Presentation is loading. Please wait.

Presentation is loading. Please wait.

Learning-Based Anomaly Detection in BGP Updates Jian Zhang Jennifer Rexford Joan Feigenbaum.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Learning-Based Anomaly Detection in BGP Updates Jian Zhang Jennifer Rexford Joan Feigenbaum."— Presentation transcript:

1 Learning-Based Anomaly Detection in BGP Updates Jian Zhang Jennifer Rexford Joan Feigenbaum

2 Aug. 26, 2005 2 Motivations Identifying anomalous BGP-updates is important. Detecting security problems Flaky equipment It’s hard to define “anomalies.” Only know the signatures of a few types of anomalies (e.g., constant updating) Still at an early stage in understanding: What are the anomalies? What signal they generate?

3 Aug. 26, 2005 3 Anomalies in Update Dynamics Anomalies in update dynamics may reflect anomalies in the BGP updates. From a router’s view, update dynamics show as a sequence of update messages. Temporal features of this sequence are important in anomaly detection. Message burst duration and intensity Inter-burst interval

4 Aug. 26, 2005 4 Previous Analyses of Update Dynamics Many use simple aggregations. Consider aggregations over time interval T. Temporal features at levels finer than T are lost. To detect constant updating, these features may not be necessary. They may be needed to identify other types of anomalies. Some suffer from the magic number problem.

5 Aug. 26, 2005 5 Our Approach Learn a “model” of “normal” update behavior. Identify updates that deviate significantly for further investigation. Difference from previous work: Multi-scale analysis Representation captures more temporal features.

6 Aug. 26, 2005 6 Transformation of Update Message Signals We view the sequence of update messages for each prefix as a signal along time: Apply a wavelet transformation to the signal to reveal its temporal features. Time # of Messages

7 Aug. 26, 2005 7 Representation of Update Dynamics Build histograms for the distributions of the temporal features. View the histograms as a vector. A trace of update dynamics becomes a point in a vector space. The transformation and the representation capture temporal features at different time scales.

8 Aug. 26, 2005 8 Avoid Magic Numbers It is hard to determine a good value for the magic numbers. We consider a set of values in an interval [T min, T max ]. Using an interval large enough, our analysis can avoid the magic-number problem.

9 Aug. 26, 2005 9 Clustering Traces of update dynamics are mapped into points in a vector space. Clustering groups the update dynamics into clusters to reveal different types of dynamics.

10 Aug. 26, 2005 10 Learn Normal Dynamics Normal dynamics: regions containing most of the update traces Abnormal dynamics: traces mapped to a location far away from the normal

11 Aug. 26, 2005 11 System Overview Signal of updates Wavelet transformation Distribution of message-burst durations and intervals Representation in a vector space Learn normal dynamics and detect anomalies

12 Aug. 26, 2005 12 Experiments RouteViews data 6 Months of update messages Combined update messages from all RouteViews vantage points. Clustering for a single prefix along time and across prefixes.

13 Aug. 26, 2005 13 Preliminary Results Focusing on individual prefixes: Typically, the largest cluster contains 80-90% of instances of the update dynamics. Across prefixes: Several (3-4) largest clusters contain about 50% of the prefixes. In both cases, constant updating show as outliers.

14 Aug. 26, 2005 14 Further Investigation Ongoing work to find out: What are the particular types of dynamics in each cluster? Are the updates in the small clusters that deviate from the normal real anomalies? Use labeled examples to build the knowledge base. Incorporate the route attributes in our representation.

Download ppt "Learning-Based Anomaly Detection in BGP Updates Jian Zhang Jennifer Rexford Joan Feigenbaum."

Similar presentations

Applications of one-class classification

Applications of one-class classification
Ziming Zhang, Yucheng Zhao and Yiwen Wan.  Introduction&Motivation  Problem Statement  Paper Summeries  Discussion and Conclusions.

Ziming Zhang, Yucheng Zhao and Yiwen Wan.  Introduction&Motivation  Problem Statement  Paper Summeries  Discussion and Conclusions.
1 Copyright by Jiawei Han, modified by Charles Ling for cs411a/538a Data Mining and Data Warehousing v Introduction v Data warehousing and OLAP for data.

1 Copyright by Jiawei Han, modified by Charles Ling for cs411a/538a Data Mining and Data Warehousing v Introduction v Data warehousing and OLAP for data.
Ch2 Data Preprocessing part3 Dr. Bernard Chen Ph.D. University of Central Arkansas Fall 2009.

Ch2 Data Preprocessing part3 Dr. Bernard Chen Ph.D. University of Central Arkansas Fall 2009.
Comparing IPv4 and IPv6 from the perspective of BGP dynamic activity Geoff Huston APNIC February 2012.

Comparing IPv4 and IPv6 from the perspective of BGP dynamic activity Geoff Huston APNIC February 2012.
November 12, 2013Computer Vision Lecture 12: Texture 1Signature Another popular method of representing shape is called the signature. In order to compute.

November 12, 2013Computer Vision Lecture 12: Texture 1Signature Another popular method of representing shape is called the signature. In order to compute.
UC Berkeley Online System Problem Detection by Mining Console Logs Wei Xu* Ling Huang † Armando Fox* David Patterson* Michael Jordan* *UC Berkeley † Intel.

UC Berkeley Online System Problem Detection by Mining Console Logs Wei Xu* Ling Huang † Armando Fox* David Patterson* Michael Jordan* *UC Berkeley † Intel.
Detection of Deviant Behavior From Agent Traces Boštjan Kaluža Department of Intelligent Systems, Jožef Stefan Institute Jozef Stefan Institute Jožef Stefan.

Detection of Deviant Behavior From Agent Traces Boštjan Kaluža Department of Intelligent Systems, Jožef Stefan Institute Jozef Stefan Institute Jožef Stefan.
1 BGP Anomaly Detection in an ISP Jian Wu (U. Michigan) Z. Morley Mao (U. Michigan) Jennifer Rexford (Princeton) Jia Wang (AT&T Labs)

1 BGP Anomaly Detection in an ISP Jian Wu (U. Michigan) Z. Morley Mao (U. Michigan) Jennifer Rexford (Princeton) Jia Wang (AT&T Labs)
Statistical Approaches for Finding Bugs in Large-Scale Parallel Systems Leonardo R. Bachega.

Statistical Approaches for Finding Bugs in Large-Scale Parallel Systems Leonardo R. Bachega.
Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.
1 Measurement of Highly Active Prefixes in BGP Ricardo V. Oliveira, Rafit Izhak-Ratzin, Beichuan Zhang, Lixia Zhang GLOBECOM’05.

1 Measurement of Highly Active Prefixes in BGP Ricardo V. Oliveira, Rafit Izhak-Ratzin, Beichuan Zhang, Lixia Zhang GLOBECOM’05.
Lecture 6: Hybrid Robot Control Gal A. Kaminka Introduction to Robots and Multi-Robot Systems Agents in Physical and Virtual Environments.

Lecture 6: Hybrid Robot Control Gal A. Kaminka Introduction to Robots and Multi-Robot Systems Agents in Physical and Virtual Environments.
BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011.

BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011.
DYNAMICS OF PREFIX USAGE AT AN EDGE ROUTER Kaustubh Gadkari, Dan Massey and Christos Papadopoulos 1.

DYNAMICS OF PREFIX USAGE AT AN EDGE ROUTER Kaustubh Gadkari, Dan Massey and Christos Papadopoulos 1.
Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University January.

Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University January.
1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.

1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.
Self-Correlating Predictive Information Tracking for Large-Scale Production Systems Zhao, Tan, Gong, Gu, Wambolt Presented by: Andrew Hahn.

Self-Correlating Predictive Information Tracking for Large-Scale Production Systems Zhao, Tan, Gong, Gu, Wambolt Presented by: Andrew Hahn.
Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.

Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.
Basic Concepts and Definitions Vector and Function Space. A finite or an infinite dimensional linear vector/function space described with set of non-unique.

Basic Concepts and Definitions Vector and Function Space. A finite or an infinite dimensional linear vector/function space described with set of non-unique.

Similar presentations

Ads by Google