Yihao Chen,Qilei Yin,Qi Li,Zhuotao Liu,Ke Xu,Yi Xu,Mingwei Xu,Ziqian Liu,Jianping Wu

2024-02-25

Abstract:BGP is the de facto inter-domain routing protocol to ensure global connectivity of the Internet. However, various reasons, such as deliberate attacks or misconfigurations, could cause BGP routing anomalies. Traditional methods for BGP routing anomaly detection require significant manual investigation of routes by network operators. Although machine learning has been applied to automate the process, prior arts typically impose significant training overhead (such as large-scale data labeling and feature crafting), and only produce uninterpretable results. To address these limitations, this paper presents a routing anomaly detection system centering around a novel network representation learning model named BEAM. The core design of BEAM is to accurately learn the unique properties (defined as \emph{routing role}) of each Autonomous System (AS) in the Internet by incorporating BGP semantics. As a result, routing anomaly detection, given BEAM, is reduced to a matter of discovering unexpected routing role churns upon observing new route announcements. We implement a prototype of our routing anomaly detection system and extensively evaluate its performance. The experimental results, based on 18 real-world RouteViews datasets containing over 11 billion route announcement records, demonstrate that our system can detect all previously-confirmed routing anomalies, while only introducing at most five false alarms every 180 million route announcements. We also deploy our system at a large ISP to perform real-world detection for one month. During the course of deployment, our system detects 497 true anomalies in the wild with an average of only 1.65 false alarms per day.

Networking and Internet Architecture

Songtao Peng,Jiaqi Nie,Xincheng Shu,Zhongyuan Ruan,Lei Wang,Yunxuan Sheng,Qi Xuan

DOI: https://doi.org/10.1016/j.comnet.2022.109129

IF: 5.493

2022-01-01

Computer Networks

Abstract:As the default protocol for exchanging routing reachability information on the Internet, the abnormal behavior in traffic of Border Gateway Protocols (BGP) is closely related to Internet anomaly events. The BGP anomalous detection model ensures stable routing services on the Internet through its real-time monitoring and alerting capabilities. Previous studies either focused on the feature selection problem or the memory characteristic in data, while ignoring the relationship between features and the precise time correlation in feature (whether it is long or short term dependence). In this paper, we propose a multi-view model for capturing anomalous behaviors from BGP update traffic, in which Seasonal and Trend decomposition using Loess (STL) method is used to reduce the noise in the original time-series data, and Graph Attention Network (GAT) is used to discover feature relationships and time correlations in feature, respectively. Our results outperform the state-of-the-art methods at the anomaly detection task, with the average F1 score up to 96.3% and 93.2% on the balanced and imbalanced datasets respectively. Meanwhile, our model can be extended to classify multiple anomalous and to detect unknown events.

Mengying Xu,Xing Li

DOI: https://doi.org/10.1109/itoec49072.2020.9141762

2020-01-01

Abstract:Being the default inter-domain route protocol in the Internet, the security of BGP has attracted increasing attention. BGP anomaly detection technique aims to detect and alert anomalous events so as to minimize the damage it causes. In the existing related works, manually designed statistical features such as number of BGP update messages and AS-PATH length are commonly used for further anomaly classfication. However, features selected by researchers based on their observations on limited events may have limited generalization. On the other hand, neural networks have the ability to automatically extract features from large-scale raw data. In this work, we propose a novel method using raw BGP update data for both feature extraction and anomaly classification. The experiments on real world BGP data are conducted and the results show that our method has a promising performance compared with previous methods.

Meng Meng,Ruijuan Zheng,Mingchuan Zhang,Junlong Zhu,Qingtao Wu

DOI: https://doi.org/10.1007/978-3-030-38961-1_12

2019-01-01

Abstract:The Border Gateway Protocol (BGP) is a vital protocol on the Internet. However, the BGP is susceptible against the prefix interception attack, how to seek a secure route against prefix interception attacks is an important problem. For this reason, we propose a novel and effective router selection method on the Internet. First, we evaluate resilience of autonomous systems against prefix interception attacks. Second, we evaluate security risk of next-hop routers and we also obtain the historical performance of next-hop routers via online learning. Finally, we compromise the two performance metrics of routers' resilience and historical performance to choose a secure route. Our method is verified by network simulations. The results show that the proposed method has more resilience against prefix interception attacks.

Chen Shen,Ruixin Wang,Xiang Li,Peiying Zhang,Kai Liu,Lizhuang Tan

DOI: https://doi.org/10.3390/electronics13204072

IF: 2.9

2024-10-17

Electronics

Abstract:In the Internet, ASs are interconnected using BGP. However, due to a lack of security considerations in the design of BGP, a series of security issues arise during the propagation of routing information, such as prefix hijacking, route leakage, and AS path tampering. Therefore, this paper conducts research on the detection of route leakage. By analyzing BGP routing information, we abstract the routing propagation relationship between ASs into a network topology graph, and extract graph features from the graph abstracted from routing data at certain time intervals. Based on the structural robustness features and centrality measurement features of the graph, we determine whether a route leakage has occurred during the current time period. To this end, we use machine learning methods and propose a weighted voting model. This model trains multiple single models and assigns weights to them, and through the weighted analysis of the results of multiple models, it can determine whether a route leakage has occurred. In addition, to determine the corresponding weights, we use genetic algorithms for identifying route leaks. The experimental results show that the method used in this paper has a high accuracy rate, and compared with a single model, it performs better on multiple datasets.

engineering, electrical & electronic,computer science, information systems,physics, applied

Dejing Dou,Jun Li,Han Qin,Shiwoong Kim,Sheng Zhong

DOI: https://doi.org/10.1137/1.9781611972771.46

2007-01-01

Abstract:Abnormal events, such as security attacks, misconfigurations, or electricity failures, could have severe consequences toward the normal operation of the Border Gateway Protocol (BGP) that is in charge of the delivery of packets between different autonomous domains, a key operation for the Internet to function. Unfortunately, it has been a difficult task for network security researchers and engineers to classify and detect these events. In our previous work, we have shown that with classification (which relies on the labeling with domain knowledge from BGP experts), it is feasible to effectively detect and distinguish some worms and blackouts from normal BGP behaviors. In this paper, we move one important step forward we show that we can automatically detect and classify between different abnormal BGP events based on a hierarchy discovered by clustering. As a systematic application of data mining, we devise a clustering method based on normalized BGP data that forms a tree-like hierarchy of abnormal BGP event classes. We then obtain a set of classification rules for each class (node) in the hierarchy, thus able to label unknown BGP data to a closest class. Our method works even as the BGP dynamics evolve over time, as shown in our experiments with seven different abnormal events during a four-year period. Our work, in a more general context, shows it is promising to conduct an interdisciplinary research between network security and data mining in solving real-world problems.

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Ben A. Scott,Michael N. Johnstone,Patryk Szewczyk

DOI: https://doi.org/10.3390/s24196414

IF: 3.9

2024-10-03

Sensors

Abstract:The Internet's default inter-domain routing system, the Border Gateway Protocol (BGP), remains insecure. Detection techniques are dominated by approaches that involve large numbers of features, parameters, domain-specific tuning, and training, often contributing to an unacceptable computational cost. Efforts to detect anomalous activity in the BGP have been almost exclusively focused on single observable monitoring points and Autonomous Systems (ASs). BGP attacks can exploit and evade these limitations. In this paper, we review and evaluate categories of BGP attacks based on their complexity. Previously identified next-generation BGP detection techniques remain incapable of detecting advanced attacks that exploit single observable detection approaches and those designed to evade public routing monitor infrastructures. Advanced BGP attack detection requires lightweight, rapid capabilities with the capacity to quantify group-level multi-viewpoint interactions, dynamics, and information. We term this approach advanced BGP anomaly detection. This survey evaluates 178 anomaly detection techniques and identifies which are candidates for advanced attack anomaly detection. Preliminary findings from an exploratory investigation of advanced BGP attack candidates are also reported.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Zhendong Wang,Zeyu Li,Junling Wang,Dahai Li

DOI: https://doi.org/10.1155/2021/9486949

IF: 1.968

2021-10-28

Security and Communication Networks

Abstract:The combination of deep learning and intrusion detection has become a hot topic in today’s network security. In the face of massive, high-dimensional network traffic with uneven sample distribution, how to be able to accurately detect anomalous traffic is the primary task of intrusion detection. Most research on intrusion detection systems based on network anomalous traffic detection has focused on supervised learning; however, the process of obtaining labeled data often requires a lot of time and effort, as well as the support of network experts. Therefore, it is worthwhile investigating the development of label-free self-supervised learning-based approaches called BYOL which is a simple and elegant framework with sufficiently powerful feature extraction capabilities for intrusion detection systems. In this paper, we propose a new data augmentation strategy for intrusion detection data and an intrusion detection model based on label-free self-supervised learning, using a new data augmentation strategy to introduce a perturbation enhancement model to learn invariant feature representation capability and an improved BYOL self-supervised learning method to train the UNSW-NB15 intrusion detection dataset without labels to extract network traffic feature representations. Linear evaluation on UNSW-NB15 and transfer learning on NSK-KDD, KDD CUP99, CIC IDS2017, and CIDDS_001 achieve excellent performance in all metrics.

computer science, information systems,telecommunications

Ali Hassan Muosa,A. H. Ali

DOI: https://doi.org/10.1109/csase51777.2022.9759613

2022-03-15

Abstract:The internet is formed by thousands of interconnected Autonomous Systems (ASes). The Border Gateway Protocol (BGP) exchanges routing information between autonomous domains. Anomalies in BGP are exceptional (misconfiguration, outage, and attacks). When they happen, the consequences can be widely hurtful. Anomaly detection in the internet routing section does not follow the normal behavior as an element. It is more important than anything else to detect internet routing anomalies using the BGP update messages quickly and accurately. This paper will propose a Short-Term Long Memory-based Autoencoders network (LSTM-AE) method for internet routing anomaly detection and trains itself to repeat clean datasets effectively. These memory units are a type of artificial Recurrent Neural Networks (RNN) architecture used in deep learning, are convenient for historical study time series modeling and anomaly detection using LSTM memory units instead of ordinary neurons to build the coder. Using LSTM-AE detects anomalies in 11 events to four kinds of anomalies through the data collected as time series.

X. Chen,B. Li,M. Shamsabardeh,R. Proietti,Z. Zhu,S. J. B. Yoo

DOI: https://doi.org/10.1109/jlt.2019.2902487

IF: 4.7

2019-01-01

Journal of Lightwave Technology

Abstract:This paper proposes a real-time and self-taught anomaly detection scheme for optical networks using hybrid unsupervised/supervised learning. Evaluations with an experimental dataset demonstrate that the proposed scheme can successfully identify 100% of the anomalies without any prior knowledge of abnormal network behaviors while restricting the false positive rate to be only 6.5%.

Zhangxuan Dang,Yu Zheng,Xinglin Lin,Chunlei Peng,Qiuyu Chen,Xinbo Gao

2024-03-13

Abstract:With the rapid development of the Internet, various types of anomaly traffic are threatening network security. We consider the problem of anomaly network traffic detection and propose a three-stage anomaly detection framework using only normal traffic. Our framework can generate pseudo anomaly samples without prior knowledge of anomalies to achieve the detection of anomaly data. Firstly, we employ a reconstruction method to learn the deep representation of normal samples. Secondly, these representations are normalized to a standard normal distribution using a bidirectional flow module. To simulate anomaly samples, we add noises to the normalized representations which are then passed through the generation direction of the bidirectional flow module. Finally, a simple classifier is trained to differentiate the normal samples and pseudo anomaly samples in the latent space. During inference, our framework requires only two modules to detect anomalous samples, leading to a considerable reduction in model size. According to the experiments, our method achieves the state of-the-art results on the common benchmarking datasets of anomaly network traffic detection. The code is given in the

Machine Learning,Artificial Intelligence,Cryptography and Security

Daniel Otero,Rafael Mateus,Randall Balestriero

2024-10-06

Abstract:Accurate anomaly detection is critical in vision-based infrastructure inspection, where it helps prevent costly failures and enhances safety. Self-Supervised Learning (SSL) offers a promising approach by learning robust representations from unlabeled data. However, its application in anomaly detection remains underexplored. This paper addresses this gap by providing a comprehensive evaluation of SSL methods for real-world anomaly detection, focusing on sewer infrastructure. Using the Sewer-ML dataset, we evaluate lightweight models such as ViT-Tiny and ResNet-18 across SSL frameworks, including BYOL, Barlow Twins, SimCLR, DINO, and MAE, under varying class imbalance levels. Through 250 experiments, we rigorously assess the performance of these SSL methods to ensure a robust and comprehensive evaluation. Our findings highlight the superiority of joint-embedding methods like SimCLR and Barlow Twins over reconstruction-based approaches such as MAE, which struggle to maintain performance under class imbalance. Furthermore, we find that the SSL model choice is more critical than the backbone architecture. Additionally, we emphasize the need for better label-free assessments of SSL representations, as current methods like RankMe fail to adequately evaluate representation quality, making cross-validation without labels infeasible. Despite the remaining performance gap between SSL and supervised models, these findings highlight the potential of SSL to enhance anomaly detection, paving the way for further research in this underexplored area of SSL applications.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Songtao Peng,Yiping Chen,Xincheng Shu,Wu Shuai,Shenhao Fang,Zhongyuan Ruan,Qi Xuan

2023-12-18

Abstract:In recent years, various international security events have occurred frequently and interacted between real society and cyberspace. Traditional traffic monitoring mainly focuses on the local anomalous status of events due to a large amount of data. BGP-based event monitoring makes it possible to perform differential analysis of international events. For many existing traffic anomaly detection methods, we have observed that the window-based noise reduction strategy effectively improves the success rate of time series anomaly detection. Motivated by this observation, we propose an unsupervised anomaly detection model, MAD-MulW, which incorporates a multi-window serial framework. Firstly, we design the W-GAT module to adaptively update the sample weights within the window and retain the updated information of the trailing sample, which not only reduces the outlier samples' noise but also avoids the space consumption of data scale expansion. Then, the W-LAT module based on predictive reconstruction both captures the trend of sample fluctuations over a certain period of time and increases the interclass variation through the reconstruction of the predictive sample. Our model has been experimentally validated on multiple BGP anomalous events with an average F1 score of over 90\%, which demonstrates the significant improvement effect of the stage windows and adaptive strategy on the efficiency and stability of the timing model.

Cryptography and Security

Lili Wu,Majid Khan Majahar Ali,Ying Tian

DOI: https://doi.org/10.1016/j.comcom.2023.12.043

IF: 5.047

2024-01-06

Computer Communications

Abstract:With the continuous development of artificial intelligence and big data, more and more communication protocols have appeared in the network connection. Because the network protocol content specification should not need to obtain the content of the common protocol by any means, it faces different attacks, which increases the complexity of network security detection to an unlimited extent. The absolute security analysis of the content of the relevant data protocol is not too limited. Based on the content of the unknown binary number protocol in the Internet of Things, this paper does the reverse research. To address the inefficiency, learning is focused on the inverse aspect of the content processing logic of the protocol for unsupervised execution attention. This paper proposes a method based on the name of the Dirichlet process mixture model normal field and the unknown protocol of the Internet of Things. It also establishes the behavioral criteria that process the logical inference least squares method to infer the content of the target protocol. Based on the original external characteristics of abnormal data in the Internet of Things, the neural network model of attention mechanism and the model checking of variational self-encoder are chosen. An innovative multi-dimensional spatial neural network model with a centralized control mechanism is taken to extract the spatial relevant information from the original external features, which are regarded as the intermediate external features. The intermediate extrinsic features are input to a variational self-encoder for computation and reconstruction. The experimental results verify that the time required by the proposed model is 45% less than that of the traditional structure. The flow processing improves by 36.7% compared with the optimization of the parameter control function. The specific method only relies on the original external characteristics of the Internet of Things traffic and can achieve better data anomaly detection and classification under the condition of not significantly improving the detection time. The abnormal data detection scheme of the Internet of Things designed in this paper not only fills the detection gap of the current mainstream Internet of Things system which lacks an autonomous supervision mechanism, but also effectively blocks external network intrusion and further improves the management authority verification system. It plays an indispensable role in the long-term stable operation of the Internet of Things platform.

computer science, information systems,telecommunications,engineering, electrical & electronic

ST Teoh,KL Ma,SF Wu,D Massey,XL Zhao,D Pei,L Wang,LX Zhang,R Bush

DOI: https://doi.org/10.1007/978-3-540-39671-0_14

2003-01-01

Abstract:To complement machine intelligence in anomaly event analysis and correlation, in this paper, we investigate the possibility of a human-interactive visual-based anomaly detection system for faults and security attacks related to the BGP (Border Gateway Protocol) routing protocol. In particular, we have built and tested a program, based on fairly simple information visualization techniques, to navigate interactively real-life BGP OASC (Origin AS Change) events. Our initial experience demonstrates that the integration of mechanical analysis and human intelligence can effectively improve the performance of anomaly detection and alert correlation. Furthermore, while a traditional representation of OASC events provides either little or no valuable information, our program can accurately identify, correlate previously unknown BGP/OASC problems, and provide network operators with a valuable high-level abstraction about the dynamics of BGP.

XL Zhao,D Pei,L Wang,D Massey,A Mankin,SF Wu,LX Zhang

DOI: https://doi.org/10.1109/dsn.2002.1028887

2002-01-01

Abstract:Network measurement has shown that a specific IP address prefix may be announced by more than one autonomous system (AS), a phenomenon commonly referred to as Multiple Origin AS, or MOAS. MOAS can be due to either operational need to support multi-homing, or false route announcements due to configuration or implementation errors, or even by intentional attacks. Packets following such bogus routes will be either dropped or, in the case of an intentional attack, delivered to a machine of the attacker's choosing.This paper presents a protocol enhancement to BGP which enables BGP to detect bogus route announcements from false origins. Rather than imposing cryptography-based authentication and encryption to secure routing message exchanges, our solution makes use of the rich connectivity among ASes that exists in the Internet. Simulation results show that this simple solution can effectively detect false routing announcements even in the presence of multiple compromised routers, become more robust in larger topologies, and can substantially reduce the impact of false routing announcements even with a partial deployment.

Meng Chen,Mingwei Xu,Xirui Song,Yuan Yang

DOI: https://doi.org/10.1109/LCN.2015.7366297

2015-01-01

Abstract:Anomalous BGP events can deteriorate Internet performance and connectivity thus have always been a research topic. However, most measurement works in this realm are prone to monitor-local events, namely, the events local to only few BGP monitors. Besides, events that are widely observed can also have negligible impact, e.g., prefix-local events. In contrast, a Large-scale BGP Event (LBE) makes a large quantity of prefixes be updated and can be observed by a large portion of monitors. Such events are anomalous even harmful. We formulate the problem of identifying LBEs from BGP updates, then propose the Iterative Cut-off Algorithm to solve it. We apply the method to some famous disruptive events and some `innocent' data, which are collected from more than 400 monitors. The measurement results validate the effectiveness of our method. Moreover, we detect a severe and persistent misconfiguration event that has remained unreported before.

YanMing Hu,Chuan Chen,BoWen Deng,YuJing Lai,Hao Lin,ZiBin Zheng,Jing Bian

DOI: https://doi.org/10.48550/arXiv.2304.05176

IF: 5.414

2023-04-11

Machine Learning

Abstract:Anomaly detection on attributed graphs is a crucial topic for its practical application. Existing methods suffer from semantic mixture and imbalance issue because they mainly focus on anomaly discrimination, ignoring representation learning. It conflicts with the assortativity assumption that anomalous nodes commonly connect with normal nodes directly. Additionally, there are far fewer anomalous nodes than normal nodes, indicating a long-tailed data distribution. To address these challenges, a unique algorithm,Decoupled Self-supervised Learning forAnomalyDetection (DSLAD), is proposed in this paper. DSLAD is a self-supervised method with anomaly discrimination and representation learning decoupled for anomaly detection. DSLAD employs bilinear pooling and masked autoencoder as the anomaly discriminators. By decoupling anomaly discrimination and representation learning, a balanced feature space is constructed, in which nodes are more semantically discriminative, as well as imbalance issue can be resolved. Experiments conducted on various six benchmark datasets reveal the effectiveness of DSLAD.

Shi Dong,Yuanjun Xia,Tao Peng

DOI: https://doi.org/10.1109/tnsm.2021.3120804

2021-12-01

IEEE Transactions on Network and Service Management

Abstract:The rapid development of Internet technology has brought great convenience to our production life, and the ensuing security problems have become increasingly prominent. These problems threaten users' privacy and pose significant security risks to the normal conduct of many aspects of society, such as politics, economy, culture, and people's livelihood. The growth of the information transmission rate expands the scope of attacks and provides a more attack environment for intruders. Abnormal detection is an effective security protection technology that can monitor network transmission in real-time, effectively sense external attacks, and provide response decisions for relevant managers. The development of machine learning has also led to the development of abnormal traffic detection technology. The goal has been to use powerful and fast learning algorithms to deal with changing threats and respond in real-time. Most of the current abnormal detection research is based on simulation, using public and well-known datasets. On the one hand, the dataset contains high-dimensional massive data, which traditional machine learning methods cannot be processed. On the other hand, the labeled data scale is far behind the application requirements, and the dataset's labels are all manually labeled, so the labeling cost is exceptionally high. This paper proposes a semi-supervised Double Deep Q-Network (SSDDQN)-based optimization method for network abnormal traffic detection, mainly based on Double Deep Q-Network (DDQN), a representative of Deep Reinforcement Learning algorithm. In SSDDQN, the current network first adopts the autoencoder to reconstruct the traffic features and then uses a deep neural network as a classifier. The target network first uses the unsupervised learning algorithm K-Means clustering and then uses deep neural network prediction. The experiment uses NSL-KDD and AWID datasets for training and testing and -erforms a comprehensive comparison with existing machine learning models. The experimental results show that SSDDQN has certain advantages in time complexity and achieved good results in various evaluation metrics.

computer science, information systems