ecs236 Winter 2006: Intrusion Detection #4: Anomaly Detection for Internet Routing. Dr. S. Felix Wu, Computer Science Department, University of California, Davis (02/06/2006).

Presentation transcript:

ecs236 Winter 2006: Intrusion Detection #4: Anomaly Detection for Internet Routing. Dr. S. Felix Wu, Computer Science Department, University of California, Davis.

Intrusion Detection Model (diagram): input event sequence -> pattern matching -> results

Internet in 1969: UTAH, UCLA, SRI, UCSB. What was the link speed/bandwidth?

ARPANet in 1969 -> Internet: UTAH, UCLA, SRI, UCSB. What was the link speed/bandwidth? 56 kbps

The "Internet" as of February 1, 2006:
- 21319 Autonomous Systems
- IP Address Prefixes announced

AS and IP address prefix: UCDavis: /16, AS6192. Autonomous System: AS6192 is the set of routers in UC Davis; UC Davis owns the /16.

Address Prefix
- Prefix aggregation/de-aggregation
- Notation of network address prefixes: prefix / prefix length
- Examples: /16 (less specific), /17, /19 (more specific)
- BGP prefers the more specific prefix

Peering ASes: UCDavis: /16, AS6192 - AS11423 (UC) - AS11537 (CENIC) - AS513

AS6192 -> AS11423 (UCDavis: /16, AS6192, AS11423 (UC), AS11537 (CENIC), AS513). An AS Path: ... 6192

AS11423 -> AS11537 (UCDavis: /16, AS6192, AS11423 (UC), AS11537 (CENIC), AS513). An AS Path: ... 6192

AS11537 -> AS513 (UCDavis: /16, AS6192, AS11423 (UC), AS11537 (CENIC), AS513). An AS Path: ... 6192

Packet Forwarding (UCDavis: /16, AS6192, AS11423 (UC), AS11537 (CENIC), AS513). An AS Path: ... 6192

The Dynamics of the "Internet"
- Link/node failures
- Software malfunctions
- Implementation related
- Policy configuration
- Topology changes
- Other "interesting" dynamics (that we cannot explain well yet...)

The Scale of the "Internet"
- Every single prefix, and its "dynamics", must be propagated to every single AS (21319).
- Every single AS must maintain a routing table such that it knows how to route traffic toward any one of the prefixes to the right destination.
- BGP is the protocol that supports the exchange of routing information for ALL prefixes in ALL ASes.

DNS and BGP
- DNS -> BGP
- BGP -> DNS
- Without DNS, BGP and the Internet can still function.
- But without BGP, DNS won't work very much.
(diagram: DNS, BGP, Internet Service)

Routing Dynamics in 2001 (figure): # of BGP updates over a fixed period of time (e.g., 2 hours); a color dot = an AS Path being used

DNS Root-A Server (figure: a timeline of BGP updates for the Root-A server's prefix, including two Withdraw events)

Global Failure
- AS7007 falsely de-aggregated network prefixes in 1997 and the east coast Internet was down for 12 hours.


Global Failure
- AS7007 falsely de-aggregated network prefixes in 1997 and the east coast Internet was down for 12 hours.
(diagram: AS6192, AS11423 (UC), AS11537 (CENIC), and an AS announcing /24, /24, /24, ... -> Black Hole)

Understand
- Lots of Anomalies
  - Anomaly detection
- Understand and Explain the Anomalies
  - Network Management
  - Valuable inputs for future Design
  - Better and more practical Mathematical Models

the Model (diagram): observed system events -> model-based event analysis (SBL-based Anomaly Detection) -> analysis reports -> Example Selection -> Explanation Based Learning -> model update

BGP Observation Points (e.g. RIPE AS12654): Internet ... RIPE. Each peer will tell us, at any moment of time, how to reach each of the prefixes! "Get the real BGP data"

Multiple BGP Observation Points (diagram): Oregon, RIPE, UC Davis

Real BGP Data Replay

Origin AS in an AS Path
- UCDavis (AS-6192) owns /16 and AS-6192 is the origin AS
- AS Path: 513 ... 6192

/16: AS2152 CSU-53 California State University; AS2153 CSU-53 California State University

Origin AS Changes (OASC)
- Ownership: UCDavis (AS-6192) owns /16 and AS-6192 is the origin AS
- Current
  - AS Path: 2914 -> 209 -> ... -> 6192
  - for prefix: /16
- New
  - AS Path: 2914 -> 3011 -> 273 -> 81
  - even worse: /24
- Which route path to use?
- Normal or Abnormal??
(figure: /16 and /24)

(figure) Max: (9177 from a single AS)

Origin AS Changes (OASC)
- Normal or Abnormal??
  - How to handle this problem?
(figure: /16 and /24)

(diagram) raw events -> long term profile (decay, update, clean) -> compute the deviation -> alarm generation, with threshold control and timer control

(diagram) raw events -> cognitive profile (decay, update, clean) -> cognitively identify the deviation (Information Visualization Toolkit) -> alarm identification

Real-Time OASC Detection
- Low level events: BGP Route Updates
- High level events: OASC
  - 1000+ per day, and the max per day
  - per 3-minute window in the real-time demo
- IP address blocks
- Origin AS in BGP Update Messages
- Different Types of OASC Events

Quad-Tree Representation of IP Address Prefixes (figure: AS#, /16 blocks)

AS# Representation (figure: AS-1, AS-7777, AS-6192, AS-81)

AS81 punched a "hole" in /16
- yesterday: /16, origin AS-6192
- today: /16, plus a /24 with origin AS-81
- victim: AS-6192; offender: AS-81

OASC Event Types
- Using different colors to represent types of OASC events
- C type: CSS, CSM, CMS, CMM
- H type: H
- B type: B
- O type: OS, OM

August 14, 2000: AS-7777 punched hundreds of holes.

April 6, 2001: AS15412 caused 40K+ MOAS/OASC events within 2 weeks...

April 7-10, 2001 (screenshots for 04/07/2001 through 04/10/2001)

April 11-14, 2001 (screenshots for 04/11/2001 through 04/14/2001)

April 18-19, 2001 -- Again?? (screenshots for 04/18/2001 and 04/19/2001)

SPRINT (AS-1239) (on December 3, 2000, B events)

Gaining Knowledge about OASC
- Which types of "screens" are more interesting and why?
- Why was AS15412 picked for further special examination?
- Under this context, why were we only focusing on April 6-12 and April 18-19?
  - Or, why is April 16 irrelevant?
- Why are April 12 and 18 similar?
- What is the difference between these two instances in April of 2001?


The KDD Process
- Knowledge about the application domain
- Data preparation
- Data mining
- Interpretation
- Using the discovered knowledge

OASC Data
- How do we define an OASC event?
  - /16
  - Origin AS changes from AS-6192 to AS-81
  - But, exactly how should we obtain the information?


RIPE ... Each peer will tell us, at any moment of time, how to reach each of the prefixes! One routing table for all prefixes (AS-12654)

Per-Day Analysis
- Today's routing table against yesterday's
  - on ALL prefixes

Per-Update Analysis
- Finer granularity
- Observing "per-peer" OASC events
- Correlation with AS Topology information
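As an added example (not part of the slides), the per-day comparison above and the hole-punching case from the AS-81 slide, implemented in Python: two constructed routing-table snapshots (prefix -> set of origin ASes, using documentation address ranges rather than the deck's real UC Davis prefix, with AS numbers borrowed from the slides) are compared, and each origin change or punched hole is reported with its victim and offender origins. Reading the C-type labels CSS/CSM/CMS/CMM as single/multiple origins before and after the change is my assumption; the slides do not spell it out.

```python
import ipaddress

# Constructed sample routing-table snapshots (prefix -> set of origin ASes).
# Prefixes are documentation ranges, not the deck's real UC Davis prefix;
# the AS numbers (6192, 81, 2152, 2153, 1239) come from the slides.
YESTERDAY = {
    "192.0.2.0/24": {6192},
    "198.51.100.0/24": {2152, 2153},   # MOAS: two origins for one prefix
    "203.0.113.0/24": {1239},
}
TODAY = {
    "192.0.2.0/24": {6192},
    "192.0.2.128/25": {81},            # more specific, other origin: a "hole"
    "198.51.100.0/24": {2152},
    "203.0.113.0/24": {3011},
}


def covering_prefix(prefix, table):
    """Longest less-specific prefix in `table` that contains `prefix`.
    BGP prefers the more specific route, so the hole draws the traffic."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p in table:
        cand = ipaddress.ip_network(p)
        if cand.prefixlen < net.prefixlen and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return str(best) if best is not None else None


def oasc_events(yesterday, today):
    """Per-day OASC analysis: today's table against yesterday's on all prefixes.
    Returns (type, prefix, victim origins, offender origins) tuples."""
    events = []
    for prefix, origins in today.items():
        old = yesterday.get(prefix)
        if old is None:
            # New prefix: a hole if yesterday's covering prefix had other origins.
            cover = covering_prefix(prefix, yesterday)
            if cover is not None and not (origins & yesterday[cover]):
                events.append(("H", prefix, sorted(yesterday[cover]), sorted(origins)))
        elif old != origins:
            # Change type: S/M = single/multiple origins before/after (assumed labelling).
            kind = "C" + ("S" if len(old) == 1 else "M") + ("S" if len(origins) == 1 else "M")
            events.append((kind, prefix, sorted(old), sorted(origins)))
    return events


if __name__ == "__main__":
    for ev in oasc_events(YESTERDAY, TODAY):
        print(ev)
```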

Project Proposal Areas
- Network-based IDS
- Host-based IDS
- Application-based IDS
- Routing infrastructure Security
- Anomaly Detection and Alert Correlation
- IDS evaluation and Honeypot
- Or, anything else you are interested in