UNIVERSITY OF PISA
PHD THESIS PROPOSAL
Anomaly Detection in Inter-Domain Routing Information
Ph.D. Student: Massimiliano Bertolucci
Supervisors: Prof. Laura Ricci, Dr. Enrico Gregori
October 3, 2016

Chapter 1
Introduction

The Internet is a complex system of interconnections among computer networks located all over the world. In the last few decades, the network of networks that makes up the Internet has evolved from a small U.S. network, i.e. ARPANET, 1969 [18], to the current worldwide network, which is composed of thousands and thousands of private, public, academic and business networks. The key to this growth has been the development of a set of protocols which enable multiple separate networks to join into a network of networks, the Internet. The Internet carries an extensive range of services, such as the web, electronic mail, telephony, peer-to-peer networks and more. Nowadays the Internet reaches 20 billion connected devices [27], and thanks to it it is possible to communicate with people on the other side of the world, retrieve any kind of information at any time, manage the lighting, the temperature and the security of our own house remotely, and do many other things that just a couple of decades ago would have been impossible. Today the Internet is still growing, driven by ever greater amounts of on-line information, commerce, entertainment, video streaming on demand, social networking and so on.

The Internet can be viewed as an ecosystem composed of Autonomous Systems (ASes) that compete and co-operate with one another in order to guarantee global connectivity to end users. In this context, the term compete means that different ASes may have the same core business and therefore compete for the same customers.
At the same time, each AS manages only a small section of the IP address space of the Internet and, in order to guarantee global connectivity, all ASes must exchange routing information to select the right routes. The direct consequence is that the decision on how packets flow through the Internet is made in a decentralised way. BGP [32] is the inter-domain routing protocol used for routing packets among ASes and, since version 4, it deploys Classless Inter-Domain Routing (CIDR) in order to decrease the size of routing tables. BGP was created when the number of ASes involved was much smaller than now, and for this reason it was not developed with security in mind. Consequently, the BGP protocol has no security mechanism against deliberate or accidental errors. Trust between ASes is the basis of this protocol: the reachability information exchanged is always considered correct by all ASes. As a result, faulty, misconfigured or deliberately malicious sources can disrupt overall Internet behaviour by injecting bogus routing information into the BGP distributed routing table. Bogus information can create, change or delete routing information, producing different effects on routing behaviour. For example, a network can become unreachable due to the deletion of one or more segments of routing information.

Until today, the use of an unsafe protocol like BGP has made the Internet vulnerable to different anomalies. In particular, BGP is vulnerable to a number of damaging attacks, often arising from operator misconfiguration, which can have serious global consequences. Recent reports have highlighted incidents of massive Internet traffic interception executed by re-routing BGP paths across the globe, affecting banks, governments, etc. The potential impact of these attacks ranges from massive eavesdropping to identity spoofing or selective content modification.
A famous example is the incident that happened in 1997 [26], when a small ISP originated the first class-C subnet of every IP prefix^1. This created reachability problems for every network and crashed routers around the world by overflowing their routing tables. In 2006, Con Edison originated many prefixes it did not own, causing outages for several networks^2. Another important example is BGP hijacking [2]. BGP hijacking (sometimes referred to as IP hijacking, prefix hijacking or route hijacking) is the illegitimate takeover of groups of IP addresses through the propagation of bogus routing information. Researchers and network operators have documented and studied BGP hijacks that impact network reachability. Such events either create a traffic black hole or illicitly use the victim's address block (e.g. to run spamming campaigns). A major case happened in February 2008 [34, 40], when YouTube, the popular video sharing web site, became unreachable to most people on the Internet. The Pakistan government had ordered all its ISPs to block access to YouTube. To accomplish this, Pakistan Telecom's AS 17557 launched a subprefix hijack by originating the subprefix 208.65.153.0/24 of YouTube's prefix 208.65.153.0/22 to its customer ASes in Pakistan. This meant that traffic destined for YouTube's servers in AS 36561 would instead be forwarded to the longer IP prefix originated by Pakistan Telecom's AS 17557, where the traffic could then be dropped. For 18 minutes on April 8, 2010 [14], China Telecom (AS 23724) announced approximately 50,000 prefixes registered to other ASes, demonstrating that large-scale traffic interception can also occur on the Internet [14]. China Telecom is the 11th largest ISP on the Internet and maintains multiple ASes, partitioning its resources into different geographic regions (e.g., provinces) and types (e.g., data centers vs. regional networks).
Many of these ASes are found as customers of AS 4134 in the AS graph and can be further identified using whois data. Indeed, the erroneous BGP updates originated from AS 23724, which is an AS owned by China Telecom and located in Beijing. Using traceroute, Renesys Corporation was also able to show that network traffic passed into China Telecom's network and back out to the intended destination. Finally, as reported by Renesys Corporation in November 2013^3, there is evidence that traffic interception events are growing more frequent, but there are no validated methods to immediately detect them or evaluate their impact.

^1 http://seclists.org/nanog/1997/Apr/444
^2 http://research.dyn.com/2006/01/coned-steals-the-net/
^3 http://research.dyn.com/2013/11/mitm-Internet-hijacking/

Although the vulnerability of the BGP protocol is well known and widely studied, nowadays there are no validated methods to immediately detect such events or evaluate their impact. Because of their complex dynamics, and the number of different actors involved on a global scale, devising effective methodologies for the detection and characterization of traffic interception events requires empirical and timely data. The aim of this proposal is to define a set of methodologies for the detection of inter-domain routing anomalies, both in an off-line and in a real-time context, and to apply them in the development of a set of tools within the Isolario^4 project. Our main idea is to apply, in our context, solutions that are in some cases adopted in different contexts, such as machine learning, lexical representation of natural language, stigmergy and so on. We will investigate the following issues:

• Model identification: two models have been adopted so far for the representation of BGP data, the Graph model and the Route Automaton model.
The Graph model tends to oversimplify the real situation, whereas processing the very large amount of data produced by the Route Automaton in a real-time context is challenging. The first issue to be investigated is the identification of the most suitable model according to the application context (off-line or real-time).
• Stigmergy: this is a mechanism of indirect and distributed coordination. It has been used as an analysis tool to distinguish normal from anomalous activities. We believe that a stigmergic approach can be a useful tool to highlight route anomalies in an inter-domain routing context.
• Centrality indexes: we think that the use of a centrality index in a routing graph, and the way its values shift over time, can be useful to highlight some route anomalies. We will investigate some variations based on Current Flow Betweenness, where the value of all indices depends on how information flows on the network.
• Machine learning: we will investigate how to automatically find a good predictor based on past routing histories. We believe that this approach can be a useful tool to timely detect any form of anomaly, such as misconfigurations and hijacking attacks.

^4 https://www.isolario.it/

Chapter 2
State of the Art

The Internet is the most incisive technology of the information age and, thanks to the explosion of mobile devices and wireless communication, it is becoming more and more important for human society. During the last decades, the Internet has evolved from a small network (i.e. ARPANET) to the current complex network. The Internet can be defined as a complex system of interconnections among computer networks that use the Internet Protocol Suite to link billions of devices worldwide. Despite its increasingly widespread use, knowledge about its real structure is still incomplete. This is an important issue because it is impossible to detect structural problems of the network unless an outage occurs.
To address this problem, several researchers started to investigate the Internet topology at every level, such as the physical level, the overlay level and the network level. Each of these topological levels is often modelled as a graph, to describe the relationships between the entities and to improve the efficiency of the analysis of this complex structure. The network level is very important to understand and analyse the inter-domain relationships existing on the Internet, and it can be divided into four different levels of abstraction:
1. IP interface level: each node of the graph represents an IP interface of the network, while the edges are the connections between pairs of interfaces. This representation can be obtained by gathering the results of traceroute probes.
2. Router level: each node of the graph represents a router, while each edge represents the connection between two routers. To get this representation, a heuristic method is generally used to aggregate IP interfaces.
3. PoP level: each node represents a collection of routers located in the same Point of Presence (PoP), while the edges are the connections between pairs of PoPs. To obtain this level, either a reverse DNS lookup technique is used, or the peculiar characteristics of IP interfaces at the IP interface level are looked for.
4. AS level: each node represents an Autonomous System (AS), an organization or part of it that manages one or more blocks of IP prefixes, while each edge represents a business relationship between two adjacent ASes, established through the Border Gateway Protocol (BGP version 4). In order to obtain an accurate topology of this level, data is typically gathered via Route Collectors or by IP-to-AS methods that infer an AS from the IP interface level.
Even if all these levels of abstraction have been widely studied in the recent past by a rich community of researchers, due to the poor knowledge of the real Internet characteristics we are still far from obtaining a true topological representation of the network. Indeed, the real Internet structure is not driven merely by scientific metrics but mostly by economic and geographic factors, and the main cause of this partial knowledge is the reluctance of ISPs to provide their internal routing information. This last consideration is the main reason why we will focus on the AS level. In this section we will focus on how the Internet's AS structure is composed and why it has taken this form. Afterwards we face the problem of detecting anomalous events in Internet routing.

2.1 Towards the Autonomous System Architecture

In the recent past, several researchers have proposed different approaches in order to obtain more information on the topological structure of the Internet. Although these different approaches have increased the amount of useful information describing the routes of packets, nowadays we have to accept that our knowledge of the real topological structure of the Internet is incomplete. To explain this data incompleteness it is necessary to understand how the Internet is composed and how it works. As already mentioned, the Internet is a network composed of thousands of distinct networks joined by the same exterior routing protocol. All the different networks that build the Internet are grouped under the administrative control of about 55,000 different Autonomous Systems (ASes) [10].

Autonomous System design. The idea at the basis of AS design consists in providing an additional tool to aggregate routing information in a hierarchical way, in order to improve the scalability of the system. Moreover, the AS architecture decouples inter-domain routing between different ASes.
Each AS can use one or more of the existing inter-domain routing protocols autonomously with respect to the others. Indeed, the main key of the AS architecture is autonomy. An AS [31] is an organization that manages a set of routers, using interior BGP (iBGP) to choose how to route packets within the AS, and exterior BGP (eBGP) to choose how to route packets to other ASes. An AS manages a set of IP addresses and is identified by a global identification number called AS Number (ASN). Both the ASN and the blocks of IP addresses are assigned by the appropriate Regional Internet Registry (RIR) according to the country, for instance ARIN for the U.S. and Canada, and RIPE [6] for Europe, Central Asia and the Middle East. In detail, the ASN is a 16- or 32-bit number that uniquely identifies each AS. For instance, the companies YouTube, Facebook and Google are all ASes and their ASNs are respectively 36561, 32934 and 36384. At the same time, together with the ASN, groups of one or more IP prefix blocks are assigned to each AS. An IP prefix block represents an address subspace of the Internet and is usually expressed by a compact representation of sequential IP addresses called CIDR notation. The CIDR notation is a pattern which matches the first n binary bits of an IP address. The syntax of this notation is a dotted-decimal address, followed by a slash, then a number from 0 to 32, i.e., a.b.c.d/n. The last number is inversely proportional to the size of the address block. Indeed, the last number is the length of the prefix, i.e. the number of leading bits that are fixed. For example, the prefix block p = a.b.c.d/32 represents only the single IP address a.b.c.d, while the prefix block p' = a.b.c.0/24 is a block of 256 sequential IP addresses from a.b.c.0 to a.b.c.255. Moreover, if the prefix a.b.c is the same for both IP prefix blocks, the first prefix block is more constraining than the second one.
It is easy to show that the first prefix block, a.b.c.d/32, is contained inside the second one, a.b.c.0/24. If two prefixes have overlapping sets of destinations, the prefix describing a smaller set of destinations (a longer prefix, e.g. /32) is said to be more specific than an IP prefix describing a larger set of destinations (a shorter prefix, e.g. /24); vice versa, it is said to be less specific. In other words, the prefixes p and p' exhibit a subset relationship p ⊂ p'.

The structure of an AS. Each AS usually has a hardware infrastructure composed of computers, routers and other devices connected together in a private network. Network administrators of ASes control the company network by deciding its topology and which routing policy to use within it. This design is usually driven by company policies aimed at improving the efficiency of resources and reducing costs for the company. Furthermore, it acts in complete independence with respect to the other ASes. The internal routing algorithm and the packet routes are carefully selected because they have a direct impact on the performance of the whole routing system of the company. All routers are usually configured by hand. Network administrators often use different traffic engineering methods to increase routing speed. Among the most important internal routing protocols used today by administrators are the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). Each AS tends to hide from other ASes how its own network is managed and organized. This aspect is the main reason for the lack of topological information about the Internet and for the difficulty of describing the complete structure of the Internet. ASes have a crucial role in routing packets on the Internet.
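As an added illustration of the CIDR notation and of the subset relationship just described (this is a stand-alone example written for this page, not code from the proposal), the following Python implements the "first n bits" matching by hand, without the ipaddress module, so that the block size, the containment test and the more-specific relation are visible as bit operations. The prefix values used are the page's own: a /32 inside a /24, and YouTube's 208.65.153.0/22 with the /24 announced inside it.

```python
def parse_cidr(text):
    """Parse 'a.b.c.d/n' into (32-bit integer address, prefix length).
    A bare 'a.b.c.d' is treated as a /32, i.e. a single host address."""
    addr, _, length = text.partition("/")
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    n = int(length) if length else 32
    if not 0 <= n <= 32:
        raise ValueError(f"bad prefix length: {length}")
    value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return value, n


def mask(n):
    """Bit mask selecting the first n bits of a 32-bit address."""
    return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def block(text):
    """Return (first address, last address, number of addresses) covered by a prefix.
    The size is 2^(32-n), so the prefix length is inversely related to the block size."""
    value, n = parse_cidr(text)
    first = value & mask(n)
    size = 1 << (32 - n)
    return to_dotted(first), to_dotted(first + size - 1), size


def matches(prefix, address):
    """True if the first n bits of the address equal the first n bits of the prefix."""
    p, n = parse_cidr(prefix)
    a, _ = parse_cidr(address)
    return (a & mask(n)) == (p & mask(n))


def is_subset(p, q):
    """p ⊂ q (or p == q): p is at least as long as q and lies inside q's network."""
    pv, pn = parse_cidr(p)
    qv, qn = parse_cidr(q)
    return pn >= qn and (pv & mask(qn)) == (qv & mask(qn))


def more_specific(p, q):
    """Of two overlapping prefixes, the longer one describes fewer destinations
    and is the more specific; it is the one a longest-prefix lookup selects."""
    if not (is_subset(p, q) or is_subset(q, p)):
        raise ValueError("prefixes do not overlap")
    return p if parse_cidr(p)[1] >= parse_cidr(q)[1] else q


if __name__ == "__main__":
    for prefix in ("10.1.2.3/32", "10.1.2.0/24", "208.65.153.0/22", "208.65.153.0/24"):
        print(prefix, "->", block(prefix))
    print("10.1.2.3/32 inside 10.1.2.0/24:", is_subset("10.1.2.3/32", "10.1.2.0/24"))
    # The /24 from the 2008 incident is more specific than the legitimate /22
    print("more specific:", more_specific("208.65.153.0/24", "208.65.153.0/22"))
```

The last call is the whole mechanism behind the YouTube case in Chapter 1: a /24 is a strict subset of the /22 that contains it, so wherever both are known the /24 wins, which is why monitoring for unexpected more-specific announcements of one's own prefixes is a basic defensive check.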
An AS autonomously manages the routing table that allows communication from any Internet end host to its internal end hosts and vice versa. An AS has one or more routers, called border routers, used to connect the internal network to the Internet. These routers must have all the information necessary to address any Internet packet. To build the fundamental routing table, ASes exchange routing and reachability information with one another using the same exterior routing protocol. Today it is not possible to maintain all the routing information of the Internet in a single centralized point, because it would require solving several challenges in terms of amount of memory while maintaining a high routing speed. To overcome this limitation a distributed routing algorithm was adopted and is still used today. In a distributed algorithm each node is responsible for sending all or some portion of its routing table only to its neighbours. Each AS has partial knowledge of the whole address system of the Internet, but ASes cooperate with one another in order to find the right route to follow.

Often the routes found are not the best ones, but the use of such limited knowledge, and consequently a limited amount of memory, permits fast routing decisions. The standard protocol used to exchange the aforementioned information, and widely accepted by all ASes, is the Border Gateway Protocol (BGP). Thanks to the exterior routing protocol among ASes, a single centralized point for routing packets is not necessary. As a result, the decision on how to route packets is completely decentralized. Indeed, how a route is found depends on how the ASes are connected to one another and what type of relationship exists among them.

The AS classification. Each AS can establish one or more neighbourhood relationships with different ASes. Neighbourhood relationships are driven by business.
An AS decides to connect with another AS if it is convenient in economic terms. As a consequence, the economic aspect is the most important one for describing and explaining the relationships between ASes and the feasible routes that exist. For this reason, the ecosystem of all ASes will be described in greater detail in Section 2.3. ASes are usually classified according to their connectivity and operating policy [22]:
Stub AS: an AS that is connected to only one other AS. A vast number of ASes fall in this type. From the point of view of these ASes, only one connection with another AS is required to reach the Internet. The latter, usually called an Internet Service Provider (ISP), provides (usually sells) access to the Internet. Stub ASes are often required to commit to a minimum volume of bandwidth.
Transit AS: an AS that provides connections through itself to other ASes. It has two or more connections to other ASes and carries both local and transit traffic. The transit service is typically priced per megabit per second per month.
Multi-homed AS: an AS that has two or more connections to other ASes. This can be done in order to increase reliability or performance, or to reduce cost. However, unlike a transit AS, this type of AS does not provide transit traffic from one AS to another AS.

2.2 Overview of the BGP protocol

The Internet can be viewed as an ecosystem composed of autonomous players that compete and co-operate with one another in order to guarantee global connectivity to end users. The direct consequence is that the decision on how packets flow through the Internet is made in a decentralised way. As explained before, BGP is the main protocol used for routing packets among ASes. Currently, BGP version 4 is the accepted standard for Internet routing and it is de facto the inter-domain routing protocol that maintains and exchanges routing information among ASes.
In this proposal, the acronym BGP refers to version 4 of the BGP protocol.

The BGP protocol is often classified as a Path Vector protocol and, like any Distance Vector algorithm, each node knows only about its neighbours. Border routers of each AS are directly connected with one or more border routers of other ASes. Adjacent BGP routers exchange all or a portion of the reachability information about their respective networks. As a result, we can consider ASes as the unit of routing policy in the Internet. Usually, BGP is referred to as eBGP to distinguish it from iBGP, which is used within the same AS. There are some differences between eBGP and iBGP, but the important ones are that iBGP routers do not need to be directly connected, and that the way routes received from a router are propagated to other routers differs. BGP nodes use TCP to establish communication among themselves and to exchange all messages. As described in [32], BGP uses four messages:
• Open Message. After a TCP connection is established between two BGP systems, they exchange BGP open messages to create a BGP connection between them.
• Update Message. BGP systems send update messages to exchange network reachability information. They use this information to construct a graph that describes the relationships among all known ASes.
• Keepalive Message. BGP systems exchange keepalive messages to determine whether a link or host has failed or is no longer available. Keepalive messages are exchanged often enough that the hold timer does not expire. These messages consist only of the BGP header.
• Notification Message. BGP systems send notification messages when an error condition is detected. After the message is sent, the BGP session and the TCP connection between the BGP systems are closed. Notification messages consist of the BGP header plus the error code and subcode, and data that describes the error.
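The fixed-size header shared by the four message types, and the two simplest bodies (an empty one for KEEPALIVE, error code plus subcode for NOTIFICATION), can be checked in a few lines. The Python below is an added example, not code from the proposal or from any BGP implementation; it follows the header layout of RFC 4271 (a 16-byte marker of all ones, a 2-byte length between 19 and 4096, and a 1-byte type with 1 = OPEN, 2 = UPDATE, 3 = NOTIFICATION, 4 = KEEPALIVE), and all sample messages are constructed inline. It shows the checks a receiver performs before trusting anything in the body.

```python
import struct

BGP_HEADER_LEN = 19                  # 16-byte marker + 2-byte length + 1-byte type
BGP_MARKER = b"\xff" * 16            # all ones when no authentication is in use
MAX_MESSAGE_LEN = 4096
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def parse_bgp_message(data):
    """Validate the fixed-size header of one BGP message and return a dict
    describing it. Malformed input raises ValueError instead of being trusted."""
    if len(data) < BGP_HEADER_LEN:
        raise ValueError("truncated header")
    marker, length, mtype = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise ValueError("connection not synchronised: bad marker")
    if length < BGP_HEADER_LEN or length > MAX_MESSAGE_LEN:
        raise ValueError(f"bad message length {length}")
    if length > len(data):
        raise ValueError("truncated message body")
    if mtype not in MSG_TYPES:
        raise ValueError(f"bad message type {mtype}")
    body = data[BGP_HEADER_LEN:length]
    msg = {"type": MSG_TYPES[mtype], "length": length}
    if msg["type"] == "KEEPALIVE" and body:
        raise ValueError("KEEPALIVE must consist only of the header")
    if msg["type"] == "NOTIFICATION":
        if len(body) < 2:
            raise ValueError("NOTIFICATION needs an error code and a subcode")
        msg["error_code"], msg["error_subcode"] = body[0], body[1]
        msg["data"] = body[2:]
    return msg


def build_message(mtype, body=b""):
    """Build a message with a well-formed header (used only to construct samples)."""
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), mtype) + body


# Constructed samples: a KEEPALIVE, a NOTIFICATION with error code 6 (Cease) and
# subcode 0, and a message whose marker is wrong.
SAMPLE_KEEPALIVE = build_message(4)
SAMPLE_NOTIFICATION = build_message(3, bytes([6, 0]))
SAMPLE_BAD_MARKER = b"\x00" * 16 + struct.pack("!HB", BGP_HEADER_LEN, 4)


def classify_stream(chunks):
    """Run the parser over raw messages and report, per message, the type a
    receiver would accept or the reason it would reject it."""
    results = []
    for raw in chunks:
        try:
            results.append(parse_bgp_message(raw)["type"])
        except ValueError as exc:
            results.append(f"REJECT: {exc}")
    return results


if __name__ == "__main__":
    for line in classify_stream([SAMPLE_KEEPALIVE, SAMPLE_NOTIFICATION, SAMPLE_BAD_MARKER]):
        print(line)
```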
All of these messages use a fixed-size header which includes a type field indicating the type of the message. The primary function of the exchange of such messages is to propagate Network Layer Reachability Information (NLRI), creating loop-free network paths. To achieve that, BGP routers use the UPDATE message to either announce or withdraw a non-empty list of routes made up of IP prefixes and several attributes. In detail, Table 2.1 lists the mandatory attributes present in the UPDATE message.

Table 2.1: List of attributes of an UPDATE message
  Attribute      Example
  Origin         IGP
  NLRI Prefix    10.0.0.0/22, 10.0.1.0/24
  AS-Path        111 222 333 444
  Next-Hop       10.0.0.2

Let us give a brief description of all these attributes. Origin is a mandatory attribute that defines the origin of the associated routing information; it specifies whether the NLRI was produced by an AS or not. The NLRI attribute is a set of IP prefix blocks, each having a length and an IP prefix (CIDR notation, e.g. /25, 204.149.16.128). AS-Path is a mandatory attribute composed of a sequence of AS Numbers. Next-Hop is a mandatory attribute that defines the IP address to which the UPDATE message is sent. Although all these attributes are very important for a correct exchange of routing information, in the following we are going to analyse only a subset of them. For simplicity, imagine an UPDATE message like 10.0.0/24 222 333 444. We can split this message into two parts: the first one is the IP prefix, whereas the second one is an important attribute called AS-PATH. The AS-PATH can be defined as the most interesting mandatory path attribute: it contains a sequence of AS numbers which is a feasible route to reach any address contained in the given IP prefix.
This attribute is originated by the AS Border Router (ASBR) that owns the announced prefix and it is modified every time another ASBR propagates the route on the Internet. This simple message shows that, in order to communicate with any address contained in the IP prefix block, the data passes through ASes 222 and 333 and stops in AS 444. AS 444 represents the first AS that announced the UPDATE message. From this message alone, we cannot say whether such an IP prefix belongs to AS 444: the AS might be either the owner or a spokesperson for the owner. In the latter case, AS 444 knows how to reach the real owner but does not want to show it. The ASBR that receives this message, on the basis of its own criteria, selects the best way to reach prefix 10.0.0/24. If the path of this message turns out to be the best, the ASBR will then propagate the UPDATE message by prepending its AS number to the AS-PATH attribute. Considering the previous example, if the AS Number of the AS is 111, the propagated UPDATE message will be 10.0.0/24 111 222 333 444.

Moreover, the AS-PATH has a fundamental role in the prevention of routing loops. Indeed, it is possible to use the AS-PATH attribute to prune routing loops by excluding from the final phase of the decision process all those routes carrying an AS-PATH attribute in which the AS number of the local system is present. For instance, suppose that the previous UPDATE message is received by a BGP router of AS 333. The full AS-PATH of the message is analysed in order to find the number 333. The presence of this number in the AS-PATH attribute means that accepting this route would create a loop in the path. As a consequence, in this case the route is discarded to prevent a routing loop.

2.2.1 Decision Process of the BGP protocol

The operations described above are computed locally by the Decision Process (DP) of each router.
For each new UPDATE message received, each BGP speaker^2 has a local DP to decide the (local) routing according to policy. The DP selects routes by applying the policies in the local Policy Information Base (PIB). The result of this process is a set of routes locally used by the speaker and advertised to other routers. When a BGP speaker receives a new UPDATE message, its own local DP determines a degree of preference for each route based on preconfigured policy information. Moreover, this phase determines whether the route is eligible or ineligible (e.g. because of the existence of loops). For ease of reading, we list the major criteria used by the DP in order to select the best path for each AS:
1. Weight is a specific parameter that defines a degree of preference for a path. The path with the highest weight is usually preferred.
2. If Weight is not set, choose the route with the highest local preference.
3. Choose routes that this router originated.
4. Since the AS-PATH attribute records the number of traversed ASes, it provides a natural way to compare two equivalent paths and therefore to choose the best route. In general, given two different routes, the preferred route is the one with the shorter AS-PATH.
5. Choose more specific routes. In general, given two or more overlapping routes, the preferred route is the one whose prefix block is more specific.

^2 We identify with the term BGP speaker the BGP routers that speak the BGP language.

[Figure 2.1: Example of loop prevention]
[Figure 2.2: Example of decision based on path length]
[Figure 2.3: Example of more specific path]

In Figures 2.1, 2.2 and 2.3 we show three different scenarios from the point of view of AS 2222 when three different UPDATE messages are received. Figure 2.1 shows AS 2222 rejecting the path in order to avoid a loop. It is worth noting that the AS number 2222 is contained inside the received message.
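The loop check on the AS-PATH, the prepending of the local AS number on propagation (both from the previous section) and criteria 1 to 5 of the decision process can be exercised together on the three scenarios of Figures 2.1, 2.2 and 2.3. The Python below is an added example written for this page, not code from the proposal or from Isolario: the Route fields weight, local_pref and originated, the local ASN 2222 and all prefixes and AS numbers are constructed values chosen to reproduce the three scenarios, and the textual UPDATE form "10.0.0/24 222 333 444" used in the text is written here with full dotted prefixes so that the ipaddress module accepts it.

```python
import ipaddress
from dataclasses import dataclass

LOCAL_ASN = 2222  # point of view of Figures 2.1-2.3 (constructed scenario)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple            # AS numbers, nearest neighbour first, originator last
    weight: int = 0           # criterion 1 (hypothetical local knob, default 0)
    local_pref: int = 100     # criterion 2
    originated: bool = False  # criterion 3


def parse_update(text, **prefs):
    """Parse the simplified textual UPDATE used in the text: '<prefix> <asn> <asn> ...'."""
    prefix, *asns = text.split()
    return Route(ipaddress.ip_network(prefix, strict=False),
                 tuple(int(a) for a in asns), **prefs)


def is_eligible(route, local_asn=LOCAL_ASN):
    """Loop prevention: a route whose AS-PATH already carries our ASN is discarded."""
    return local_asn not in route.as_path


def prefer(candidate, current):
    """Criteria 1-4 between two routes for the same prefix; a tie keeps the installed one."""
    if candidate.weight != current.weight:
        return candidate if candidate.weight > current.weight else current
    if candidate.local_pref != current.local_pref:
        return candidate if candidate.local_pref > current.local_pref else current
    if candidate.originated != current.originated:
        return candidate if candidate.originated else current
    if len(candidate.as_path) != len(current.as_path):
        return candidate if len(candidate.as_path) < len(current.as_path) else current
    return current


def install(rib, route, local_asn=LOCAL_ASN):
    """Run the decision process on one received route; True if it is installed."""
    if not is_eligible(route, local_asn):
        return False
    current = rib.get(route.prefix)
    if current is None or prefer(route, current) is route:
        rib[route.prefix] = route
        return True
    return False


def lookup(rib, address):
    """Criterion 5: among the overlapping prefixes that contain the address, the
    most specific (longest) one is used."""
    ip = ipaddress.ip_address(address)
    matches = [r for p, r in rib.items() if ip in p]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def propagate(route, local_asn=LOCAL_ASN):
    """Re-advertise a selected route with our ASN prepended to its AS-PATH."""
    return f"{route.prefix} " + " ".join(str(a) for a in (local_asn,) + route.as_path)


def run_scenarios():
    rib = {}
    install(rib, parse_update("10.0.0.0/16 3333 6666 4444"))      # already known route
    # Figure 2.1: our own ASN 2222 appears inside the AS-PATH -> loop, rejected
    loop = install(rib, parse_update("10.0.0.0/16 5555 2222 3333 4444"))
    # Figure 2.2: a shorter AS-PATH to the same prefix replaces the installed route
    shorter = install(rib, parse_update("10.0.0.0/16 5555 4444"))
    # Figure 2.3: a more specific prefix (/17 inside the /16) is installed alongside
    specific = install(rib, parse_update("10.0.0.0/17 7777 8888"))
    return {
        "loop_rejected": not loop,
        "shorter_accepted": shorter,
        "specific_accepted": specific,
        "best_for_10.0.0.1": str(lookup(rib, "10.0.0.1").prefix),
        "best_for_10.0.200.1": str(lookup(rib, "10.0.200.1").prefix),
        "readvertised": propagate(rib[ipaddress.ip_network("10.0.0.0/16")]),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Note that the more specific /17 does not replace the /16 in the table; both stay installed and the /17 only wins for the addresses it covers, which is exactly why a sub-prefix announcement from an unrelated AS diverts part of the traffic without any visible change to the covering route.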
Figure 2.2 shows AS 2222 rejecting the path after selecting the best path from its point of view. Note that the best path selected is the shortest in terms of ASes to traverse. The last scenario, in Figure 2.3, shows that AS 2222 accepts the new path because it is more specific than the one it already has. In this case we can see that we have two routes with the same prefix but different lengths (/17 ⊂ /16).

2.3 Inter-AS economic relationships

The BGP protocol has had great success because it is a policy-based inter-domain routing protocol. The high flexibility of the protocol allows accurate outbound route filtering policies according to the economic agreements established among the parties. In this section we will analyse the business relationships at the basis of the interaction and linking between different ASes. Two ASes enter into communication if and only if a business relationship exists between them. Communication among ASes plays an important role in defining the routes of packets on the Internet through the aforementioned exterior protocol BGP. A generic BGP router exchanges all or a portion of its network reachability information with its neighbours. The reachability knowledge that a router of a generic AS communicates to others is accurately filtered depending on the type of economic agreement established among them. Despite the large number of possible economic agreements, inter-AS relationships can be categorized into three main classes:

provider-to-customer (p2c) | customer-to-provider (c2p). The provider announces to the customer the routes necessary to reach every Internet destination. The provider obtains all the routes from its customers, providers and peers (if any), plus the routes owned by the provider itself. The core business of these providers is usually the sale of Internet service to customers.
In order to provide this service, providers accurately select a subset of these routes according to their business model. The customer, on the other hand, announces back only its own IP routes (possibly including those obtained from its own customers).
provider-to-provider (p2p). The providers reciprocally provide access to each other's customers. In other words, each of the ASes announces the routes obtained from its customers to the other AS. The relationship is typically free of charge, with each side deriving about the same benefit from the reciprocal arrangement.
sibling-to-sibling (s2s). Each sibling acts as a provider for the other by announcing all its routes. The different ASes typically belong to the same organization.

[Figure 2.4: Inter-AS economic relationships]

Figure 2.4 shows a representation of the feasible business relationships among ASes described above. The figure identifies the typical announcement exchange according to the type of relationship occurring between the ASes. Sometimes, in the real world, ASes may also exchange messages containing routes which violate the business relationship agreement. In detail, an AS sends to its neighbours an announcement that should not be sent because it violates the commercial agreement between them. These bogus announcements are then propagated through the Internet. When this occurs we talk about a violation of the valley-free principle described in [9]. The valley-free principle is one of the most important concepts related to BGP routing paths. It defines patterns of routing paths that allow Internet ASes to minimize their routing costs through selective announcement of BGP routes. After traversing a provider-to-customer (p2c) or peer-to-peer (p2p) edge, the AS path cannot traverse a customer-to-provider (c2p) or p2p edge.
Formally, an AS path is valley-free if and only if the following conditions hold:

• A p2c edge can be followed only by p2c or s2s edges.
• A p2p edge can be followed only by p2p or s2s edges.

Human error in defining BGP export policies on ASBRs is typically the most common cause of valley-free principle violations.

2.4 Inferring the Internet AS-level topology

Knowledge of the Internet AS-level topology, together with its economic and geographic characterization, can be useful for many different users and goals. For example, Internet governance bodies and network operators could exploit the topology to assess the resilience of the Internet AS-level in response to attacks. Moreover, this knowledge can be used to identify critical failure points in the Internet structure, which may be crucial for political, economic, commercial and strategic purposes concerning the Internet AS-level ecosystem [12, 13]. Due to the distributed nature of the Internet, there is no trusted third-party repository containing an up-to-date Internet AS-level topology that can be downloaded. The only available repositories are the Internet Routing Registry databases, but it is still difficult to distinguish fresh and complete connectivity information from stale or mistaken information, since they are manually maintained on a voluntary basis [7]. Researchers, thus, tried to infer the AS-level topology by exploiting collateral effects of the BGP protocol. Specifically, the AS_PATH attribute can be used to extract AS connectivity information. To infer the AS-level topology, researchers exploited BGP data made available by route collector (RC) projects such as Route Views and RIPE RIS, which collect BGP data from routers belonging to ASes willing to participate [28]. Researchers started to infer an Internet AS-level topology from these data and used it as the basis for their studies, without concerning themselves too much with its completeness [8, 39].
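Returning to the valley-free principle of Section 2.3, the following Python function checks an AS path against a table of inter-AS relationships. It is example code written for this page, not code from the proposal or from any project it cites; the ASes, relationships and paths are constructed. It applies the informal statement of the rule (after a p2c or p2p edge, no c2p or p2p edge may follow) and treats s2s edges as transparent.

```python
"""Valley-free check of an AS path against known inter-AS relationships.

Example code added for this page; the ASes, relationships and paths below are
constructed and are not taken from the proposal or from any cited project.
"""

# Relationship labels as used in the text.
P2C, C2P, P2P, S2S = "p2c", "c2p", "p2p", "s2s"


def build_relationships(providers, peers, siblings):
    """Return {(u, v): label} giving the relationship of the directed edge u -> v.

    providers: (provider, customer) pairs; peers and siblings: unordered pairs.
    """
    rel = {}
    for p, c in providers:
        rel[(p, c)] = P2C
        rel[(c, p)] = C2P
    for a, b in peers:
        rel[(a, b)] = rel[(b, a)] = P2P
    for a, b in siblings:
        rel[(a, b)] = rel[(b, a)] = S2S
    return rel


def first_valley(as_path, rel):
    """Return the first edge (u, v) that violates the valley-free rule, or None.

    Rule: once a p2c or p2p edge has been traversed, no c2p or p2p edge may
    follow; s2s edges are transparent.  Reversing a path swaps p2c with c2p and
    leaves p2p/s2s unchanged, so the result does not depend on whether the path
    is given in AS_PATH order (nearest AS first) or in propagation order.
    Raises KeyError for an edge with no known relationship.
    """
    downhill = False
    for u, v in zip(as_path, as_path[1:]):
        label = rel[(u, v)]
        if label == S2S:
            continue
        if label in (C2P, P2P) and downhill:
            return (u, v)
        if label in (P2C, P2P):
            downhill = True
    return None


def is_valley_free(as_path, rel):
    return first_valley(as_path, rel) is None


# Constructed topology: 100 is provider of 200 and 300; 200 of 400; 500 of 600;
# 300 and 500 peer; 600 and 601 are siblings.
REL = build_relationships(
    providers=[(100, 200), (100, 300), (200, 400), (500, 600)],
    peers=[(300, 500)],
    siblings=[(600, 601)],
)

if __name__ == "__main__":
    for path in ([400, 200, 100, 300], [400, 200, 100, 300, 500], [600, 500, 300, 100]):
        print(path, "valley at", first_valley(path, REL))
```

The second sample path traverses the peering edge 300-500 after a p2c edge (a route learned from a provider being re-exported to a peer), which is exactly the route leak the text describes; the function reports the offending edge so that an operator can see which export policy is at fault.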
Recently there have been efforts to analyse the (in)completeness of the data obtained through BGP RC projects [29, 35]; however, no study has yet quantified it.

Several sources are used to collect raw data about BGP routes. They fall into four categories [41]: BGP route collectors, route servers, looking glasses and the Internet Routing Registry (IRR) databases.

A BGP route collector receives BGP messages from its feeder ASes but does not advertise any prefix back to them. Periodically, or in real time, the collector dumps its full routing tables and the routing updates received from its feeders. A collector has a point of view of the Internet from each AS connected to it: the more feeders a collector has, the more topological information it can collect. RouteViews and RIPE RIS are two major measurement projects that deploy collectors and make BGP trace data publicly available.

Route servers, instead, are routers made publicly accessible by some ISP networks to help troubleshoot network problems. Users can interact with a route server through a particular set of commands. Unlike BGP route collectors, route servers provide neither routing updates nor an archive of past data.

Looking glasses are accessible remotely through a web interface and allow a very limited set of commands to be run on routers. They allow users to check the route to a particular prefix, but do not allow entire routing tables to be downloaded, nor do they provide routing updates. A looking glass is usually owned and operated by an organization or network operator and acts as a read-only portal.

Finally, the IRR is a set of distributed databases whose purpose is to ensure the stability and consistency of Internet-wide routing by sharing information between network operators. The IRR actually consists of several databases where network operators publish their routing policies and routing announcements so that other operators can use this data.
The databases that form the IRR are manually maintained by operators, mostly on a voluntary basis; the information therein may be incorrect, incomplete or outdated.

In the past there has been growing interest in studying and modelling the AS-level topology. Some of the most well-known activities include the definition of measurements to infer the Internet's AS connectivity graph and describe its properties [8], the building of topology generators that produce graphs or other specific structures modelling the AS connectivity graph [16, 15], and the study of the effectiveness of detection/prevention of attacks on the network infrastructure. This proposal focuses on the problem of anomaly detection and on inferring the AS-level topology. The incompleteness of the BGP data currently makes both tasks very challenging.

2.5 An overview of BGP Vulnerabilities

The BGP protocol was created when the number of ASes involved was much smaller than today, and for this reason it was not designed with security in mind. Consequently, it has no security mechanism against deliberate or accidental errors. Trust between ASes is the basis of this protocol: the reachability information exchanged is always considered correct by all ASes. As a result, faulty, misconfigured or deliberately malicious sources can disrupt overall Internet behaviour by injecting bogus routing information into the BGP distributed routing table. Bogus information can create, change or delete routing information, with different effects on routing behaviour. For example, a network can become unreachable because one or more pieces of routing information are deleted. A change of routing information can instead introduce delay through a longer than necessary path. Finally, the creation of new routing information makes an AS network visible even when it is not.
Summing up, a fake announcement produced by any AS can fragment the Internet and also cause routing problems for other networks through the propagation of these bogus announcements across the Internet. This bogus information can cause communication failures and today, considering the increasing number of applications on the Internet, this is a crucial aspect that has to be faced. The sources of this bogus routing information can be either outsiders or legitimate ASes. In the following we present some widely known international incidents; then, for each one, we examine the cause that led to the disruption of normal Internet activity.

AS 7007 Incident. The best-known route misconfiguration incident is the case of MAI Network Services (AS7007) on April 25, 1997 [26]. AS 7007 flooded the Internet with incorrect advertisements covering essentially the entire Internet. Part of the entire route table accidentally leaked outside AS7007, creating a routing black hole. As a result, AS7007 quickly disrupted reachability to many networks for several hours.

The case of Pakistan Telecom. Another classic and widely publicized incident was caused by a Pakistani service provider in 2008 [34, 40]. The Pakistan government wanted to block access to YouTube internally. The service provider Pakistan Telecom (AS17557), in response to the government order, started advertising a route for 208.65.153.0/24 to its provider PCCW (AS 3491). In detail, the announced route is more specific than the one normally used by YouTube (208.65.152.0/22). This route somehow leaked outside Pakistan and was carried by many service providers across the Internet. As a consequence, most routers chose to send traffic for this slice of YouTube's network to Pakistan Telecom. As a result, part of YouTube was out of reach from part of the Internet.
It is easy to see in this scenario that the announcement of illegitimate routes is at the basis of the incident. In this case, PCCW (3491) accepted the wrong route and then propagated it to the rest of the world. It is worth noting that since it was a more specific route it represented the best route for many ASes.

2.5.1 The identification of vulnerability

In the following we define the three main vulnerabilities recognized and described by Murphy [23]:

1. BGP has no strong mechanism to protect the integrity and source authenticity of the messages exchanged between ASes. For instance, any device in the middle of the connection between two ASes can secretly send or alter messages.
2. BGP has no mechanism to validate an AS's authority to announce reachability information. For instance, an AS can announce an IP prefix belonging to another AS.
3. BGP has no mechanism to ensure the authenticity of the path attributes announced by an AS. For instance, an AS can send an UPDATE message carrying bogus information.

These vulnerabilities are the fundamental risk situations present in the inter-domain routing system. Moreover, they provide an open door for attacks on the Internet by malicious persons. As a result of these vulnerabilities, the BGP protocol is subject to the following attacks:

• confidentiality violations: all BGP messages exchanged among ASes are sent in clear text, so eavesdropping is a possible attack against routing data confidentiality.
• replay: the same message can be sent more than once.
• message insertion: the use of clear-text messages over a TCP connection gives the opportunity to insert any BGP message.
• message deletion: again, the use of a TCP connection gives the opportunity to delete any BGP message.
• message modification: a modification that is syntactically correct and does not change the length of the TCP payload would in general not be detectable.
• man-in-the-middle: BGP provides no authentication mechanism, so a man-in-the-middle attack is child's play.
• denial of service: bogus information can amount to a denial of service on the BGP routing protocol.

2.5.2 Understanding the BGP anomalies

It is easy to take down portions of the Internet by announcing illegitimate routes to those parts. The disruption of Internet routing can occur either as a result of accidental misconfiguration (e.g. policy violation) by network operators or of malicious route announcements. In the following we present a classification of the anomalies within inter-domain routing. We define an inter-domain anomaly as an unexpected event, with respect to the BGP specification [32], that occurs in one or more attributes of a BGP message, or a directly incorrect UPDATE/WITHDRAWAL message. We have separated the anomalies according to their feasible cause.

Anomaly type   Example
Path Loops     3561 26821 3561 2747
AS padding     3561 26821 27474 27474 27474
Private AS     65533 3561 26821,3561 2747

TABLE 2.2: Example of path anomalies present in the AS_PATH attribute.

This first classification considers the anomalies voluntarily produced by ASes.

• Non origin AS padding. A technique to achieve some control over the path selection of upstream domains. The idea is to inject the AS number into the AS-PATH attribute more than once, so as to create a worse path (e.g. the second row of Table 2.2). Moreover, these rules are set manually by administrators, so the misconfiguration of some router can generate a fake path.
• Path Loops. As described in Section 2.2, a fundamental motivation of a path vector protocol such as BGP is the prevention of routing loops. Nevertheless, some loops can be found in the AS-Path attribute, as the BGP data shows. Indeed, a number of ASes do not implement loop filtering (e.g. the first row of Table 2.2).
• Private AS announcements.
The IANA reserved a well-defined set of AS numbers (64512-65535) that should not be announced on the Internet. However, some of them are erroneously announced on the Internet (e.g. the third row of Table 2.2).

FIGURE 2.5: Example of MOAS

In the following we present a set of anomalies involuntarily produced by ASes. Sometimes these routing anomalies are labelled as misconfigurations to distinguish them from the anomalies described above.

• Route Export Anomalies. The contract between domains must be satisfied. Export anomalies often involve accidental leakage of routes and incorrect announcements in violation of the policies.
• Violation of the Valley-Free property. An AS advertises a path for which it obtains no revenue, violating the valley-free property (Section 2.3).

Before explaining the last anomalies, we present the Origin AS conflict. A Multiple Origin Autonomous System (MOAS) conflict occurs when more than one AS claims to be the owner of a given prefix p. More precisely, suppose a prefix p and two routes like p = (AS1, AS2, AS3) and p = (AS4, AS5, AS6). We say a MOAS conflict occurs if AS6 ≠ AS3 [42]. In Figure 2.5 we can see a simple MOAS event where two ASes claim to be the owner of the prefix 10.0.0.0/24. This conflict can be produced by normal activities such as traffic engineering, by the misconfiguration of some router, or by malicious activities such as IP hijacking.

Finally, in the following we present the main anomalies voluntarily produced by malicious agents, either outsiders or legitimate ASes: IP hijacking. IP hijacking is an attack that steals IP addresses belonging to other networks.

• Hijack a prefix with (or without) its AS. A full IP prefix belonging to the victim AS is announced by another AS in order to carry out some malicious intent. This type of attack has the same characteristics as a MOAS anomaly.
An attacker can decide to hide its true identity by not adding its AS number to the AS-Path. Moreover, it can also add other AS numbers, such as the AS number of the owner of the IP prefix.
• Hijack a subnet of a prefix with (or without) its AS. A subnet of the IP prefix belonging to the victim AS is announced by another AS.

Figures 2.6 and 2.7 show the inter-domain routing before and after an IP hijacking attack occurs. In Figure 2.6, the edges represent the correct direction in which packets traverse the network. An attacker, in the example AS 7007, propagates different BGP announcements in order to receive traffic destined to the victim, in the example AS 877. In Figure 2.7 we can see how things change.

FIGURE 2.6: Ex. Hijacking (Before)
FIGURE 2.7: Ex. Hijacking (After)

2.5.3 Possible damages

All the anomalies presented above may lead to different damages to the whole routing information of the Internet. For simplicity's sake, we list the feasible damages [23]:

1. Starvation: a node receives data traffic destined to a part of the network, but does not know how to deliver it.
2. Network congestion: a network node carries more data than it can handle. Typical effects are queueing delay, packet loss, etc.
3. Blackhole: a network node receives a large amount of packets that it cannot handle. This makes a portion of the Internet unreachable because many/most/all packets are dropped.
4. Delay: data traffic passes through a longer and more indirect route, increasing the delay.
5. Looping: the data is never delivered because of loops.
6. Eavesdrop: the data traffic passes through some node that would otherwise not see the traffic, affording an opportunity.
7. Partition: a portion of the Internet is partitioned from the rest of the network, or believes it is.
8. Cut: a portion of the Internet has no route to reach some network, or believes so.
9. Churn: forwarding in the network changes at a rapid pace, resulting in large variations in data delivery patterns (and adversely affecting congestion control techniques).
10. Instability: BGP becomes unstable in such a way that convergence on a global forwarding state is not achieved.
11. Overload: the BGP messages themselves become a significant portion of the traffic the network carries.
12. Resource exhaustion: the BGP messages themselves cause exhaustion of critical router resources, such as table space.
13. Address-spoofing: data traffic is forwarded through some router or network that is spoofing the legitimate address, thus enabling an active attack by affording the opportunity to modify the data.

2.6 Current concerns in routing anomaly detection

To improve the security of BGP, several methods have been proposed, falling into three categories: cryptographic prevention, anomaly mitigation and anomaly detection [37].

Cryptographic Based Prevention. Cryptographic techniques provide a secure communication channel among BGP speakers in order to guarantee the authentication of routing announcements. They usually use a Public Key Infrastructure (PKI) to verify the identity of any entity via digital signatures. Due to its complexity, this approach consumes significant router resources, which makes it unsuitable. The most well-known approach is called Secure Border Gateway Protocol (S-BGP) [17] and operates as follows. S-BGP implements security by validating path attributes in BGP UPDATE messages. During the propagation of an UPDATE message, each member on the path appends its information to the message and cryptographically signs the result before passing it along. Unfortunately, this solution requires a public key infrastructure that assigns public keys to all participating ASes.
Another solution is ASRAP (Autonomous System Routing Authority Protocol) [11], which does not require modifications to the existing protocol and can be deployed incrementally. Similarly to S-BGP, this protocol allows an AS to verify routing updates. Unlike S-BGP, however, the UPDATE messages themselves are not modified. Instead, each participating AS has to provide an ASRAP service that can be queried by others to verify transmitted routing updates. The weak point of this solution is that AS administrators have to install such services and maintain an additional database, initially without receiving any obvious benefit.

Ng et al. [25] propose secure origin BGP (soBGP), where the origin of any BGP advertisement can be verified and authenticated, preventing origin advertisements by unauthorized ASes. Furthermore, soBGP ensures that the final destination in an advertised path is actually within the AS to which the packets are routed. soBGP uses certificates and a new SECURITY message to carry security information within the BGP protocol and ensure the above properties.

A comparison between S-BGP and soBGP has been proposed in [43]. The authors explain that S-BGP is far more complete than soBGP, because it provides clear security requirements that work well theoretically. However, S-BGP is too complex and suffers from slow performance and convergence, while soBGP is lightweight, overcomes some of these performance issues and provides full path authentication.

The most recent and promising solutions to overcome BGP's vulnerabilities are the Resource Public Key Infrastructure (RPKI) [5] and BGPsec [19]. RPKI is a hierarchical public key infrastructure, implemented by the Regional Internet Registries (RIRs), designed to certify the ownership of IP prefixes by ASes. Using the RPKI and a chain of valid certificates from a trust anchor, network operators can determine whether the AS originating an IP prefix has been authorized to do so.
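The origin check that RPKI enables is Route Origin Validation: each announcement is compared with the Route Origin Authorizations (ROAs) that prefix holders publish. The following Python code, written as an example for this page and not taken from the proposal or from any RPKI validator, applies the validation outcomes of RFC 6811 (valid, invalid, not found) to the more-specific announcement of the Pakistan Telecom incident. The ROA is constructed: the text does not name the legitimate origin AS of 208.65.152.0/22, so AS 64496, from the documentation ASN range, stands in as a placeholder.

```python
"""Route Origin Validation (RFC 6811) of BGP announcements against ROAs.

Example code added for this page, not part of the proposal or of any RPKI
implementation.  The ROA below is constructed: the origin AS 64496 is a
placeholder from the documentation range, since the text does not name the
legitimate origin of 208.65.152.0/22.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the holder authorises, e.g. "208.65.152.0/22"
    max_length: int   # longest prefix length that may be originated under it
    asn: int          # the only AS authorised to originate it


def covers(roa, prefix):
    """A ROA covers an announcement when the announced prefix lies inside it."""
    net = ipaddress.ip_network(roa.prefix)
    p = ipaddress.ip_network(prefix)
    return p.version == net.version and p.subnet_of(net)


def validate_origin(prefix, origin_asn, roas):
    """Return "valid", "invalid" or "notfound" for an announcement.

    notfound: no ROA covers the prefix (the prefix holder never published one);
    valid:    a covering ROA names origin_asn and allows this prefix length;
    invalid:  ROAs cover the prefix but none matches (wrong AS or too specific).
    """
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "notfound"
    plen = ipaddress.ip_network(prefix).prefixlen
    for r in covering:
        if r.asn == origin_asn and plen <= r.max_length:
            return "valid"
    return "invalid"


def accept_route(prefix, origin_asn, roas, drop_invalid=True):
    """Typical import policy: reject invalid, accept valid and notfound."""
    state = validate_origin(prefix, origin_asn, roas)
    return not (drop_invalid and state == "invalid")


ROAS = [ROA("208.65.152.0/22", 22, 64496)]   # constructed ROA for the /22 in the text

if __name__ == "__main__":
    # The /24 of the Pakistan Telecom incident, as an RPKI-aware router would judge it
    for route in (("208.65.153.0/24", 17557), ("208.65.152.0/22", 64496), ("192.0.2.0/24", 17557)):
        print(route, validate_origin(*route, ROAS))
```

The /24 is invalid twice over: it is originated by an AS the ROA does not name, and it is longer than the ROA's maxLength, so even the legitimate holder would get "invalid" for it unless the ROA allowed /24s. Note also what the check cannot do: a prefix with no ROA is merely "notfound", and an announcement with the right origin AS but a forged AS_PATH still passes, which is the gap BGPsec addresses.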
BGPsec uses the RPKI to manage the cryptographic keys used by ASes deploying the protocol to sign and validate BGP routing announcements.

Anomaly Mitigation. The anomaly mitigation technique consists in removing or demoting any suspect route once it has been found. The main problem is that the deletion of a legitimate route may disturb the routing system.

Anomaly Detection. In this proposal we focus our attention on the third category, anomaly detection, which identifies suspect routes and raises an alarm for each one. Anomalies can be identified in three different ways: control-plane based, data-plane based, and their combination.

Control-plane detection techniques involve the creation of models representing the expected behaviour of a network. The core idea is to compare the current view of the network with the model and raise an alert when they differ. The complexity and accuracy of the model is the key element for good anomaly detection. Typically, this methodology produces a large number of detected events with a high number of false positives; as a consequence, manual analysis by a human operator is needed to separate real anomaly events from routine traffic engineering. Another important issue of this methodology is that it requires timely information on all new feasible routes in the Internet, whereas the data made available by BGP route collectors is published on the web in batches, providing a delayed view of the Internet (e.g. RIPE releases BGP UPDATE messages every 15 minutes [6]). For instance, both RIPE RIS and RouteViews offer binary dumps of the BGP UPDATE messages exchanged by their routers, as well as snapshots of their routing tables.
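A minimal control-plane detector of the kind just described compares each new announcement with a model built from an earlier, trusted view. The Python code below is an example added for this page (not the proposal's or Isolario's code): the model is a table of known origin ASes per prefix, and the checks are the AS_PATH anomalies of Table 2.2 (path loop, AS padding, private AS) plus the MOAS conflict of Figure 2.5. The batch of updates is constructed; its first three paths are those of Table 2.2, read as plain ASN lists.

```python
"""Control-plane checks over a batch of BGP announcements: the AS_PATH anomalies
of Table 2.2 (loop, padding, private AS) and MOAS conflicts against a baseline
of known origins.  Example code added for this page; the update batch and the
baseline are constructed (the first three AS paths are those of Table 2.2)."""

# 16-bit private range as stated in the text; 32-bit private range per RFC 6996.
PRIVATE_ASN_RANGES = ((64512, 65535), (4200000000, 4294967294))


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def path_anomalies(as_path):
    """Return the set of anomaly labels found in an AS_PATH (list of ASNs)."""
    found = set()
    # AS padding (prepending): the same ASN in consecutive positions.
    if any(a == b for a, b in zip(as_path, as_path[1:])):
        found.add("as_padding")
    # Path loop: an ASN that reappears after a different ASN in between
    # (consecutive repeats are padding, not loops).
    seen = set()
    prev = None
    for asn in as_path:
        if asn in seen and asn != prev:
            found.add("path_loop")
        seen.add(asn)
        prev = asn
    if any(is_private_asn(a) for a in as_path):
        found.add("private_as")
    return found


def analyse(updates, known_origins):
    """updates: list of (prefix, as_path); known_origins: {prefix: origin_asn}
    learned from an earlier, trusted view of the routing table.
    Returns a list of (prefix, as_path, sorted anomaly labels), one per update."""
    report = []
    for prefix, as_path in updates:
        labels = path_anomalies(as_path)
        expected = known_origins.get(prefix)
        if expected is not None and as_path[-1] != expected:
            labels.add("moas")          # origin differs from the baseline owner
        report.append((prefix, as_path, sorted(labels)))
    return report


# Constructed batch: rows 1-3 carry the paths of Table 2.2, row 4 is a second
# origin for 10.0.0.0/24 (the MOAS case of Figure 2.5), row 5 is clean.
UPDATES = [
    ("10.0.0.0/24", [3561, 26821, 3561, 2747]),
    ("10.0.1.0/24", [3561, 26821, 27474, 27474, 27474]),
    ("10.0.2.0/24", [65533, 3561, 26821, 3561, 2747]),
    ("10.0.0.0/24", [4444, 5555, 9999]),
    ("10.0.3.0/24", [100, 200, 300]),
]
KNOWN_ORIGINS = {"10.0.0.0/24": 2747, "10.0.1.0/24": 27474,
                 "10.0.2.0/24": 2747, "10.0.3.0/24": 300}

if __name__ == "__main__":
    for prefix, path, labels in analyse(UPDATES, KNOWN_ORIGINS):
        print(prefix, path, labels or "ok")
```

Two things worth seeing in the output: the third row of Table 2.2 is flagged for a loop as well as for the private AS, since 3561 appears twice with 26821 in between, and the MOAS label alone does not say whether the second origin is a hijack or legitimate multi-homing, which is exactly why the text expects a human analyst behind a control-plane detector.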
On the contrary, data-plane detection techniques perform an active action, such as running traceroute between an observer and the source, in order to find significant topology changes. The way these elements are measured, as well as their diversity, ensures good detection. These techniques can be faster than control-plane ones; however, the scalability of this approach is challenging and, as a result, a global analysis is not possible. With a hybrid approach it is possible to identify anomalous routing with a control-plane approach and then trigger a data-plane approach to obtain different measures of the network topology. The use of a hybrid approach can improve the accuracy of anomaly detection.

Chapter 3 Proposal

Until today, the use of an unsafe protocol like BGP has made the Internet vulnerable to different anomalies. BGP is vulnerable to a number of damaging attacks, which can have serious global consequences and often arise from operator misconfigurations. A famous example is the incident that happened in 1997, in which a small ISP originated the first class-C subnet of every IP prefix (1). This created reachability problems for every network and crashed routers around the world by overflowing their route tables. In 2006, Con Edison originated many prefixes it did not own, causing outages for several networks (2). Although the vulnerabilities of the BGP protocol are well known and widely studied, there are currently no validated methods to detect them immediately or evaluate their impact. The main goal of this thesis proposal is to define a set of methodologies for the detection of inter-domain routing anomalies [cap. 2.1], both in an offline and in a real-time context. We believe that the Isolario system (Section 3.1) can be a useful tool to identify anomaly events in both an offline and a real-time context.
Our main idea is to apply, in this new context, solutions that are adopted in other contexts, such as machine learning, lexical representation of natural language, stigmergy and so on. This chapter is structured as follows. First, we introduce the Isolario tools that we are going to use, because in our opinion they are needed to detect any anomalous path immediately. Then we present our ideas to face these issues.

3.1 Isolario: a real-time environment

From the point of view of an AS, these anomalies may represent an economic damage, often proportional to the time elapsed between the beginning of the anomaly and its termination. Although identifying anomalies as quickly as possible is the target of several companies, the approaches used so far are still slow, leaving critical communications exposed. To overcome this slowness it is necessary to have tools enabling real-time monitoring of BGP routing information. Recently Isolario, a real-time BGP collector, has been developed at the Institute of Informatics and Telematics of CNR, Pisa. Isolario increases the number of feeding ASes, and the principle of the project is based on the do-ut-des paradigm, which defines a reciprocal convenience for the interested parties.

(1) http://seclists.org/nanog/1997/Apr/444
(2) http://research.dyn.com/2006/01/coned-steals-the-net/

The project offers network administrators different services in exchange for sharing their routing information. Isolario's services can be useful to manage the network in real time and also to look for network issues in historical routing data. Isolario is a distributed system devised to collect, parse and elaborate BGP data sent by the AS Border Routers (ASBRs) of its participants, also called feeders.
From a high-level perspective, Isolario must on the one hand establish and maintain BGP sessions with the feeders, collecting routing information, and on the other hand provide a responsive service to the requests of its users. The design of Isolario follows a modular philosophy, so the system can be logically split into three main parts: i) Web Core, ii) System Core and iii) Enhanced Route Collectors (ERCs). In order to allow the deployment of parts of the system on distinct machines, possibly geographically dispersed around the world, components communicate with one another over TCP connections. The Web Core is the part that offers useful services to Isolario users through a simple web page. When a user selects an available service on the web page, the web browser creates a dedicated WebSocket session with the Web Core back-end, which manages the service request and provides the data as soon as possible. The System Core component then handles that request. This component is composed of a set of service modules satisfying both historical and real-time data requests. The historical services fetch data from the Historic Data Storage and Retrieval System (HDSRS), purposely developed to provide fast access to stored routing data. The real-time services instead dispatch the user requests and filter the messages to the relevant modules located in the different ERC components; moreover, they manage the aggregation of data coming from two or more distinct ERCs (if required). Finally, the task of the ERCs is to establish and maintain active BGP sessions with the set of feeders. The novelty of this project is represented by the Man In the Middle (MIM) module. This module provides a BGP data stream between each feeder and the Route Collector Engine (RCE) module, which stores all received data and the whole Routing Information Base (RIB) into several files at different time intervals.
The MIM is carefully designed to inject the incoming messages into the system as soon as possible.

3.2 Identifying anomaly routes: some proposals

Although the vulnerabilities of the BGP protocol are well known and widely studied, there are currently no validated methods to detect them immediately or evaluate their impact. In this section we describe different possible approaches for the detection of inter-domain routing anomalies, both in an offline and in a real-time context.

3.2.1 Different models to represent BGP data

Recently, a new formal model has been proposed to describe BGP data. A common way to describe the Internet topology at the AS level is the graph model: ASes are represented by nodes, while edges model the relationships between them. To improve the accuracy of the model, the data used to describe the topology comes from BGP routing tables. As described in [36, 15], the network graph adequately shows the connectivity between ASes (upstream, peering) but tends to oversimplify the real routing situation. In the real Internet, routing paths are selected on a per-prefix basis. The granularity of the graph model does not allow these details to be shown; therefore it cannot diagnose policy violations, such as route leaking, or complex anomalies such as hijacking attacks. The main intuition of the work in [36, 15] is to consider BGP announcements, and more specifically the IP prefix together with the AS-PATH attribute, as a formal language whose syntax defines the normal routing paths. Therefore, a bogus route creates a contradiction with existing announcements. In detail, AS paths towards a prefix (e.g. 444 333 222 111 10.0.0.0/24) are the words of the Finite Route Language (FRL) $L$, whose alphabet is composed of a set of ASes $\Sigma_{AS}$ and the set of all prefixes $\Pi$. The phrases of this language are defined as $r = wp \in \Sigma_{AS}^{*} \times \Pi$, representing an arbitrary concatenation $w$ of ASes from $\Sigma_{AS}$ followed by a prefix $p \in \Pi$. In this language all the feasible phrases identify all the admissible routes. Obviously, this language can be extended so as to make it possible to create new routes. Moreover, given the Finite Route Language, it is possible to build a Route Automaton able to accept any reasonably correct route and to discard all other routes. The Route Automaton is defined as $M = (Q, \Sigma_{AS} \cup \Pi, \delta, q_0, F)$, with $Q$ a finite set of states, $\delta : Q \times (\Sigma_{AS} \cup \Pi) \to Q$ the transition function, $q_0 \in Q$ the start state and $F \subset Q$ the set of terminal states. [15, 37] also describe how to deploy this model in practice to analyse BGP data and detect route leaks and data interception. In both cases they first formally construct a complete description of the issue, identifying its pattern, and then use it to match the anomalies. Figure 3.1 shows the comparison between the graph model and the finite state automaton built from the same BGP data. The values for the automaton are the result of a minimization of the automaton in order to reduce the number of states. Despite the reduction, it is worth noticing that the number of transitions remains much higher than the number of edges. It is reasonable to expect that such a high number of transitions is challenging in a real-time context.

BGP data                  Graph            Automaton
600.216 IP, 52.396 ASes   652.612 nodes    302.598 states
2.875.026 AS paths        725.425 edges    10.355.671 transitions

TABLE 3.1: Comparison between Automaton and Graph

The first approach to investigate may be the identification of the model most suitable for the application context. For instance, in a historical context, where higher accuracy of the detected events is preferable, the automaton may be preferred over the graph model because it provides a rigorous formalism in which to implement search patterns.
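To make the contrast between the two models concrete, the Python code below, an example added for this page and not the implementation of [36, 15] or of any project, builds a Route Automaton as a trie over route words $wp$ (the AS path followed by the prefix) and, from the same routes, the AS-level graph. The automaton is not minimised, unlike the one behind Table 3.1; the routes are constructed.

```python
"""A Route Automaton built from observed routes (AS path followed by prefix),
compared with the graph model built from the same data.

Example code added for this page, not the implementation of [36, 15] or of any
project.  The automaton is a plain trie over route words and is not minimised,
unlike the one behind Table 3.1; the routes below are constructed.
"""


class RouteAutomaton:
    """M = (Q, Sigma_AS U Pi, delta, q0, F) with Q the states created so far."""

    def __init__(self):
        self.q0 = 0
        self.delta = {0: {}}   # state -> symbol (ASN or prefix) -> state
        self.final = set()     # states reached after reading the prefix symbol

    def _new_state(self):
        q = len(self.delta)
        self.delta[q] = {}
        return q

    def add_route(self, as_path, prefix):
        """Add the word w.p (the ASes of w in order, then the prefix p)."""
        q = self.q0
        for sym in tuple(as_path) + (prefix,):
            nxt = self.delta[q].get(sym)
            if nxt is None:
                nxt = self._new_state()
                self.delta[q][sym] = nxt
            q = nxt
        self.final.add(q)

    def accepts(self, as_path, prefix):
        """True only for a route word seen before (a route in the language)."""
        q = self.q0
        for sym in tuple(as_path) + (prefix,):
            q = self.delta[q].get(sym)
            if q is None:
                return False
        return q in self.final

    def num_transitions(self):
        return sum(len(t) for t in self.delta.values())


def graph_edges(routes):
    """Undirected AS-level graph edges from the same routes."""
    edges = set()
    for as_path, _ in routes:
        edges.update(frozenset((u, v)) for u, v in zip(as_path, as_path[1:]))
    return edges


def graph_has_path(edges, as_path):
    """The graph model admits any walk over existing edges, prefix ignored."""
    return all(frozenset((u, v)) in edges for u, v in zip(as_path, as_path[1:]))


# Constructed routes: two paths to 10.0.0.0/24 via origin 111, one more prefix
# from the same origin, and an unrelated prefix originated by 666.
ROUTES = [
    ((444, 333, 222, 111), "10.0.0.0/24"),
    ((555, 333, 222, 111), "10.0.0.0/24"),
    ((444, 333, 222, 111), "10.0.1.0/24"),
    ((444, 333, 666), "192.0.2.0/24"),
]


def build(routes=ROUTES):
    m = RouteAutomaton()
    for path, prefix in routes:
        m.add_route(path, prefix)
    return m


if __name__ == "__main__":
    m, edges = build(), graph_edges(ROUTES)
    print("transitions:", m.num_transitions(), "edges:", len(edges))
    print("555 333 666 in graph:", graph_has_path(edges, (555, 333, 666)),
          "accepted by automaton:", m.accepts((555, 333, 666), "192.0.2.0/24"))
```

The path 555 333 666 uses only edges that exist in the graph, so the graph model cannot object to it, while the automaton rejects it because that word was never announced; the same holds for 10.0.0.0/24 with a new origin (a MOAS) or for a never-seen more specific /25. The price is visible in the counts: 13 transitions against 5 edges for four routes, the same imbalance Table 3.1 reports at Internet scale.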
In a real-time context instead, where efficiency in terms of response time matters, a slimmer model may be preferred.

3.2.2 Different Approaches to look for Anomalies

Section 2.6 described the main concerns in identifying routing anomalies. As said above, control-plane detection techniques are based on the comparison of two different data representations described by some model. These detection methods typically detect Multiple Origin AS (MOAS) conflicts, where a single prefix is originated by multiple ASes. We believe that different approaches are possible in order to identify more anomaly types and/or to improve the accuracy of the results. We now present three different ideas we plan to investigate during the thesis: stigmergy, current flow, machine learning.

3.2.3 A novel Stigmergic Approach

Stigmergy is a mechanism of indirect coordination, originally articulated in the study of social insects [30]. In recent years the study of stigmergy has characterised a number of different research fields. For instance, stigmergy has been proposed as a model for analysing robotic systems, multi-agent systems and communication in computer networks [33]. Recently, stigmergic approaches have been proposed for monitoring elderly people living alone in their own homes. The approach detects behavioural deviations from routine indoor activities. More specifically, a complex indoor localization system creates spatio-temporal tracks used by marker-based stigmergy in order to recognise the normal activities of the entities [3]. At a second level of processing, a similarity evaluation is performed between stigmergic marks over different time periods in order to assess deviations. In a context such as inter-domain routing, we think that normal routing can be recognised, and hence any route anomaly identified, thanks to a stigmergic approach.
We plan to analyse this approach in more detail, in order to:

1. To understand how to handle BGP data, in order to be able to use the new stigmergic technique.
2. To identify the similarity functions with one or more patterns in relation to different anomalies and/or known attacks.
3. To estimate the goodness of this solution in terms of time and resources required for the computation.
4. To understand if this solution is feasible in a real-time context.

3.2.4 Exploiting centrality indexes

The identification of the most central nodes of a graph is a fundamental task of data analysis. The current flow betweenness [24, 4] is a centrality index which considers how information flows along all the paths of a graph. The main intuition behind this centrality derives from considering a graph as an electric circuit, where the edges represent resistors and the nodes are the junction points between two or more resistors. Finding the exact value of the current flow betweenness is computationally expensive for large graphs, so the definition of algorithms returning an approximation of this measure is mandatory. Duckweed [20, 21] is a new distributed approach that provides an approximation of the current flow betweenness centrality exploiting Kirchhoff's law of current conservation. This computational model is suitable for a distributed execution of the algorithm because the computation is described from the point of view of the node and requires only its local knowledge. Centrality indexes are expected to provide a ranking which identifies the most important nodes in a network. In an anomaly routing context we are not interested in identifying the most important nodes, but we can exploit this information to observe how these values shift over time. Any change of an index value in the topological graph indicates some route change.
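As an added example (neither the thesis's nor Duckweed's code), the exact current flow betweenness computed from the graph Laplacian with Kirchhoff's laws in pure Python, then recomputed after a route change that adds one AS link, so that the shift of every index is visible; the AS-level topology is constructed sample data.

```python
"""Current-flow betweenness (Newman [24], Brandes-Fleischer [4]) and its shift after a
route change. Added example: the exact Laplacian computation, not Duckweed's approximation."""
from itertools import combinations

def _invert(m):
    """Gauss-Jordan inverse of a small dense matrix given as a list of rows."""
    n = len(m)
    a = [r[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, r in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))  # partial pivoting
        a[c], a[p] = a[p], a[c]
        a[c] = [x / a[c][c] for x in a[c]]  # normalize the pivot row
        for r in range(n):
            if r != c and a[r][c]:
                a[r] = [x - a[r][c] * y for x, y in zip(a[r], a[c])]
    return [r[n:] for r in a]

def current_flow_betweenness(edges):
    """Unit current from s to t for every pair (edges are unit resistors); a node's
    throughput is half the absolute current on its incident edges."""
    nodes = sorted({v for e in edges for v in e})
    idx, n = {v: i for i, v in enumerate(nodes)}, len(nodes)
    adj = {v: set() for v in nodes}
    for u, v in edges:
        adj[u].add(v); adj[v].add(u)
    # Laplacian with the last node grounded (row/column removed) so it inverts
    lap = [[0.0] * (n - 1) for _ in range(n - 1)]
    for u in nodes[:-1]:
        lap[idx[u]][idx[u]] = float(len(adj[u]))
        for w in adj[u]:
            if idx[w] < n - 1:
                lap[idx[u]][idx[w]] = -1.0
    inv = _invert(lap)
    def pot(v, s, t):  # potential of v (ground at 0) for unit current s -> t
        return 0.0 if idx[v] == n - 1 else sum(
            sg * inv[idx[v]][idx[x]] for sg, x in ((1, s), (-1, t)) if idx[x] < n - 1)
    score = {v: 0.0 for v in nodes}
    for s, t in combinations(nodes, 2):
        for v in nodes:
            if v not in (s, t):
                score[v] += 0.5 * sum(abs(pot(v, s, t) - pot(w, s, t)) for w in adj[v])
    return {v: 2 * x / ((n - 1) * (n - 2)) for v, x in score.items()}

def index_shift(before, after, eps=1e-9):
    """ASes whose index moved after a route change, with the signed delta."""
    return {v: after[v] - before[v] for v in before if abs(after[v] - before[v]) > eps}

# Constructed AS-level topology (sample data); the route change adds one link
BASE = [("AS1", "AS2"), ("AS2", "AS3"), ("AS3", "AS4"), ("AS4", "AS5")]
AFTER_CHANGE = BASE + [("AS1", "AS5")]
```

On the chain topology AS3 carries all traffic between the two halves (index 2/3); once the new link closes a ring every AS has the same index (1/3), so `index_shift` reports all five ASes, with AS3 losing centrality and the endpoints gaining it.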
This last consideration suggests that the feasible anomalies may be recognised by identifying some index change pattern. Moreover, we may estimate the impact of traffic interception on the Internet by looking at all the indexes that changed. To address this solution we plan to investigate the following points:

1. To adapt the existing Duckweed algorithm to a dynamic context where it is possible to recompute the index when a route change occurs.
2. To identify the similarity functions with one or more patterns in relation to different anomalies and/or known attacks.
3. To estimate the goodness of this solution in terms of time and resources required for the computation.
4. To understand if this solution is adaptable to a real-time context.

3.2.5 Machine Learning Approach

Machine learning seeks to automatically find a good predictor based on past experience. Researchers have recently used machine learning techniques to detect unusual patterns in datasets from a variety of fields. [1], for instance, describes how these techniques can be used to classify and detect BGP anomalies. The BGP anomaly detection classifier is a machine learning model that learns how to change its internal structure based on external feedback. In detail, BGP anomalies are BGP UPDATE messages that show unusual patterns, also referred to as outliers. Hourly or daily statistics and features are extracted by parsing such BGP data. A feature is a measurable property of the system that may be observed. The features are then used as input for classification models. In the first phase, the machine learning tool may provide unsatisfactory anomaly classification models, but, provided with a sufficient and relevant set of features, it can improve the classification of the data with the least error rate.
The paper shows the recognition of three anomalies caused by the spread of three worms, Slammer, Nimda and Code Red I, using both Support Vector Machines (SVM) and Hidden Markov Models (HMMs). We believe that this approach can be a useful tool in a real-time context in order to timely detect any other form of anomaly, such as misconfigurations and hijacking attacks [38].

Massimiliano Bertolucci's publications

• Static and Dynamic Big Data Partitioning on Apache Spark, M. Bertolucci, E. Carlini, P. Dazzi, A. Lulli, L. Ricci, Proceedings of PARCO 2015, pages 489–498, Advances in Parallel Computing 27, IOS Press 2016
• Current flow betweenness centrality with Apache Spark, M. Bertolucci, A. Lulli, L. Ricci, Proceedings of the 16th International Conference on Algorithms and Architectures for Parallel Processing (ICA3PP 2016), Spain, December 2016.

Bibliography

[1] Nabil M. Al-Rousan and Ljiljana Trajković. “Machine learning models for classification of BGP anomalies”. In: 2012 IEEE 13th International Conference on High Performance Switching and Routing. IEEE, 2012, pp. 103–108.
[2] Hitesh Ballani, Paul Francis, and Xinyang Zhang. “A study of prefix hijacking and interception in the Internet”. In: ACM SIGCOMM Computer Communication Review 37.4. ACM, 2007, pp. 265–276.
[3] Paolo Barsocchi et al. “Monitoring elderly behavior via indoor position-based stigmergy”. In: Pervasive and Mobile Computing 23 (2015), pp. 26–42.
[4] Ulrik Brandes and Daniel Fleischer. Centrality measures based on current flow. Springer, 2005.
[5] Randy Bush and Rob Austein. “The RPKI/Router Protocol”. In: work in progress (Internet Draft) (2011).
[6] RIPE Network Coordination Center. RIPE Routing Information Service. 2014.
[7] Hyunseok Chang et al. “Towards Capturing Representative AS-level Internet Topologies”. In: Comput. Netw. 44.6 (2004), pp. 737–755.
[8] Michalis Faloutsos, Petros Faloutsos, and Christos Faloutsos. “On Power-law Relationships of the Internet Topology”. In: Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication. SIGCOMM ’99. 1999, pp. 251–262.
[9] Lixin Gao. “On inferring autonomous system relationships in the Internet”. In: IEEE/ACM Transactions on Networking (ToN) 9.6 (2001), pp. 733–745.
[10] Pietro Giardina et al. “Isolario: a Do-ut-des Approach to Improve the Appeal of BGP Route Collecting”. In: ().
[11] Geoffrey Goodell et al. “Working around BGP: An Incremental Approach to Improving Security and Accuracy in Interdomain Routing”. In: NDSS. 2003.
[12] Enrico Gregori et al. “BGP and inter-AS economic relationships”. In: International Conference on Research in Networking. Springer, 2011, pp. 54–67.
[13] Chris Hall et al. “Resilience of the internet interconnection ecosystem”. In: Economics of Information Security and Privacy III. Springer, 2013, pp. 119–148.
[14] Rahul Hiran, Niklas Carlsson, and Phillipa Gill. “Characterizing large-scale routing anomalies: A case study of the China Telecom incident”. In: International Conference on Passive and Active Network Measurement. Springer, 2013, pp. 229–238.
[15] Ralph Holz et al. “HEAP: Reliable assessment of BGP subprefix hijacking attacks”. In: IEEE Journal on Selected Areas in Communications 34.6 (2016), pp. 1849–1861.
[16] Cheng Jin, Qian Chen, and Sugih Jamin. “Inet: Internet topology generator”. In: (2000).
[17] Stephen Kent, Charles Lynn, and Karen Seo. “Secure border gateway protocol (S-BGP)”. In: IEEE Journal on Selected Areas in Communications 18.4 (2000), pp. 582–592.
[18] Barry M. Leiner et al. “A brief history of the Internet”. In: ACM SIGCOMM Computer Communication Review 39.5 (2009), pp. 22–31.
[19] Matthew Lepinski. “BGPSEC protocol specification”. In: (2015).
[20] Alessandro Lulli et al. “Distributed Current Flow Betweenness Centrality”. In: Self-Adaptive and Self-Organizing Systems (SASO), 2015 IEEE 9th International Conference on. IEEE, 2015, pp. 71–80.
[21] M. Bertolucci, E. Carlini, P. Dazzi, A. Lulli, and L. Ricci. “Static and Dynamic Big Data Partitioning on Apache Spark”. In: (2015), pp. 489–498.
[22] Damien Magoni and Jean Jacques Pansiot. “Analysis of the autonomous system network topology”. In: ACM SIGCOMM Computer Communication Review 31.3 (2001), pp. 26–37.
[23] Sandra L. Murphy. BGP Security Vulnerabilities Analysis. RFC 4272. 2013.
[24] Mark E. J. Newman. “A measure of betweenness centrality based on random walks”. In: Social Networks 27.1 (2005), pp. 39–54.
[25] James Ng et al. Extensions to BGP to support secure origin BGP (soBGP). Tech. rep. Internet Draft, Apr. 2004.
[26] Ola Nordström and Constantinos Dovrolis. “Beware of BGP attacks”. In: ACM SIGCOMM Computer Communication Review 34.2 (2004), pp. 1–8.
[27] Number of connected devices worldwide. http://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/.
[28] Ricardo Oliveira et al. BGP Monitoring projects such as RouteViews and RIPE RIS.
[29] Ricardo Oliveira et al. “The (in)Completeness of the Observed Internet AS-level Structure”. In: IEEE/ACM Trans. Netw. 18.1 (2010), pp. 109–122.
[30] H. Van Dyke Parunak. “A survey of environments and mechanisms for human-human stigmergy”. In: International Workshop on Environments for Multi-Agent Systems. Springer, 2005, pp. 163–186.
[31] Q. Vohra and E. Chen. BGP Support for Four-octet AS Number Space. RFC 4893. 2007, pp. 1–8. URL: https://www.rfc-editor.org/rfc/rfc4893.txt.
[32] Y. Rekhter, T. Li, and S. Hares. RFC 4271: A Border Gateway Protocol 4 (BGP-4). Tech. rep. IETF, 2006. URL: www.ietf.org/rfc/rfc4271.txt.
[33] Alessandro Ricci et al. “Cognitive Stigmergy: Towards a Framework Based on Agents and Artifacts”. In: Environments for Multi-Agent Systems III: Third International Workshop, E4MAS 2006, Hakodate, Japan, May 8, 2006, Selected Revised and Invited Papers. Ed. by Danny Weyns, H. Van Dyke Parunak, and Fabien Michel. Springer Berlin Heidelberg, 2007, pp. 124–140.
[34] RIPE NCC. YouTube Hijacking: A RIPE NCC RIS case study (2008). 2009.
[35] Matthew Roughan et al. “10 lessons from 10 years of measuring and modeling the Internet's autonomous systems”. In: IEEE Journal on Selected Areas in Communications 29.9 (2011), pp. 1810–1821.
[36] Johann Schlamp et al. “CAIR: Using Formal Languages to Study Routing, Leaking, and Interception in BGP”. In: arXiv preprint arXiv:1605.00618 (2016).
[37] Xingang Shi et al. “Detecting Prefix Hijackings in the Internet with Argus”. In: Proceedings of the 2012 ACM Conference on Internet Measurement Conference. IMC ’12. ACM, 2012, pp. 15–28.
[38] Taeshik Shon et al. “A machine learning framework for network anomaly detection using SVM and GA”. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop. IEEE, 2005, pp. 176–183.
[39] Walter Willinger, David Alderson, and John C. Doyle. Mathematics and the Internet: A source of enormous confusion and great potential. Defense Technical Information Center, 2009.
[40] Yang Xiang et al. “Argus: An accurate and agile system to detecting IP prefix hijacking”. In: 2011 19th IEEE International Conference on Network Protocols. IEEE, 2011, pp. 43–48.
[41] Beichuan Zhang et al. “Collecting the Internet AS-level Topology”. In: SIGCOMM Comput. Commun. Rev. 35.1 (2005), pp. 53–61. ISSN: 0146-4833.
[42] Xiaoliang Zhao et al. “An analysis of BGP multiple origin AS (MOAS) conflicts”. In: Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement. ACM, 2001, pp. 31–35.
[43] Rostom Zouaghi et al. Interdomain Routing Security (BGP-4): A Comparison between S-BGP and soBGP. 2009.