
Visual-based Anomaly Detection for BGP Origin AS Change (OASC)
DSOM'2003, Heidelberg, Germany, 10/21/2003
Soon-Tee Teoh (1), Kwan-Liu Ma (1), S. Felix Wu (1), and others (full author list on slide 1)

Presentation transcript:

Slide 1: Visual-based Anomaly Detection for BGP Origin AS Change (OASC)
Soon-Tee Teoh (1), Kwan-Liu Ma (1), S. Felix Wu (1), Dan Massey (2), Xiao-Liang Zhao (2), Dan Pei (3), Lan Wang (3), Lixia Zhang (3), Randy Bush (4)
(1) UC Davis, (2) USC/ISI, (3) UCLA, (4) IIJ

Slide 2: Elisha: the long-term goal
–Monitoring and management of a large-scale complex system whose behavior we do not fully understand.
–Integration of human and machine intelligence to adaptively develop the domain knowledge for the target system.

Slide 3: In this talk…
Knowledge Acquisition via Visualization
–cognitive pattern matching
–event correlation and explanation
Outline
–Background: Origin AS in BGP
–The Elisha/OASC tool
–One example and demo

Slide 4: Autonomous Systems (ASes)
UCDavis: 169.237/16, AS6192
Neighboring ASes in the figure: AS11423 (UC), AS11537 (CENIC), AS513
An AS Path for 169.237/16: 513 → 11537 → 11423 → 6192

Slide 5: Origin AS in an AS Path
UCDavis (AS-6192) owns 169.237/16, and AS-6192 is the origin AS.
AS Path: 513 → 11537 → 11423 → 6192
Paths observed for 169.237/16 (the origin AS is the last hop of each path):
–12654 13129 6461 3356 11423 6192
–12654 9177 3320 209 11423 6192
–12654 4608 1221 4637 11423 6192
–12654 777 2497 209 11423 6192
–12654 3549 3356 11423 6192
–12654 3257 3356 11423 6192
–12654 1103 11537 11423 6192
–12654 3333 3356 11423 6192
–12654 7018 209 11423 6192
–12654 2914 209 11423 6192
–12654 3549 209 11423 6192
Observation points in the Internet collecting BGP AS Path updates: RIPE: AS-12654

Slide 6: Origin AS Changes (OASC)
Ownership: UCDavis (AS-6192) owns 169.237/16, and AS-6192 is the origin AS.
Current
–AS Path: 2914 → 209 → 11423 → 6192
–for prefix: 169.237/16
New
–AS Path: 2914 → 3011 → 273 → 81
–even worse: 169.237.6/24
Which route path to use? Legitimate or not??

Slide 7: BGP OASC Events (one type only)
(Figure: OASC events over time; max: 10226, of which 9177 came from a single AS)

Slide 8: Data from BGP Observation Points

Slide 9: Anomaly Detection
False positive versus false negative
Anomaly analysis:
–To find the “meaning”, “explanation,” and “knowledge” behind those detected anomalies

Slide 10: Visual-based Anomaly Detection
“Visual” Anomalies
–Something catches your eyes…
Mental/Cognitive “long-term” profile of normal behavior
–We build the “long-term” profile in your mind.
–Human experts can incorporate “domain knowledge” about the target system/protocol.

Slide 11: Visual-based Anomaly Detection
(Figure; labels: raw events, Information Visualization Toolkit, cognitive profile, decay / update / clean, cognitively identify the deviation, alarm, identification)

Slide 12: ELISHA/OASC
Events:
–Low level events: BGP Route Updates
–High level events: OASC (still 1000+ per day, and max 10226 per day, for the whole Internet)
Information to represent visually:
–IP address blocks
–Origin AS in BGP Update Messages
–Different Types of OASC Events

Slide 13: Quad-Tree Representation of IP Address Prefixes
(Figure: quad-tree grid with two-bit quadrant labels per level)
169.237/16 = 10101001.11101101/16

Slide 14: AS# Representation
(Figure: the same quad-tree grid, with AS numbers placed on it; examples: AS-1, AS-7777, AS-15412)

Slide 15: AS81 punched a “hole” in 169.237/16
Yesterday: 169.237/16, origin AS-6192 (victim)
Today: 169.237/16 plus 169.237.6/24, origin AS-81 (offender)

Slide 16: 8 OASC Event Types
Using different colors to represent types of OASC events:
–C type: CSS, CSM, CMS, CMM
–H type: H
–B type: B
–O type: OS, OM
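As an added example (not the Elisha/OASC tool's own code), this classifies the changes between two daily prefix-to-origin-AS tables into the event families of slides 6, 15 and 16. The H type follows slide 15 (a new, more specific prefix with a different origin than the block it punches into); reading the C sub-types as Single/Multiple origin-set transitions, B as a new covering prefix and O as an unrelated new prefix is my assumption, as are the constructed tables.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed daily tables (prefix -> set of origin ASes) from slides 6 and 15.
YESTERDAY: Dict[str, Set[int]] = {"169.237/16": {6192}}
TODAY: Dict[str, Set[int]] = {"169.237/16": {6192}, "169.237.6/24": {81}}

def _net(prefix: str) -> ipaddress.IPv4Network:
    """Accept the slides' short form ('169.237/16') as well as full dotted quads."""
    addr, plen = prefix.split("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.IPv4Network(".".join(octets) + "/" + plen)

def _sm(origins: Set[int]) -> str:
    return "S" if len(origins) == 1 else "M"     # Single vs Multiple origin ASes

def classify_oasc(yesterday: Dict[str, Set[int]], today: Dict[str, Set[int]]) -> List[Tuple]:
    """Return (type, prefix, old_origins, new_origins, related_prefix) tuples."""
    events: List[Tuple] = []
    for prefix, new in today.items():
        old = yesterday.get(prefix)
        if old is not None:
            # C type: same prefix, origin AS set changed (CSS / CSM / CMS / CMM)
            if old != new:
                events.append(("C" + _sm(old) + _sm(new), prefix, sorted(old), sorted(new), prefix))
            continue
        net = _net(prefix)
        covering = [p for p in yesterday if net.subnet_of(_net(p))]
        covered = [p for p in yesterday if _net(p).subnet_of(net)]
        if covering:
            # H type: a new, more specific prefix "punches a hole" in an existing block
            parent = max(covering, key=lambda p: _net(p).prefixlen)
            if yesterday[parent] != new:
                events.append(("H", prefix, sorted(yesterday[parent]), sorted(new), parent))
        elif covered:
            # B type (assumed reading): a new, less specific prefix covering existing ones
            child = min(covered, key=lambda p: _net(p).prefixlen)
            if yesterday[child] != new:
                events.append(("B", prefix, sorted(yesterday[child]), sorted(new), child))
        else:
            # O type (assumed reading): a brand-new prefix, OS / OM by origin set size
            events.append(("O" + _sm(new), prefix, [], sorted(new), ""))
    return events

if __name__ == "__main__":
    for event in classify_oasc(YESTERDAY, TODAY):
        print(event)
```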

Slide 17: August 14, 2000
AS-7777 punched hundreds of holes.

Slide 18: April 6, 2001
AS15412 caused 40K+ MOAS/OASC events within 2 weeks…

Slide 19: April 7-10, 2001
(Figure panels, one pair per day: 04/07/2001 all, 04/07/2001 15412; 04/08/2001 all, 04/08/2001 15412; 04/09/2001 all, 04/09/2001 15412; 04/10/2001 all, 04/10/2001 15412)

Slide 20: April 11-14, 2001
(Figure panels, one pair per day: 04/11/2001 all, 04/11/2001 15412; 04/12/2001 all, 04/12/2001 15412; 04/13/2001 all, 04/13/2001 15412; 04/14/2001 all, 04/14/2001 15412)

Slide 21: April 18-19, 2001 – Again??
(Figure panels, one pair per day: 04/18/2001 all, 04/18/2001 15412; 04/19/2001 all, 04/19/2001 15412)

Slide 22: Remarks
The Elisha/OASC prototype discovered and helped to explain real-world BGP anomalies.
Integration with statistical approaches.
Elisha: open source available
–http://www.cs.ucdavis.edu/~wu/Elisha/
–Linux/Windows

