
ecs236 Winter 2006: Intrusion Detection #4: Anomaly Detection for Internet Routing


Presentation Transcript


  1. ecs236 Winter 2006: Intrusion Detection #4: Anomaly Detection for Internet Routing. Dr. S. Felix Wu, Computer Science Department, University of California, Davis. http://www.cs.ucdavis.edu/~wu/ sfelixwu@gmail.com (ecs236 winter 2006)

  2. Intrusion Detection Model: input event sequence → intrusion detection (pattern matching against the model) → results.

  3. Internet in 1969: four nodes, UTAH, SRI, UCSB and UCLA. What was the link speed/bandwidth?

  4. ARPANet in 1969: the same four nodes (UTAH, SRI, UCSB, UCLA), connected by 56 kbps links.

  5. The “Internet” as of February 1, 2006: 21319 Autonomous Systems; 177300 IP address prefixes announced. Source: http://bgp.potaroo.net/cidr/

  6. AS and IP address prefix: UC Davis owns the address block 169.237/16; the routers of UC Davis form Autonomous System AS6192.

  7. Address Prefix. Notation of network address prefixes: 169.237.0.0/16 is the prefix 10101001 11101101 00000000 00000000 with prefix length 16, i.e. the mask 11111111 11111111 00000000 00000000. Prefix aggregation/de-aggregation: 169.237.0.0/16 (less specific) splits into 169.237.0.0/17 and 169.237.128.0/17, then 169.237.192.0/18, 169.237.204.0/19 (more specific). BGP prefers the more specific prefix (longest prefix match), so a more-specific announcement wins over the aggregate it sits inside.

  8. Peering ASes: UC Davis (AS6192, 169.237/16) peers with AS11423 (UC), which peers with AS11537 (CENIC), which peers with AS513.

  9. AS6192 → AS11423: AS6192 announces 169.237/16 to AS11423, which records the AS path 169.237/16: 11423 6192 (each AS prepends its own number as the announcement propagates).

  10. AS11423 → AS11537: AS11537 now holds the AS path 169.237/16: 11537 11423 6192.

  11. AS11537 → AS513: AS513 holds the AS path 169.237/16: 513 11537 11423 6192.

  12. Packet Forwarding: the AS path for 169.237/16 at AS513 is 513 11537 11423 6192, so a packet for 169.237/16 entering at AS513 is forwarded AS513 → AS11537 → AS11423 → AS6192, the reverse of the direction the announcement travelled.

  13. The Dynamics of the “Internet”: • link/node failures • software malfunctions • implementation related • policy configuration • topology changes • other “interesting” dynamics (that we cannot explain well yet…)

  14. The Scale of the “Internet”: • Every single prefix, and its “dynamics”, must be propagated to every single AS (21319). • Every single AS must maintain a routing table that says how to route traffic toward any one of the 177300 prefixes. • BGP is the protocol that supports the exchange of routing information for ALL prefixes among ALL ASes.

  15. DNS and BGP: does DNS depend on BGP, or BGP on DNS? Without DNS, BGP and the Internet can still function. But without BGP, DNS won't work very much: DNS, like every other Internet service, sits on top of BGP routing.

  16. Routing Dynamics in 2001 (figure): each colored dot is an AS path being used; the plot shows the number of BGP updates over a fixed period of time (e.g., 2 hours).

  17. DNS Root-A Server: the routes seen for its prefix on 2001-04-16 (time, then the AS path, or Withdraw):
      08:29  3333 9057 3356 3561 6245
      08:29  3333 9057 3356 701 6245
      08:49  3333 9057 3356 3561 6245
      08:55  3333 9057 3356 1239 6245
      08:56  3333 1103 8297 6453 1239 6245
      08:56  3333 1103 8297 6453 701 6245
      09:05  3333 1103 8297 6453 1239 6245
      09:24  3333 9057 3356 4544 6245
      09:27  3333 9057 3356 701 6245
      09:32  3333 1103 8297 6453 1239 6245
      09:33  Withdraw
      09:38  3333 9057 3356 4544 6245
      09:38  3333 286 209 4544 6245
      09:40  Withdraw
      10:02  3333 1103 8297 6453 1239 6245
      10:08  3333 9057 3356 3561 6245

  18. Global Failure: in 1997 AS7007 falsely de-aggregated 65000+ network prefixes, and the east-coast Internet was down for 12 hours.

  19. Packet Forwarding (slide 12 repeated): the AS path at AS513 for 169.237/16 is 513 11537 11423 6192.

  20. Global Failure (continued): AS7007's 1997 de-aggregation announced more-specific prefixes for 65000+ blocks (illustrated with 169.237/16, 142.7.6/24, 204.5.68/24, …). Because BGP prefers the more specific prefix, traffic for those blocks was drawn away from the legitimate paths (AS513 → AS11537 → AS11423 → AS6192 for UC Davis) into a black hole.
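Slides 7, 12 and 20 together explain why a de-aggregated, more-specific announcement captures traffic. The Python below is an added example, not code from the lecture: it parses the slides' prefix shorthand, prints the bit pattern of slide 7, applies longest-prefix match, and shows a constructed forwarding table in which a hypothetical /24 de-aggregated by AS7007 (an assumption used for illustration; the /16 path is the one on the slides) wins over UC Davis's /16.

```python
import ipaddress

def parse_prefix(text):
    """Accept the slides' shorthand ('169.237/16', '169.237.6/24') as well as
    the full dotted form. ipaddress is strict by default: a prefix whose host
    bits are not zero is rejected rather than silently aligned."""
    addr, plen = text.split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # '169.237' -> '169.237.0.0'
    return ipaddress.ip_network(".".join(octets) + "/" + plen)

def is_valid_block(text):
    """True when the prefix is a properly aligned CIDR block."""
    try:
        parse_prefix(text)
        return True
    except ValueError:
        return False

def prefix_bits(net):
    """(network address, mask) as 32-bit strings, as drawn on slide 7."""
    return (format(int(net.network_address), "032b"),
            format(int(net.netmask), "032b"))

def is_more_specific(a, b):
    """True when a is a strict sub-block of b (a de-aggregation of b)."""
    return a != b and a.subnet_of(b)

# Constructed forwarding table: prefix -> AS path as seen at AS513.
# The /16 is UC Davis's real block with the path from slide 12; the /24 is a
# hypothetical AS7007-style more-specific and NOT a real announcement.
FIB = {
    parse_prefix("169.237/16"):  [513, 11537, 11423, 6192],
    parse_prefix("169.237.6/24"): [513, 11537, 7007],
}

def longest_prefix_match(dst, fib):
    """The route a router actually uses: the longest matching prefix."""
    addr = ipaddress.ip_address(dst)
    return max((net for net in fib if addr in net),
               key=lambda n: n.prefixlen, default=None)

def next_hop_origin(dst, fib):
    """(matched prefix, origin AS) for a destination, or None if unrouted."""
    net = longest_prefix_match(dst, fib)
    return None if net is None else (str(net), fib[net][-1])

if __name__ == "__main__":
    print(prefix_bits(parse_prefix("169.237/16")))
    for dst in ("169.237.6.10", "169.237.100.1"):
        print(dst, "->", next_hop_origin(dst, FIB))
```

Note that slide 7's `169.237.204.0/19` fails `is_valid_block`: 204 is 11001100, so a /19 cut leaves non-zero host bits, and a strict parser (and most router CLIs) will refuse it or align it to 169.237.192.0/19; de-aggregation lists should be validated this way before being compared.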

  21. Understand: • lots of anomalies • anomaly detection • understand and explain the anomalies • network management • valuable inputs for future design • better and more practical mathematical models

  22. (Figure: the detection/learning loop. Observed system events feed SBL-based anomaly detection, which produces analysis reports; model-based event analysis and example selection feed explanation-based learning, which updates the model.)

  23. BGP Observation Points (e.g., RIPE, AS12654): “get the real BGP data.” Each peer of the observation point tells us, at any moment of time, how to reach each of the 177300 prefixes.

  24. Multiple BGP Observation Points: Oregon, RIPE and UC Davis, each peering with the Internet.

  25. Real BGP Data Replay.

  26. Origin AS in an AS Path: UC Davis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS, the last AS in the path. AS path at AS513: 513 11537 11423 6192. Paths for 169.237/16 seen at RIPE's AS12654 in March 2002:
      12654 13129 6461 3356 11423 6192
      12654 9177 3320 209 11423 6192
      12654 4608 1221 4637 11423 6192
      12654 777 2497 209 11423 6192
      12654 3549 3356 11423 6192
      12654 3257 3356 11423 6192
      12654 1103 11537 11423 6192
      12654 3333 3356 11423 6192
      12654 7018 209 11423 6192
      12654 2914 209 11423 6192
      12654 3549 209 11423 6192
      (Figure: the AS-level graph formed by these paths, from AS12654 through 3333, 3549, 7018, 2914, 4637, 3356, 11537, 209 and 11423 to AS6192, March 2002.)

  27. 169.237/16 in November 2004: every path now reaches AS6192 through AS2152 or AS2153 (CSU-53, California State University) rather than through AS11423.
      1668 3356 2152 6192; 3257 3356 2152 6192; 21202 30912 29518 3549 3356 2152 6192; 3561 3356 2152 6192; 5511 3356 2152 6192; 6453 3356 2152 6192; 7018 3356 2152 6192; 3557 2152 6192; 1221 4637 2152 6192; 6539 2152 6192;
      6939 2152 6192; 3257 6939 2152 6192; 16150 8434 3257 6939 2152 6192; 5390 6939 2152 6192; 8121 6939 2152 6192; 8426 6939 2152 6192; 12956 6939 2152 6192; 13237 6939 2152 6192; 15444 6939 2152 6192; 11608 2152 6192;
      10876 4600 11537 2153 6192; 7660 11537 2153 6192; 2152 6192; 286 174 2152 6192; 2914 174 2152 6192; 3130 2914 174 2152 6192; 3292 174 2152 6192; 3549 174 2152 6192; 2493 3602 174 2152 6192; 5462 174 2152 6192;
      5503 174 2152 6192; 5511 174 2152 6192; 6667 174 2152 6192; 6762 174 2152 6192; 6895 174 2152 6192; 15444 174 2152 6192; 293 2153 6192; 2497 2152 6192; 4777 2497 2152 6192; 7500 2497 2152 6192;
      3303 2152 6192; 3356 2152 6192; 2905 701 3356 2152 6192; 1239 3356 2152 6192; 3130 1239 3356 2152 6192
      AS2152: CSU-53 California State University; AS2153: CSU-53 California State University.

  28. Origin AS Changes (OASC), as seen from AS12654: • Ownership: UC Davis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS. • Current AS path for prefix 169.237/16: 2914 209 11423 6192. • New AS path 2914 3011 273 81, with origin AS-81; even worse, it is for the more specific 169.237.6/24. • Which route path to use? • Normal or abnormal?

  29. (Figure: OASC events per day. Max: 10226, of which 9177 came from a single AS.)

  30. Origin AS Changes (OASC), as seen from AS12654: a new path 2914 3011 273 81 for 169.237.6/24 appears beside the established 2914 209 11423 6192 for 169.237/16. • Normal or abnormal? • How to handle this problem?

  31. (Figure: the statistical anomaly-detection pipeline. Raw events update a long-term profile under timer control (update, decay, clean); current events are compared against the profile to compute the deviation; threshold control on the deviation drives alarm generation.)

  32. (Figure: the same pipeline with a human in the loop. Raw events go through an Information Visualization Toolkit; the analyst's cognitive profile is updated, decayed and cleaned; the analyst cognitively identifies the deviation, and alarms are identified by the analyst rather than by a threshold.)

  33. Real-Time OASC Detection: • low-level events: BGP route updates • high-level events: OASC, 1000+ per day and max 10226 per day • per 3-minute window in the real-time demo • IP address blocks • origin AS in BGP update messages • different types of OASC events
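The update log on slide 17 and the pipeline on slides 31 and 33 (raw events, a windowed count, a long-term profile that is updated and decayed, a deviation compared against a threshold, an alarm) can be put together in a few dozen lines. The Python below is an added example, not the lecture's tool: the log lines are slide 17's, retyped in one consistent `yyyy.m.d:h.mm` form; the 3-minute window is the one slide 33 names, while the decay factor and threshold are assumptions.

```python
import re
from collections import Counter

# Slide 17's BGP updates for the DNS root-A prefix, one per line: timestamp,
# then the AS path or "Withdraw". Retyped here with a uniform timestamp format.
SAMPLE_UPDATES = """\
2001.4.16:8.29 3333 9057 3356 3561 6245
2001.4.16:8.29 3333 9057 3356 701 6245
2001.4.16:8.49 3333 9057 3356 3561 6245
2001.4.16:8.55 3333 9057 3356 1239 6245
2001.4.16:8.56 3333 1103 8297 6453 1239 6245
2001.4.16:8.56 3333 1103 8297 6453 701 6245
2001.4.16:9.05 3333 1103 8297 6453 1239 6245
2001.4.16:9.24 3333 9057 3356 4544 6245
2001.4.16:9.27 3333 9057 3356 701 6245
2001.4.16:9.32 3333 1103 8297 6453 1239 6245
2001.4.16:9.33 Withdraw
2001.4.16:9.38 3333 9057 3356 4544 6245
2001.4.16:9.38 3333 286 209 4544 6245
2001.4.16:9.40 Withdraw
2001.4.16:10.02 3333 1103 8297 6453 1239 6245
2001.4.16:10.08 3333 9057 3356 3561 6245
"""

TS = re.compile(r"^(\d{4})\.(\d{1,2})\.(\d{1,2}):(\d{1,2})\.(\d{1,2})$")

def parse_updates(text):
    """-> list of (minute_of_day, AS path as a tuple, or None for a withdrawal)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *rest = line.split()
        m = TS.match(stamp)
        if m is None:
            raise ValueError("bad timestamp: " + stamp)
        minute = int(m.group(4)) * 60 + int(m.group(5))
        path = None if rest == ["Withdraw"] else tuple(int(a) for a in rest)
        events.append((minute, path))
    return events

def distinct_paths(events):
    """The set of AS paths the prefix flapped between."""
    return {p for _, p in events if p is not None}

def windowed_counts(events, window=3):
    """Raw events -> number of updates per `window`-minute bin (slide 33)."""
    return Counter(minute // window for minute, _ in events)

def detect(counts, window=3, alpha=0.1, threshold=2.0):
    """Slide 31 in miniature. The long-term profile is an exponentially decayed
    average of per-window counts (alpha = how fast old evidence decays; assumed).
    Each window's deviation is its count minus the profile *before* it is folded
    in; a deviation above `threshold` (assumed) raises an alarm. Empty windows
    are walked too, so a quiet period really does decay the profile.
    Returns [(window start minute, count, profile at that moment), ...]."""
    if not counts:
        return []
    lo, hi = min(counts), max(counts)
    profile, alarms = 0.0, []
    for w in range(lo, hi + 1):
        c = counts.get(w, 0)
        deviation = c - profile
        if deviation > threshold:
            alarms.append((w * window, c, round(profile, 3)))
        profile = (1 - alpha) * profile + alpha * c      # update + decay
    return alarms

if __name__ == "__main__":
    ev = parse_updates(SAMPLE_UPDATES)
    print(len(ev), "updates,", len(distinct_paths(ev)), "distinct paths")
    print(detect(windowed_counts(ev)))
```

On this log the single alarm lands on the 08:54-08:56 window, where three updates arrive in three minutes against a profile that has decayed to almost nothing; with a profile initialised to zero the very first window would also fire if its count exceeded the threshold, which is why a real deployment warms the profile up on a day of known-good data before alarming.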

  34. Quad-Tree Representation of IP Address Prefixes (figure): the address space is split two bits per level into quadrants labelled 00 (bottom left), 01 (top left), 10 (bottom right), 11 (top right), each subdivided the same way (110000, 110001, 110010, 110011, 111000, 111001, …). 169.237/16 = 10101001.11101101/16 is a single cell eight levels down (16 bits).

  35. AS# Representation (figure): the same quadtree used to place AS numbers; AS-1, AS-81, AS-6192, AS-7777 and AS-15412 are marked.
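Mapping a prefix onto the quadtree of slides 34 and 35 is a small bit-manipulation exercise. The Python below is an added example (not from the lecture): it takes two address bits per level, reading the first bit as the x quadrant (0 left, 1 right) and the second as the y quadrant (0 bottom, 1 top) so that the slide's labels 00, 01, 10, 11 land bottom-left, top-left, bottom-right and top-right. Odd prefix lengths (slide 7's /17 and /19) split a level, so such a prefix covers two sibling cells. Placing an AS number by its 16-bit value in the same tree is an assumption about how slide 35 was drawn.

```python
def prefix_to_bits(prefix):
    """'169.237/16' -> '1010100111101101': the first prefix-length bits."""
    addr, plen = prefix.split("/")
    octets = [int(o) for o in addr.split(".")]
    octets += [0] * (4 - len(octets))                 # pad the shorthand form
    bits = "".join(format(o, "08b") for o in octets)
    return bits[: int(plen)]

def bits_to_cell(bits):
    """Two bits per quadtree level: bit 1 selects x, bit 2 selects y.
    Returns (depth, x, y), with (0, 0) the bottom-left cell at that depth."""
    if len(bits) % 2:
        raise ValueError("need an even number of bits; use prefix_cells()")
    x = y = 0
    for i in range(0, len(bits), 2):
        x = (x << 1) | int(bits[i])
        y = (y << 1) | int(bits[i + 1])
    return (len(bits) // 2, x, y)

def prefix_cells(prefix):
    """Cells covering a prefix. An odd length leaves the last level's second
    bit free, so the prefix spans two vertically adjacent cells."""
    bits = prefix_to_bits(prefix)
    if len(bits) % 2 == 0:
        return [bits_to_cell(bits)]
    return [bits_to_cell(bits + "0"), bits_to_cell(bits + "1")]

def asn_cell(asn, width=16):
    """Assumption: an AS number is placed by treating its 16-bit value as the
    bit string, exactly as an address prefix is."""
    return bits_to_cell(format(asn, "0%db" % width))

def ancestor(cell, depth):
    """The cell at a shallower depth that contains `cell`: the less-specific
    prefix. A hole (slide 36) is a deeper cell inside the victim's cell."""
    d, x, y = cell
    shift = d - depth
    return (depth, x >> shift, y >> shift)

if __name__ == "__main__":
    print(prefix_cells("169.237/16"), prefix_cells("169.237.6/24"))
    print(ancestor(prefix_cells("169.237.6/24")[0], 8))
```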

  36. AS81 punched a “hole” in 169.237/16: yesterday AS-6192 (the victim) originated 169.237/16; today 169.237/16 is still there, but AS-81 (the offender) also originates the more specific 169.237.6/24, which BGP prefers for that /24.

  37. OASC Event Types (different colors represent the types in the figures): • C type: CSS, CSM, CMS, CMM • H type: H • B type: B • O type: OS, OM

  38. August 14, 2000: AS-7777 punched hundreds of holes. (figure)

  39. April 6, 2001: AS15412 caused 40K+ MOAS/OASC events within 2 weeks… (figure)

  40. April 7-10, 2001 (figure panels, one pair per day: all OASC events, and those involving AS15412): 04/07/2001, 04/08/2001, 04/09/2001, 04/10/2001.

  41. April 11-14, 2001 (figure panels, all vs. AS15412): 04/11/2001, 04/12/2001, 04/13/2001, 04/14/2001.

  42. April 18-19, 2001 (figure panels, all vs. AS15412): 04/18/2001, 04/19/2001. Again??

  43. SPRINT (AS-1239): on December 3, 2000, 3000+ B events. (figure)

  44. Gaining Knowledge about OASC: • Which types of “screens” are more interesting, and why? • Why was AS15412 picked for further special examination? • In this context, why were we focusing only on April 6-12 and April 18-19? Or, why is April 16 irrelevant? • Why are April 12 and 18 similar? • What is the difference between these two instances in April 2001?

  45. (Figure, slide 22 repeated: observed system events → SBL-based anomaly detection → analysis reports; model-based event analysis, example selection and explanation-based learning update the model.)

  46. The KDD Process: • knowledge about the application domain • data preparation • data mining • interpretation • using the discovered knowledge

  47. OASC Data: • How do we define an OASC event? For 169.237/16, the origin AS changes from AS-6192 to AS-81. • But exactly how should we obtain the information?

  48. BGP Observation Points (slide 23 repeated): e.g., RIPE, AS12654. Each peer tells us, at any moment of time, how to reach each of the 177300 prefixes. “Get the real BGP data.”

  49. One routing table for all 177300 prefixes, per peer of AS-12654 (RIPE): each peer tells us, at any moment of time, how to reach each of the 177300 prefixes.

  50. Per-Day Analysis: compare today's routing table against yesterday's, on ALL prefixes.
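Slides 26, 28, 36, 37 and 47-50 describe the detector in pieces: take the origin AS (last element of each path) from every peer's routes, build one origin table per day, and diff today's against yesterday's on all prefixes. The Python below is an added example, not the lecture's code, that does exactly that on constructed snapshots. The 169.237/16 paths are from slide 26 and the AS81 /24 is slide 28/36's hole; the other prefixes use documentation address blocks and private-range ASNs invented here to exercise the remaining cases. It implements the C events (origin change, suffixed S/M for single or multiple origins before and after, e.g. CSS, CSM) and H events (a new more-specific prefix whose origin is not among the origins of the prefix that covered it yesterday); the B and O types are named on slide 37 but not defined on the page, so the example leaves everything else as "other".

```python
import ipaddress
from collections import defaultdict

# Constructed snapshots, (prefix, AS path) as an observation point such as
# RIPE's AS12654 collects them from each peer.
YESTERDAY = [
    ("169.237.0.0/16",  "12654 2914 209 11423 6192"),
    ("169.237.0.0/16",  "12654 3549 3356 11423 6192"),
    ("192.0.2.0/24",    "12654 1103 8297 64496"),
    ("198.51.100.0/24", "12654 3356 64498"),
]
TODAY = [
    ("169.237.0.0/16",  "12654 2914 209 11423 6192"),
    ("169.237.6.0/24",  "12654 2914 3011 273 81"),   # more specific, new origin: a hole
    ("192.0.2.0/24",    "12654 1103 8297 64497"),    # single origin replaced
    ("198.51.100.0/24", "12654 3356 64498"),         # now also originated by 64499
    ("198.51.100.0/24", "12654 1239 64499"),
    ("203.0.113.0/24",  "12654 7018 64500"),         # brand-new block, nothing covers it
]

def origins_of(path):
    """Origin AS = last element of the AS path (slide 26). A trailing AS_SET
    such as '{64500,64501}' yields all members; the page does not discuss
    AS_SETs, so treating them as co-origins is an assumption."""
    last = path.split()[-1]
    if last.startswith("{"):
        return {int(a) for a in last.strip("{}").split(",") if a}
    return {int(last)}

def origin_table(table):
    """prefix -> set of origin ASes seen across all peers' paths that day."""
    origins = defaultdict(set)
    for prefix, path in table:
        origins[ipaddress.ip_network(prefix)] |= origins_of(path)
    return origins

def covering_prefix(net, origins):
    """Longest less-specific prefix in `origins` that contains `net`, or None."""
    covers = [o for o in origins if o.prefixlen < net.prefixlen and net.subnet_of(o)]
    return max(covers, key=lambda o: o.prefixlen, default=None)

def _sm(origin_set):
    """S = single origin, M = multiple origins (MOAS)."""
    return "S" if len(origin_set) == 1 else "M"

def oasc_events(yesterday, today):
    """Slide 50: today's table against yesterday's on all prefixes.
    Returns (prefix, type, old origins, new origins) tuples."""
    y, t = origin_table(yesterday), origin_table(today)
    events = []
    for net in sorted(set(y) | set(t)):
        if net in y and net in t:                      # prefix seen both days
            if y[net] != t[net]:
                events.append((str(net), "C" + _sm(y[net]) + _sm(t[net]),
                               sorted(y[net]), sorted(t[net])))
        elif net in t:                                 # new prefix today
            cover = covering_prefix(net, y)
            if cover is not None and not t[net] <= y[cover]:
                events.append((str(net), "H", sorted(y[cover]), sorted(t[net])))
            else:
                events.append((str(net), "other", [], sorted(t[net])))
        # prefixes seen yesterday only were withdrawn: nothing to compare
    return events

if __name__ == "__main__":
    for event in oasc_events(YESTERDAY, TODAY):
        print(event)
```

For the hole the tuple carries the victim's origin (AS6192) and the offender's (AS81), which is what slide 36 labels. Looking up the covering prefix in yesterday's table rather than today's is deliberate: it ties the event to the ownership that was established before the change, which is the question slides 28 and 30 ask.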
