Detection of Interdomain Routing Anomalies Based on Higher-Order Path Analysis

Anomalous interdomain border gateway protocol (BGP) events including misconfigurations, attacks and large-scale power failures often affect the global routing infrastructure. Thus, the ability to detect and categorize such events is extremely useful. In this article we present a novel anomaly detection technique for BGP that distinguishes between different anomalies in BGP traffic. This technique is termed higher order path analysis (HOPA) and focuses on the discovery of patterns in higher order paths in supervised learning datasets. Our results demonstrate that not only worm events but also different types of worms as well as blackout events are cleanly separable and can be classified in real time based on our incremental approach. This novel approach to supervised learning has potential applications in cybersecurity/forensics and text/data mining in general.
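To make the central idea concrete, the following is an added illustration (not code from the paper or its authors) of what "higher-order paths" in a supervised dataset look like. It assumes the usual definition from the higher-order co-occurrence literature: features A and B co-occur in one record, B and C co-occur in a different record, and the chain A-B-C is a second-order path even though A and C never appear together. The records, feature names and class labels are constructed for the example and are not real BGP measurements; the point is only to show how paths enumerated per class can separate event types while paths that span classes do not.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: each record is one window of BGP update statistics
# reduced to categorical features, plus a class label (worm / blackout / normal).
# Feature names are illustrative placeholders, not a real feature set.
RECORDS = [
    ("worm",     {"update_rate_high", "as_path_len_up", "prefix_churn"}),
    ("worm",     {"update_rate_high", "dup_announce", "prefix_churn"}),
    ("blackout", {"withdraw_rate_high", "unreachable_prefixes", "as_path_len_up"}),
    ("blackout", {"withdraw_rate_high", "unreachable_prefixes", "peer_session_reset"}),
    ("normal",   {"update_rate_low", "stable_paths"}),
]


def first_order_pairs(records):
    """Feature pairs that co-occur inside a single record -> set of record ids."""
    pairs = defaultdict(set)
    for idx, (_, feats) in enumerate(records):
        for a, b in combinations(sorted(feats), 2):
            pairs[(a, b)].add(idx)
    return pairs


def second_order_paths(records):
    """Enumerate second-order paths (A, B, C): A-B co-occur in one record and
    B-C co-occur in a *different* record. Paths are unordered (A < C)."""
    # feature -> {neighbouring feature: set of record ids where they co-occur}
    neighbors = defaultdict(dict)
    for idx, (_, feats) in enumerate(records):
        for a, b in combinations(feats, 2):
            neighbors[a].setdefault(b, set()).add(idx)
            neighbors[b].setdefault(a, set()).add(idx)
    paths = set()
    for b, nbrs in neighbors.items():
        for a, recs_ab in nbrs.items():
            for c, recs_bc in nbrs.items():
                if a >= c:  # emit each A-B-C once, skip A == C
                    continue
                # the two co-occurrences must come from distinct records,
                # otherwise this is just a first-order triple, not a path
                if any(r1 != r2 for r1 in recs_ab for r2 in recs_bc):
                    paths.add((a, b, c))
    return paths


def paths_by_class(records):
    """Second-order paths computed separately over the records of each class."""
    labels = sorted({label for label, _ in records})
    return {lab: second_order_paths([r for r in records if r[0] == lab])
            for lab in labels}


def discriminating_paths(records):
    """Paths that occur in exactly one class; these are the candidate
    patterns a classifier could key on to separate event types."""
    per_class = paths_by_class(records)
    result = {}
    for lab, paths in per_class.items():
        others = set().union(*(p for other, p in per_class.items() if other != lab))
        result[lab] = paths - others
    return result


if __name__ == "__main__":
    for lab, paths in discriminating_paths(RECORDS).items():
        print(lab, len(paths))
        for p in sorted(paths):
            print("   ", " - ".join(p))
```

Running the block shows that "as_path_len_up" alone is not informative (it appears in both worm and blackout records), but the second-order paths through it differ by class, which is the kind of separation the abstract refers to. A path enumerated over the whole dataset that joins a worm-only feature to a blackout-only feature via the shared one spans two classes and is therefore excluded from every class's discriminating set.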
