Meng Chen,Mingwei Xu,Qing Li,Xirui Song,Yuan Yang

DOI: https://doi.org/10.1109/PCCC.2015.7410284

2015-01-01

Abstract:Many attempts have been made to detect and analyze anomalous Internet events through dissecting BGP updates and tables, and substantial progress has been made in detecting and quantifying the impact of major Internet disruptions. However, we notice that most works in this realm either deploy/use a limited quantity of monitors or analyze aggregated statistics, and such practice may result in overestimating the impact of monitor-local events, which can be viewed only by a rather small portion of the Internet. To eliminate the impact of such local events on the detection of Internet-level anomalies, we raise the concept of Large-scale BGP Event (LBE), which affects a large amount of IP prefixes (high impact) and is widely observable (non-local). To detect LBE, we record update data in the Update Visibility Matrix (UVM) according to the prefix and monitor related to each update. At first, we formulate the problem of identifying LBE in UVM as a bi-clustering problem; after proving it is NP-hard, we describe our heuristic algorithm. Next, we apply our scheme to more than 2 TB of historical data. We find that LBE is highly correlated with many well-known disruptive incidents. Furthermore, we also identify some abnormal events that have never been investigated. We believe our work can assist in network operation tasks such as problem prevention, diagnosis, and recovery. © 2015 IEEE.

Meng Chen,Mingwei Xu,Xirui Song,Yuan Yang

DOI: https://doi.org/10.1109/LCN.2015.7366297

2015-01-01

Abstract:Anomalous BGP events can deteriorate Internet performance and connectivity thus have always been a research topic. However, most measurement works in this realm are prone to monitor-local events, namely, the events local to only few BGP monitors. Besides, events that are widely observed can also have negligible impact, e.g., prefix-local events. In contrast, a Large-scale BGP Event (LBE) makes a large quantity of prefixes be updated and can be observed by a large portion of monitors. Such events are anomalous even harmful. We formulate the problem of identifying LBEs from BGP updates, then propose the Iterative Cut-off Algorithm to solve it. We apply the method to some famous disruptive events and some `innocent' data, which are collected from more than 400 monitors. The measurement results validate the effectiveness of our method. Moreover, we detect a severe and persistent misconfiguration event that has remained unreported before.

Meng Chen,Mingwei Xu,Yuan Yang

DOI: https://doi.org/10.1109/noms.2016.7502915

2016-01-01

Abstract:Measuring the instability of IP prefixes in BGP is critical for network operation and management. In particular, identifying and investigating the most active prefixes assist in detecting, analyzing, and understanding network problems. The traditional metric to assess the activeness of a prefix is the quantity of BGP update. However, this metric may be strongly affected by monitor-local events: the large amount of updates for a highly active prefix may be caused by an event with rather limited impact area. To cope with the issue, we propose a two-dimensional method: in addition to the traditional metric, Update Quantity (UQ), we introduce Update Visibility (UV). The key idea is that we mark a prefix as a 'Highly Active Prefix' only when the large number of updates for it are widely observable. We define five types of active prefixes and propose a measurement method. We apply the method to 947 GB updates; the measurement results show that the two-dimensional method provides a more comprehensive picture of the highly active prefixes in the Internet than traditional single-metric schemes, and provides insights into network operations.

Dejing Dou,Jun Li,Han Qin,Shiwoong Kim,Sheng Zhong

DOI: https://doi.org/10.1137/1.9781611972771.46

2007-01-01

Abstract:Abnormal events, such as security attacks, misconfigurations, or electricity failures, could have severe consequences toward the normal operation of the Border Gateway Protocol (BGP) that is in charge of the delivery of packets between different autonomous domains, a key operation for the Internet to function. Unfortunately, it has been a difficult task for network security researchers and engineers to classify and detect these events. In our previous work, we have shown that with classification (which relies on the labeling with domain knowledge from BGP experts), it is feasible to effectively detect and distinguish some worms and blackouts from normal BGP behaviors. In this paper, we move one important step forward we show that we can automatically detect and classify between different abnormal BGP events based on a hierarchy discovered by clustering. As a systematic application of data mining, we devise a clustering method based on normalized BGP data that forms a tree-like hierarchy of abnormal BGP event classes. We then obtain a set of classification rules for each class (node) in the hierarchy, thus able to label unknown BGP data to a closest class. Our method works even as the BGP dynamics evolve over time, as shown in our experiments with seven different abnormal events during a four-year period. Our work, in a more general context, shows it is promising to conduct an interdisciplinary research between network security and data mining in solving real-world problems.

LU Junxiu,CHEN Maoke,LI Xing

DOI: https://doi.org/10.3969/j.issn.1672-9781.2008.02.045

2008-01-01

Abstract:Evaluating the effect of network events on Internet reachability is very important for ISPs. This paper design and implement a real-time tool called BGPSense to evaluate reachability based on BGP updates. BGPSense not only considers the temporal correlation and jitter of BGPupdates from different peers, also takes the importance metric of route into considerations. Using BGPSense, we study the effect of Slammerworm, US/CA blackout and Taiwan Earthquake on Internet reachability and find that BGPSense can clearly show the different effect of thesenetwork events. We believe BGPSense can help network operators and administrators to better understand and diagnose their networks.

Lan Wang,Xiaoliang Zhao,Dan Pei,Randy Bush,Daniel Massey,Allison Mankin,S. Felix Wu,Lixia Zhang

DOI: https://doi.org/10.1145/637201.637231

2002-01-01

Abstract:Despite BGP's critical importance as the de-facto Internet inter-domain routing protocol, there is little understanding of how BGP actually performs under stressful conditions when dependable routing is most needed. In this paper, we examine BGP's behavior during one stressful period, the Code Red/Nimda attack on September 18, 2001. The attack was correlated with a 30-fold increase in the BGP update messages at a monitoring point which peers with a number of Internet service providers. Our examination of BGP's behavior during the event concludes that BGP exhibited no significant abnormality, and that over 40% of the observed updates can be attributed to the monitoring artifact in current BGP measurement settings. Our analysis, however, does reveal several weak points in both the protocol and its implementation, such as BGP's sensitivity to the transport session reliability, its inability to avoid the global propagation of small local changes, and its certain implementation features whose otherwise benign effects only get amplified under stressful conditions. We also identify areas for improvement in the current network measurement and monitoring effort.

Hongyan Liu,Xi Sun,Xiang Chen,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu,Xuan Liu,Muhammad Khurram Khan

DOI: https://doi.org/10.1016/j.jnca.2024.103904

IF: 7.574

2024-01-01

Journal of Network and Computer Applications

Abstract:Modern network measurement employs several measurement points in the substrate network. These points perform measurement tasks to measure traffic and report real-time events to monitoring servers in the control plane. These servers convert events to flow statistics and report them to network management applications, which require both low latency (i.e., collecting events within a limited time deadline) and high reliability (i.e., bounding the probability of event loss). However, existing solutions fail to satisfy the two requirements because they ignore the transmission latency and reliability when collecting events from measurement points to monitoring servers. In this paper, we propose Terra, a framework that aims to offer low-latency and reliable event collection. Terra provides a near-optimal heuristic that guides each measurement point to select monitoring servers to receive its events and corresponding network paths for transferring events with timeliness and reliability guarantee. We have implemented Terra on a 64 × 100Gbps Tofino-based switch. We conduct testbed experiments to demonstrate the effectiveness of Terra in practice. The results indicate that Terra offers low-latency and reliable event collection while preserving high application-level accuracy.

Joel Obstfeld,Xiaoyu Chen,Olivier Frebourg,Pavan Sudheendra

DOI: https://doi.org/10.48550/arXiv.1705.08666

2017-05-24

Abstract:BGP (Border Gateway Protocol) serves as the primary routing protocol for the Internet, enabling Autonomous Systems (individual network operators) to exchange network reachability information. Alongside significant on-going research and development efforts, there is a practical need to understand the nature of events that occur on the Internet. Network operators are acutely aware of security-related incidents such as 'Prefix Hijacking' as well as the impact of network instabilities that ripple through the Internet. Recent research focused on the study of BGP anomalies (both network/prefix instability and security-related incidents) has been based on the analysis of historical logs. Further analysis to understand the nature of these anomalous events is not always sufficient to be able to differentiate malicious activities, such as prefix- or sub-prefix- hijacking, from those events caused by inadvertent misconfigurations. In addition, such techniques are challenged by a lack of sufficient resources to store and process data feeds in real-time from multiple BGP Vantage Points (VPs). In this paper, we present a BGP Deep-analysis application developed using the PNDA (Platform for Network Data Analytics) 'Big-Data' platform. PNDA provides a highly scalable environment that enables the ingestion and processing of 'live' BGP feeds from many vantage points in a schema-agnostic manner. The Apache Spark-based application, in conjunction with PNDA's distributed processing capabilities, is able to perform high-level insights as well as near-to-real-time statistical analysis

Networking and Internet Architecture

Ricardo Oliveira,Beichuan Zhang,Dan Pei,Lixia Zhang

DOI: https://doi.org/10.1109/tnet.2009.2016390

2009-01-01

IEEE/ACM Transactions on Networking

Abstract:A number of previous measurement studies [10, 12, 17] have shown the existence of path exploration and slow convergence in the global Internet routing system, and a number of protocol enhancements have been proposed to remedy the problem [21, 15, 4, 20, 5]. However all the previous measurements were conducted over a small number of testing prefixes. There has been no systematic study to quantify the pervasiveness of BGP slow convergence in the operational Internet, nor there is any known effort to deploy any of the proposed solutions.In this paper we present our measurement results from identifying BGP slow convergence events across the entire global routing table. Our data shows that the severity of path exploration and slow convergence varies depending on where prefixes are originated and where the observations are made in the Internet routing hierarchy. In general, routers in tier-1 ISPs observe less path exploration, hence shorter convergence delays than routers in edge ASes, and prefixes originated from tier-1 ISPs also experience less path exploration than those originated from edge ASes. Our data also shows that the convergence time of route fail-over events is similar to that of new route announcements, and significantly shorter than that of route failures, which confirms our earlier analytical results [19]. In addition, we also developed a usage-time based path preference inference method which can be used by future studies of BGP dynamics.

Ben Scott,Michael N. Johnstone,Patryk Szewczyk,Steven Richardson

DOI: https://doi.org/10.1016/j.comnet.2024.110257

IF: 5.493

2024-02-19

Computer Networks

Abstract:The Border Gateway Protocol (BGP), acting as the communication protocol that binds the Internet, remains vulnerable despite Internet security advancements. This is not surprising, as the Internet was not designed to be resilient to cyber-attacks, therefore the detection of anomalous activity was not of prime importance to the Internet creators. Detection of BGP anomalies can potentially provide network operators with an early warning system to focus on protecting networks, systems, and infrastructure from significant impact, improve security posture and resilience, while ultimately contributing to a secure global Internet environment. In this paper, we present a novel technique for the detection of BGP anomalies in different events. This research uses publicly available datasets of BGP messages collected from the repositories, Route Views and Réseaux IP Européens (RIPE). Our contribution is the application of a time series data mining approach, Matrix Profile (MP) , to detect BGP anomalies in all categories of BGP events. Advantages of the MP detection technique compared to extant approaches include that it is domain agnostic, is assumption-free, requires few parameters, does not require training data, and is scalable and storage efficient. The single hyper-parameter analysed in MP shows it is robust to change. Our results indicate the MP detection scheme is competitive against existing detection schemes. A novel BGP anomaly detection scheme is also proposed for further research and validation.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Songtao Peng,Jiaqi Nie,Xincheng Shu,Zhongyuan Ruan,Lei Wang,Yunxuan Sheng,Qi Xuan

DOI: https://doi.org/10.1016/j.comnet.2022.109129

IF: 5.493

2022-01-01

Computer Networks

Abstract:As the default protocol for exchanging routing reachability information on the Internet, the abnormal behavior in traffic of Border Gateway Protocols (BGP) is closely related to Internet anomaly events. The BGP anomalous detection model ensures stable routing services on the Internet through its real-time monitoring and alerting capabilities. Previous studies either focused on the feature selection problem or the memory characteristic in data, while ignoring the relationship between features and the precise time correlation in feature (whether it is long or short term dependence). In this paper, we propose a multi-view model for capturing anomalous behaviors from BGP update traffic, in which Seasonal and Trend decomposition using Loess (STL) method is used to reduce the noise in the original time-series data, and Graph Attention Network (GAT) is used to discover feature relationships and time correlations in feature, respectively. Our results outperform the state-of-the-art methods at the anomaly detection task, with the average F1 score up to 96.3% and 93.2% on the balanced and imbalanced datasets respectively. Meanwhile, our model can be extended to classify multiple anomalous and to detect unknown events.

Ricardo Oliveira,Mohit Lad,Beichuan Zhang,Dan Pei,Daniel Massey,Lixia Zhang

2006-01-01

Abstract:Abstract BGP Monitoring projects such as RouteViews and RIPE RIS provide valuable data for networking research. Prior efforts, such as understanding BGP dynamics, have mined the BGP data collected by RouteViews and RIPE to make,general in- ferences about the Internet routing. Ideally one would like to have the collected BGP data covering the entire Internet. However various operational constrains limit the number,of monitors to be used for the data collection, and up to this point, the selection of monitors has been based on intuitive judgment,among,available candidates. In this paper we use link coverage, defined as the set of links observed by all the monitors, as the monitor selection criterion and evaluate the current monitor selection by RouteViews project. We show that a simple greedy strategy can achieve much,better link coverage than that achieved by the same,number,of moni- tors selected by RouteViews. Our results also show that edge nodes of the Internet provide more link coverage than the tier- 1 nodes in general.

Taihong Wang,Xingang Shi,Xia Yin,Zhiliang

2015-01-01

Abstract:Inter-domain routing convergence is the state of a set of routers that have the same topological information about the internetwork in which they operate. Previous measurement studies about inter-domain routing convergence are carried out through the analysis of BGP update traffic. However, this kind of studies only consider the time that inter-domain routers take to reach a consistent view of the network topology after internet path failure, failover and repair. There has been no study to quantify the time that inter-domain routers take to distribute a routing update across the network. In this paper we develop a system to measure the propagation behavior of BGP route updates, including both passive data collection and active data probe in the real world. This system has been continuously monitoring the Internet for more than three years. During this period, 143K route updates were detected, and 5172k detection were triggered. Our data shows that route oscillations that have only been theoretically studied before do exist in the Internet. Inter-domain routers take about 30 seconds to distribute a routing update across the network.

Xin Wu,Xia Yin,Zhiliang Wang,Min Tang

DOI: https://doi.org/10.1109/isads.2009.5207350

2009-01-01

Abstract:In order to better understand BGP dynamics, a time-based approach has been developed to cluster BGP updates into routing events. Its basic idea is to cluster consecutive BGP updates of the same prefix into one routing events if the updates are separated by a time interval less than a threshold. Most of static threshold methods might incorrectly group multiple events into one if the threshold is too high, or divide a single event into multiple ones if the threshold is too low. On the other hand, previous dynamic threshold approach did not present a persuasive way to calculate one of its key parameters. In this paper we present a three-step dynamic threshold method to cluster BGP updates into routing events. We evaluate our approach using updates of BGP beacon prefixes downloaded from route views. The experiment result shows that our dynamic threshold approach could cluster updates into routing events more precisely than previous methods, and thus improve the accuracy of the BGP measurement studies.

Ben A. Scott,Michael N. Johnstone,Patryk Szewczyk

DOI: https://doi.org/10.3390/s24196414

IF: 3.9

2024-10-03

Sensors

Abstract:The Internet's default inter-domain routing system, the Border Gateway Protocol (BGP), remains insecure. Detection techniques are dominated by approaches that involve large numbers of features, parameters, domain-specific tuning, and training, often contributing to an unacceptable computational cost. Efforts to detect anomalous activity in the BGP have been almost exclusively focused on single observable monitoring points and Autonomous Systems (ASs). BGP attacks can exploit and evade these limitations. In this paper, we review and evaluate categories of BGP attacks based on their complexity. Previously identified next-generation BGP detection techniques remain incapable of detecting advanced attacks that exploit single observable detection approaches and those designed to evade public routing monitor infrastructures. Advanced BGP attack detection requires lightweight, rapid capabilities with the capacity to quantify group-level multi-viewpoint interactions, dynamics, and information. We term this approach advanced BGP anomaly detection. This survey evaluates 178 anomaly detection techniques and identifies which are candidates for advanced attack anomaly detection. Preliminary findings from an exploratory investigation of advanced BGP attack candidates are also reported.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

K. Chen,C. Hu

DOI: https://doi.org/10.1049/iet-com.2010.0432

IF: 1.345

2011-01-01

IET Communications

Abstract:Network measurement projects such as NLANR, Routeviews and RIPE have greatly advanced people's ability to understand, manage and engineer the Internet. Meanwhile, the significant maintenance fee to support such monitoring infrastructures motivates us to think about a cost-effective way to manage these systems. In this study, the authors measure, model and evaluate the border gateway protocol (BGP) monitoring system (BGPMon) that is mainly composed of vantage point ASes (i.e. monitors or VPs) peered with Routeviews and RIPE. The results from the authors’ experiments show the feasibility to use fewer VPs while still retaining the original monitoring capability of the existing BGPMon. Only 110 VPs out of the original 438 ones are capable of monitoring most of the information for all the six metrics with the optimum VP selection method given in this paper. The authors further evaluate the selected VPs at different times and observe that the performance is encouragingly stable, for example, more than 99% of the information for five out of the six metrics can be constantly captured with less than 110 VPs in random samples.

GUO Li-li,LI Wen-yu,MA Qiang

DOI: https://doi.org/10.3969/j.issn.1008-0570.2008.21.061

2008-01-01

Abstract:In order to detect the BGP convergence of the Internet,this paper presents an approach of analyzing BGP convergence based on data collected by a passive probe machine.In the approach presented,we get the BGP routing tables and Update packets passively received by the probe machine deployed in the Internet,then we analyze these packets to get a series of values which estimate the performance of the BGP convergence.The function of the approach is proved through an experiment with a small real network after we finishing the codes.The results show that this approach has good performance in analyzing the BGP convergence of a network without taking obvious instabilities into it.

Xia Yin,Min Tang,Zhiliang Wang

DOI: https://doi.org/10.1109/bcn.2007.372749

2007-01-01

Abstract:To better understand BGP dynamics, a number of previous measurement studies have focused on the convergence time of the routing events in the global routing system. A time-based approach has been developed to cluster BGP updates stream of the same prefix and the same observation point into routing events with threshold value. In practical networks, the same static threshold value, i.e. 4 minutes, can not group updates into events correctly. In this paper, we present an algorithm of dynamic threshold value for per destination network based on the probability method. Our experimental results show that the threshold value is sensitive to prefixes. A threshold value suitable for one prefix is not likely appropriate for another. Therefore, we think the dynamic values are more suitable for prefixes than the static value. With our method, the routing events can be clustered precisely, so that can improve the accuracy of the measurement studies.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Henry Birge-Lee,Maria Apostolaki,Jennifer Rexford

2024-08-19

Abstract:As the deployment of comprehensive Border Gateway Protocol (BGP) security measures is still in progress, BGP monitoring continues to play a critical role in protecting the Internet from routing attacks. Fundamentally, monitoring involves observing BGP feeds to detect suspicious announcements and taking defensive action. However, BGP monitoring relies on seeing the malicious BGP announcement in the first place! In this paper, we develop a novel attack that can hide itself from all state-of-the-art BGP monitoring systems we tested while affecting the entire Internet. The attack involves launching a sub-prefix hijack with the RFC-specified NO_EXPORT community attached to prevent networks with the malicious route installed from sending the route to BGP monitoring systems. We study the viability of this attack at four tier-1 networks and find all networks we studied were vulnerable to the attack. Finally, we propose a mitigation that significantly improves the robustness of the BGP monitoring ecosystem. Our paper aims to raise awareness of this issue and offer guidance to providers to protect against such attacks.

Cryptography and Security,Networking and Internet Architecture