Visual-based Anomaly Detection for BGP Origin AS Change (OASC)
description
Transcript of Visual-based Anomaly Detection for BGP Origin AS Change (OASC)
10/21/2003 DSOM'2003, Heidelberg, Germany 1
Visual-based Anomaly Detection for BGP Origin AS Change (OASC)
Soon-Tee Teoh1, Kwan-Liu Ma1, S. Felix Wu1, Dan Massey2, Xiao-Liang Zhao2, Dan Pei3, Lan Wang3, Lixia Zhang3, Randy Bush4
UC Davis, USC/ISI, UCLA, IIJ
10/21/2003 DSOM'2003, Heidelberg, Germany 2
Elisha: the long-term goal
• Monitoring and management of a large-scale complex system that we do not fully understand its behavior.
• Integration of human and machine intelligence to adaptively develop the domain knowledge for the target system.
10/21/2003 DSOM'2003, Heidelberg, Germany 3
In this talk…
• Knowledge Acquisition via Visualization– cognitive pattern matching– event correlation and explanation
• Outline– Background: Origin AS in BGP– The Elisha/OASC tool– One example and demo
10/21/2003 DSOM'2003, Heidelberg, Germany 4
Autonomous Systems (ASes)
UCDavis:169.237/16
AS6192 AS11423 (UC)
AS11537 (CENIC)AS513
an AS Path:169.237/16 5131153711423 6192
10/21/2003 DSOM'2003, Heidelberg, Germany 5
Origin AS in an AS Path• UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the
origin AS• AS Path: 5131153711423 6192
– 12654 13129 6461 3356 11423 6192– 12654 9177 3320 209 11423 6192– 12654 4608 1221 4637 11423 6192– 12654 777 2497 209 11423 6192– 12654 3549 3356 11423 6192– 12654 3257 3356 11423 6192– 12654 1103 11537 11423 6192– 12654 3333 3356 11423 6192– 12654 7018 209 11423 6192– 12654 2914 209 11423 6192– 12654 3549 209 11423 6192
• Observation Points in the Internet collecting BGP AS Path Updates: RIPE: AS-12654
12654
6192
11423
2091153733564637
2914701835493333
10/21/2003 DSOM'2003, Heidelberg, Germany 6
Origin AS Changes (OASC)
• Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
• Current– AS Path: 291420911423 6192– for prefix: 169.237/16
• New– AS Path: 29143011273 81– even worse: 169.237.6/24
• Which route path to use?• Legitimate or not??
12654
6192
11423
2093011
273
2914
81
169.237/16169.237.6/24
10/21/2003 DSOM'2003, Heidelberg, Germany 7
BGP OASC Events (one type only)
year Median number increase rate #BGP table entries increase rate1998 683 520001999 810.5 18.7% 60000 15.40%2000 951 17.3% 80000 33.30%2001 1294 34.8% 109000 36%
Max: 10226(9177 from a single AS)
10/21/2003 DSOM'2003, Heidelberg, Germany 8
Data from BGP Observation Points
10/21/2003 DSOM'2003, Heidelberg, Germany 9
Anomaly Detection
• False positive versus false negative• Anomaly analysis:
– To find the “meaning”, “explanation,” and “knowledge” behind those detected anomalies
10/21/2003 DSOM'2003, Heidelberg, Germany 10
Visual-based Anomaly Detection
• “Visual” Anomalies– Something catches your eyes…
• Mental/Cognitive “long-term” profile or normal behavior– We build the “long-term” profile in your mind.– Human experts can incorporate “domain
knowledge” about the target system/protocol.
10/21/2003 DSOM'2003, Heidelberg, Germany 11
Visual-based Anomaly Detection
decayupdate
clean
cognitivelyidentify thedeviation
alarm identification
InformationVisualizationToolkit
raw events cognitive profile
10/21/2003 DSOM'2003, Heidelberg, Germany 12
ELISHA/OASC
• Events:– Low level events: BGP Route Updates– High level events: OASC
• Still 1000+ per day and max 10226 per day for the whole Internet
• Information to represent visually:– IP address blocks– Origin AS in BGP Update Messages– Different Types of OASC Events
10/21/2003 DSOM'2003, Heidelberg, Germany 13
1101
1000
1001
110001110011111001111011
110000110010111000111010
00110110
Qua-Tree Representation ofIP Address Prefixes
169.237/1610101001.11101101/16
10/21/2003 DSOM'2003, Heidelberg, Germany 14
1101
1000
1001
110001110011111001111011
110000110010111000111010
00110110AS#
AS# Representation
AS-1
AS-7777
AS-15412
10/21/2003 DSOM'2003, Heidelberg, Germany 15
AS81 punched a “hole” on 169.237/16
yesterday169.237/16
today169.237/16169.237.6/24
yesterdayAS-6192
todayAS-81
victim
offender
10/21/2003 DSOM'2003, Heidelberg, Germany 16
8 OASC Event Types
• Using different colors to represent types of OASC events
• C type: CSS, CSM, CMS, CMM• H type: H• B type: B• O type: OS, OM
10/21/2003 DSOM'2003, Heidelberg, Germany 17
August 14, 2000
AS-7777punchedhundreds ofholes.
10/21/2003 DSOM'2003, Heidelberg, Germany 18
April 6, 2001
AS15412 caused 40K+ MOAS/OASC events within 2 weeks…
10/21/2003 DSOM'2003, Heidelberg, Germany 19
April 7-10, 2001
04/07/2001 all 04/07/2001 15412 04/08/2001 all 04/08/2001 15412
04/09/2001 all 04/09/2001 15412 04/10/2001 all 04/10/2001 15412
10/21/2003 DSOM'2003, Heidelberg, Germany 20
April 11-14, 2001
04/11/2001 all 04/11/2001 15412 04/12/2001 all 04/12/2001 15412
04/14/2001 all 04/14/2001 1541204/13/2001 1541204/13/2001 all
10/21/2003 DSOM'2003, Heidelberg, Germany 21
April 18-19, 2001 – Again??
04/18/2001 all 04/18/2001 15412 04/19/2001 all 04/19/2001 15412
10/21/2003 DSOM'2003, Heidelberg, Germany 22
Remarks
• The Elisha/OASC prototype discovered and helped to explain real-world BGP anomalies.
• Integration with Statistical approaches.
• Elisha: open source available– http://www.cs.ucdavis.edu/~wu/Elisha/– Linux/Windows