A BGP Hijacking Detection System Based On Multi-dimensional Historical Data Analysis

Posted on: 2021-02-16
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Li
GTID: 2518306308467174
Subject: Computer technology

Abstract/Summary:
The Border Gateway Protocol (BGP) is the standard inter-domain routing protocol of the Internet. Its reliability and stability bear on the security of the whole Internet. BGP lacks an authentication mechanism for address resources. Illegal or erroneous routing configuration leads to prefix hijacking events, which seriously affect the normal operation of network communication and upper-layer application services. Traditional methods for detecting hijacking events mainly analyze changes in prefix ownership using control-plane sources, or use active probing to obtain data-plane features and the prefix's reachability. These methods rely on a wide range of infrastructure, measurement point coverage and continuous detection. However, the Internet carries routing information in various dimensions, and historical routing messages contain a great deal of valuable and stable prefix ownership information, which provides more data support for prefix hijacking detection. This paper proposes a prefix hijacking detection method based on multi-dimensional historical data analysis and implements a prefix hijacking detection system based on it. The method uses multi-dimensional historical data to address the difficulty of acquiring benchmark data and its low accuracy. At the same time, it avoids the large deployment cost and long detection delay of the active probing method. The main work of this paper covers two aspects. First, this paper proposes a prefix hijacking detection method based on multi-dimensional historical data analysis. By analyzing and quantifying historical BGP routing table data, authoritative historical registration data and AS geographic location data, a credibility table of the correspondence between IP prefix and origin AS is obtained as the benchmark data for judging prefix hijacking. Second, based on this method, this paper designs and implements a prefix hijacking detection system comprising four modules: data collection, data analysis, data storage and anomaly detection. The system extracts BGP update information and compares it with the system knowledge base to obtain the credibility of the relationship between the IP prefix and the origin AS in the update. It raises an alert on anomalies according to a preset threshold. The experimental results show that the system can effectively and accurately detect prefix hijacking events.
Keywords/Search Tags: BGP, prefix hijacking, anomaly detection, quantitative analysis