Cyberspace is composed of thousands of Autonomous Systems (AS). Each Autonomous System is a set of devices that share a routing policy and are managed by the same organization. As the basic unit of cyberspace, the AS is also the basic information hub for network interconnection. Because the Border Gateway Protocol (BGP) used for communication between ASes lacks a route authentication mechanism, and because AS management is closed and independent, some attackers exploit the absence of path or origin authentication in inter-AS information exchange to announce maliciously forged route prefixes. The hijacked address blocks are then used to carry out malicious activities, which poses a serious challenge to the security of Internet inter-domain routing. Such attackers are often clustered, so detecting malicious organizations at AS granularity is of great significance for Internet security.

Malicious AS detection is usually discussed from the data plane and the control plane. Data-plane research cannot effectively distinguish a legitimate AS from a malicious AS whose address blocks are being abused. Control-plane research uses the routing behavior characteristics of malicious ASes for detection. However, control-plane research does not make full use of routing data, and its feature extraction is based on a long time scale, which ignores short-term malicious ASes that quickly disappear from the Internet.

This thesis mines more routing characteristics from routing data and designs separate detection schemes for long-term and short-term malicious ASes according to the time span of their routing behavior. For long-term malicious ASes, routing information accumulated over a long period is used for feature extraction. Routing behavior is analyzed and compared from seven perspectives, including prefix hijacking, prefix reachability and address fragmentation. The importance of each routing feature is evaluated with the ExtraTree method, and malicious scores are then calculated from the feature values and their importance evaluations. Finally, the highest-ranked set of ASes is selected as the long-term malicious AS blacklist. For short-term malicious ASes, routing information accumulated over a short period is used for feature extraction. Rule filtering and malicious score calculation are carried out according to three characteristics, namely low network connectivity, high network activity and prefix hijacking, and the short-term malicious AS blacklist is obtained.

Based on the above study of routing behavior characteristics and the design of the detection methods, this thesis builds a malicious AS detection system that provides a malicious AS blacklist and an AS detail query service. The experimental results show that the detection method captures malicious ASes ahead of their publication online and detects short-term malicious ASes that are easily overlooked, so the system has a degree of foresight and timeliness. The detection results provide a reference for BGP route filtering rules and enable related organizations to take proactive measures against attacks by malicious ASes.
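The following is an added illustration of the short-term scheme described above, not code from the thesis. It derives the three named characteristics (direct-neighbor connectivity, announcement activity and prefix hijacking) per origin AS from a constructed set of BGP announcements, applies a rule filter and computes a malicious score. The thresholds, the score formula and the prefix-to-expected-origin table are assumptions made for the example; the thesis does not specify them.

```python
# Added example (not the thesis's code): short-term malicious AS filtering over
# constructed BGP announcements using low connectivity, high activity and
# prefix hijacking. Thresholds, score formula and EXPECTED_ORIGIN are assumed.
from collections import defaultdict

# Constructed sample announcements: (prefix, AS path from collector peer to origin).
# The origin is the last ASN in the path; the nearest ASN before it that differs
# from the origin is its direct upstream (this also handles origin prepending).
SAMPLE_UPDATES = [
    ("203.0.113.0/24",  [64496, 64500, 64510]),
    ("203.0.113.0/24",  [64496, 64501, 64510]),
    ("203.0.113.0/24",  [64497, 64500, 64510]),
    ("198.51.100.0/24", [64496, 64503, 64511]),
    ("198.51.100.0/24", [64497, 64502, 64520]),         # origin differs from expected
    ("198.51.100.0/24", [64496, 64502, 64520]),
    ("192.0.2.0/24",    [64497, 64502, 64520, 64520]),  # prepended origin, still one upstream
    ("192.0.2.0/24",    [64496, 64502, 64520]),
    ("192.0.2.128/25",  [64496, 64504, 64530]),         # prefix not in the expected table
    ("192.0.2.128/25",  [64497, 64505, 64530]),
]

# Assumed authoritative prefix-to-origin mapping (in practice from ROAs or IRR data).
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64510,
    "198.51.100.0/24": 64511,
    "192.0.2.0/24": 64512,
}


def extract_features(updates, expected_origin):
    """Per origin AS: distinct direct upstreams (connectivity), number of
    announcements (activity) and announcements whose origin contradicts the
    expected origin for that prefix (hijacks)."""
    neighbors = defaultdict(set)
    activity = defaultdict(int)
    hijacks = defaultdict(int)
    for prefix, path in updates:
        origin = path[-1]
        activity[origin] += 1
        upstream = next((asn for asn in reversed(path[:-1]) if asn != origin), None)
        if upstream is not None:
            neighbors[origin].add(upstream)
        expected = expected_origin.get(prefix)
        if expected is not None and expected != origin:
            hijacks[origin] += 1
    return {
        asn: {
            "connectivity": len(neighbors[asn]),
            "activity": activity[asn],
            "hijacks": hijacks[asn],
        }
        for asn in activity
    }


def malicious_score(feat, max_activity):
    """Assumed score in [0, 1]: mean of the hijack ratio, activity normalized by
    the most active AS in the window, and an isolation term that grows as the
    number of distinct upstreams shrinks."""
    hijack_ratio = feat["hijacks"] / feat["activity"]
    activity_norm = feat["activity"] / max_activity
    isolation = 1.0 / (1 + feat["connectivity"])
    return (hijack_ratio + activity_norm + isolation) / 3


def short_term_blacklist(updates, expected_origin, max_connectivity=2, min_activity=3):
    """Rule filter with assumed thresholds (few upstreams, many announcements,
    at least one contradicted origin), then score; returns (asn, score) pairs
    sorted by descending score."""
    feats = extract_features(updates, expected_origin)
    if not feats:
        return []
    max_activity = max(f["activity"] for f in feats.values())
    candidates = [
        (asn, malicious_score(f, max_activity))
        for asn, f in feats.items()
        if f["connectivity"] <= max_connectivity
        and f["activity"] >= min_activity
        and f["hijacks"] >= 1
    ]
    return sorted(candidates, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for asn, score in short_term_blacklist(SAMPLE_UPDATES, EXPECTED_ORIGIN):
        print(f"AS{asn}: malicious score {score:.3f}")
```

In the constructed sample, AS64510 is active and has few upstreams but contradicts no expected origin, so the hijack rule keeps it off the list; AS64520 announces two prefixes registered to other origins through a single upstream and is the only AS listed. Prefixes absent from the expected-origin table (AS64530 here) are never counted as hijacks, which is the conservative choice when the authoritative data is incomplete.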