Public Review for An Internet Routing Forensics Framework for Discovering Rules of Abnormal BGP Events
- ISSN: 01464833
- DOI: 10.1145/1096536.1096542
Abstract
Abnormal BGP events such as attacks, misconfigurations, and electricity failures can cause anomalous or pathological routing behavior at either the global level or the prefix level, and thus must be detected in their early stages. Instead of using ad hoc methods to analyze BGP data, in this paper we introduce an Internet Routing Forensics framework to systematically process BGP routing data, discover rules of abnormal BGP events, and apply these rules to detect the occurrences of these events. In particular, we leverage data mining techniques to train the framework to learn rules of abnormal BGP events, and our results from two case studies show that these rules are effective. In one case study, rules of worm events discovered from the BGP data during the outbreaks of the CodeRed and Nimda worms were able to successfully detect worm impact on BGP when an independent worm, the Slammer, subsequently occurred. Similarly, in another case study, rules of electricity blackout events obtained using BGP data from the 2003 East Coast blackout were able to detect the BGP impact from the Florida blackout caused by Hurricane Frances in 2004.
Public Review for An Internet Routing Forensics Framework for Discovering Rules of Abnormal BGP Events
Jun Li, Dejing Dou, Zhen Wu, Shiwoong Kim, and Vikash Agarwal
There is an emergent interest in using statistical and Machine Learning techniques to mine network data. Papers that use neural networks, Bayesian analysis, SVM, and PCA are increasingly common. They aim to move beyond direct measurements to more sophisticated tasks such as anomaly detection or root cause analysis. Though it might take some time before this area of research matures, the initial results are promising and deserve to be encouraged.
This paper uses BGP updates to detect Internet anomalies. The paper formalizes the problem as a multi-label classification, where the labels are: normal, blackout, worm, misconfiguration. The objective is to tag a BGP event (i.e., a series of BGP updates) with one of these labels. The paper discusses a set of relevant features such as the number of withdrawals, the number of announcements of a recently withdrawn prefix, etc. It shows that combinations of these features can be used effectively to distinguish worm and blackout events from normal events.
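As an added illustration of the feature-based approach described above (example code written for this page, not from the paper or the review): a Python sketch that bins a constructed BGP update stream into time windows, computes the two features the review names (withdrawals, and announcements of a recently withdrawn prefix), and applies a hypothetical threshold rule. The bin size, the "recent" window and the thresholds are assumptions, not the paper's learned rules.

```python
from dataclasses import dataclass

# Constructed sample stream: (timestamp_seconds, kind, prefix), where kind is
# "A" (announcement) or "W" (withdrawal). Not real BGP data.
SAMPLE_UPDATES = [
    (0, "A", "10.0.0.0/8"), (5, "A", "192.0.2.0/24"),
    (65, "W", "192.0.2.0/24"), (70, "A", "192.0.2.0/24"),
    (120, "W", "10.0.0.0/8"), (121, "W", "192.0.2.0/24"),
    (122, "W", "198.51.100.0/24"), (125, "A", "10.0.0.0/8"),
    (130, "A", "192.0.2.0/24"), (140, "A", "198.51.100.0/24"),
]

@dataclass
class BinFeatures:
    start: int               # start of the time bin (seconds)
    announcements: int = 0   # all announcements in the bin
    withdrawals: int = 0     # all withdrawals in the bin
    reannounced: int = 0     # announcements of a prefix withdrawn within recent_window

def extract_features(updates, bin_size=60, recent_window=30):
    """Bin updates into fixed windows and compute per-bin feature counts.
    recent_window: seconds after a withdrawal during which a re-announcement
    still counts as 'announcement of a recently withdrawn prefix'."""
    bins = {}
    last_withdrawn = {}  # prefix -> timestamp of its most recent withdrawal
    for ts, kind, prefix in sorted(updates):
        start = ts // bin_size * bin_size
        b = bins.setdefault(start, BinFeatures(start))
        if kind == "W":
            b.withdrawals += 1
            last_withdrawn[prefix] = ts
        elif kind == "A":
            b.announcements += 1
            t_w = last_withdrawn.get(prefix)
            if t_w is not None and ts - t_w <= recent_window:
                b.reannounced += 1
    return [bins[k] for k in sorted(bins)]

def label_bin(f, withdrawal_threshold=3, reannounce_threshold=2):
    """Hypothetical rule (assumption, not the paper's): a bin with a burst of
    withdrawals followed by re-announcements of the same prefixes is 'abnormal'."""
    if f.withdrawals >= withdrawal_threshold and f.reannounced >= reannounce_threshold:
        return "abnormal"
    return "normal"

if __name__ == "__main__":
    for f in extract_features(SAMPLE_UPDATES):
        print(f.start, f.announcements, f.withdrawals, f.reannounced, label_bin(f))
```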
Though the paper is innovative and interesting to read, the value of the reported performance results is limited. The results in the paper focus on detecting normal BGP behavior from an abnormal behavior caused by either a major worm or a blackout. In practice, this task is fairly simple and usually does not require any advanced statistical techniques. The paper would have been much stronger if it focused on distinguishing various abnormalities from one another - i.e., can we identify whether an abnormal BGP event is caused by a worm, a blackout, or a misconfiguration? Yet, to answer this question, one needs a potentially large number of labeled examples of worm, blackout, and misconfiguration events. Unfortunately, the number of known such events is relatively small, making it hard to come up with a robust classifier.
Public review written by Dina Katabi, MIT, Cambridge, Massachusetts, USA
ACM SIGCOMM Computer Communication Review, Volume 35, Number 5, October 2005, p. 55