DSOM'2003, Heidelberg, Germany, 10/21/2003. Visual-based Anomaly Detection for BGP Origin AS Change (OASC). Soon-Tee Teoh (1), Kwan-Liu Ma (1), S. Felix Wu (1),

Presentation transcript:

Slide 1 (10/21/2003, DSOM'2003, Heidelberg, Germany). Visual-based Anomaly Detection for BGP Origin AS Change (OASC). Soon-Tee Teoh (1), Kwan-Liu Ma (1), S. Felix Wu (1), Dan Massey (2), Xiao-Liang Zhao (2), Dan Pei (3), Lan Wang (3), Lixia Zhang (3), Randy Bush (4). (1) UC Davis, (2) USC/ISI, (3) UCLA, (4) IIJ.

Slide 2. Elisha: the long-term goal
–Monitoring and management of a large-scale complex system whose behavior we do not fully understand.
–Integration of human and machine intelligence to adaptively develop the domain knowledge for the target system.

Slide 3. In this talk…
Knowledge Acquisition via Visualization
–cognitive pattern matching
–event correlation and explanation
Outline
–Background: Origin AS in BGP
–The Elisha/OASC tool
–One example and demo

Slide 4. Autonomous Systems (ASes)
UCDavis: /16, AS6192; AS11423 (UC); AS11537 (CENIC); AS513.
An AS Path: /    6192

Slide 5. Origin AS in an AS Path
UCDavis (AS-6192) owns /16 and AS-6192 is the origin AS.
AS Path: 513    6192
Observation Points in the Internet collecting BGP AS Path Updates: RIPE: AS

Slide 6. Origin AS Changes (OASC)
Ownership: UCDavis (AS-6192) owns /16 and AS-6192 is the origin AS.
Current
–AS Path: 2914  209   6192
–for prefix: /16
New
–AS Path: 2914  3011  273  81
–even worse: /24
Which route path to use? Legitimate or not??

Slide 7. BGP OASC Events (one type only) (chart; Max: 9177 from a single AS)

Slide 8. Data from BGP Observation Points (figure)

Slide 9. Anomaly Detection
–False positive versus false negative
–Anomaly analysis: to find the “meaning,” “explanation,” and “knowledge” behind those detected anomalies

Slide 10. Visual-based Anomaly Detection
“Visual” Anomalies
–Something catches your eyes…
Mental/Cognitive “long-term” profile of normal behavior
–We build the “long-term” profile in your mind.
–Human experts can incorporate “domain knowledge” about the target system/protocol.

Slide 11. Visual-based Anomaly Detection (diagram; labels: raw events, Information Visualization Toolkit, cognitive profile (update / decay / clean), cognitively identify the deviation, alarm, identification)

Slide 12. ELISHA/OASC
Events:
–Low level events: BGP Route Updates
–High level events: OASC
Still per day and max per day for the whole Internet
Information to represent visually:
–IP address blocks
–Origin AS in BGP Update Messages
–Different Types of OASC Events

Slide 13. Quad-Tree Representation of IP Address Prefixes (figure; labels: / and /16)

Slide 14. AS# Representation (figure; labels: AS-1, AS-7777, AS-15412)

Slide 15. AS81 punched a “hole” in /16 (figure; labels: yesterday /16, today /24; yesterday AS-6192, today AS-81; victim, offender)
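The two OASC cases the slides describe (the same prefix changing origin AS, and a “hole” punched by a more specific prefix originated by a different AS, slides 6 and 15) can be detected by comparing two daily prefix-to-origin snapshots. The following is an added example, not code from Elisha or the authors; the snapshot format, the 10.0.0.0/8 sample prefixes and the event names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

# A daily snapshot maps each announced prefix to the set of origin ASes
# seen for it in that day's BGP updates (the last AS on each AS path).
Snapshot = Dict[str, Set[int]]
Event = Tuple[str, str, List[int], List[int]]  # (kind, prefix, old origins, new origins)


def find_oasc_events(yesterday: Snapshot, today: Snapshot) -> List[Event]:
    events: List[Event] = []
    yesterday_nets = [(ipaddress.ip_network(p), o) for p, o in yesterday.items()]
    for prefix, origins in today.items():
        if prefix in yesterday:
            # Same prefix announced on both days: any change in the origin set is an OASC.
            if yesterday[prefix] != origins:
                events.append(("origin-change", prefix, sorted(yesterday[prefix]), sorted(origins)))
            continue
        net = ipaddress.ip_network(prefix)
        # A prefix not seen yesterday: find the longest prefix from yesterday that covers it.
        covering = [(n, o) for n, o in yesterday_nets
                    if n.version == net.version and n != net and net.subnet_of(n)]
        if not covering:
            events.append(("new-prefix", prefix, [], sorted(origins)))
            continue
        cover_net, cover_origins = max(covering, key=lambda t: t[0].prefixlen)
        # A more specific originated by an AS that did not originate the covering
        # prefix is a "hole" punched into the covering block; the same AS announcing
        # its own more specific is not flagged.
        if origins - cover_origins:
            events.append(("hole", prefix, sorted(cover_origins), sorted(origins)))
    return events


def count_by_new_origin(events: List[Event]) -> Dict[int, int]:
    """Events attributed to each new origin AS (cf. 'max per day from a single AS')."""
    counts: Counter = Counter()
    for _kind, _prefix, _old, new in events:
        for asn in new:
            counts[asn] += 1
    return dict(counts)


# Constructed sample snapshots (private 10/8 space, not the talk's real prefixes).
YESTERDAY: Snapshot = {"10.1.0.0/16": {6192}, "10.2.0.0/16": {6192}}
TODAY: Snapshot = {"10.1.0.0/16": {6192}, "10.1.5.0/24": {81},
                   "10.1.7.0/24": {6192}, "10.2.0.0/16": {81}}

if __name__ == "__main__":
    for ev in find_oasc_events(YESTERDAY, TODAY):
        print(ev)
```

On the sample data the /24 announced by AS81 inside the AS6192 /16 is reported as a hole, the AS6192-originated /24 is not, and the /16 whose origin moved from 6192 to 81 is reported as an origin change.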

Slide 16. 8 OASC Event Types
Using different colors to represent types of OASC events
–C type: CSS, CSM, CMS, CMM
–H type: H
–B type: B
–O type: OS, OM

Slide 17. August 14, 2000: AS-7777 punched hundreds of holes.

Slide 18. April 6, 2001: AS15412 caused 40K+ MOAS/OASC events within 2 weeks…

Slide 19. April 7-10, 2001 (figure; per-day panels for 04/07/2001, 04/08/2001, 04/09/2001 and 04/10/2001, each with an “all” view)

Slide 20. April 11-14, 2001 (figure; per-day panels for 04/11/2001, 04/12/2001, 04/13/2001 and 04/14/2001, each with an “all” view)

Slide 21. April 18-19, 2001 – Again?? (figure; per-day panels for 04/18/2001 and 04/19/2001, each with an “all” view)

Slide 22. Remarks
–The Elisha/OASC prototype discovered and helped to explain real-world BGP anomalies.
–Integration with statistical approaches.
–Elisha: open source available (Linux/Windows)