
Research On Multi-Dimensional Security Monitoring For The Internet Inter-domain Routing

Posted on: 2011-07-10
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Cao
GTID: 2178360305482719
Subject: Computer Science and Technology

Abstract/Summary:
With the commercialization of the Internet, more applications have been deployed on it. The inter-domain routing system is the key infrastructure of the Internet and has a decisive impact on traffic forwarding. Because the inter-domain routing system is vulnerable due to its lack of security mechanisms, several new routing protocols have been designed. However, because of deployment difficulties and running costs, these protocols have not been adopted by industry. Although some companies offer monitoring services to the public, these services focus only on displaying routing information and do not address security. Based on in-depth research on the security and stability of the inter-domain routing system, we propose a multi-dimensional detection framework that discovers potential anomalies in both routing items and traffic across the data plane, control plane and policy plane. Experiments on routing information archives show that, through mutual complement and validation across multiple dimensions, our security-directed and measure-enriched approach is able to detect routing anomalies quite accurately and completely. The key detection techniques in our approach are described as follows.

As the routing table is the basis of traffic routing, we propose a table-based security detection mechanism. We classify anomalies into two categories, format anomalies and semantic anomalies, and design single-view and multi-view detection models based on this classification. The table-based detection mechanism is extensible: new detection models can be imported into it. It acts as a foundational detection measure and can be used to verify results detected by other means. Experiments show that this mechanism performs well in in-depth anomaly detection.

To meet the real-time requirement of anomaly awareness, we propose a packet-based anomaly detection mechanism for inter-domain routing, which includes two techniques: a real-time anomaly detection model based on simplified validity detection rules, and a model for detecting MOAS that uses a packet buffer to cache multiple UPDATE packets for combined detection. This mechanism can be used as a real-time measure for anomaly detection and supports fixing network failures in time. We demonstrate its validity by showing the detection result related to YouTube.

To address the difficulty of data acquisition and the computational cost of routing-item-based detection, we also propose a novel approach for detecting BGP anomalies: the traffic-based detection mechanism. The Hurst exponent, which turns out to lie between 0.5 and 1, shows that BGP UPDATE traffic follows a self-similar pattern, which motivates us to choose discrete wavelet transforms for analyzing the traffic. By applying wavelet analysis to BGP UPDATE traffic, we observe traffic anomalies. Moreover, we cluster these anomalies to assess the anomaly propagation scope. Finally, we monitor traffic for specified networks to detect prefix hijacking, and the experiments show that our approach is effective in reducing the scale of prefix-hijacking detection.

Finally, we design and implement a multi-dimensional monitoring system based on the above techniques. Horizontally, the system includes four models: the routing knowledge database, the table-based detection model, the packet-based detection model and the traffic-based detection model. Vertically, the system comprises four layers: the network monitoring layer, the data-acquisition layer, the core detection layer and the service layer. As a complement to the system, we designed a multi-source routing information collection mechanism, which can effectively and steadily collect routing data and routing knowledge from various information sources to support the running of the monitoring system.
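The buffered MOAS check described in the packet-based mechanism above can be sketched as follows. This is an added example, not code from the thesis: the sliding time window, the `MoasBuffer` and `detect_moas` names, the 60-second default and the sample UPDATEs (documentation prefixes and AS numbers) are all assumptions, and timestamps are assumed to arrive in non-decreasing order.

```python
from collections import deque, defaultdict

# Constructed sample: (timestamp_s, announced prefix, AS_PATH); documentation values only.
SAMPLE_UPDATES = [
    (0,   "203.0.113.0/24",  [64500, 64501, 64510]),
    (5,   "198.51.100.0/24", [64500, 64502, 64520]),
    (20,  "203.0.113.0/24",  [64500, 64503, 64666]),  # second origin inside the window
    (30,  "198.51.100.0/24", [64505, 64520]),         # new path, same origin
    (400, "198.51.100.0/24", [64500, 64530]),         # new origin, older entries expired
]

class MoasBuffer:
    """Sliding-window cache of UPDATE announcements, keyed by prefix and origin AS."""

    def __init__(self, window_s=60):  # window length is an assumption
        self.window_s = window_s
        self.buffer = deque()  # (ts, prefix, origin), oldest first
        self.origins = defaultdict(lambda: defaultdict(int))  # prefix -> origin -> count

    def _expire(self, now):
        # Drop cached announcements older than the window and their origin counts.
        while self.buffer and now - self.buffer[0][0] > self.window_s:
            _, prefix, origin = self.buffer.popleft()
            counts = self.origins[prefix]
            counts[origin] -= 1
            if counts[origin] == 0:
                del counts[origin]
            if not counts:
                del self.origins[prefix]

    def add(self, ts, prefix, as_path):
        """Cache one announcement; return the sorted origin list if the prefix is MOAS."""
        self._expire(ts)
        origin = as_path[-1]  # the origin AS is the last hop in AS_PATH
        self.buffer.append((ts, prefix, origin))
        self.origins[prefix][origin] += 1
        seen = sorted(self.origins[prefix])
        return seen if len(seen) > 1 else None

def detect_moas(updates, window_s=60):
    """Return (ts, prefix, origins) for each UPDATE seen while its prefix has >1 origin."""
    buf, alerts = MoasBuffer(window_s), []
    for ts, prefix, as_path in updates:
        origins = buf.add(ts, prefix, as_path)
        if origins:
            alerts.append((ts, prefix, origins))
    return alerts

if __name__ == "__main__":
    for alert in detect_moas(SAMPLE_UPDATES):
        print(alert)
```

A MOAS alert is only a candidate anomaly: multihoming and anycast produce legitimate multiple origins, which is why the abstract pairs this check with validation from the other detection dimensions.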
Keywords/Search Tags:inter-domain routing, security monitoring, multi-dimensional detection, wavelet analysis, routing information collection, monitoring system