Netinfo Security (信息网络安全) ›› 2019, Vol. 19 ›› Issue (11): 63-70. doi: 10.3969/j.issn.1671-1122.2019.11.009

• Technical Research •

Research on Inter-domain Routing Anomaly Detection Technology (Chinese title: 域间路由异常检测技术研究)

DENG Hailian (邓海莲) (1), LIU Yujing (刘宇靖) (1), GE Yixuan (葛一漩) (2), SU Jinshu (苏金树) (1)

  1. College of Computer Science and Technology, National University of Defense Technology, Changsha, Hunan 410005, China
  2. College of Liberal Arts and Sciences, National University of Defense Technology, Changsha, Hunan 410005, China
  • Received: 2019-07-17 Online: 2019-11-10 Published: 2020-05-11
  • About the authors: DENG Hailian (邓海莲, b. 1992), male, from Guangxi, master's student; research interest: network security. LIU Yujing (刘宇靖, b. 1985), female, from Shandong, assistant researcher, PhD; research interest: security of network routing systems. GE Yixuan (葛一漩, b. 1998), male, from Shandong, undergraduate; research interest: network security. SU Jinshu (苏金树, b. 1965), male, from Fujian, professor, PhD; research interest: cyberspace security.

  • Funding: National Natural Science Foundation of China [61602503]

Research on Inter-domain Routing Anomaly Detection Technology

Hailian DENG (1), Yujing LIU (1), Yixuan GE (2), Jinshu SU (1)

  1. College of Computer Science and Technology, National University of Defense Technology, Changsha, Hunan 410005, China
  2. College of Liberal Arts and Sciences, National University of Defense Technology, Changsha, Hunan 410005, China
  • Received: 2019-07-17 Online: 2019-11-10 Published: 2020-05-11

Abstract (Chinese version, translated):

Because of flaws in the design of the BGP protocol, the Internet's inter-domain routing system faces serious security problems such as prefix hijacking, path tampering and route leaks. Existing routing anomaly detection systems usually detect anomalies from abnormal features of routing messages and data traffic. However, because the network environment changes constantly and routing attacks take many forms, locating anomalous events efficiently and accurately is difficult. By analyzing a large volume of real inter-domain routing data, this paper finds that routing changes follow a power law: the routes between the vast majority of source-destination pairs are stable, while the routes between a very small fraction of pairs change frequently. Based on this observation, the paper proposes a detection method that identifies anomalous routing behavior by comparing observed routing behavior against a normal model and measuring the deviation, and validates it on a real Internet incident in which Google accidentally hijacked Japanese network prefixes. The method provides strong support for detecting and analyzing routing anomalies and is significant for faster response to anomalous events.

Keywords (Chinese version, translated): inter-domain routing, anomaly detection, BGP

Abstract:

Because of shortcomings in the design of the BGP protocol, the inter-domain routing system suffers from serious security problems such as prefix hijacking, path tampering and route leaks. Current routing anomaly detection systems usually rely on abnormal characteristics of routing messages and data traffic. However, because the network environment changes constantly and routing attacks take many forms, locating abnormal events effectively and accurately is difficult. This paper analyzes massive real inter-domain routing data and finds that routing changes follow a power law: routing between the vast majority of source-destination pairs is stable, while routing between a few source-destination pairs changes frequently. Based on this observation, the paper proposes a method that detects abnormal routing behavior by measuring the deviation of observed routing behavior from a normal model, and tests and verifies it on a real incident on the Internet in which Japanese network prefixes were hijacked. The method can provide strong support for the detection and analysis of routing anomalies and is of great significance for improving rapid response to abnormal events.
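The baseline-versus-deviation idea the abstract describes, as an added illustration that is not the paper's code: a per-prefix origin model is built from a constructed quiet period, and a new announcement is flagged only when the prefix was stable and its origin AS is unseen, while an unseen origin on a prefix that already flaps is reported with low confidence instead. The prefixes, AS numbers and the 0.9 stability threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed training window: (prefix, AS path) as a route collector would record
# them during a quiet period. Prefixes (RFC 5737 ranges) and ASNs are made up.
TRAINING_UPDATES = [
    ("203.0.113.0/24", [64501, 64510, 64520]),   # stable pair: one origin
    ("203.0.113.0/24", [64502, 64510, 64520]),
    ("203.0.113.0/24", [64501, 64510, 64520]),
    ("198.51.100.0/24", [64501, 64530]),         # flapping pair: many origins
    ("198.51.100.0/24", [64503, 64540]),
    ("198.51.100.0/24", [64501, 64550]),
    ("198.51.100.0/24", [64502, 64560]),
]

def build_baseline(updates):
    """Normal model: per prefix, how often each origin AS (last hop) announced it."""
    baseline = defaultdict(Counter)
    for prefix, as_path in updates:
        if as_path:
            baseline[prefix][as_path[-1]] += 1
    return baseline

def stability(origins):
    """Share of announcements carrying the dominant origin (1.0 = never changed)."""
    return origins.most_common(1)[0][1] / sum(origins.values())

def stable_fraction(baseline, threshold=0.9):
    """The power-law observation in one number: the share of prefixes that are stable."""
    stable = sum(1 for o in baseline.values() if stability(o) >= threshold)
    return stable / len(baseline)

def classify(baseline, prefix, as_path, threshold=0.9):
    """Compare a new announcement with the normal model for its prefix."""
    if not as_path:
        return "malformed"
    origins = baseline.get(prefix)
    if origins is None:
        return "unknown-prefix"       # no model yet; deviation cannot be judged
    if as_path[-1] in origins:
        return "normal"               # origin seen before for this prefix
    if stability(origins) >= threshold:
        return "anomaly"              # stable pair, unseen origin: hijack candidate
    return "unstable-prefix"          # pair flaps anyway; deviation carries little signal

if __name__ == "__main__":
    model = build_baseline(TRAINING_UPDATES)
    print(f"stable prefixes: {stable_fraction(model):.2f}")
    print(classify(model, "203.0.113.0/24", [64501, 64599]))
```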

Key words: inter-domain routing, anomaly detection, BGP

CLC number: