
1 Intrusion Detection. ecs236 Winter 2006: Intrusion Detection #4: Anomaly Detection for Internet Routing. Dr. S. Felix Wu, Computer Science Department, University of California, Davis. http://www.cs.ucdavis.edu/~wu/ sfelixwu@gmail.com [slide footer: 02/06/2006 ecs236 winter 2006, slide 1]

2 Intrusion Detection Model (diagram labels): input event sequence; pattern matching; results

3 Internet in 1969: UTAH, UCLA, SRI, UCSB. What was the link speed/bandwidth?

4 ARPANet in 1969 -> Internet: UTAH, UCLA, SRI, UCSB. What was the link speed/bandwidth? 56 kbps

5 The “Internet” as of February 1, 2006:
- 21319 Autonomous Systems
- 177300 IP address prefixes announced
(source: http://bgp.potaroo.net/cidr/)

6 AS and IP address prefix: UCDavis: 169.237/16, AS6192. Autonomous System: AS6192 is the routers in UC Davis; UC Davis owns 169.237/16.

7 Address Prefix
- Prefix aggregation/de-aggregation
- Notation of network address prefixes: 169.237.0.0/16
  prefix:         10101001 11101101 00000000 00000000
  prefix length:  11111111 11111111 00000000 00000000 (/16 mask)
- From less specific to more specific: 169.237.0.0/16 (less specific), 169.237.128.0/17, 169.237.192.0/18, 169.237.204.0/19 (more specific); also 169.237.0.0/17
- BGP prefers more specific
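The prefix notation and the "BGP prefers more specific" rule on this slide are easy to get wrong by hand, so here is an added worked example (not code from the original deck) that renders a prefix as the bit strings shown above and performs longest-prefix (most specific) matching over a small constructed table. The table reuses the deck's 169.237/16 (AS6192) and the 169.237.6/24 announcement by AS-81 that later slides discuss; the origin AS for the /18 entry is an assumption. Note that the slide's 169.237.204.0/19 has host bits set inside the mask, so Python's ipaddress normalises it to 169.237.192.0/19 when parsed non-strictly.

```python
import ipaddress


def parse_prefix(text):
    """Parse 'a.b.c.d/len' into an IPv4Network.

    strict=False clears any host bits, e.g. the slide's 169.237.204.0/19
    becomes 169.237.192.0/19 (the /19 covers 169.237.192.0-169.237.223.255).
    """
    return ipaddress.ip_network(text, strict=False)


def prefix_bits(net):
    """Return (network bits, mask bits) as 32-character strings, as drawn on the slide."""
    addr = format(int(net.network_address), "032b")
    mask = format(int(net.netmask), "032b")
    return addr, mask


def build_table():
    """Constructed routing table: prefix -> origin AS.

    169.237.0.0/16 -> 6192 and 169.237.6.0/24 -> 81 follow the deck; the /18
    entry with origin 6192 is an assumption added for the aggregation example.
    """
    return {
        parse_prefix("169.237.0.0/16"): 6192,
        parse_prefix("169.237.192.0/18"): 6192,
        parse_prefix("169.237.6.0/24"): 81,
    }


def covering_prefixes(table, ip):
    """All table prefixes that contain ip, most specific (longest) first."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, origin) for net, origin in table.items() if addr in net]
    return sorted(hits, key=lambda item: item[0].prefixlen, reverse=True)


def longest_match(table, ip):
    """Forwarding decision: BGP/FIB lookup prefers the most specific prefix.

    Returns (network, origin AS) or None when no prefix covers the address.
    """
    hits = covering_prefixes(table, ip)
    return hits[0] if hits else None


if __name__ == "__main__":
    table = build_table()
    bits, mask = prefix_bits(parse_prefix("169.237.0.0/16"))
    print(bits)
    print(mask)
    for ip in ("169.237.6.10", "169.237.200.1", "169.237.100.1"):
        net, origin = longest_match(table, ip)
        print(f"{ip:15} -> {net} (origin AS{origin})")
```

Run it and the output shows why a more-specific announcement matters: 169.237.6.10 is forwarded toward whoever originates the /24 (AS81 in this table) even though the /16 still belongs to AS6192, while 169.237.200.1 falls into the /18 and 169.237.100.1 into the /16.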

8 Peering ASes (diagram): UCDavis: 169.237/16, AS6192; AS11423 (UC); AS11537 (CENIC); AS513

9 AS6192 -> AS11423: UCDavis 169.237/16 is announced from AS6192 to AS11423 (UC). An AS Path: 169.237/16 11423 6192

10 AS11423 -> AS11537: AS11423 (UC) announces it on to AS11537 (CENIC). An AS Path: 169.237/16 11537 11423 6192

11 AS11537 -> AS513: AS11537 (CENIC) announces it on to AS513. An AS Path: 169.237/16 513 11537 11423 6192

12 Packet Forwarding (diagram): UCDavis: 169.237/16, AS6192, AS11423 (UC), AS11537 (CENIC), AS513. An AS Path: 169.237/16 513 11537 11423 6192

13 The Dynamics of the “Internet”
- Link/node failures
- Software malfunctions
- Implementation related
- Policy configuration
- Topology changes
- Other “interesting” dynamics (that we cannot explain well yet…)

14 The Scale of the “Internet”
- Every single prefix, and its “dynamics”, must be propagated to every single AS (21319).
- Every single AS must maintain the routing table such that it knows how to route traffic toward any one of the 177300 prefixes to the right destination.
- BGP is the protocol that supports the exchange of routing information for ALL prefixes in ALL ASes.

15 DNS and BGP
- DNS -> BGP
- BGP -> DNS
- Without DNS, BGP and the Internet can still function.
- But, without BGP, DNS won’t work very much.
(diagram labels: DNS, BGP, Internet Service)

16 Routing Dynamics in 2001 (figure): # of BGP updates over a fixed period of time (e.g., 2 hours); a color dot = an AS Path being used

17 DNS Root-A Server: AS paths observed over time on April 16, 2001 (time, then AS path)
2001.4.16:8.29  3333 9057 3356 3561 6245
2001.4.16:8.29  3333 9057 3356 701 6245
2001.4.16:8.49  3333 9057 3356 3561 6245
2001.4.16:8.55  3333 9057 3356 1239 6245
2001.4.16:8.56  3333 1103 8297 6453 1239 6245
2001.4.16:8.56  3333 1103 8297 6453 701 6245
2001.4.16:9.05  3333 1103 8297 6453 1239 6245
2001.4.16:9.24  3333 9057 3356 4544 6245
2001.4.16:9.27  3333 9057 3356 701 6245
2001.4.16:9.32  3333 1103 8297 6453 1239 6245
2001.4.16:9.33  Withdraw
2001.4.16:9.38  3333 9057 3356 4544 6245
2001.4.16:9.38  3333 286 209 4544 6245
2001.4.16:9.40  Withdraw
2001.4.16:10:2  3333 1103 8297 6453 1239 6245
2001.4.16:10:8  3333 9057 3356 3561 6245

18 Global Failure
- AS7007 falsely de-aggregated 65000+ network prefixes in 1997 and the east coast Internet was down for 12 hours.

19 Packet Forwarding (diagram, as on slide 12): UCDavis: 169.237/16, AS6192, AS11423 (UC), AS11537 (CENIC), AS513. An AS Path: 169.237/16 513 11537 11423 6192

20 Global Failure
- AS7007 falsely de-aggregated 65000+ network prefixes in 1997 and the east coast Internet was down for 12 hours.
(diagram: AS6192, AS11423 (UC), AS11537 (CENIC), AS513; prefixes 169.237/16, 142.7.6/24, 204.5.68/24, …; Black Hole)

21 Understand
- Lots of Anomalies
  - Anomaly detection
- Understand and Explain the Anomalies
  - Network Management
  - Valuable inputs for the future design
  - Better and more practical mathematical models

22 The Model (diagram labels): model-based event analysis; observed system events; SBL-based Anomaly Detection; analysis reports; Example Selection; Explanation Based Learning; model update

23 BGP Observation Points (e.g. RIPE AS12654): Internet, RIPE, … Each peer will tell us, at any moment of time, how to reach each of the 177300 prefixes! “Get the real BGP data”

24 Multiple BGP Observation Points (diagram): Oregon, RIPE, UC Davis, Internet

25 Real BGP Data Replay

26 Origin AS in an AS Path
- UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
- AS Path: 513 11537 11423 6192
  - 12654 13129 6461 3356 11423 6192
  - 12654 9177 3320 209 11423 6192
  - 12654 4608 1221 4637 11423 6192
  - 12654 777 2497 209 11423 6192
  - 12654 3549 3356 11423 6192
  - 12654 3257 3356 11423 6192
  - 12654 1103 11537 11423 6192
  - 12654 3333 3356 11423 6192
  - 12654 7018 209 11423 6192
  - 12654 2914 209 11423 6192
  - 12654 3549 209 11423 6192

27 AS paths observed for 169.237/16 via AS2152 / AS2153 (CSU-53, California State University), one path per line:
2152 6192
286 174 2152 6192
2914 174 2152 6192
3130 2914 174 2152 6192
3292 174 2152 6192
3549 174 2152 6192
2493 3602 174 2152 6192
5462 174 2152 6192
5503 174 2152 6192
5511 174 2152 6192
6667 174 2152 6192
6762 174 2152 6192
6895 174 2152 6192
15444 174 2152 6192
293 2153 6192
2497 2152 6192
4777 2497 2152 6192
7500 2497 2152 6192
3303 2152 6192
3356 2152 6192
2905 701 3356 2152 6192
1239 3356 2152 6192
3130 1239 3356 2152 6192
1668 3356 2152 6192
3257 3356 2152 6192
21202 30912 29518 3549 3356 2152 6192
3561 3356 2152 6192
5511 3356 2152 6192
6453 3356 2152 6192
7018 3356 2152 6192
3557 2152 6192
1221 4637 2152 6192
6539 2152 6192
6939 2152 6192
3257 6939 2152 6192
16150 8434 3257 6939 2152 6192
5390 6939 2152 6192
8121 6939 2152 6192
8426 6939 2152 6192
12956 6939 2152 6192
13237 6939 2152 6192
15444 6939 2152 6192
11608 2152 6192
10876 4600 11537 2153 6192
7660 11537 2153 6192
Legend: 169.237/16; AS2152 CSU-53 California State University; AS2153 CSU-53 California State University

28 Origin AS Changes (OASC)
- Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
- Current
  - AS Path: 2914 209 11423 6192
  - for prefix: 169.237/16
- New
  - AS Path: 2914 3011 273 81
  - even worse: 169.237.6/24
- Which route path to use?
- Normal or Abnormal??
(diagram: observation point 12654; ASes 6192, 11423, 209, 3011, 273, 2914, 81; prefixes 169.237/16 and 169.237.6/24)

29 (figure) Max: 10226 (9177 from a single AS)

30 Origin AS Changes (OASC)
- Normal or Abnormal??
  - How to handle this problem?
(diagram as on slide 28)

31 (diagram: statistical profile-based detection loop) labels: raw events; long term profile; decay; update; clean; compute the deviation; threshold control; timer control; alarm generation

32 (diagram: cognitive/visual detection loop) labels: raw events; cognitive profile; decay; update; clean; cognitively identify the deviation; alarm identification; Information Visualization Toolkit

33 Real-Time OASC Detection
- Low level events: BGP Route Updates
- High level events: OASC
  - 1000+ per day and max 10226 per day
  - per 3-minute window in real-time demo
- IP address blocks
- Origin AS in BGP Update Messages
- Different Types of OASC Events

34 Quad-Tree Representation of IP Address Prefixes (figure): 169.237/16 = 10101001.11101101/16, placed in the tree by its bits; leaf label AS#

35 AS# Representation (figure, same tree): AS-1, AS-7777, AS-15412, AS-6192, AS-81

36 AS81 punched a “hole” in 169.237/16 (figure): yesterday 169.237/16 (origin AS-6192); today 169.237/16 plus 169.237.6/24 (origin AS-81). Victim: AS-6192; offender: AS-81

37 OASC Event Types
- Using different colors to represent types of OASC events
- C type: CSS, CSM, CMS, CMM
- H type: H
- B type: B
- O type: OS, OM

38 August 14, 2000: AS-7777 punched hundreds of holes.

39 April 6, 2001: AS15412 caused 40K+ MOAS/OASC events within 2 weeks…

40 April 7-10, 2001 (panels per day, 04/07/2001 through 04/10/2001: “all” events and AS15412 events)

41 April 11-14, 2001 (panels per day, 04/11/2001 through 04/14/2001: “all” events and AS15412 events)

42 April 18-19, 2001 – Again?? (panels per day, 04/18/2001 and 04/19/2001: “all” events and AS15412 events)

43 SPRINT (AS-1239) (on December 3, 2000, 3000+ B events)

44 Gaining Knowledge about OASC
- Which types of “screens” are more interesting and why?
- Why was AS15412 picked for further special examination?
- Under this context, why were we only focusing on April 6-12 and April 18-19?
  - Or, why is April 16 irrelevant?
- Why are April 12 and 18 similar?
- What is the difference between these two instances in April of 2001?

45 The Model (diagram labels, as on slide 22): model-based event analysis; observed system events; SBL-based Anomaly Detection; analysis reports; Example Selection; Explanation Based Learning; model update

46 The KDD Process
- Knowledge about the application domain
- Data preparation
- Data mining
- Interpretation
- Using the discovered knowledge

47 OASC Data
- How do we define an OASC event?
  - 169.237/16
  - Origin AS changes from AS-6192 to AS-81
  - But, exactly how should we obtain the information?

48 BGP Observation Points (e.g. RIPE AS12654): Internet, RIPE, … Each peer will tell us, at any moment of time, how to reach each of the 177300 prefixes! “Get the real BGP data”

49 RIPE (AS-12654) … Each peer will tell us, at any moment of time, how to reach each of the 177300 prefixes! One routing table for all 177300 prefixes.

50 Per-Day Analysis
- Today’s routing table against yesterday’s
  - on ALL prefixes
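Slides 26, 28, 36 and 47 define the two OASC situations the deck cares about (the origin AS of a prefix changes, and an offender "punches a hole" by announcing a more-specific prefix with a different origin), and this slide says the per-day method is simply today's table against yesterday's over all prefixes. The following added example (written for this page, not the deck's or any project's code) implements that comparison over two constructed snapshots in a simple "prefix AS-path" text form. The 169.237/16 path and the AS-81 169.237.6/24 announcement come from the deck; the 192.0.2.0/24 and 198.51.100.0/24 prefixes, their paths, and the 65xxx origin ASes are placeholders. The event names "origin-change" and "hole" are this example's own; no attempt is made to reproduce the deck's C/H/B/O sub-type codes.

```python
import ipaddress
from collections import Counter

# Constructed snapshots of one observation point's routing table, one entry
# per line: prefix followed by the AS path (origin AS is the last element).
YESTERDAY = """
169.237.0.0/16    12654 2914 209 11423 6192
192.0.2.0/24      12654 701 65001
198.51.100.0/24   12654 3356 65003
"""

TODAY = """
169.237.0.0/16    12654 2914 209 11423 6192
169.237.6.0/24    12654 2914 3011 273 81
192.0.2.0/24      12654 701 65002
198.51.100.0/24   12654 3356 65003
"""


def load_table(text):
    """Parse snapshot text into {IPv4Network: [AS, AS, ...]}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, *path = line.split()
        table[ipaddress.ip_network(prefix, strict=False)] = path
    return table


def origin_as(path):
    """The origin AS is the last AS in the path, i.e. the AS that announced the prefix."""
    return path[-1]


def covering_prefix(table, net):
    """Most specific prefix in table that strictly contains net, or None."""
    best = None
    for other in table:
        if other.prefixlen < net.prefixlen and net.subnet_of(other):
            if best is None or other.prefixlen > best.prefixlen:
                best = other
    return best


def detect_oasc(yesterday, today):
    """Per-day OASC detection: compare today's table against yesterday's.

    - origin-change: same prefix in both tables, different origin AS.
    - hole: prefix new today, lies inside a prefix that existed yesterday,
      and is originated by a different AS than that covering prefix.
    Prefixes withdrawn since yesterday, and brand-new prefixes with no
    covering prefix, are not origin AS changes and are not reported.
    """
    events = []
    for net, path in today.items():
        new_origin = origin_as(path)
        if net in yesterday:
            old_origin = origin_as(yesterday[net])
            if old_origin != new_origin:
                events.append({"type": "origin-change", "prefix": str(net),
                               "old_origin": old_origin, "new_origin": new_origin})
        else:
            parent = covering_prefix(yesterday, net)
            if parent is not None:
                parent_origin = origin_as(yesterday[parent])
                if parent_origin != new_origin:
                    events.append({"type": "hole", "prefix": str(net),
                                   "covering": str(parent),
                                   "old_origin": parent_origin, "new_origin": new_origin})
    return events


def events_by_offender(events):
    """Count events per new origin AS; a single AS dominating the count is the
    kind of signal behind the deck's 'max 10226 (9177 from a single AS)'."""
    return Counter(event["new_origin"] for event in events)


if __name__ == "__main__":
    found = detect_oasc(load_table(YESTERDAY), load_table(TODAY))
    for event in found:
        print(event)
    print("events per offending AS:", dict(events_by_offender(found)))
```

On the constructed data the run reports the hole 169.237.6.0/24 (covering 169.237.0.0/16, origin 6192 -> 81) and an origin change on 192.0.2.0/24, and nothing for the unchanged prefixes. Per-update analysis (next slide) applies the same two checks to each BGP update against the current table instead of to whole-day snapshots, which is what makes per-peer events and finer time windows possible.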

51 Per-Update Analysis
- Finer granularity
- Observing “per-peer” OASC events
- Correlation with AS topology information

52 Project Proposal Areas
- Network-based IDS
- Host-based IDS
- Application-based IDS
- Routing infrastructure security
- Anomaly detection and alert correlation
- IDS evaluation and honeypot
- Or, anything else you are interested in
