02/06/2006, ecs236 Winter 2006: Intrusion Detection
Lecture #4: Anomaly Detection for Internet Routing
Dr. S. Felix Wu, Computer Science Department, University of California, Davis
Intrusion Detection Model
(diagram: input event sequence -> pattern matching -> results)
Internet in 1969
(diagram: UTAH, UCLA, SRI, UCSB)
What was the link speed/bandwidth?

ARPANet in 1969
(diagram: UTAH, UCLA, SRI, UCSB, the early Internet)
What was the link speed/bandwidth? 56 kbps
The “Internet” as of February 1, 2006
- 21319 Autonomous Systems
- IP Address Prefixes announced
AS and IP address prefix
(diagram: UCDavis /16, AS6192)
- Autonomous System: AS6192 is the set of routers in UC Davis
- UC Davis owns the /16
Address Prefix
- Prefix aggregation/de-aggregation
- Notation of network address prefixes: prefix / prefix length
(diagram: a /16 (less specific) with /17 and /19 sub-prefixes (more specific))
- BGP prefers the more specific prefix
Peering ASes
(diagram: UCDavis /16 at AS6192, peering upstream through AS11423 (UC), AS11537 (CENIC) and AS513)

(animation, three steps: the /16 announcement propagates AS6192 -> AS11423 -> AS11537 -> AS513, and the AS path shown at each step ends in the origin AS 6192)

Packet Forwarding
(diagram: the same chain of ASes; packets destined to the UCDavis /16 are forwarded along the announced AS path toward AS6192)
The Dynamics of the “Internet”
- Link/node failures
- Software malfunctions
- Implementation related
- Policy configuration
- Topology changes
- Other “interesting” dynamics (that we cannot explain well yet…)
The Scale of the “Internet”
- Every single prefix, and its “dynamics”, must be propagated to every single AS (21319).
- Every single AS must maintain a routing table such that it knows how to route traffic toward any one of the prefixes, to the right destination.
- BGP is the protocol that supports the exchange of routing information for ALL prefixes in ALL ASes.
DNS and BGP
- DNS -> BGP?
- BGP -> DNS?
- Without DNS, BGP and the Internet can still function.
- But without BGP, DNS won't work very well.
(diagram: DNS and BGP underneath the Internet service)
Routing Dynamics in 2001
(figure: # of BGP updates over a fixed period of time (e.g., 2 hours); a color dot = an AS path being used)
DNS Root-A Server
(figure: timeline of BGP updates for the Root-A server prefix, including Withdraw events at 9:33 and 9:40 and further updates after 10:00)
Global Failure
- In 1997, AS7007 falsely de-aggregated network prefixes and the east coast Internet was down for 12 hours.
Global Failure
- In 1997, AS7007 falsely de-aggregated network prefixes and the east coast Internet was down for 12 hours.
(diagram: an AS announces more specific /24 prefixes …. cut out of the UCDavis /16; because BGP prefers the more specific prefix, traffic is drawn away from AS6192 / AS11423 (UC) / AS11537 (CENIC) into a black hole)
Understand
- Lots of anomalies
  - Anomaly detection
- Understand and explain the anomalies
  - Network management
  - Valuable inputs for future design
  - Better and more practical mathematical models
The Model
(diagram: observed system events -> model-based event analysis (SBL-based anomaly detection) -> analysis reports -> example selection -> explanation-based learning -> model update, feeding back into the model)
BGP Observation Points (e.g. RIPE AS12654)
(diagram: an observation point attached to the Internet through its RIPE peers …)
Each peer will tell us, at any moment of time, how to reach each of the prefixes!
“Get the real BGP data”
Multiple BGP Observation Points
(diagram: Oregon, RIPE and UC Davis observation points attached to the Internet)
Real BGP Data Replay
Origin AS in an AS Path
- UCDavis (AS-6192) owns the /16 and AS-6192 is the origin AS
- AS Path: 513 6192
(figure: one /16 shown with two origin ASes, AS2152 and AS2153, both named CSU-53, California State University)
Origin AS Changes (OASC)
- Ownership: UCDavis (AS-6192) owns the /16 and AS-6192 is the origin AS
- Current
  - AS Path: 2914 209 6192
  - for prefix: /16
- New
  - AS Path: 2914 3011 273 81
  - even worse: for a /24
- Which route path to use?
- Normal or Abnormal??
(diagram: the /16 and the /24 inside it)
(chart: OASC event counts; max: 9177 from a single AS)
Origin AS Changes (OASC)
- Normal or Abnormal??
  - How to handle this problem?
(diagram: the /16 and the /24 inside it)
(diagram, statistical anomaly detection: raw events -> long-term profile (decay, update, clean) -> compute the deviation -> alarm generation, with threshold control and timer control)
(diagram, cognitive variant: raw events -> cognitive profile (decay, update, clean) -> cognitively identify the deviation -> alarm identification, through an Information Visualization Toolkit)
Real-Time OASC Detection
- Low level events: BGP route updates
- High level events: OASC
  - 1000+ per day, and max per day
  - per 3-minute window in the real-time demo
- IP address blocks
- Origin AS in BGP update messages
- Different types of OASC events
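The profile pipeline in the two diagrams above (raw events feeding a long-term profile maintained by decay/update/clean, a computed deviation, and alarm generation under threshold control and timer control), applied to per-window OASC counts such as the 3-minute windows of the real-time demo. This is an added example, not the lecture's code: the diagrams name the components but not the formulas, so the exponentially decayed mean and variance, the class and function names, and the constructed per-window counts are all assumptions of this example.

```python
"""Long-term profile with decay, deviation and threshold over per-window OASC counts.

Added example, not the lecture's code. The lecture's diagram names the
components (raw events, long-term profile with decay/update/clean, compute
the deviation, alarm generation, threshold and timer control) but not the
formulas; the exponentially decayed mean and variance used here, and the
constructed per-window counts, are assumptions of this example.
"""
import math


class LongTermProfile:
    """Decayed mean/variance of the event count per window, with alarm logic."""

    def __init__(self, decay=0.9, threshold=3.0, warmup=5):
        self.decay = decay          # weight kept from the old profile each window
        self.threshold = threshold  # threshold control: alarm above this many sigmas
        self.warmup = warmup        # timer control: windows observed before alarms fire
        self.mean = 0.0
        self.var = 0.0
        self.windows = 0

    def deviation(self, count):
        """How many standard deviations `count` lies above the long-term profile."""
        sigma = math.sqrt(self.var)
        if sigma == 0.0:
            return 0.0 if count == self.mean else math.inf
        return (count - self.mean) / sigma

    def observe(self, count):
        """Process one window: compute the deviation, decide on an alarm, update."""
        dev = self.deviation(count)
        alarm = self.windows >= self.warmup and dev > self.threshold
        if self.windows == 0:
            self.mean = float(count)          # the first window seeds the profile
        elif not alarm:
            # decay + update; an alarmed window is not absorbed, which keeps the
            # profile "clean" of the anomaly it just reported
            a = self.decay
            delta = count - self.mean
            self.mean = a * self.mean + (1 - a) * count
            self.var = a * (self.var + (1 - a) * delta * delta)
        self.windows += 1
        return dev, alarm


def alarms_for(counts, **kwargs):
    """Run a fresh profile over a sequence of per-window counts; return the alarm flags."""
    profile = LongTermProfile(**kwargs)
    return [profile.observe(c)[1] for c in counts]


# Constructed per-window OASC counts: ten ordinary windows, then one window
# of the size the lecture reports for a single-AS burst (9177).
SAMPLE_COUNTS = [40, 45, 38, 42, 50, 44, 41, 47, 39, 43, 9177]

if __name__ == "__main__":
    p = LongTermProfile()
    for c in SAMPLE_COUNTS:
        dev, alarm = p.observe(c)
        print(f"count={c:5d} mean={p.mean:8.2f} dev={dev:10.2f} alarm={alarm}")
```

Two design choices matter for the diagram's "clean" and "timer control" boxes: an alarmed window is not folded back into the profile, so a burst does not teach the detector that bursts are normal, and no alarm fires during the warm-up windows, when the variance estimate is still meaningless. The remaining caveat is a profile whose variance is exactly zero (a perfectly constant history): any change then has infinite deviation and raises an alarm, so a real deployment would floor sigma at some minimum.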
Quad-Tree Representation of IP Address Prefixes
(figure: an AS# placed at the quad-tree node of its prefix, e.g. a /16)
AS# Representation
(figure: quad-tree nodes labelled AS-1, AS-7777, AS-6192 and AS-81)
AS81 punched a “hole” in the /16
(figure: yesterday the /16 was originated by AS-6192; today a /24 inside it is originated by AS-81. Victim: AS-6192; offender: AS-81)
OASC Event Types
- Using different colors to represent types of OASC events
- C type: CSS, CSM, CMS, CMM
- H type: H
- B type: B
- O type: OS, OM
August 14, 2000: AS-7777 punched hundreds of holes.
April 6, 2001: AS15412 caused 40K+ MOAS/OASC events within 2 weeks…
April 7-10, 2001
(figures: daily OASC screens for 04/07/2001, 04/08/2001, 04/09/2001 and 04/10/2001)

April 11-14, 2001
(figures: daily OASC screens for 04/11/2001, 04/12/2001, 04/13/2001 and 04/14/2001)

April 18-19, 2001 – Again??
(figures: daily OASC screens for 04/18/2001 and 04/19/2001)
SPRINT (AS-1239)
(figure: B events on December 3, 2000)
Gaining Knowledge about OASC
- Which types of “screens” are more interesting, and why?
- Why was AS15412 picked for further special examination?
- In this context, why were we only focusing on April 6-12 and April 18-19?
  - Or, why is April 16 irrelevant?
- Why are April 12 and 18 similar?
- What is the difference between these two instances in April of 2001?
The KDD Process
- Knowledge about the application domain
- Data preparation
- Data mining
- Interpretation
- Using the discovered knowledge
OASC Data
- How do we define an OASC event?
  - /16
  - Origin AS changes from AS-6192 to AS-81
  - But, exactly how should we obtain the information?
(diagram: the RIPE observation point AS-12654 and its peers …)
Each peer will tell us, at any moment of time, how to reach each of the prefixes!
One routing table for all prefixes at AS-12654
Per-Day Analysis
- Today's routing table against yesterday's
  - on ALL prefixes
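The per-day comparison just described (today's routing table against yesterday's, on all prefixes), together with the earlier "hole" figure (a /24 inside the /16 originated by a different AS) and the AS7007 black-hole diagram (the more specific prefix wins the longest-prefix match), as an added example that is not the lecture's or the project's code. The "prefix|AS path" snapshot format, the two constructed tables, the 10.16.0.0/16 that stands in for the UCDavis /16, and the event labels "origin-change", "hole" and "self-deaggregation" are all assumptions of this example; the lecture's C/H/B/O taxonomy is not reproduced.

```python
"""Per-day Origin AS Change (OASC) check between two routing-table snapshots.

Added example, not the lecture's own code. Both snapshots are constructed
here in a simplified "prefix|AS path" line format (an assumption of this
example; real input would be an observation point's routing table dump).
The lecture's C/H/B/O event taxonomy is not reproduced: the labels
"origin-change", "hole" and "self-deaggregation" are this example's own.
"""
import ipaddress
from collections import Counter

# Constructed "yesterday" table. 10.16.0.0/16 stands in for the UCDavis /16
# (the real prefix is not used here), originated by AS 6192.
YESTERDAY = """\
10.16.0.0/16|513 11537 11423 6192
10.32.0.0/16|513 2152
192.0.2.0/24|513 64500
"""

# Constructed "today" table: AS 81 punches a /24 hole in the /16, the
# 10.32.0.0/16 moves from AS 2152 to AS 2153, and AS 64500 de-aggregates
# its own /24 into a /25 (same origin, so not an origin change).
TODAY = """\
10.16.0.0/16|513 11537 11423 6192
10.16.5.0/24|513 81
10.32.0.0/16|513 2153
192.0.2.0/24|513 64500
192.0.2.128/25|513 64500
"""


def parse_snapshot(text):
    """Map each announced prefix to its origin AS (the last AS in the path)."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, path = line.split("|", 1)
        table[ipaddress.ip_network(prefix.strip())] = int(path.split()[-1])
    return table


def origin_for_address(table, address):
    """Longest-prefix-match lookup: the origin AS that receives traffic for `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for net in table:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net  # a more specific prefix wins over a less specific one
    return None if best is None else table[best]


def covering_prefix(table, net):
    """The most specific prefix in `table` that strictly contains `net`, or None."""
    best = None
    for cand in table:
        if cand.version == net.version and cand.prefixlen < net.prefixlen and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return best


def detect_oasc(yesterday, today):
    """Compare today's table against yesterday's, on all prefixes, and list events."""
    events = []
    for net in sorted(today, key=lambda n: (n.version, n)):
        origin = today[net]
        if net in yesterday:
            if yesterday[net] != origin:  # same prefix, different origin AS
                events.append({"type": "origin-change", "prefix": str(net),
                               "victim": yesterday[net], "offender": origin})
            continue
        cover = covering_prefix(yesterday, net)
        if cover is None:
            continue  # new address space with nothing to compare against
        event = {"prefix": str(net), "covering": str(cover),
                 "victim": yesterday[cover], "offender": origin}
        # A new, more specific prefix from another AS takes the traffic away
        # from the covering prefix's origin: a punched hole.
        event["type"] = "hole" if yesterday[cover] != origin else "self-deaggregation"
        events.append(event)
    return events


def offenders(events):
    """Events per offending origin AS: the 'max from a single AS' view."""
    return Counter(e["offender"] for e in events if e["type"] != "self-deaggregation")


if __name__ == "__main__":
    y, t = parse_snapshot(YESTERDAY), parse_snapshot(TODAY)
    for e in detect_oasc(y, t):
        print(e)
    print("10.16.5.7 reaches origin", origin_for_address(y, "10.16.5.7"),
          "yesterday and", origin_for_address(t, "10.16.5.7"), "today")
```

Running the block shows the two sides of the lecture's "victim/offender" picture: the /24 hole is reported with AS 6192 as victim and AS 81 as offender, and the longest-prefix lookup confirms why it matters, since a packet for 10.16.5.7 reached AS 6192 yesterday and reaches AS 81 today. The same-origin /25 is listed but kept out of the per-offender count, which is the first thing to sort out before asking which single AS produced the most events in a day.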
Per-Update Analysis
- Finer granularity
- Observing “per-peer” OASC events
- Correlation with AS topology information
Project Proposal Areas
- Network-based IDS
- Host-based IDS
- Application-based IDS
- Routing infrastructure security
- Anomaly detection and alert correlation
- IDS evaluation and honeypot
- Or, anything else you are interested in