Visual-Based Anomaly Detection for BGP Origin AS Change (OASC) Events

Teoh, Soon Tee; Ma, Kwan‐Liu; Wu, S. Felix; Massey, Dan; Zhao, Xiaomeng; Pei, Dan; Wang, Lan; Zhang, Lixia; Bush, Randy

doi:10.1007/978-3-540-39671-0_14

Cited by 17 publications

(8 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…“A picture is worth a thousand of words.” Information visualization generally needs to handle very large amounts of textual, symbolic, or relational data and to transfer these data into graphics that can be displayed . A visualization system provides a more perceptive method for security analysis.…”

Section: Data Process and Analysismentioning

confidence: 99%

A survey of security visualization for computer network logs

Zhang

Xiao

Chen

et al. 2011

Security Comm Networks

View full text Add to dashboard Cite

Network security is an important area in computer science. Although great efforts have already been made regarding security problems, networks are still threatened by all kinds of potential attacks, which may lead to huge damage and loss. Log files are main sources for security analysis. However, log files are not user friendly. It is laborious work to obtain useful information from log files. Compared with log files, visualization systems designed for security purposes provide more perceptive and effective sources for security analysis. Most security visualization systems are based on log files. In this paper, we provide a survey on visualization designs for computer network security. In this survey, we looked into different security visual analytics, and we organized them into five categories. Copyright © 2011 John Wiley & Sons, Ltd.

show abstract

Section: Data Process and Analysismentioning

confidence: 99%

A survey of security visualization for computer network logs

Zhang

Xiao

Chen

et al. 2011

Security Comm Networks

View full text Add to dashboard Cite

show abstract

“…Besides cryptographic solutions, other works focused on the MOAS conflicts. Wu et al worked on BGP anomalies and MOAS visualization tools (Teoh, 2003) (Teoh, 2004). Anomaly visualization is not efficient enough againt anomalies, it would be more efficient to have a mechanism that detects and reacts to anomalies as the routing system is running or even a mechanism that prevent those attacks.…”

Section: Related Workmentioning

confidence: 99%

Internet Routing Security: An Approach to Detect and to React to Incorrect Advertisements

Féki¹,

Xiao-li²,

Achemlal³

et al. 2006

Proceedings of the International Conference on Security and Cryptography

View full text Add to dashboard Cite

Internet is composed of thousands of autonomous systems (AS). The Border Gateway Protocol (BGP) is the exterior routing protocol used to exchange network reachability information between border routers of each AS. The correctness of the exchanged information in BGP messages is crucial to the Internet routing system. Unfortunately, BGP is vulnerable to different attacks that have considerable impacts on routing system. Network prefix hijacking, where an AS illegitimately originates a prefix is one of the most important attacks. It allows the attacker to receive traffic in destination to the prefix owner. The attacker is then able to blackhole the traffic or to force it to take another path. Proposed solutions rely on public key infrastructures and cryptographic mechanisms to prevent incorrect routing information propagation. In practice these approaches involve many parties (Internet Service Providers, Operators, Vendors, and Regional Internet Registries) and are difficult to deploy. In this paper we formally define routing information correctness, especially the legitimacy of an AS to originate a prefix. We also propose a method to associate with an AS a legitimacy level to originate a prefix. We use Regional Internet Registry databases to initialize the legitimacy level. We also use received announcements and public routing data to update this legitimacy level. We finally describe all conceivable reactions facing origin AS changes.

show abstract

“…For example, the study in [34] proposed to enhance BGP protocol to detect IP address ownership violation . Researchers also applied visualization [29] and topology-based [14] techniques to attack the above problem. The more related work to IRF is [33], which used signature-based and statistics-base methods.…”

Section: Related Workmentioning

confidence: 99%

An internet routing forensics framework for discovering rules of abnormal BGP events

Dou

et al. 2005

SIGCOMM Comput. Commun. Rev.

View full text Add to dashboard Cite

a c m s i g c o m m ABSTRACTAbnormal BGP events such as attacks, misconfigurations, electricity failures, can cause anomalous or pathological routing behavior at either global level or prefix level, and thus must be detected in their early stages. Instead of using ad hoc methods to analyze BGP data, in this paper we introduce an Internet Routing Forensics framework to systematically process BGP routing data, discover rules of abnormal BGP events, and apply these rules to detect the occurrences of these events. In particular, we leverage data mining techniques to train the framework to learn rules of abnormal BGP events, and our results from two case studies show that these rules are effective. In one case study, rules of worm events discovered from the BGP data during the outbreaks of the CodeRed and Nimda worms were able to successfully detect worm impact on BGP when an independent worm, the Slammer, subsequently occurred. Similarly, in another case study, rules of electricity blackout events obtained using BGP data from the 2003 East Coast blackout were able to detect the BGP impact from the Florida blackout caused by Hurricane Frances in 2004.

show abstract

Visual-Based Anomaly Detection for BGP Origin AS Change (OASC) Events

Cited by 17 publications

References 7 publications

A survey of security visualization for computer network logs

A survey of security visualization for computer network logs

Internet Routing Security: An Approach to Detect and to React to Incorrect Advertisements

An internet routing forensics framework for discovering rules of abnormal BGP events

Contact Info

Product

Resources

About