
Visual-based Anomaly Detection for BGP Origin AS Change (OASC)

Soon-Tee Teoh1, Kwan-Liu Ma1, S. Felix Wu1, Dan Massey2, Xiao-Liang Zhao2, Dan Pei3, Lan Wang3, Lixia Zhang3, Randy Bush4

UC Davis, USC/ISI, UCLA, IIJ

DSOM'2003, Heidelberg, Germany

Elisha: the long-term goal
  • Monitoring and management of a large-scale complex system whose behavior we do not fully understand.
  • Integration of human and machine intelligence to adaptively develop the domain knowledge for the target system.

In this talk…
  • Knowledge Acquisition via Visualization
    • cognitive pattern matching
    • event correlation and explanation
  • Outline
    • Background: Origin AS in BGP
    • The Elisha/OASC tool
    • One example and demo

Autonomous Systems (ASes)

Figure: AS topology with AS513, AS11537 (CENIC), AS11423 (UC) and AS6192 (UCDavis, which owns 169.237/16).

an AS Path for 169.237/16: 513 11537 11423 6192

Origin AS in an AS Path

Figure: AS graph as seen from the RIPE observation point AS-12654, with nodes 3333, 3549, 7018, 2914, 4637, 3356, 11537, 209, 11423 and 6192.

  • UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
  • AS Path: 513 11537 11423 6192
    • 12654 13129 6461 3356 11423 6192
    • 12654 9177 3320 209 11423 6192
    • 12654 4608 1221 4637 11423 6192
    • 12654 777 2497 209 11423 6192
    • 12654 3549 3356 11423 6192
    • 12654 3257 3356 11423 6192
    • 12654 1103 11537 11423 6192
    • 12654 3333 3356 11423 6192
    • 12654 7018 209 11423 6192
    • 12654 2914 209 11423 6192
    • 12654 3549 209 11423 6192
  • Observation points in the Internet collecting BGP AS Path updates: RIPE: AS-12654

Origin AS Changes (OASC)

Figure: AS graph seen from AS-12654 with two paths: 2914 209 11423 6192 reaching 169.237/16, and 2914 3011 273 81 reaching 169.237/16 and 169.237.6/24.

  • Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
  • Current
    • AS Path: 2914 209 11423 6192
    • for prefix: 169.237/16
  • New
    • AS Path: 2914 3011 273 81
    • even worse: 169.237.6/24
  • Which route path to use?
  • Legitimate or not??

BGP OASC Events (one type only)

Figure: daily count of OASC events of one type. Max: 10226 in a day (9177 from a single AS).

Data from BGP Observation Points

Figure: the BGP observation points from which the data is collected.

Anomaly Detection
  • False positive versus false negative
  • Anomaly analysis:
    • To find the “meaning”, “explanation,” and “knowledge” behind those detected anomalies

Visual-based Anomaly Detection
  • “Visual” Anomalies
    • Something catches your eyes…
  • Mental/cognitive “long-term” profile of normal behavior
    • We build the “long-term” profile in your mind.
    • Human experts can incorporate “domain knowledge” about the target system/protocol.

Visual-based Anomaly Detection

Figure: the Elisha pipeline. Raw events feed the Information Visualization Toolkit, whose view is continually updated, decayed and cleaned; from it the analyst builds a cognitive profile, cognitively identifies the deviation, and arrives at alarm identification.

ELISHA/OASC
  • Events:
    • Low level events: BGP Route Updates
    • High level events: OASC
      • Still 1000+ per day and max 10226 per day for the whole Internet
  • Information to represent visually:
    • IP address blocks
    • Origin AS in BGP Update Messages
    • Different Types of OASC Events

Quad-Tree Representation of IP Address Prefixes

Figure: a quad-tree over the IPv4 address space. Each cell is labelled with the prefix bits that select it, two bits per level (00, 01, 10, 11 at the first level; 1001 at the second; 110000, 110001, 110010, 110011, 111000, 111001, 111010, 111011 at the third; 00110110 at the fourth). The prefix 169.237/16, i.e. 10101001.11101101/16, is marked.

AS# Representation

Figure: the same quad-tree layout applied to AS numbers, with cells labelled by their bits (00, 01, 10, 11; 1001; 110000 through 111011; 00110110) and AS-1, AS-7777 and AS-15412 marked.
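An added Python example, not the Elisha tool's code, of the quad-tree placement used on the prefix slide and the AS# slide above: the bit-pair convention (first bit of each pair picks left/right, second picks top/bottom), the handling of odd prefix lengths, and treating AS numbers as 16 bits are all assumptions the slides do not state.

```python
import ipaddress


def prefix_bits(prefix_str):
    """Network bits of a prefix as a string, e.g. 169.237/16 -> '1010100111101101'."""
    net = ipaddress.ip_network(prefix_str)
    return format(int(net.network_address), "032b")[: net.prefixlen]


def bits_to_cell(bits):
    """Walk a bit string two bits per quad-tree level; return the cell it lands in.

    Assumed convention (the slides do not state one): the first bit of each pair
    picks the left/right half of the current cell, the second the top/bottom half.
    Returns (x, y, w, h) in units of the finest cell for this many bits, on a grid
    of side 2**ceil(len(bits)/2). An odd bit count ends in a half-used pair, so
    that cell is twice as tall as it is wide.
    """
    x = y = 0
    for i in range(0, len(bits) - 1, 2):
        x = (x << 1) | int(bits[i])
        y = (y << 1) | int(bits[i + 1])
    if len(bits) % 2:  # trailing unpaired bit: refine x only
        return (x << 1) | int(bits[-1]), y << 1, 1, 2
    return x, y, 1, 1


def quadtree_cell(prefix_str):
    """Cell of an IP prefix (the prefix slide)."""
    return bits_to_cell(prefix_bits(prefix_str))


def as_cell(asn):
    """Cell of an AS number, assumed 16-bit, by the same rule (the AS# slide)."""
    return bits_to_cell(format(asn, "016b"))


def grid_side(nbits):
    """Side length of the grid on which a cell built from nbits bits is placed."""
    return 1 << ((nbits + 1) // 2)


def prefix_contains(outer, inner):
    """True if inner's cell lies inside outer's cell when both are drawn on inner's
    grid, i.e. a more-specific prefix shows up nested inside its covering prefix."""
    ob, ib = prefix_bits(outer), prefix_bits(inner)
    ox, oy, ow, oh = bits_to_cell(ob)
    ix, iy, iw, ih = bits_to_cell(ib)
    scale = grid_side(len(ib)) // grid_side(len(ob))
    return (ox * scale <= ix and ix + iw <= (ox + ow) * scale
            and oy * scale <= iy and iy + ih <= (oy + oh) * scale)
```

A /16 lands on a 256x256 grid and a /24 on a 4096x4096 grid, so a punched hole such as 169.237.6/24 is drawn as a small cell inside the 169.237/16 cell.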

AS81 punched a “hole” on 169.237/16

Figure: two quad-tree views. Yesterday, the victim AS-6192 originated 169.237/16. Today, 169.237/16 is still there, but the offender AS-81 originates the more specific 169.237.6/24 inside it.
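The origin-change and hole-punching checks described on the OASC slide and illustrated by the AS81 example above, as an added Python example that is not part of the talk or the Elisha code: the updates are constructed from the paths on the slides, and the event labels 'change' and 'hole' are this example's own, not the talk's eight-type scheme.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of BGP updates as (prefix, AS path), modelled on the slides:
# AS-6192 originates 169.237/16; later 169.237.6/24 appears with origin AS-81
# (the slides' "punched a hole"), and then 169.237/16 itself is announced by AS-81.
SAMPLE_UPDATES = [
    ("169.237.0.0/16", [2914, 209, 11423, 6192]),
    ("169.237.0.0/16", [12654, 3549, 3356, 11423, 6192]),  # new path, same origin
    ("169.237.128.0/17", [2914, 209, 11423, 6192]),        # owner's own more-specific
    ("169.237.6.0/24", [2914, 3011, 273, 81]),             # more-specific, foreign origin
    ("169.237.0.0/16", [2914, 3011, 273, 81]),             # same prefix, new origin
]


def origin_as(as_path):
    """The origin AS is the last AS in the path: the AS that announced the prefix."""
    return as_path[-1]


def detect_oasc(updates):
    """Replay updates, remembering the origin ASes seen per prefix; return OASC events.

    Event labels are this example's own, not the talk's eight-type scheme:
      'change' - a prefix is announced by an origin AS not previously seen for it
      'hole'   - a new more-specific prefix is originated by an AS that is not an
                 origin of any covering prefix already in the table
    """
    origins = defaultdict(set)  # prefix -> origin ASes seen so far
    events = []
    for prefix_str, path in updates:
        prefix = ipaddress.ip_network(prefix_str)
        origin = origin_as(path)
        if prefix in origins:
            if origin not in origins[prefix]:
                events.append(("change", str(prefix), sorted(origins[prefix]), origin))
        else:
            covering = [p for p in origins if p.supernet_of(prefix)]
            if covering and all(origin not in origins[p] for p in covering):
                events.append(("hole", str(prefix), [str(p) for p in covering], origin))
        origins[prefix].add(origin)
    return events


def events_by_origin(events):
    """Count events per new origin AS (the slides' "9177 from a single AS" view)."""
    counts = defaultdict(int)
    for _, _, _, origin in events:
        counts[origin] += 1
    return dict(counts)
```

The owner's own more-specific (169.237.128/17 from AS-6192) raises nothing, while the /24 from AS-81 is reported as a hole before AS-81 is ever seen on the /16 itself.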

8 OASC Event Types
  • Using different colors to represent types of OASC events
  • C type: CSS, CSM, CMS, CMM
  • H type: H
  • B type: B
  • O type: OS, OM

August 14, 2000

Figure: quad-tree view for the day. AS-7777 punched hundreds of holes.

April 6, 2001

AS15412 caused 40K+ MOAS/OASC events within 2 weeks…

April 7-10, 2001

Figure: eight quad-tree views, one pair per day for 04/07/2001 through 04/10/2001, each pair showing all OASC events and those from AS 15412 only.

April 11-14, 2001

Figure: eight quad-tree views, one pair per day for 04/11/2001 through 04/14/2001, each pair showing all OASC events and those from AS 15412 only.

April 18-19, 2001 – Again??

Figure: four quad-tree views, one pair per day for 04/18/2001 and 04/19/2001, each pair showing all OASC events and those from AS 15412 only.

Remarks
  • The Elisha/OASC prototype discovered and helped to explain real-world BGP anomalies.
  • Integration with Statistical approaches.
  • Elisha: open source available
    • http://www.cs.ucdavis.edu/~wu/Elisha/
    • Linux/Windows
