Rule-Based Anomaly Detection of Inter-domain Routing System

The inter-domain routing (IDR) system is a critical part of the Internet infrastructure. However, anomalies exist in BGP routing behavior because of BGP misconfigurations, router malfunctions, or deliberate attacks. To help secure the IDR system, this paper presents a rule-based framework and a rich set of detection rules to identify abnormal routing behavior. The detection rules are categorized into General Anomaly-detection Rules (GADRs) and Special Anomaly-detection Rules (SADRs), which work together with the Basic Models and the Generated Models of the Internet, respectively. Under the proposed framework, a prototype system, ISP-Health, is implemented; it can detect various abnormal routes and complex hidden routing attacks.
