
Learning with Semantics: Towards a Semantics-Aware Routing Anomaly Detection System (2402.16025v1)

Published 25 Feb 2024 in cs.NI

Abstract: BGP is the de facto inter-domain routing protocol to ensure global connectivity of the Internet. However, various reasons, such as deliberate attacks or misconfigurations, could cause BGP routing anomalies. Traditional methods for BGP routing anomaly detection require significant manual investigation of routes by network operators. Although machine learning has been applied to automate the process, prior art typically imposes significant training overhead (such as large-scale data labeling and feature crafting), and only produces uninterpretable results. To address these limitations, this paper presents a routing anomaly detection system centering around a novel network representation learning model named BEAM. The core design of BEAM is to accurately learn the unique properties (defined as "routing role") of each Autonomous System (AS) in the Internet by incorporating BGP semantics. As a result, routing anomaly detection, given BEAM, is reduced to a matter of discovering unexpected routing role churns upon observing new route announcements. We implement a prototype of our routing anomaly detection system and extensively evaluate its performance. The experimental results, based on 18 real-world RouteViews datasets containing over 11 billion route announcement records, demonstrate that our system can detect all previously-confirmed routing anomalies, while only introducing at most five false alarms every 180 million route announcements. We also deploy our system at a large ISP to perform real-world detection for one month. During the course of deployment, our system detects 497 true anomalies in the wild with an average of only 1.65 false alarms per day.
