Security Lab Seminar
Wed., Feb. 19, 2003
On Detection of Anomalous Routing Dynamics in BGP
presented by Ke Zhang
Abstract:
An anomaly detection system based on statistical long-term profiling techniques
can effectively detect statistically unusual behavior or behavioral changes
in a complex dynamic system such as the Internet. We use the NIDES anomaly detection
algorithm to develop a methodology for identifying unusual event spots (or "anomalies")
in BGP routing updates. We have chosen two statistical measures for the long-term
profiles, the inter-arrival time of BGP update messages and the number of distinctive
AS paths. We have also devised a set of signatures to classify BGP update patterns.
We evaluated the design by applying the algorithm against BGP update logs over
9 months. The results show that the accuracy of our detection system is reasonably
high. Furthermore, by classifying the detected instances into different types,
we showed the relative frequency and distribution among BGP anomalies in today's
Internet.
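The following is an added illustration of the long-term profiling idea sketched in the abstract; it is not the NIDES algorithm, the authors' code, or their signature set. It assumes a fixed window length, a simple z-score deviation test against a baseline profile, and a constructed BGP update log (timestamp, prefix, AS path) with a burst of updates over many distinct paths in one window. Both measures named in the abstract are computed per window: mean inter-arrival time of updates and the number of distinct AS paths. The "signatures" here are constructed tags based on which measure deviates.

```python
"""Long-term statistical profiling of a BGP update stream (added example,
not the authors' NIDES-based implementation)."""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 600.0      # seconds per profiling window (assumption)
THRESHOLD = 3.0     # |z| at or above which a window is flagged (assumption)

# Constructed AS paths using documentation ASNs; not real routing data.
AS_PATHS = [
    "64500 64501 64502", "64500 64503 64502", "64500 64504 64505 64502",
    "64500 64506 64502", "64500 64507 64508 64502", "64500 64509 64502",
    "64500 64510 64511 64502", "64500 64512 64502",
]

def make_updates(spec):
    """Build a constructed update log from (updates_per_window, distinct_paths)
    tuples. Returns a time-ordered list of (timestamp, prefix, as_path)."""
    updates = []
    for w, (n, k) in enumerate(spec):
        for i in range(n):
            ts = w * WINDOW + i * (WINDOW / n)
            updates.append((ts, "192.0.2.0/24", AS_PATHS[i % k]))
    return updates

def window_features(updates):
    """Per window: mean inter-arrival time and number of distinct AS paths."""
    by_window = defaultdict(list)
    for ts, _prefix, path in updates:
        by_window[int(ts // WINDOW)].append((ts, path))
    feats = {}
    for w, items in sorted(by_window.items()):
        items.sort()
        times = [t for t, _ in items]
        gaps = [b - a for a, b in zip(times, times[1:])]
        iat = mean(gaps) if gaps else WINDOW   # a lone update counts as a quiet window
        feats[w] = {"iat": iat, "paths": len({p for _, p in items})}
    return feats

def build_profile(feats, baseline_windows):
    """Long-term profile: mean and population std dev of each measure
    over the baseline windows."""
    profile = {}
    for m in ("iat", "paths"):
        vals = [feats[w][m] for w in baseline_windows]
        profile[m] = (mean(vals), pstdev(vals))
    return profile

def score(feats, profile):
    """z-score each window's measures against the long-term profile."""
    out = {}
    for w, f in feats.items():
        out[w] = {m: (f[m] - mu) / sd if sd > 0 else 0.0
                  for m, (mu, sd) in profile.items()}
    return out

def classify(z):
    """Constructed signatures keyed on which measure deviates (not the paper's set):
    a sharp drop in inter-arrival time is an update burst, a jump in distinct
    paths suggests path exploration after a topology change."""
    tags = []
    if z["iat"] <= -THRESHOLD:
        tags.append("update-burst")
    if z["paths"] >= THRESHOLD:
        tags.append("path-exploration")
    return tags or ["other"]

def detect(updates, baseline_windows):
    """Return {window: tags} for every window whose deviation crosses THRESHOLD."""
    feats = window_features(updates)
    z = score(feats, build_profile(feats, baseline_windows))
    return {w: classify(z[w]) for w in sorted(z)
            if max(abs(v) for v in z[w].values()) >= THRESHOLD}

# Constructed stream: six ordinary windows, one burst window (40 updates over
# 8 distinct paths), then ordinary traffic again.
SPEC = [(10, 2), (12, 3), (9, 2), (11, 3), (10, 2), (8, 2), (40, 8), (10, 2)]
SAMPLE_UPDATES = make_updates(SPEC)

if __name__ == "__main__":
    print(detect(SAMPLE_UPDATES, baseline_windows=range(6)))
```

Only window 6 is flagged, carrying both tags; the baseline windows and the quiet window after the burst stay under the threshold. In practice the baseline would be a long, sliding history rather than six fixed windows, and the threshold would be tuned per measure against false-positive rate.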