基于绕行路径的聚类分析与异常检测
Clustering Analysis and Anomaly Detection Based on the Detour Path

Authors: 刘磊, 朱培栋, 闫爽, 富威 (College of Computer, National University of Defense Technology, Changsha, Hunan)

Keywords: BGP, Detour Path, Clustering Analysis, Anomaly Detection

Abstract:
This paper first defines the detour path in BGP routing. By observing the AS_PATH attribute of routing tables, it summarises six forms of detour path: continuously repeated AS, loop, around the neighbor AS, around the country, around the border, and around the multinational company. It then performs a clustering analysis of these forms and proposes detour-path-based detection methods for anomalous routes, covering continuously repeated AS, routing loops, domestic traffic leakage, path forgery and path tampering. Experiments show that the proposed method effectively detects anomalous routing behaviour, and that the existence of detour paths is one of the main reasons the average shortest path for Internet traffic delivery becomes longer.
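The six detour forms named in the abstract can all be read off the AS_PATH attribute once an AS-to-country map and a set of known AS adjacencies are available. The following Python block is an added example, not the paper's code: it parses an AS_PATH string and flags each form. The AS numbers, country assignments, adjacency set and the "multinational" set are constructed sample data. The abstract does not define the three geographic forms precisely, so the example assumes: "around the country" means both path ends are in one country but a foreign AS is transited (the domestic-traffic-leakage case); "around the border" means the ends are in different countries but a third country is transited; "around the multinational company" means the foreign transit ASes in a domestic path all belong to a multinational operator.

```python
"""Classify a BGP AS_PATH into the detour-path forms of the abstract.

Added example with constructed data; the AS numbers (64500-64520, from the
private range), countries, adjacencies and multinational set are hypothetical.
"""
from typing import Dict, List

# Constructed AS -> country map (hypothetical).
AS_COUNTRY: Dict[int, str] = {
    64500: "CN", 64501: "CN", 64502: "CN", 64503: "CN",
    64510: "US", 64511: "US",
    64520: "JP",
}

# Constructed undirected AS adjacencies (who is directly connected to whom).
ADJACENT = {frozenset(p) for p in [
    (64500, 64501), (64501, 64502), (64500, 64502), (64502, 64503),
    (64502, 64510), (64510, 64511), (64511, 64503),
    (64501, 64520), (64520, 64502),
]}

# Constructed: ASes operated by a company present in several countries.
MULTINATIONAL = {64520}


def parse_as_path(as_path: str) -> List[int]:
    """Turn 'AS1 AS2 AS3' into [AS1, AS2, AS3].

    AS_SET tokens such as '{64501,64502}' are skipped: they carry no order,
    so they cannot contribute to a detour judgement.
    """
    return [int(t) for t in as_path.split() if t.isdigit()]


def dedupe(path: List[int]) -> List[int]:
    """Collapse consecutive repeats (AS prepending) into one hop each."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def repeated_as(path: List[int]) -> List[int]:
    """Form 1: an AS that immediately repeats itself (prepending)."""
    return [path[i] for i in range(len(path) - 1) if path[i] == path[i + 1]]


def has_loop(path: List[int]) -> bool:
    """Form 2: an AS reappears after other ASes (a routing loop)."""
    d = dedupe(path)
    return len(set(d)) < len(d)


def around_neighbor(path: List[int]) -> List[int]:
    """Form 3: the ASes on either side of a hop are direct neighbours,
    so that hop was a detour around a neighbour AS."""
    d = dedupe(path)
    return [d[i + 1] for i in range(len(d) - 2)
            if frozenset((d[i], d[i + 2])) in ADJACENT]


def country_seq(path: List[int]) -> List[str]:
    """Country of each hop; '??' for an AS missing from the map."""
    return [AS_COUNTRY.get(a, "??") for a in dedupe(path)]


def around_country(path: List[int]) -> bool:
    """Form 4 (assumed meaning): same country at both ends, foreign transit."""
    cs = country_seq(path)
    return len(cs) >= 3 and cs[0] == cs[-1] and any(c != cs[0] for c in cs[1:-1])


def around_border(path: List[int]) -> bool:
    """Form 5 (assumed meaning): different countries at the ends, and the
    path transits a third country on the way."""
    cs = country_seq(path)
    return (len(cs) >= 3 and cs[0] != cs[-1]
            and any(c not in (cs[0], cs[-1]) for c in cs[1:-1]))


def around_multinational(path: List[int]) -> bool:
    """Form 6 (assumed meaning): a domestic path whose foreign transit ASes
    all belong to a multinational operator."""
    d = dedupe(path)
    cs = country_seq(path)
    if not around_country(path):
        return False
    foreign = [a for a, c in zip(d[1:-1], cs[1:-1]) if c != cs[0]]
    return bool(foreign) and all(a in MULTINATIONAL for a in foreign)


def classify(as_path: str) -> Dict[str, object]:
    """Return every detour-form judgement for one AS_PATH string."""
    path = parse_as_path(as_path)
    return {
        "repeated_as": repeated_as(path),
        "loop": has_loop(path),
        "around_neighbor": around_neighbor(path),
        "around_country": around_country(path),
        "around_border": around_border(path),
        "around_multinational": around_multinational(path),
    }


if __name__ == "__main__":
    # Constructed sample AS_PATHs, one per detour form.
    for p in ["64500 64501 64501 64502", "64500 64501 64502 64501 64503",
              "64500 64502 64510 64511 64503", "64500 64501 64520 64502",
              "64503 64511 64510 64502 64501 64520"]:
        print(p, "->", classify(p))
```

A practical detector would feed `classify` every AS_PATH from a routing-table dump and cluster the results per prefix; in this example a path such as `64500 64502 64510 64511 64503` (CN, CN, US, US, CN) is the domestic-leakage case, while `64500 64501 64520 64502` is flagged as both "around neighbor" and "around multinational" because 64501 and 64502 are direct neighbours and the inserted hop 64520 belongs to the constructed multinational set.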

Cite this article: 刘磊, 朱培栋, 闫爽, 富威 (2016) Clustering Analysis and Anomaly Detection Based on the Detour Path. Software Engineering and Applications, 5, 93-102. doi: 10.12677/SEA.2016.52011

