
Visual-based Anomaly Detection for BGP Origin AS Change (OASC)

Soon-Tee Teoh1, Kwan-Liu Ma1, S. Felix Wu1, Dan Massey2, Xiao-Liang Zhao2, Dan Pei3, Lan Wang3, Lixia Zhang3, Randy Bush4

UC Davis, USC/ISI, UCLA, IIJ

DSOM'2003, Heidelberg, Germany



Elisha: the long-term goal

  • Monitoring and management of a large-scale, complex system whose behavior we do not fully understand.

  • Integration of human and machine intelligence to adaptively develop the domain knowledge for the target system.


In this talk…

  • Knowledge Acquisition via Visualization

    • cognitive pattern matching

    • event correlation and explanation

  • Outline

    • Background: Origin AS in BGP

    • The Elisha/OASC tool

    • One example and demo


Autonomous Systems (ASes)

(Diagram: AS6192, AS11423 (UC), AS11537 (CENIC) and AS513, chained outwards from UC Davis.)

UCDavis: 169.237/16

an AS Path for 169.237/16: 513 11537 11423 6192


Origin AS in an AS Path

(Diagram: AS graph as seen from observation point AS12654, with transit ASes 3333, 3549, 7018, 2914, 4637, 3356, 11537 and 209 leading through AS11423 to origin AS6192.)

  • UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS

  • AS Path: 513 11537 11423 6192

    • 12654 13129 6461 3356 11423 6192

    • 12654 9177 3320 209 11423 6192

    • 12654 4608 1221 4637 11423 6192

    • 12654 777 2497 209 11423 6192

    • 12654 3549 3356 11423 6192

    • 12654 3257 3356 11423 6192

    • 12654 1103 11537 11423 6192

    • 12654 3333 3356 11423 6192

    • 12654 7018 209 11423 6192

    • 12654 2914 209 11423 6192

    • 12654 3549 209 11423 6192

  • Observation Points in the Internet collecting BGP AS Path Updates: RIPE: AS-12654


Origin AS Changes (OASC)

(Diagram: observation point AS12654 sees two paths: 2914 209 11423 6192 to 169.237/16, and 2914 3011 273 81 to 169.237.6/24.)

  • Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS

  • Current

    • AS Path: 2914 209 11423 6192

    • for prefix: 169.237/16

  • New

    • AS Path: 2914 3011 273 81

    • even worse: 169.237.6/24

  • Which route path to use?

  • Legitimate or not??


BGP OASC Events (one type only)

(Chart: OASC events of one type per day; max 10226 in a day, 9177 of them from a single AS.)


Data from BGP Observation Points


Anomaly Detection

  • False positive versus false negative

  • Anomaly analysis:

    • To find the “meaning”, “explanation,” and “knowledge” behind those detected anomalies


Visual-based Anomaly Detection

  • “Visual” Anomalies

    • Something catches your eyes…

  • Mental/Cognitive “long-term” profile of normal behavior

    • We build the “long-term” profile in your mind.

    • Human experts can incorporate “domain knowledge” about the target system/protocol.


Visual-based Anomaly Detection

(Diagram: raw events → Information Visualization Toolkit → update / decay / clean → cognitive profile → cognitively identify the deviation → alarm identification)


ELISHA/OASC

  • Events:

    • Low level events: BGP Route Updates

    • High level events: OASC

      • Still 1000+ per day and max 10226 per day for the whole Internet

  • Information to represent visually:

    • IP address blocks

    • Origin AS in BGP Update Messages

    • Different Types of OASC Events


Quad-Tree Representation of IP Address Prefixes

(Diagram: a quad-tree over the IPv4 address space. Each level consumes two address bits, so the four top-level cells are labelled 00, 01, 10 and 11, and deeper cells carry longer labels such as 1001, 110001, 111011 or 00110110. A prefix is located by following its bits two at a time; 169.237/16 is 10101001.11101101/16.)


AS# Representation

(Diagram: the same quad-tree layout applied to AS numbers, with cells labelled 00, 01, 10, 11, 1001, 110001 and so on; AS-1, AS-7777 and AS-15412 are marked at their cells.)
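Added example (my own code, not from the slides or the Elisha release): locating an IP prefix or an AS number in the quad-tree layout the two slides above describe. It assumes the first bit of each pair picks the top/bottom half and the second the left/right half; the slide shorthand 169.237/16 is expanded before parsing.

```python
import ipaddress

def expand_prefix(prefix: str) -> ipaddress.IPv4Network:
    """Accept the slide shorthand '169.237/16' as well as '169.237.0.0/16'."""
    addr, plen = prefix.split("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=False)

def prefix_bits(prefix: str) -> str:
    """Network bits of a prefix, e.g. '169.237/16' -> '1010100111101101'."""
    net = expand_prefix(prefix)
    return format(int(net.network_address), "032b")[: net.prefixlen]

def quadtree_cell(bits: str, total_bits: int = 32):
    """Map a bit string to a rectangle (x, y, width, height) on a square
    canvas of side 2**(total_bits // 2).  Each quad-tree level consumes two
    bits: the first picks the top/bottom half, the second the left/right
    half (assumed convention).  An odd-length prefix ends in a half cell."""
    half = total_bits // 2
    side = 1 << half
    ybits, xbits = bits[0::2], bits[1::2]
    y = int(ybits, 2) << (half - len(ybits)) if ybits else 0
    x = int(xbits, 2) << (half - len(xbits)) if xbits else 0
    return x, y, side >> len(xbits), side >> len(ybits)

def prefix_cell(prefix: str):
    """Cell of an IPv4 prefix on the 65536 x 65536 address canvas."""
    return quadtree_cell(prefix_bits(prefix), 32)

def as_cell(asn: int):
    """Same layout for a 16-bit AS number (the numbering in use in 2003)."""
    return quadtree_cell(format(asn, "016b"), 16)

def cell_contains(outer, inner) -> bool:
    """True when inner lies inside outer; a more-specific prefix such as the
    169.237.6/24 'hole' always nests inside its covering prefix's cell."""
    ox, oy, ow, oh = outer
    ix, iy, iw, ih = inner
    return ox <= ix and oy <= iy and ix + iw <= ox + ow and iy + ih <= oy + oh

if __name__ == "__main__":
    for p in ("169.237/16", "169.237.6/24"):
        print(p, prefix_bits(p), prefix_cell(p))
    print("AS-7777", as_cell(7777))
    print(cell_contains(prefix_cell("169.237/16"), prefix_cell("169.237.6/24")))
```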


AS81 punched a “hole” on 169.237/16

(Diagram: yesterday, AS-6192 (victim) originated 169.237/16; today, 169.237/16 is still there but AS-81 (offender) announces the more-specific 169.237.6/24 inside it.)


8 OASC Event Types

  • Using different colors to represent types of OASC events

  • C type: CSS, CSM, CMS, CMM

  • H type: H

  • B type: B

  • O type: OS, OM
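Added example (my own code, not the Elisha tool): deriving OASC events from two days of prefix-to-origin tables, covering the C types and the H type of the list above and the AS81 hole-punching case from the earlier slide. The S/M suffix reading as Single/Multiple origin sets is my assumption, the snapshots are constructed, and the B and O types are not defined on the page, so the code does not emit them.

```python
import ipaddress
from collections import defaultdict

# Constructed "prefix origin-AS" snapshots for two consecutive days, as an
# observation point like RIPE's AS12654 might summarise them.  The 169.237/16
# and AS81 entries follow the slides; 192.0.2.0/24 and 198.51.100.0/24 are
# made-up prefixes with private AS numbers.
YESTERDAY = "169.237/16 6192\n192.0.2.0/24 65001\n198.51.100.0/24 65010"
TODAY = ("169.237/16 6192\n169.237.6/24 81\n192.0.2.0/24 65002\n"
         "198.51.100.0/24 65010\n198.51.100.0/24 65011")

def expand_prefix(prefix):
    """Accept the slide shorthand '169.237/16' as well as '169.237.0.0/16'."""
    addr, plen = prefix.split("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=False)

def parse_table(text):
    """Map each prefix to the set of origin ASes observed for it."""
    table = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            prefix, origin = line.split()
            table[expand_prefix(prefix)].add(int(origin))
    return table

def classify(yesterday, today):
    """Return (type, prefix, old_origins, new_origins) OASC events.
    C: a known prefix changed its origin set; the S/M suffixes mark Single or
    Multiple origins before and after (my reading of CSS/CSM/CMS/CMM).
    H: a new prefix that is a more-specific of a known prefix, announced by an
    origin the covering prefix did not have (AS81's hole in 169.237/16)."""
    events = []
    for net in sorted(today):
        old, new = yesterday.get(net), today[net]
        if old is None:
            covers = [s for s in yesterday if s != net and net.subnet_of(s)]
            if covers:
                parent = max(covers, key=lambda s: s.prefixlen)  # closest cover
                if new - yesterday[parent]:
                    events.append(("H", str(net), tuple(sorted(yesterday[parent])),
                                   tuple(sorted(new))))
        elif old != new:
            kind = "C" + ("S" if len(old) == 1 else "M") + ("S" if len(new) == 1 else "M")
            events.append((kind, str(net), tuple(sorted(old)), tuple(sorted(new))))
    return events

if __name__ == "__main__":
    for event in classify(parse_table(YESTERDAY), parse_table(TODAY)):
        print(*event)
```

A more-specific announced by the same origin (plain de-aggregation) produces no H event, which is the distinction the victim/offender slide relies on.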


August 14, 2000

AS-7777 punched hundreds of holes.


April 6, 2001

AS15412 caused 40K+ MOAS/OASC events within 2 weeks…


April 7-10, 2001

(Figure panels, one pair per day from 04/07/2001 to 04/10/2001: all OASC events, and those involving AS 15412 only.)


April 11-14, 2001

(Figure panels, one pair per day from 04/11/2001 to 04/14/2001: all OASC events, and those involving AS 15412 only.)


April 18-19, 2001 – Again??

(Figure panels for 04/18/2001 and 04/19/2001: all OASC events, and those involving AS 15412 only.)


Remarks

  • The Elisha/OASC prototype discovered and helped to explain real-world BGP anomalies.

  • Integration with Statistical approaches.

  • Elisha: open source available

    • http://www.cs.ucdavis.edu/~wu/Elisha/

    • Linux/Windows
