10/17/2002raid 2002, zurich1 elisha: a visual-based anomaly detection system soon-tee teoh, kwan-liu...
Post on 21-Dec-2015
215 views
TRANSCRIPT
10/17/2002 RAID 2002, Zurich 1
ELISHA: A Visual-Based Anomaly Detection System
Soon-Tee Teoh, Kwan-Liu Ma S. Felix Wu
University of California, Davis
Dan Massey, Xiao-Liang ZhaoAllison Mankin
USC/ISI
Dan Pei, Lan Wang, Lixia ZhangUCLA
Randy BushIIJ
10/17/2002 RAID 2002, Zurich 2
Outline
• Visual-based “Anomaly Detection”• The BGP/MOAS Problem• ELISHA and demo• Conclusion/Future Works
10/17/2002 RAID 2002, Zurich 3
A Few Research Objectives
• Limitations on “Anomaly Detection”– We need to convey the alerts (or their
abstraction) to the “human” users or experts
• Not only detecting the problem, but also, via an interactive process, finding more details about it– Root cause analysis– Event Correlation
• Human versus Machine Intelligence
10/17/2002 RAID 2002, Zurich 4
Visual-based “Anomaly Detection”
• Utilize human’s cognitive pattern matching capability and techniques from information visualization.
• “Visual” Anomalies– Something catches your eyes…
10/17/2002 RAID 2002, Zurich 5
An Interactive Process
• Methodology– Build an interactive
interface between network management and operators, so they can visualize the data
– Features help operators quickly perceive anomalies
Data Collection
Filtering
Mapping
Rendering
Viewing
10/17/2002 RAID 2002, Zurich 6
BGP & Autonomous Systems
AS6192 (UCDavis) AS11423 (UC)
AS11537 (CENIC)
169.237/16
10/17/2002 RAID 2002, Zurich 7
6192 UCDavis 11423 UC, the origin ID is CENIC 11537 is admined by University Corporation for Advanced InternetDevelopment, origin ID UCAID-1 513 is admined CERN - European Organization for Nuclear Research
3356 is admined by Level 3 Communications, LLC, origin ID is L3CL-1 6461 is admined by Abovenet Communications, Inc 13129 is RIPE Network Coordination Centre
209 is admined by Qwest, origin ID is QWEST-4 3320 is RIPE Network Coordination Centre 9177 is admined by NEXTRANET, T-Systems Multilink AG Switzerland.
4637 , 1221 and 4608 are admined by APNIC , but I can't find who theyare in APNIC whois database.
3549 is admined by Global Crossing, it is locate at Phoenix AZ .
3257 and 3333, 1103 are RIPE Network Coordination Centre
2914 is admined by Verio, Inc 7018 is admined by AT&T
10/17/2002 RAID 2002, Zurich 8
Origin AS in an AS Path
• UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
• AS Path: 219420911423 6192– 12654 513 11537 11423 6192– 12654 13129 6461 3356 11423 6192– 12654 9177 3320 209 11423 6192– 12654 4608 1221 4637 11423 6192– 12654 777 2497 209 11423 6192– 12654 3549 3356 11423 6192– 12654 3257 3356 11423 6192– 12654 1103 11537 11423 6192– 12654 3333 3356 11423 6192– 12654 7018 209 11423 6192– 12654 2914 209 11423 6192– 12654 3549 209 11423 6192
• Observation Points in the Internet collecting BGP AS Path Updates– RIPE: AS-12654
10/17/2002 RAID 2002, Zurich 9
BGP MOAS/OASC Events
• Observable Changes in IP Address Ownership– OASC: Origin AS Changes
• Example 1:– Multiple ASes announce the same block of IP
addresses.– MOAS stands for Multiple Origin AS.
• Example 2:– Punch Holes in the Address Space.– AS-7777 announced 169.237.6/24
• Maybe legitimate or faulty.• Many different types of MOAS/OASC events
10/17/2002 RAID 2002, Zurich 10
BGP MOAS/OASC Events
year Median number increase rate #BGP table entries increase rate1998 683 520001999 810.5 18.7% 60000 15.40%2000 951 17.3% 80000 33.30%2001 1294 34.8% 109000 36%
Max: 10226(9177 from a single AS)
10/17/2002 RAID 2002, Zurich 11
ELISHA/MOAS
• Low level events: BGP Route Updates• High level events: MOAS/OASC
– Still 1000+ per day and max 10226 per day
• IP address blocks• Origin AS in BGP Update Messages• Different Types of MOAS conflicts
10/17/2002 RAID 2002, Zurich 12
1101
1000
1001
110001110011111001111011
110000110010111000111010
00110110
AS#
Quad-Tree Representation
10/17/2002 RAID 2002, Zurich 13
MOAS Event Types
• Using different colors to represent types of MOAS events
• C type: CSS, CSM, CMS, CMM• H type: H• B type: B• O type: OS, OM
10/17/2002 RAID 2002, Zurich 14
1101
1000
1001
110001110011111001111011
110000110010111000111010
00110110
oneCSMinstance
victim
suspect
Example: CSM (Change SM)
10/17/2002 RAID 2002, Zurich 15
AS-7777 Punched a Hole
Which AS against whichAnd which address blocks?
10/17/2002 RAID 2002, Zurich 16
Interesting ASs to watch
• AS7777– August 14, 2000 H, OS
• AS15412– April 6-19, 2001 CSM, CMS
• AS4740– August 18, 2001 CSM, CMS– September 27, 2001 CSM, CMS
• AS701– May 02, 2001 H (63.0/10)
• 00 11 11 11 00 ***** March 1, 2000, July 11, 200, September 26, 2001...
• AS64518– September 18, 2001-Nimda H’ed from many ASes.
10/17/2002 RAID 2002, Zurich 17
Demo time!!
10/17/2002 RAID 2002, Zurich 18
08/14/2000 & 04/2001
10/17/2002 RAID 2002, Zurich 19
Remarks
• Preliminary but encouraging results– Root cause analysis– Event correlation
• Integration of Information Visualization, Interactive Investigation Process, and Data Mining
• Examining several other problems:– BGP Route Path Dynamics and Stability– TCP/IP and HTTP Traffic
• Availability (source code, papers, ppt)– http://www.cs.ucdavis.edu/~wu/Elisha/
• Sponsored by DARPA and NSF
10/17/2002 RAID 2002, Zurich 20
August 14, 2000 (larger)
10/17/2002 RAID 2002, Zurich 21
2-D versus 3-D on August 14, 2000
10/17/2002 RAID 2002, Zurich 22
10/17/2002 RAID 2002, Zurich 23
BGP AS Path Dynamics (1)
10/17/2002 RAID 2002, Zurich 24
BGP AS Path Dynamics (2)
10/17/2002 RAID 2002, Zurich 25
Address Appearing Frequency
Normal
10/17/2002 RAID 2002, Zurich 26
DDoSAttack