Bigfoot: A geo-based visualization methodology for detecting BGP threats

Studies of inter-domain routing in the Internet have highlighted the complex and dynamic nature of connectivity changes that take place daily on a global scale. The ability to assess and identify normal, malicious, irregular and unexpected behaviors in routing update streams is important in daily network and security operations. In this paper we describe Bigfoot, a Border Gateway Protocol (BGP) update visualization system that has been designed to highlight and assess a wide variety of behaviors in update streams. At the core of Bigfoot is the notion of visualizing the announcements of network prefixes via IP geolocation. We investigate different representations of polygons for network footprints and show how straightforward application of IP geolocation can lead to representations that are difficult to interpret. Bigfoot includes techniques to filter, organize, analyze and visualize BGP updates that enable characteristics and behaviors of interest to be identified effectively. To demonstrate Bigfoot's capabilities, we consider 1.79B BGP updates collected over a period of one year and identify 139 candidate events in this data. We investigate a subset of these events in detail, along with ground truth from existing literature to show how network footprint visualizations can be used in operational deployments.
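The core idea in the abstract, as an added illustration rather than the Bigfoot authors' code: geolocate the /24 blocks an announced prefix covers (from a constructed table), turn them into a convex-hull polygon that serves as the prefix's footprint, measure the polygon's extent to spot the hard-to-interpret case, and flag origin-AS changes in a constructed update stream as candidate events. The geolocation table, addresses, ASNs and the origin-change criterion are all assumptions made for this example.

```python
import ipaddress
GEO24 = {  # constructed geolocation table: /24 block -> (lat, lon) in degrees
    "198.18.0.0/24": (40.71, -74.01), "198.18.1.0/24": (40.75, -73.99), "198.18.2.0/24": (41.88, -87.63),
    "198.18.3.0/24": (34.05, -118.24), "198.18.4.0/24": (52.52, 13.41), "198.18.5.0/24": (52.37, 4.90),
}

def convex_hull(points):
    """Andrew's monotone chain; returns the hull vertices in boundary order."""
    pts = sorted(set(points))
    if len(pts) <= 2: return pts
    cross = lambda o, a, b: (a[0]-o[0])*(b[1]-o[1]) - (a[1]-o[1])*(b[0]-o[0])
    halves = []
    for seq in (pts, pts[::-1]):           # lower hull, then upper hull
        chain = []
        for p in seq:
            while len(chain) >= 2 and cross(chain[-2], chain[-1], p) <= 0:
                chain.pop()                # drop points that make a non-left turn
            chain.append(p)
        halves.append(chain[:-1])          # the end point repeats in the other half
    return halves[0] + halves[1]

def footprint(prefix):
    """Polygon footprint: hull of the geolocated /24 blocks the prefix covers."""
    net = ipaddress.ip_network(prefix)
    blocks = ([net.supernet(new_prefix=24)] if net.prefixlen >= 24
              else list(net.subnets(new_prefix=24)))
    return convex_hull(GEO24[str(b)] for b in blocks if str(b) in GEO24)

def span_degrees(poly):
    """Bounding-box extent (lat, lon); a huge span marks a hard-to-read polygon."""
    lats, lons = zip(*poly)
    return max(lats) - min(lats), max(lons) - min(lons)

def candidate_events(updates):
    """Flag announcements whose origin AS differs from the prefix's previous one
    (a simple criterion chosen for this example), with the footprint to plot."""
    last, events = {}, []
    for ts, prefix, as_path in updates:
        origin = as_path[-1]
        if prefix in last and last[prefix] != origin:
            events.append((ts, prefix, last[prefix], origin, footprint(prefix)))
        last[prefix] = origin
    return events

# Constructed update stream: (timestamp, prefix, AS path), ASNs from 64496-64511.
UPDATES = [
    (1, "198.18.0.0/22", [64496, 64500]),
    (2, "198.18.4.0/23", [64497, 64501]),
    (3, "198.18.0.0/22", [64498, 64502]),   # new origin AS: a candidate event
]
```

The /22 footprint spans roughly 44 degrees of longitude because its /24s geolocate to both US coasts, which is exactly the kind of polygon the abstract says is difficult to interpret; the /23 stays compact in Europe.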
