
Research On BGP Hijacking Anomaly Detection Algorithm Based On MOAS Event Characteristics

Posted on: 2022-06-13
Degree: Master
Type: Thesis
Country: China
Candidate: K Y Chen
Full Text: PDF
GTID: 2518306341450624
Subject: Computer Science and Technology
Abstract/Summary:
The global Internet is composed of tens of thousands of Autonomous Systems (AS) with different internal structures. The Border Gateway Protocol (BGP) is responsible for delivering and exchanging routing messages among these autonomous systems. BGP has become an important piece of Internet infrastructure, and ensuring its security is of great significance for maintaining the security of cyberspace. However, because security was not considered when BGP was first designed, BGP security issues continue to emerge. BGP prefix hijacking is a BGP security issue that has received continuous attention from domestic and foreign researchers.

Multiple Origin Autonomous System (MOAS) conflict detection is used to detect prefix hijacking in the control plane. Its core is to distinguish normal MOAS conflicts from abnormal ones. The current common method is to check whether the origin AS in a message is authorized to announce the prefix, so as to ensure the validity of the mapping between the prefix and the origin AS. This requires the support of the RPKI authentication mechanism, but RPKI deployment is currently low and protected prefixes account for only one-fifth of all prefixes, so the scope of detection is limited.

To remove the dependence of MOAS detection on the authentication mechanism, this thesis proposes a prefix hijacking detection algorithm based on the characteristics of MOAS events: it studies how the origin AS changes over time during an MOAS conflict and determines from these characteristics whether the conflict is abnormal. To this end, the algorithm collects and processes the latest UPDATE messages to find MOAS conflicts in the routing, extracts multiple independent MOAS events based on the observations from different observation points, and then, according to how the status of the origin AS seen from the different observation points changes over time, creates an event matrix for each single event and calculates its eigenvalues. Finally, it determines whether the MOAS event is abnormal based on these eigenvalues. If the MOAS event is abnormal, its corresponding "prefix-MOAS number" mapping relationship is abnormal, and it is determined that a hijacking event has occurred.

Based on this research, the thesis designs and implements a BGP prefix hijacking detection system. The system is divided into three main modules: a data acquisition module, a data analysis module and an anomaly detection module, which together realize the detection of BGP prefix hijacking. Experiments show that the system can find and extract MOAS events, determine whether an event is abnormal based on the characteristic values, and discover prefix hijacking. Comparing the experimental results with the BGPStream public data set shows that the anomaly detection rate of this system is close to 90%.
Keywords/Search Tags: Border Gateway Protocol, Prefix Hijacking, Multi-Origin AS, Anomaly Detection
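
The MOAS discovery and event-matrix steps described in the abstract, as an added example that is not the thesis's code. The update tuple layout, the observation point names, the sample data and the matrix layout (rows = observation points, columns = update times, cells = origin AS seen) are assumptions; the eigenvalue and classification steps are not specified on this page and are not reproduced.

```python
from collections import defaultdict

# Constructed sample: (timestamp, observation point, prefix, AS path).
# Prefixes and AS numbers are from the documentation ranges.
UPDATES = [
    (0, "vp1", "203.0.113.0/24", [64500, 64510, 64496]),
    (0, "vp2", "203.0.113.0/24", [64501, 64496]),
    (0, "vp3", "203.0.113.0/24", [64502, 64496]),
    (60, "vp1", "203.0.113.0/24", [64500, 64499]),   # second origin appears
    (120, "vp2", "203.0.113.0/24", [64501, 64499]),
    (180, "vp1", "203.0.113.0/24", [64500, 64510, 64496]),
    (240, "vp2", "203.0.113.0/24", [64501, 64496]),  # conflict ends
    (0, "vp1", "198.51.100.0/24", [64500, 64497]),   # single origin throughout
    (60, "vp2", "198.51.100.0/24", [64501, 64497]),
]

def moas_events(updates):
    """Replay announcements in time order; return one record per MOAS event."""
    current = defaultdict(dict)  # prefix -> {observation point: origin AS}
    by_time = defaultdict(list)
    for ts, vp, prefix, path in updates:
        # Assumption: origin AS is the last AS in the path (no AS_SET handling).
        by_time[ts].append((vp, prefix, path[-1]))
    open_ev, done = {}, []
    for ts in sorted(by_time):
        touched = set()
        for vp, prefix, origin in by_time[ts]:
            current[prefix][vp] = origin
            touched.add(prefix)
        for prefix in sorted(touched):
            origins = set(current[prefix].values())
            ev = open_ev.get(prefix)
            if len(origins) > 1:  # more than one origin AS visible: MOAS conflict
                if ev is None:
                    ev = open_ev[prefix] = {"prefix": prefix, "start": ts,
                                            "end": None, "origins": set(), "columns": []}
                ev["origins"] |= origins
                ev["columns"].append((ts, dict(current[prefix])))
            elif ev is not None:  # all observation points agree again
                ev["end"] = ts
                done.append(open_ev.pop(prefix))
    return done + list(open_ev.values())  # events still open keep end=None

def event_matrix(ev):
    """Rows: observation points. Columns: update times inside the event."""
    vps = sorted({vp for _, snap in ev["columns"] for vp in snap})
    return {vp: [snap.get(vp) for _, snap in ev["columns"]] for vp in vps}
```

Withdrawals are not modelled here; a real feed would also need to clear an observation point's entry when the prefix is withdrawn.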