ELISHA: A Visual-Based Anomaly Detection System (RAID 2002, Zurich, 10/17/2002)

Presentation transcript:

10/17/2002, RAID 2002, Zurich. Slide 1: ELISHA: A Visual-Based Anomaly Detection System
Soon-Tee Teoh, Kwan-Liu Ma, S. Felix Wu (University of California, Davis); Dan Massey, Xiao-Liang Zhao, Allison Mankin (USC/ISI); Dan Pei, Lan Wang, Lixia Zhang (UCLA); Randy Bush (IIJ)

Slide 2: Outline
– Visual-based “Anomaly Detection”
– The BGP/MOAS Problem
– ELISHA and demo
– Conclusion/Future Works

Slide 3: A Few Research Objectives
Limitations on “Anomaly Detection”
– We need to convey the alerts (or their abstraction) to the “human” users or experts
Not only detecting the problem, but also, via an interactive process, finding more details about it
– Root cause analysis
– Event correlation
Human versus Machine Intelligence

Slide 4: Visual-based “Anomaly Detection”
Utilize the human cognitive pattern-matching capability together with techniques from information visualization.
“Visual” Anomalies
– Something catches your eyes…

Slide 5: An Interactive Process
Methodology
– Build an interactive interface between network management and operators, so they can visualize the data
– Features help operators quickly perceive anomalies
Data Collection → Filtering → Mapping → Rendering → Viewing

Slide 6: BGP & Autonomous Systems
AS6192 (UCDavis), AS11423 (UC), AS11537 (CENIC), and a /16 address block

Slide 7: The ASes in the example
– AS6192: UCDavis
– AS11423: UC, origin ID [missing]
– AS11537: CENIC, administered by University Corporation for Advanced Internet Development, origin ID UCAID
– [AS# missing]: administered by CERN, the European Organization for Nuclear Research
– 3356: administered by Level 3 Communications, LLC, origin ID L3CL
– [AS# missing]: administered by Abovenet Communications, Inc
– [AS# missing]: RIPE Network Coordination Centre
– 209: administered by Qwest, origin ID QWEST
– [AS# missing]: RIPE Network Coordination Centre
– 9177: administered by NEXTRANET, T-Systems Multilink AG Switzerland
– 4637, 1221 and 4608: administered by APNIC, but I can't find who they are in the APNIC whois database
– [AS# missing]: administered by Global Crossing, located at Phoenix, AZ
– 3333, 1103: RIPE Network Coordination Centre
– 2914: administered by Verio, Inc
– 7018: administered by AT&T

Slide 8: Origin AS in an AS Path
UCDavis (AS-6192) owns the /16, and AS 6192 is the origin AS
AS Path: 2194  209   6192 (the origin AS is the last AS in the path)
Observation Points in the Internet collecting BGP AS Path Updates
– RIPE: AS-12654

Slide 9: BGP MOAS/OASC Events
Observable Changes in IP Address Ownership
– OASC: Origin AS Changes
Example 1:
– Multiple ASes announce the same block of IP addresses.
– MOAS stands for Multiple Origin AS.
Example 2:
– Punch holes in the address space.
– AS-7777 announced a /24.
Maybe legitimate or faulty. Many different types of MOAS/OASC events.

Slide 10: BGP MOAS/OASC Events (chart)
Max: (9177 from a single AS)

Slide 11: ELISHA/MOAS
Low-level events: BGP Route Updates
High-level events: MOAS/OASC
– Still per day and max per day
– IP address blocks
– Origin AS in BGP Update Messages
– Different Types of MOAS conflicts

Slide 12: AS# Quad-Tree Representation

Slide 13: MOAS Event Types
Using different colors to represent types of MOAS events
– C type: CSS, CSM, CMS, CMM
– H type: H
– B type: B
– O type: OS, OM

Slide 14: Example: CSM (Change S → M)
(figure: one CSM instance, with the victim and the suspect marked)
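An added example (not ELISHA code and not from the RAID paper) showing how the MOAS, punched-hole and C-type origin-change events of slides 9, 13 and 14 can be derived from raw BGP updates: the origin AS is the last AS in the path (slide 8), a MOAS conflict is a prefix with more than one origin on a day, a hole is a more-specific prefix whose origins share no AS with its covering prefix, and the C-type label is read as Change from Single/Multiple to Single/Multiple origins (CSM as on slide 14; CSS, CMS and CMM are assumed by analogy). The update records are constructed, and the H, B and O types, which the slides do not define, are not implemented.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (day, prefix, AS path); the origin AS is the last AS in the path.
UPDATES = [
    (1, "10.0.0.0/16", [2194, 209, 6192]),
    (1, "10.0.0.0/16", [12654, 3356, 6192]),
    (2, "10.0.0.0/16", [2194, 209, 6192]),
    (2, "10.0.0.0/16", [12654, 3356, 7777]),   # second origin: MOAS conflict
    (2, "10.0.5.0/24", [12654, 15412]),        # more specific, foreign origin: hole
]

def origins_by_day(updates):
    """Map day -> prefix -> set of origin ASes announced that day."""
    table = defaultdict(lambda: defaultdict(set))
    for day, prefix, path in updates:
        table[day][prefix].add(path[-1])
    return table

def moas_conflicts(day_table):
    """Prefixes announced by more than one origin AS on one day."""
    return {p: sorted(o) for p, o in day_table.items() if len(o) > 1}

def punched_holes(day_table):
    """More-specific prefixes whose origins share no AS with a covering prefix."""
    nets = {ipaddress.ip_network(p): o for p, o in day_table.items()}
    holes = []
    for sub, sub_o in nets.items():
        for sup, sup_o in nets.items():
            if sub != sup and sub.subnet_of(sup) and not (sub_o & sup_o):
                holes.append((str(sub), sorted(sub_o), str(sup)))
    return holes

def c_type(before, after):
    """Label an origin-set change between two days: S = single origin,
    M = multiple origins (assumed reading of CSS/CSM/CMS/CMM)."""
    def sm(o):
        return "S" if len(o) == 1 else "M"
    return None if before == after else "C" + sm(before) + sm(after)

def oasc_report(updates, d0, d1):
    """MOAS conflicts and holes on day d1, plus C-type changes from d0 to d1."""
    t = origins_by_day(updates)
    changes = {}
    for p in set(t[d0]) & set(t[d1]):
        label = c_type(t[d0][p], t[d1][p])
        if label:
            changes[p] = label
    return {"moas": moas_conflicts(t[d1]), "holes": punched_holes(t[d1]), "changes": changes}
```

Running `oasc_report(UPDATES, 1, 2)` flags the /16 as a MOAS conflict, the /24 as a hole punched by AS 15412, and the /16's origin set as a CSM change.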

Slide 15: AS-7777 Punched a Hole
Which AS against which AS, and which address blocks?

Slide 16: Interesting ASs to watch
AS7777
– August 14, 2000: H, OS
AS15412
– April 6-19, 2001: CSM, CMS
AS4740
– August 18, 2001: CSM, CMS
– September 27, 2001: CSM, CMS
AS701
– May 02, 2001: H (63.0/10)
– ***** March 1, 2000, July 11, 200, September 26,
AS64518
– September 18, 2001 (Nimda): H'ed from many ASes.

Slide 17: Demo time!!

Slide 18: 08/14/2000 & 04/2001

Slide 19: Remarks
Preliminary but encouraging results
– Root cause analysis
– Event correlation
Integration of Information Visualization, Interactive Investigation Process, and Data Mining
Examining several other problems:
– BGP Route Path Dynamics and Stability
– TCP/IP and HTTP Traffic
Availability (source code, papers, ppt)
Sponsored by DARPA and NSF

Slide 20: August 14, 2000 (larger)

Slide 21: 2-D versus 3-D on August 14, 2000

Slide 22: (figure only)

Slide 23: BGP AS Path Dynamics (1)

Slide 24: BGP AS Path Dynamics (2)

Slide 25: Address Appearing Frequency: Normal

Slide 26: DDoS Attack