
Research On Anomaly Detection Technology Of Inter-domain Routing

Posted on: 2020-08-27
Degree: Master
Type: Thesis
Country: China
Candidate: H L Deng
Full Text: PDF
GTID: 2518306548990329
Subject: Master of Engineering

Abstract/Summary:
Nowadays, the Internet is developing rapidly, the scale of the network is expanding, and data traffic is increasing exponentially. The inter-domain routing system plays an increasingly important role. Because the inter-domain routing protocol (Border Gateway Protocol, BGP) was flawed from its initial design and lacks an effective security authentication mechanism, the inter-domain routing system faces serious security problems such as prefix hijacking, path tampering and route leakage. Although there have been many studies on improving the security authentication mechanism of inter-domain routing protocols, there is a persistent lack of incentive to renew network protocols and equipment because of commercial interests among manufacturers. Therefore, these mechanisms have not really been applied to real networks, and it is difficult for them to effectively solve the current security problems of inter-domain routing. The more practical and easy-to-deploy anomaly detection mechanism has therefore become an important solution.

At present, research in the field of inter-domain routing anomaly detection usually uses the abnormal characteristics of routing messages and data traffic for detection. However, because the network environment changes rapidly, the forms of inter-domain routing attacks are diverse and difficult to predict. How to accurately and efficiently detect and analyze large-scale inter-domain routing anomalies is a very challenging task. In response to this problem, the main work and innovations of this thesis are as follows:

1. Analyze the normal inter-domain routing state and find a power law in the number of routing paths per source-destination pair. By analyzing a large amount of inter-domain routing data, it is found that, in the absence of abnormal events, the number of routing paths from most source addresses (monitoring point IP addresses) to destination addresses (prefix IP addresses) is very small, and only a very small fraction of pairs have many paths. That is, the route between most source-destination pairs is stable, and the route between a very small fraction of pairs changes frequently. This property is the key basis for the inter-domain anomaly detection method in this thesis.

2. Based on the power law of normal routing paths, an inter-domain routing anomaly detection algorithm is proposed. Based on the regularity of source-to-destination routing paths under normal routing conditions, combined with the characteristics of the abnormal behaviors of prefix hijacking and path tampering, a routing path feature database, a prefix correspondence feature database, and an AS adjacency feature database are constructed as the normal routing state model for anomaly detection. A detection method is proposed that detects abnormal routing behavior by comparing the deviation of routing behavior from the normal model. Three detection indicators are defined: the number of BGP Update messages, the number of new path routes, and the difference value of single path routes. This method is used to detect the historical event of Google's accidental hijacking of Japanese network prefixes in 2017, as well as the inter-domain routing anomalous behaviors of sub-prefix hijacking, prefix hijacking with path tampering, and sub-prefix hijacking with path tampering.

3. Complete the design and implementation of the inter-domain routing anomaly detection system. According to the proposed inter-domain routing anomaly detection algorithm, the functional requirements of the system are analyzed, and the design and implementation of six modules are completed: data acquisition module, preprocessing module, database module, screening module, anomaly detection module and visualization module. The detection of events demonstrates the detection effect.
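The following Python sketch illustrates the comparison against a normal-state model described in item 2; it is an added example, not code from the thesis. The record format, the class and function names, the finding labels and the classification rules are assumptions, and only the first two indicators are computed because the abstract does not define the difference value of single path routes.

```python
import ipaddress

def parse(record):  # constructed format: 'monitor|prefix|AS path'
    monitor, prefix, path = record.split("|")
    return monitor, ipaddress.ip_network(prefix), tuple(path.split())

class Baseline:
    """Normal-state model built from updates assumed to be anomaly-free."""
    def __init__(self, records):
        self.paths = set()   # routing path features: (monitor, prefix, AS path)
        self.origins = {}    # prefix features: prefix -> origin ASes seen
        self.links = set()   # AS adjacency features: unordered AS pairs
        for monitor, prefix, path in map(parse, records):
            self.paths.add((monitor, prefix, path))
            self.origins.setdefault(prefix, set()).add(path[-1])
            self.links.update(frozenset(p) for p in zip(path, path[1:]))

    def covering(self, prefix):  # most specific baseline prefix containing `prefix`
        hits = [p for p in self.origins
                if p.version == prefix.version and prefix.subnet_of(p)]
        return max(hits, key=lambda p: p.prefixlen, default=None)

    def check(self, records):  # compare one window of updates with the baseline
        report = {"updates": len(records), "new_paths": 0, "findings": []}
        for monitor, prefix, path in map(parse, records):
            if (monitor, prefix, path) in self.paths:
                continue
            report["new_paths"] += 1
            known = self.covering(prefix)
            if known is None:
                kind = "unknown prefix"
            elif path[-1] not in self.origins[known]:
                kind = "prefix hijack" if known == prefix else "sub-prefix hijack"
            elif any(frozenset(p) not in self.links for p in zip(path, path[1:])):
                kind = "path tampering"
            else:
                continue  # new path, but origin and every AS link are known
            report["findings"].append((kind, str(prefix), " ".join(path)))
        return report

# Constructed sample data: documentation prefixes and reserved AS numbers.
BASELINE = ["m1|198.51.100.0/24|64500 64501 64510",
            "m2|198.51.100.0/24|64502 64501 64510",
            "m1|203.0.113.0/24|64500 64503 64511"]
WINDOW = ["m1|198.51.100.0/24|64500 64501 64510",   # already in the baseline
          "m1|198.51.100.0/24|64500 64504",          # unexpected origin
          "m2|198.51.100.128/25|64502 64505",        # more specific, unexpected origin
          "m1|203.0.113.0/24|64500 64506 64511",     # unseen AS links
          "m2|203.0.113.0/24|64500 64503 64511"]     # new path, known features
REPORT = Baseline(BASELINE).check(WINDOW)
```

A new path whose origin and AS links all appear in the baseline raises the new-path count without producing a finding, which is why the two indicators are reported separately from the findings list.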
Keywords/Search Tags:Inter-domain, Anomaly Detection, BGP Security, Abnormal Behavior