域间路由异常检测技术研究

doi:10.3969/j.issn.1671-1122.2019.11.009

信息网络安全 ›› 2019, Vol. 19 ›› Issue (11): 63-70.doi: 10.3969/j.issn.1671-1122.2019.11.009

域间路由异常检测技术研究

邓海莲¹, 刘宇靖¹(), 葛一漩², 苏金树¹

1.国防科技大学计算机学院,湖南长沙 410005
2.国防科技大学文理学院,湖南长沙 410005

收稿日期:2019-07-17 出版日期:2019-11-10 发布日期:2020-05-11
作者简介:
作者简介：邓海莲（1992—）,男,广西,硕士研究生,主要研究方向为网络安全;刘宇靖（1985—）,女,山东,助理研究员,博士,主要研究方向为网络路由系统安全;葛一漩（1998—）,男,山东,本科,主要研究方向为网络安全;苏金树（1965—）,男,福建,教授,博士,主要研究方向为网络空间安全。
基金资助:
国家自然科学基金[61602503]

Research on Inter-domain Routing Anomaly Detection Technology

Hailian DENG¹, Yujing LIU¹(), Yixuan GE², Jinshu SU¹

1. College of Computer Science and Technology, National University of Defense Technology, Changsha Hunan 410005, China
2. College of Liberal Arts and Sciences, National University of Defense Technology,Changsha Hunan 410005, China

Received:2019-07-17 Online:2019-11-10 Published:2020-05-11

摘要/Abstract

摘要：

由于BGP协议设计的缺陷,互联网域间路由系统面临着前缀劫持、路径篡改和路由泄露等严重安全问题。目前相关路由异常检测系统通常利用路由消息和数据流量的异常特征进行检测。但是由于网络环境瞬息变化,路由攻击形式变化多样,高效精确定位异常事件成为难点。文章通过对海量真实域间路由数据的分析可知,路由变化呈现幂律性,即绝大多数的源目对之间的路由是稳定的,极少部分源目对之间的路由是会频繁变化的。基于该观测结果,文章提出一种通过对比路由行为与正常模型的偏差检测异常路由行为的检测方法,并对互联网上真实发生的Google意外劫持日本网络前缀事件进行了检测验证。该方法可对路由异常事件检测、分析提供有力支撑,对提高异常事件的快速反应具有重要意义。

关键词: 域间路由, 异常检测, BGP

Abstract:

Due to the shortcomings of BGP protocol design, the inter-domain routing system suffers serious security problems such as prefix hijacking, path tampering and route leakage. Currently, the related routing anomaly detection systems usually use the abnormal characteristics of routing message and data traffic to detect. However, due to the instantaneous change of network environment and the variety of routing attacks, it is difficult to locate abnormal events effectively and accurately. This paper analyzes the massive real inter-domain routing data and finds that the routing changes show power law, that is, the routing between the vast majority of source target pairs is stable, and the routing between a few source target pairs will change frequently. Based on the observation results, this paper proposes a detection method of detecting abnormal routing behavior by comparing the deviation of routing behavior from the normal model, and tests and verifies the real hijacking of Japanese network events on the Internet. This method can provide powerful support for the detection and analysis of routing abnormal events, and is of great significance for improving the rapid response of abnormal events.

Key words: inter-domain routing, anomaly detection, BGP

中图分类号:

TP309

邓海莲, 刘宇靖, 葛一漩, 苏金树. 域间路由异常检测技术研究[J]. 信息网络安全, 2019, 19(11): 63-70.

Hailian DENG, Yujing LIU, Yixuan GE, Jinshu SU. Research on Inter-domain Routing Anomaly Detection Technology[J]. Netinfo Security, 2019, 19(11): 63-70.

图/表 15

图1

图2

图3

图4

图5

表1

图6

表2

表3

表4

图7

图8

表5

图9

图10

参考文献 16

[1]	LIU Yujing.Research on Survivability of Internet Inter-domain Routing System[D]. Changsha: National University of Defense Technology, 2013.
	刘宇靖. 互联网域间路由系统生存性研究[D].长沙:国防科学技术大学,2013.
[2]	DENG Wenping, ZHU Peidong, LU Xicheng, et al.On Evaluating BGP Routing Stress Attack[J]. JCM, 2010, 5(1): 13-22.
[3]	ZHU Peidong, CAO Huayang, DENG Wenping, et al.A Systematic Approach to Evaluating the Trustworthiness of the Internet Inter-domain Routing Information[J]. IEICE TRANSACTIONS on Information and Systems, 2012, 95(1): 20-28.
[4]	MIZUGUCHI T, YOSHIDA T. Inter-Domain Routing Security: BGP Route Hijacking[EB/OL]. , 2019-6-13.
[5]	KENT S, LYNN C, MIKKELSON J, et al. Secure Border Gateway Protocol(S-BGP) Real World Performance and Deployment Issues[EB/OL]. .
[6]	KRUEGEL C, MUTZ D, ROBERTSON W, et al.Topology-Based Detection of Anomalous BGP Messages[M]//Springer. Recent Advances in Intrusion Detection. Heidelberg: Springer-Verlag, 2003: 17-35.
[7]	LIU Yujing, WANG Zhilin, LI Nan.A Case Study of Detecting and Characterizing Large-Scale Prefix Hijackings in the Internet[C]//ACM. The 2017 VI International Conference on Network, Communication and Computing, December 8-10, 2017, Kunming, China. New York: ACM, 2017: 110-114.
[8]	LAD M, MASSEY D, PEI Dan, et al. PHAS: A Prefix Hijack Alert System[EB/OL]. , 2019-6-13.
[9]	ROUTE Views. University of Oregon Route Views Archive Project[EB/OL]. .
[10]	RIPE NCC. RIS RAW DATA[EB/OL]. , 2019-6-13.
[11]	ZHENG Changxi, JI Lusheng, PEI Dan, et al.A Light-Weights Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time[C]//ACM. The 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, August 27-31, 2007 , Kyoto, Japan. New York: ACM, 2007: 277-288.
[12]	ZHANG Zheng, ZHANG Ying, HU Y C, et al.iSPY: Detecting IP Prefix Hijacking on My Own[J]. IEEE/ACM Transactions on Networking, 2010, 18(6): 1815-1828.
[13]	HU Xin, MAO Z M.Accurate Real-time Identification of IP Prefix Hijacking[C]//IEEE. 2007 IEEE Symposium on Security and Privacy, May 20-23, 2007, Berkeley, USA. NJ: IEEE, 2007: 3-17.
[14]	SHI Xingang, XIANG Yang, WANG Zhiliang, et al.Detecting Prefix Hijackings in the Internet with Argus[C]//ACM. The 2012 ACM Internet Measurement Conference, November 14-16, 2012, Boston, Massachusetts, USA . New York: ACM, 2012: 15-28.
[15]	CAIDA. CAIDA Prefix2as[EB/OL]. , 2019-6-13.
[16]	CAIDA. CAIDA AS Relationships[EB/OL]. , 2019-6-13.

源目对之间正常路由路径变化数量≤	源目对数所占总体源目对数的比例
1	55.2%
2	77.4%
3	86.5%
4	91.2%
5	94.0%
6	95.7%
7	96.9%
8	97.7%
9	98.2%
10	98.7%
11	98.9%
12	99.2%
…	…
145	100%

Prefix	AS
201.156.16.0/20	6503
167.229.212.0/24	16637_2905

检测情况	值
检测路由更新消息总条数/条	21099
正常路由更新消息数/条	0
异常路由更新消息数/条	21099
前缀劫持数/条	0
子前缀劫持数/条	0
针对前缀的路径篡改数/条	2
针对子前缀的路径篡改数/条	21097
路径篡改中的异常链路	15169-4713
路径篡改中的异常链路出现次数/次	21099

域间路由异常检测技术研究

Research on Inter-domain Routing Anomaly Detection Technology

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 15

参考文献 16

相关文章 15

编辑推荐

Metrics

本文评价

[1]	顾兆军, 任怡彤, 刘春波, 王志. 基于一致性预测算法的内网日志检测模型[J]. 信息网络安全, 2020, 20(3): 45-50.
[2]	王伟, 沈旭东. 基于实例的迁移时间序列异常检测算法研究[J]. 信息网络安全, 2019, 19(3): 11-18.
[3]	杨威超, 郭渊博, 钟雅, 甄帅辉. 基于设备型号分类和BP神经网络的物联网流量异常检测[J]. 信息网络安全, 2019, 19(12): 53-63.
[4]	朱海麒, 姜峰. 人工智能时代面向运维数据的异常检测技术研究与分析[J]. 信息网络安全, 2019, 19(11): 24-35.
[5]	李巍, 狄晓晓, 王迪, 李云春. 基于子图的服务器网络行为建模及异常检测方法研究[J]. 信息网络安全, 2018, 18(2): 1-9.
[6]	何利, 姚元辉. 基于上下文聚类的云虚拟机异常检测与识别策略[J]. 信息网络安全, 2018, 18(12): 54-65.
[7]	赵刚, 姚兴仁. 基于用户画像的异常行为检测模型[J]. 信息网络安全, 2017, 17(7): 18-24.
[8]	吴鑫, 严岳松, 刘晓然. 基于改进HMM的程序行为异常检测方法[J]. 信息网络安全, 2016, 16(9): 108-112.
[9]	杨连群, 温晋英, 刘树发, 王峰. 一种改进的图分割算法在用户行为异常检测中的应用[J]. 信息网络安全, 2016, 16(6): 35-40.
[10]	何明亮, 陈泽茂, 左进. 基于多窗口机制的聚类异常检测算法[J]. 信息网络安全, 2016, 16(11): 33-39.
[11]	刘汝隽, 辛阳. 网络安全数据可视分析系统的设计与实现[J]. 信息网络安全, 2016, 16(11): 40-44.
[12]	孙泽民, 芦天亮, 周阳. 基于BGP 协议的TCP MD5加密认证的破解技术分析[J]. 信息网络安全, 2015, 15(9): 37-40.
[13]	汤健, 孙春来, 毛克峰, 贾美英. 基于主元分析和互信息维数约简策略的网络入侵异常检测[J]. 信息网络安全, 2015, 15(9): 78-83.
[14]	胡照明,刘磊,尚博文,朱培栋. 一种AS-IP宣告关系真实性评估方法研究[J]. 信息网络安全, 2015, 15(11): 33-39.
[15]	李凌云, 敖吉, 乔治, 李剑. 基于微博的安全事件实时监测框架研究[J]. 信息网络安全, 2015, 15(1): 16-23.