measurement settings. Our analysis, however, does reveal several weak points in both the protocol and its implementation, such as BGP's sensitivity to the transport session reliability, its inability to avoid the global propagation of small local changes, and its certain implementation features whose otherwise benign effects only get amplified under stressful conditions. We also identify areas for improvement in the current network measurement and monitoring effort.

Xin Wu,Xia Yin,Zhiliang Wang,Min Tang

DOI: https://doi.org/10.1109/isads.2009.5207350

2009-01-01

Abstract:In order to better understand BGP dynamics, a time-based approach has been developed to cluster BGP updates into routing events. Its basic idea is to cluster consecutive BGP updates of the same prefix into one routing events if the updates are separated by a time interval less than a threshold. Most of static threshold methods might incorrectly group multiple events into one if the threshold is too high, or divide a single event into multiple ones if the threshold is too low. On the other hand, previous dynamic threshold approach did not present a persuasive way to calculate one of its key parameters. In this paper we present a three-step dynamic threshold method to cluster BGP updates into routing events. We evaluate our approach using updates of BGP beacon prefixes downloaded from route views. The experiment result shows that our dynamic threshold approach could cluster updates into routing events more precisely than previous methods, and thus improve the accuracy of the BGP measurement studies.

Songtao Peng,Jiaqi Nie,Xincheng Shu,Zhongyuan Ruan,Lei Wang,Yunxuan Sheng,Qi Xuan

DOI: https://doi.org/10.1016/j.comnet.2022.109129

IF: 5.493

2022-01-01

Computer Networks

Abstract:As the default protocol for exchanging routing reachability information on the Internet, the abnormal behavior in traffic of Border Gateway Protocols (BGP) is closely related to Internet anomaly events. The BGP anomalous detection model ensures stable routing services on the Internet through its real-time monitoring and alerting capabilities. Previous studies either focused on the feature selection problem or the memory characteristic in data, while ignoring the relationship between features and the precise time correlation in feature (whether it is long or short term dependence). In this paper, we propose a multi-view model for capturing anomalous behaviors from BGP update traffic, in which Seasonal and Trend decomposition using Loess (STL) method is used to reduce the noise in the original time-series data, and Graph Attention Network (GAT) is used to discover feature relationships and time correlations in feature, respectively. Our results outperform the state-of-the-art methods at the anomaly detection task, with the average F1 score up to 96.3% and 93.2% on the balanced and imbalanced datasets respectively. Meanwhile, our model can be extended to classify multiple anomalous and to detect unknown events.

GUO Li-li,LI Wen-yu,MA Qiang

DOI: https://doi.org/10.3969/j.issn.1008-0570.2008.21.061

2008-01-01

Abstract:In order to detect the BGP convergence of the Internet,this paper presents an approach of analyzing BGP convergence based on data collected by a passive probe machine.In the approach presented,we get the BGP routing tables and Update packets passively received by the probe machine deployed in the Internet,then we analyze these packets to get a series of values which estimate the performance of the BGP convergence.The function of the approach is proved through an experiment with a small real network after we finishing the codes.The results show that this approach has good performance in analyzing the BGP convergence of a network without taking obvious instabilities into it.

Xia Yin,Min Tang,Zhiliang Wang

DOI: https://doi.org/10.1109/bcn.2007.372749

2007-01-01

Abstract:To better understand BGP dynamics, a number of previous measurement studies have focused on the convergence time of the routing events in the global routing system. A time-based approach has been developed to cluster BGP updates stream of the same prefix and the same observation point into routing events with threshold value. In practical networks, the same static threshold value, i.e. 4 minutes, can not group updates into events correctly. In this paper, we present an algorithm of dynamic threshold value for per destination network based on the probability method. Our experimental results show that the threshold value is sensitive to prefixes. A threshold value suitable for one prefix is not likely appropriate for another. Therefore, we think the dynamic values are more suitable for prefixes than the static value. With our method, the routing events can be clustered precisely, so that can improve the accuracy of the measurement studies.

Joel Obstfeld,Xiaoyu Chen,Olivier Frebourg,Pavan Sudheendra

DOI: https://doi.org/10.48550/arXiv.1705.08666

2017-05-24

Abstract:BGP (Border Gateway Protocol) serves as the primary routing protocol for the Internet, enabling Autonomous Systems (individual network operators) to exchange network reachability information. Alongside significant on-going research and development efforts, there is a practical need to understand the nature of events that occur on the Internet. Network operators are acutely aware of security-related incidents such as 'Prefix Hijacking' as well as the impact of network instabilities that ripple through the Internet. Recent research focused on the study of BGP anomalies (both network/prefix instability and security-related incidents) has been based on the analysis of historical logs. Further analysis to understand the nature of these anomalous events is not always sufficient to be able to differentiate malicious activities, such as prefix- or sub-prefix- hijacking, from those events caused by inadvertent misconfigurations. In addition, such techniques are challenged by a lack of sufficient resources to store and process data feeds in real-time from multiple BGP Vantage Points (VPs). In this paper, we present a BGP Deep-analysis application developed using the PNDA (Platform for Network Data Analytics) 'Big-Data' platform. PNDA provides a highly scalable environment that enables the ingestion and processing of 'live' BGP feeds from many vantage points in a schema-agnostic manner. The Apache Spark-based application, in conjunction with PNDA's distributed processing capabilities, is able to perform high-level insights as well as near-to-real-time statistical analysis

Networking and Internet Architecture

Yihao Chen,Qilei Yin,Qi Li,Zhuotao Liu,Ke Xu,Yi Xu,Mingwei Xu,Ziqian Liu,Jianping Wu

2024-02-25

Abstract:BGP is the de facto inter-domain routing protocol to ensure global connectivity of the Internet. However, various reasons, such as deliberate attacks or misconfigurations, could cause BGP routing anomalies. Traditional methods for BGP routing anomaly detection require significant manual investigation of routes by network operators. Although machine learning has been applied to automate the process, prior arts typically impose significant training overhead (such as large-scale data labeling and feature crafting), and only produce uninterpretable results. To address these limitations, this paper presents a routing anomaly detection system centering around a novel network representation learning model named BEAM. The core design of BEAM is to accurately learn the unique properties (defined as \emph{routing role}) of each Autonomous System (AS) in the Internet by incorporating BGP semantics. As a result, routing anomaly detection, given BEAM, is reduced to a matter of discovering unexpected routing role churns upon observing new route announcements. We implement a prototype of our routing anomaly detection system and extensively evaluate its performance. The experimental results, based on 18 real-world RouteViews datasets containing over 11 billion route announcement records, demonstrate that our system can detect all previously-confirmed routing anomalies, while only introducing at most five false alarms every 180 million route announcements. We also deploy our system at a large ISP to perform real-world detection for one month. During the course of deployment, our system detects 497 true anomalies in the wild with an average of only 1.65 false alarms per day.

Networking and Internet Architecture

Mengying Xu,Xing Li

DOI: https://doi.org/10.1109/itoec49072.2020.9141762

2020-01-01

Abstract:Being the default inter-domain route protocol in the Internet, the security of BGP has attracted increasing attention. BGP anomaly detection technique aims to detect and alert anomalous events so as to minimize the damage it causes. In the existing related works, manually designed statistical features such as number of BGP update messages and AS-PATH length are commonly used for further anomaly classfication. However, features selected by researchers based on their observations on limited events may have limited generalization. On the other hand, neural networks have the ability to automatically extract features from large-scale raw data. In this work, we propose a novel method using raw BGP update data for both feature extraction and anomaly classification. The experiments on real world BGP data are conducted and the results show that our method has a promising performance compared with previous methods.

Songtao Peng,Yiping Chen,Xincheng Shu,Wu Shuai,Shenhao Fang,Zhongyuan Ruan,Qi Xuan

2023-12-18

Abstract:In recent years, various international security events have occurred frequently and interacted between real society and cyberspace. Traditional traffic monitoring mainly focuses on the local anomalous status of events due to a large amount of data. BGP-based event monitoring makes it possible to perform differential analysis of international events. For many existing traffic anomaly detection methods, we have observed that the window-based noise reduction strategy effectively improves the success rate of time series anomaly detection. Motivated by this observation, we propose an unsupervised anomaly detection model, MAD-MulW, which incorporates a multi-window serial framework. Firstly, we design the W-GAT module to adaptively update the sample weights within the window and retain the updated information of the trailing sample, which not only reduces the outlier samples' noise but also avoids the space consumption of data scale expansion. Then, the W-LAT module based on predictive reconstruction both captures the trend of sample fluctuations over a certain period of time and increases the interclass variation through the reconstruction of the predictive sample. Our model has been experimentally validated on multiple BGP anomalous events with an average F1 score of over 90\%, which demonstrates the significant improvement effect of the stage windows and adaptive strategy on the efficiency and stability of the timing model.

Cryptography and Security

ST Teoh,KL Ma,SF Wu,D Massey,XL Zhao,D Pei,L Wang,LX Zhang,R Bush

DOI: https://doi.org/10.1007/978-3-540-39671-0_14

2003-01-01

Abstract:To complement machine intelligence in anomaly event analysis and correlation, in this paper, we investigate the possibility of a human-interactive visual-based anomaly detection system for faults and security attacks related to the BGP (Border Gateway Protocol) routing protocol. In particular, we have built and tested a program, based on fairly simple information visualization techniques, to navigate interactively real-life BGP OASC (Origin AS Change) events. Our initial experience demonstrates that the integration of mechanical analysis and human intelligence can effectively improve the performance of anomaly detection and alert correlation. Furthermore, while a traditional representation of OASC events provides either little or no valuable information, our program can accurately identify, correlate previously unknown BGP/OASC problems, and provide network operators with a valuable high-level abstraction about the dynamics of BGP.

Ricardo Oliveira,Mohit Lad,Beichuan Zhang,Dan Pei,Daniel Massey,Lixia Zhang

2006-01-01

Abstract:Abstract BGP Monitoring projects such as RouteViews and RIPE RIS provide valuable data for networking research. Prior efforts, such as understanding BGP dynamics, have mined the BGP data collected by RouteViews and RIPE to make,general in- ferences about the Internet routing. Ideally one would like to have the collected BGP data covering the entire Internet. However various operational constrains limit the number,of monitors to be used for the data collection, and up to this point, the selection of monitors has been based on intuitive judgment,among,available candidates. In this paper we use link coverage, defined as the set of links observed by all the monitors, as the monitor selection criterion and evaluate the current monitor selection by RouteViews project. We show that a simple greedy strategy can achieve much,better link coverage than that achieved by the same,number,of moni- tors selected by RouteViews. Our results also show that edge nodes of the Internet provide more link coverage than the tier- 1 nodes in general.

Yutao Dong,Qing Li,Richard O. Sinnott,Yong Jiang,Shutao Xia

DOI: https://doi.org/10.1109/icnp52444.2021.9651957

2021-01-01

Abstract:The Border Gateway Protocol (BGP) is arguably the most important and irreplaceable protocol in the network. However, the lack of routing authentication and validation makes it vulnerable to attacks, including routing leaks, route hijacking, prefix hijacking, etc. Therefore, in this paper we propose a generalized framework for ISP self-operated BGP anomaly detection based on weakly supervised learning. To tackle the problem of insufficient data in BGP anomaly detection, we propose an approach to learn from the other anomaly detection systems through knowledge distillation. To reduce the impact of inaccurate supervision, we design a self-attention-based Long Short-Term Memory (LSTM) model to self-adaptively mine the differences between BGP anomaly categories, including both feature and time dimensions. Finally, we implement a system and demonstrate the performance through a set of comprehensive experiments. Compared with the state-of-the-art schemes, our scheme has better generalization on various anomaly types.

Thomas Krenc,Robert Beverly,Georgios Smaragdakis

DOI: https://doi.org/10.48550/arXiv.2110.03816

2021-10-08

Abstract:BGP communities are a popular mechanism used by network operators for traffic engineering, blackholing, and to realize network policies and business strategies. In recent years, many research works have contributed to our understanding of how BGP communities are utilized, as well as how they can reveal secondary insights into real-world events such as outages and security attacks. However, one fundamental question remains unanswered: "Which ASes tag announcements with BGP communities and which remove communities in the announcements they receive?" A grounded understanding of where BGP communities are added or removed can help better model and predict BGP-based actions in the Internet and characterize the strategies of network operators. In this paper we develop, validate, and share data from the first algorithm that can infer BGP community tagging and cleaning behavior at the AS-level. The algorithm is entirely passive and uses BGP update messages and snapshots, e.g. from public route collectors, as input. First, we quantify the correctness and accuracy of the algorithm in controlled experiments with simulated topologies. To validate in the wild, we announce prefixes with communities and confirm that more than 90% of the ASes that we classify behave as our algorithm predicts. Finally, we apply the algorithm to data from four sets of BGP collectors: RIPE, RouteViews, Isolario, and PCH. Tuned conservatively, our algorithm ascribes community tagging and cleaning behaviors to more than 13k ASes, the majority of which are large networks and providers. We make our algorithm and inferences available as a public resource to the BGP research community.

Networking and Internet Architecture