IP prefix hijack detection using BGP connectivity monitoring

Despite significant ongoing research, the Border Gateway Protocol (BGP) still has conceptual vulnerabilities that allow an Autonomous System (AS) to impersonate the ownership of IP prefixes belonging to other ASes. In this context, a number of studies have focused on securing BGP through history-based and statistics-based behavioural models. This paper proposes a novel method based on tracking the connectivity of suspicious ASes, which are obtained from a program that traces IP prefix hijacking signatures. The paper uses a full cross-validation test to investigate the accuracy of the proposed method and studies the similarities and differences between malicious and benign observations before they are classified. Classification on its own might not be the appropriate technique for IP prefix hijack detection; we therefore propose combining the two methods (signature-based and classification-based) to cover the limitations of each. From a processing perspective, the outputs of the signature-based method are used as inputs to the classification-based one. The main features are extracted from the AS path attributes of potentially suspicious ASes and are considered a mixture of the behavioural characteristics of connectivity among routers. The five supervised classifiers that performed best in previous research, and that suit the characteristics of the dataset, are used in this paper to evaluate the detection method. Using two of these learning algorithms, the Random Forest and J48 classifiers, the detection method is able to detect hijacks with 81% accuracy.
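The following is an added illustration of the two-stage pipeline the abstract describes, not code from the paper. Stage 1 is a stand-in for the signature program: since the abstract does not say which hijack signature it traces, this example assumes a simple origin-conflict signature (a prefix announced with a different origin AS than the one first seen for it). Stage 2 derives connectivity features for each flagged AS from the AS path attributes it appears in; the particular features chosen (neighbour degree, number of paths, mean path length, number of originated prefixes) are assumptions about what such a feature set could contain, and the sample announcements are constructed. The resulting feature rows are what a classifier such as Random Forest or J48 would consume; the classifier itself is not included.

```python
"""Added example (not the paper's code): signature stage feeding a
connectivity-feature stage, as in the abstract's processing design."""
from dataclasses import dataclass

# Constructed sample BGP announcements as (prefix, AS path as list of ASNs).
# Origin AS is the last ASN. AS 65010 originates 203.0.113.0/24 first; a
# later announcement from AS 65099 for the same prefix is a constructed
# origin conflict.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [65001, 65002, 65010]),
    ("203.0.113.0/24", [65003, 65002, 65010]),
    ("198.51.100.0/24", [65001, 65004, 65020]),
    ("198.51.100.0/24", [65003, 65005, 65020]),
    ("203.0.113.0/24", [65006, 65099]),  # conflicting origin for the prefix
    ("192.0.2.0/24", [65001, 65002, 65010]),
]


def origin_of(as_path):
    """The origin AS is the right-most ASN in an AS path."""
    return as_path[-1]


def signature_suspicious_ases(updates):
    """Stage 1 (assumed signature): flag any AS that originates a prefix
    whose first-seen origin was a different AS. The first-seen origin is
    treated as the legitimate holder; in practice RPKI/IRR data would be
    used instead of first-seen order."""
    first_origin = {}
    suspicious = set()
    for prefix, path in updates:
        origin = origin_of(path)
        known = first_origin.setdefault(prefix, origin)
        if known != origin:
            suspicious.add(origin)
    return suspicious


@dataclass
class ConnectivityFeatures:
    asn: int
    neighbour_degree: int      # distinct adjacent ASNs in observed paths
    path_count: int            # number of paths containing the AS
    mean_path_length: float    # mean length of those paths
    originated_prefixes: int   # distinct prefixes the AS originates


def connectivity_features(asn, updates):
    """Stage 2: connectivity features derived from every AS path that
    contains `asn` (assumed feature set, see lead-in)."""
    neighbours = set()
    lengths = []
    prefixes = set()
    for prefix, path in updates:
        if asn not in path:
            continue
        lengths.append(len(path))
        for i, hop in enumerate(path):
            if hop != asn:
                continue
            # Adjacent hops are BGP neighbours; skip self for prepended paths.
            for j in (i - 1, i + 1):
                if 0 <= j < len(path) and path[j] != asn:
                    neighbours.add(path[j])
        if origin_of(path) == asn:
            prefixes.add(prefix)
    mean_len = sum(lengths) / len(lengths) if lengths else 0.0
    return ConnectivityFeatures(asn, len(neighbours), len(lengths),
                                mean_len, len(prefixes))


def feature_table(updates):
    """Run stage 1, then stage 2 only on the ASes stage 1 flagged.
    Returns {asn: ConnectivityFeatures}; rows are classifier input."""
    return {asn: connectivity_features(asn, updates)
            for asn in signature_suspicious_ases(updates)}


def as_vector(features):
    """Numeric feature row in a fixed order for a classifier."""
    return [features.neighbour_degree, features.path_count,
            features.mean_path_length, features.originated_prefixes]


if __name__ == "__main__":
    for asn, feats in feature_table(SAMPLE_UPDATES).items():
        print(asn, as_vector(feats))
```

With the constructed input, only AS 65099 passes the signature stage, and its feature row (one neighbour, one path, path length 2, one originated prefix) differs markedly from the legitimate origin AS 65010, which is the kind of contrast the abstract says is studied between malicious and benign observations before classification.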
