Abstract
Despite the robust structure of the Internet, it is still susceptible to disruptive routing updates that prevent network traffic from reaching its destination. Our research shows that BGP announcements that are associated with disruptive updates tend to occur in groups of relatively high frequency, followed by periods of infrequent activity. We hypothesize that we may use these bursty characteristics to detect anomalous routing incidents. In this work, we use manually verified ground truth metadata and volume of announcements as a baseline measure, and propose a burstiness measure that detects prior anomalous incidents with high recall and better precision than the volume baseline. We quantify the burstiness of inter-arrival times around the date and times of four large-scale incidents: the Indosat hijacking event in April 2014, the Telecom Malaysia leak in June 2015, the Bharti Airtel Ltd. hijack in November 2015, and the MainOne leak in November 2018; and three smaller scale incidents that led to traffic interception: the Belarusian traffic direction in February 2013, the Icelandic traffic direction in July 2013, and the Russian telecom that hijacked financial services in April 2017. Our method leverages the burstiness of disruptive update messages to detect these incidents. We describe limitations, open challenges, and how this method can be used for routing anomaly detection.
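The abstract contrasts a burstiness measure of update inter-arrival times with a volume baseline but does not spell out either computation. The following is an added example, not code from the paper or its authors: it assumes the Goh and Barabási burstiness coefficient B = (σ − μ)/(σ + μ) of the inter-arrival times within a fixed window (the paper's exact measure is not stated on this page), a 300 s window, an arbitrary burstiness cut-off of 0.3, a volume rule of "more than twice the median window count", and constructed timestamps rather than real BGP data. It shows the two detectors disagreeing: a window of evenly spaced routine churn trips the volume rule but has B = −1, while a window of few but tightly clustered updates has low volume and high burstiness.

```python
"""Burstiness of BGP update inter-arrival times versus a per-window volume baseline.

Added example, not the paper's code. The burstiness coefficient used here is the
Goh and Barabasi measure B = (sigma - mu) / (sigma + mu) over inter-arrival times;
this is an assumption, since the abstract does not state the paper's exact measure.
"""
from statistics import mean, median, pstdev

WINDOW = 300  # window length in seconds (assumed; the paper's window size is not given here)

# Constructed timestamps (seconds since an arbitrary origin), not real BGP data.
# Four consecutive 300 s windows:
#   [0, 300)    one update every 30 s          -> steady, low volume
#   [300, 600)  one update every 10 s          -> steady, high volume (routine churn)
#   [600, 900)  two tight clusters of updates  -> low volume, but bursty
#   [900, 1200) one update every 30 s          -> steady, low volume
UPDATES = (
    list(range(0, 300, 30))
    + list(range(300, 600, 10))
    + [600, 601, 602, 603, 604, 850, 851, 852, 853, 854]
    + list(range(900, 1200, 30))
)


def burstiness(timestamps):
    """Return B in [-1, 1] for the inter-arrival times of a list of timestamps.

    B = -1 for perfectly regular arrivals, 0 when sigma == mu (exponential gaps,
    i.e. Poisson-like arrivals), and B -> 1 as arrivals collapse into tight clusters
    separated by long gaps. Needs at least two inter-arrival times (three updates);
    returns None otherwise, or when every gap is zero.
    """
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    sigma = pstdev(gaps)
    if sigma + mu == 0:
        return None
    return (sigma - mu) / (sigma + mu)


def split_windows(timestamps, window=WINDOW):
    """Group timestamps by the start time of the fixed-length window containing them."""
    groups = {}
    for t in sorted(timestamps):
        groups.setdefault((t // window) * window, []).append(t)
    return groups


def window_counts(timestamps, window=WINDOW):
    """Volume baseline: number of updates in each window."""
    return {start: len(ts) for start, ts in split_windows(timestamps, window).items()}


def window_burstiness(timestamps, window=WINDOW):
    """Burstiness coefficient of the inter-arrival times inside each window."""
    return {start: burstiness(ts) for start, ts in split_windows(timestamps, window).items()}


def flag_by_volume(timestamps, window=WINDOW, factor=2.0):
    """Flag windows whose update count exceeds `factor` times the median window count."""
    counts = window_counts(timestamps, window)
    baseline = median(counts.values())
    return sorted(start for start, c in counts.items() if c > factor * baseline)


def flag_by_burstiness(timestamps, window=WINDOW, threshold=0.3):
    """Flag windows whose burstiness coefficient exceeds `threshold` (assumed cut-off)."""
    scores = window_burstiness(timestamps, window)
    return sorted(start for start, b in scores.items() if b is not None and b > threshold)


if __name__ == "__main__":
    counts = window_counts(UPDATES)
    scores = window_burstiness(UPDATES)
    for start in sorted(counts):
        b = scores[start]
        label = "n/a" if b is None else f"{b:+.3f}"
        print(f"window {start:>4}s: count={counts[start]:>2} B={label}")
    print("flagged by volume:    ", flag_by_volume(UPDATES))
    print("flagged by burstiness:", flag_by_burstiness(UPDATES))
```

On this constructed input the volume rule flags only the [300, 600) window and the burstiness rule flags only the [600, 900) window. Whether a flagged window is a true incident still needs ground truth, which is why the abstract measures recall and precision against manually verified incident metadata; the window length and both thresholds here are tuning knobs, not values taken from the paper.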
Original language | English |
---|---|
Article number | 107835 |
Journal | Computer Networks |
Volume | 188 |
DOIs | |
State | Published - Apr 7 2021 |
Funding
This research has been supported in part by NSF CNS, USA 1565375 and Cisco Research, USA 591000. This work was carried out in part at Oak Ridge National Laboratory, managed by UT-Battelle, LLC for the U.S. Department of Energy under Contract No. DE-AC05-00OR22725. Pablo Moriano thanks Kalyan Perumalla and Steve Rich for their guidance, and Claudia Castro for her assistance in designing Fig. 1.

Raquel Hill is a tenured associate professor and chair of the Computer and Information Sciences Department at Spelman College. Prior to joining Spelman College, Hill was an associate professor of computer science and the director of the Cybersecurity Academic Program in the Luddy School of Informatics, Computing, and Engineering at Indiana University Bloomington. She holds bachelor's and master's degrees in computer science from Georgia Institute of Technology and a Ph.D. in computer science from Harvard University. Her primary research interests span the areas of trust and security for distributed computing environments and data privacy. Her research has been funded by various agencies, including the National Science Foundation. She has published numerous articles on various topics, including security for electronic voting systems, encryption-based access control, trusted computing, smartphone security, network security, and privacy in research datasets. Her interdisciplinary work on the re-identification risks in medical-related behavioral science data was featured in the Forbes magazine article "Anonymous Sex Survey Takers Get Identified in Data Dive." In 2016, Hill was selected and highlighted in Brilliant Minds at IU Bloomington, an ongoing series of short videos featuring some of the fascinating research and creative activities that IU Bloomington faculty pursue. Hill is a passionate educator, and she was awarded Indiana University's Trustees Teaching Award in 2019. She has also dedicated time to mentoring undergraduate students, participating in departmental and campus-level initiatives to engage undergraduates in research.

This manuscript has been authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the US Department of Energy. The United States Government retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for United States Government purposes. The Department of Energy will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).
Funders | Funder number |
---|---|
Cisco Research | USA 591000 |
NSF CNS | USA 1565375 |
US Department of Energy | |
National Science Foundation | |
U.S. Department of Energy | DE-AC05-00OR22725 |
Oak Ridge National Laboratory | |
UT-Battelle | |
Keywords
- Anomaly detection
- Border Gateway Protocol (BGP)
- Burstiness
- Internet measurements
- Prefix hijacking
- Time series analysis