Visual-Based Anomaly Detection for BGP Origin AS Change (OASC) Events

  • Soon-Tee Teoh
  • Kwan-Liu Ma
  • S. Felix Wu
  • Dan Massey
  • Xiao-Liang Zhao
  • Dan Pei
  • Lan Wang
  • Lixia Zhang
  • Randy Bush
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2867)

Abstract

To complement machine intelligence in anomaly event analysis and correlation, this paper investigates the possibility of a human-interactive, visual-based anomaly detection system for faults and security attacks related to the BGP (Border Gateway Protocol) routing protocol. In particular, we have built and tested a program, based on fairly simple information visualization techniques, to interactively navigate real-life BGP OASC (Origin AS Change) events. Our initial experience demonstrates that the integration of mechanical analysis and human intelligence can effectively improve the performance of anomaly detection and alert correlation. Furthermore, while a traditional representation of OASC events provides little or no valuable information, our program can accurately identify and correlate previously unknown BGP/OASC problems, and provide network operators with a valuable high-level abstraction of the dynamics of BGP.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Soon-Tee Teoh (1)
  • Kwan-Liu Ma (1)
  • S. Felix Wu (1)
  • Dan Massey (2)
  • Xiao-Liang Zhao (2)
  • Dan Pei (3)
  • Lan Wang (3)
  • Lixia Zhang (3)
  • Randy Bush (4)

  1. Computer Science Department, University of California, Davis, USA
  2. Networking Group – East (NGE), USC/ISI, Arlington, USA
  3. Computer Science Department, UCLA, Los Angeles, USA
  4. IIJ, Bainbridge Island, USA
