Feature extraction and visual feature fusion for the detection of concurrent prefix hijacks

Abstract

This paper presents a method for visualizing and analyzing Multiple Origin Autonomous System (MOAS) incidents on Border Gateway Protocol (BGP), for the purpose of detecting concurrent prefix hijack. Concurrent prefix hijacks happen when an unauthorized network originates prefixes that belong to multiple other networks. Towards the goal of accurately identifying such events, multiple features are extracted from the BGP records and visualized using parallel coordinates enhanced with visual querying capabilities. The proposed visual queries enable the analyst to select a significant subset of the initial dataset for further analysis, based on the values of multiple features. This procedure allows for the efficient visual fusion of the proposed features and the accurate identification of prefix hijacks. Most of the previous approaches on BGP hijack detection depend on static methods in order to fuse the information from multiple features and identify anomalies. The proposed visual feature fusion, however, allows the human operator to incorporate his expert knowledge into the analysis, so as to dynamically investigate the observed events, and accurately identify anomalies. The efficiency of the proposed approach is demonstrated on state-of-the-art BGP events.