ELISHA: A Visual-Based Anomaly Detection System - PowerPoint PPT Presentation

About This Presentation

Title: ELISHA: A Visual-Based Anomaly Detection System
Last modified by: S. Felix Wu
Slides: 27
Provided by: webCsUcd

Transcript and Presenter's Notes

1
ELISHA: A Visual-Based Anomaly Detection System
2
Outline
  • Visual-based Anomaly Detection
  • The BGP/MOAS Problem
  • ELISHA and demo
  • Conclusion/Future Works

3
A Few Research Objectives
  • Limitations on anomaly detection
      • We need to convey the alerts (or an abstraction of them) to
        the human users or experts
      • Not only detect the problem, but also, via an interactive
        process, find out more about it
  • Root cause analysis
  • Event correlation
  • Human versus machine intelligence

4
Visual-based Anomaly Detection
  • Utilize humans' cognitive pattern-matching capability together
    with techniques from information visualization
  • Visual anomalies: something catches your eye

5
An Interactive Process
  • Methodology: build an interactive interface between the network
    management data and the operators, so that they can visualize
    the data
  • Features that help operators quickly perceive anomalies

6
BGP Autonomous Systems
Figure labels: AS6192 (UCDavis), AS11423 (UC), AS11537 (CENIC), prefix 169.237/16
7
Presenter's notes on the ASes in the paths:
  • 6192: UCDavis
  • 11423: UC, the origin ID is CENIC
  • 11537: administered by University Corporation for Advanced Internet
    Development, origin ID UCAID-1
  • 513: administered by CERN - European Organization for Nuclear Research
  • 3356: administered by Level 3 Communications, LLC, origin ID L3CL-1
  • 6461: administered by Abovenet Communications, Inc.
  • 13129: RIPE Network Coordination Centre
  • 209: administered by Qwest, origin ID QWEST-4
  • 3320: RIPE Network Coordination Centre
  • 9177: administered by NEXTRANET, T-Systems Multilink AG, Switzerland
  • 4637, 1221 and 4608: administered by APNIC, but I can't find who they
    are in the APNIC whois database
  • 3549: administered by Global Crossing, located in Phoenix, AZ
  • 3257, 3333 and 1103: RIPE Network Coordination Centre
  • 2914: administered by Verio, Inc.
  • 7018: administered by AT&T
8
Origin AS in an AS Path
  • UCDavis (AS-6192) owns 169.237/16, and AS-6192 is the origin AS:
    the last AS on each path
  • AS path: 2194 → 209 → 11423 → 6192
  • AS paths observed for 169.237/16:
      • 12654 513 11537 11423 6192
      • 12654 13129 6461 3356 11423 6192
      • 12654 9177 3320 209 11423 6192
      • 12654 4608 1221 4637 11423 6192
      • 12654 777 2497 209 11423 6192
      • 12654 3549 3356 11423 6192
      • 12654 3257 3356 11423 6192
      • 12654 1103 11537 11423 6192
      • 12654 3333 3356 11423 6192
      • 12654 7018 209 11423 6192
      • 12654 2914 209 11423 6192
      • 12654 3549 209 11423 6192
  • Observation points in the Internet collecting BGP AS path updates:
    RIPE AS-12654 (the first AS on every path above)

9
BGP MOAS/OASC Events
  • Observable changes in IP address ownership
  • OASC: Origin AS Changes
  • Example 1: multiple ASes announce the same block of IP addresses
      • MOAS stands for Multiple Origin AS
  • Example 2: punching holes in the address space
      • AS-7777 announced 169.237.6/24, a more specific prefix inside
        UCDavis's 169.237/16
      • May be legitimate or faulty
  • Many different types of MOAS/OASC events

10
BGP MOAS/OASC Events
Chart of daily MOAS/OASC event counts. Max 10226 (9177 from a single AS)
11
ELISHA/MOAS
  • Low-level events: BGP route updates
  • High-level events: MOAS/OASC
      • Still around 1000 per day, and up to 10226 in one day
  • IP address blocks
  • Origin AS in BGP update messages
  • Different types of MOAS conflicts

12
Quad-Tree Representation
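The slide above is image-only. As an added illustration, not ELISHA's code and not a description of its exact cell layout (which the slides do not give), the following Python maps an IPv4 prefix onto a quad-tree cell: each level of the tree consumes two address bits and selects one of four quadrants, so a /16 lands at depth 8, a /24 at depth 12, and a more-specific prefix always falls inside the cell of the prefix that covers it. The quadrant ordering (bit pair q maps to quadrant (x, y) = (q & 1, q >> 1)), the shorthand expansion of "169.237/16", and the canvas helper are my assumptions.

```python
"""Quad-tree placement of IPv4 prefixes (added example; layout is assumed, not ELISHA's)."""
import ipaddress
from typing import Tuple

Cell = Tuple[int, int, int]  # (depth, x, y): cell coordinates at that depth


def expand_prefix(short: str) -> ipaddress.IPv4Network:
    """Expand slide-style shorthand such as '169.237/16' into a full network."""
    addr, _, length = short.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # pad missing trailing octets with zeros
    # strict=False tolerates host bits set in the written address
    return ipaddress.ip_network(f"{'.'.join(octets)}/{length}", strict=False)


def prefix_to_cell(short: str) -> Cell:
    """Map a prefix to its quad-tree cell.

    Level k of the tree consumes address bits 2k and 2k+1 (counted from the
    most significant end); the 2-bit value q selects quadrant
    (x, y) = (q & 1, q >> 1). A /2n prefix therefore identifies exactly one
    cell at depth n (assumed layout).
    """
    net = expand_prefix(short)
    if net.prefixlen % 2:
        raise ValueError("odd prefix length spans two sibling cells; use an even length")
    depth = net.prefixlen // 2
    bits = int(net.network_address)
    x = y = 0
    for level in range(depth):
        q = (bits >> (30 - 2 * level)) & 0b11
        x = (x << 1) | (q & 1)
        y = (y << 1) | (q >> 1)
    return depth, x, y


def cell_contains(outer: Cell, inner: Cell) -> bool:
    """True if inner lies within outer (a more-specific prefix nests in its parent's cell)."""
    outer_depth, ox, oy = outer
    inner_depth, ix, iy = inner
    if inner_depth < outer_depth:
        return False
    shift = inner_depth - outer_depth
    return (ix >> shift) == ox and (iy >> shift) == oy


def cell_rect(cell: Cell, canvas_depth: int = 12) -> Tuple[int, int, int]:
    """Pixel rectangle (x0, y0, side) of a cell on a square canvas of 2**canvas_depth pixels."""
    depth, x, y = cell
    if depth > canvas_depth:
        raise ValueError("cell is finer than the canvas resolution")
    side = 1 << (canvas_depth - depth)
    return x * side, y * side, side


if __name__ == "__main__":
    block = prefix_to_cell("169.237/16")    # UCDavis's block from the slides
    hole = prefix_to_cell("169.237.6/24")   # the /24 that AS-7777 announced inside it
    print(block, hole, cell_contains(block, hole), cell_rect(block))
```

Because a /24 punched into a /16 lands in a sub-cell of the /16's cell, colouring the two by origin AS puts the "hole" visually inside the owner's block, which is what makes that class of event easy to spot by eye.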
13
MOAS Event Types
  • Using different colors to represent types of MOAS events
  • C type: CSS, CSM, CMS, CMM
  • H type: H
  • B type: B
  • O type: OS, OM

14
Example: CSM (Change S→M)
Figure labels: victim, one CSM instance, suspect
15
AS-7777 Punched a Hole
Which AS against which, and for which address blocks?
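Slides 8, 9, 13 and 15 together describe how the origin AS is read from the tail of each AS path and how the C-type and H-type MOAS/OASC events are named. The Python below is an added example, not ELISHA's code, that implements that reading: a C event fires when a known prefix's origin set changes, with S/M recording whether the old and new sets were single or multiple (the slides expand only CSM as "Change S→M"; the other three follow the same pattern), and an H event fires when a more-specific prefix appears whose origin is not among the origins of the prefix that covers it (the AS-7777 hole). B and O types are not defined on the slides and are left out. The paths ending in 6192 are from slide 8; the paths ending in 7777 and the update order are constructed.

```python
"""Origin-AS extraction and C/H MOAS/OASC event classification (added example)."""
import ipaddress
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Origins = FrozenSet[int]
Event = Tuple[str, str, str]  # (event type, prefix, detail)


def origins_from_paths(as_paths: Iterable[str]) -> Origins:
    """The origin AS is the last AS on a path; the set over all paths is the origin set."""
    return frozenset(int(path.split()[-1]) for path in as_paths)


def _s_or_m(origins: Origins) -> str:
    return "S" if len(origins) == 1 else "M"


class OASCDetector:
    """Tracks the origin-AS set per prefix and emits C-type and H-type events.

    Assumed semantics: Cxy = the origin set of an already-known prefix changed
    from x to y (S single, M multiple); H = a new, more-specific prefix appeared
    whose origins are not all among the origins of the longest covering prefix.
    """

    def __init__(self) -> None:
        self.table: Dict[ipaddress.IPv4Network, Origins] = {}

    def covering(self, net: ipaddress.IPv4Network) -> Optional[ipaddress.IPv4Network]:
        """Longest known prefix that strictly contains net, or None."""
        best = None
        for known in self.table:
            if known.prefixlen < net.prefixlen and net.subnet_of(known):
                if best is None or known.prefixlen > best.prefixlen:
                    best = known
        return best

    def observe(self, prefix: str, as_paths: Iterable[str]) -> List[Event]:
        """Feed one prefix with the AS paths currently seen for it; return any events."""
        net = ipaddress.ip_network(prefix)
        new = origins_from_paths(as_paths)
        events: List[Event] = []
        old = self.table.get(net)
        if old is None:
            parent = self.covering(net)
            if parent is not None and not new <= self.table[parent]:
                owner = self.table[parent]
                events.append(("H", prefix,
                               f"origin {sorted(new)} inside {parent} of {sorted(owner)}"))
        elif old != new:
            events.append((f"C{_s_or_m(old)}{_s_or_m(new)}", prefix,
                           f"{sorted(old)} -> {sorted(new)}"))
        self.table[net] = new
        return events


def run_sample() -> List[Event]:
    """Replay a constructed update sequence for UCDavis's block."""
    det = OASCDetector()
    ucd = ["12654 513 11537 11423 6192", "12654 3549 3356 11423 6192"]  # from slide 8
    hole = ["12654 209 7777"]  # constructed path ending in the suspect AS
    feed = [
        ("169.237.0.0/16", ucd),          # owner announces, single origin
        ("169.237.0.0/16", ucd),          # repeat: no event
        ("169.237.6.0/24", hole),         # constructed: AS7777 punches a hole -> H
        ("169.237.0.0/16", ucd + hole),   # constructed: 7777 also claims the /16 -> CSM
        ("169.237.0.0/16", hole),         # constructed: only 7777 left -> CMS
        ("169.237.0.0/16", ucd),          # constructed: owner alone again -> CSS
    ]
    events: List[Event] = []
    for prefix, paths in feed:
        events.extend(det.observe(prefix, paths))
    return events


if __name__ == "__main__":
    for kind, prefix, detail in run_sample():
        print(f"{kind:4} {prefix:18} {detail}")
```

In the slides' vocabulary the "victim" is the origin of the covering prefix and the "suspect" is the new origin; whether an H or CSM event is a hijack or a legitimate multi-homing or delegation change is exactly what the interactive drill-down is meant to help the operator decide.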
16
Interesting ASes to watch
  • AS7777
      • August 14, 2000: H, OS
  • AS15412
      • April 6-19, 2001: CSM, CMS
  • AS4740
      • August 18, 2001: CSM, CMS
      • September 27, 2001: CSM, CMS
  • AS701
      • May 02, 2001: H (63.0/10)
      • 00 11 11 11 00 March 1, 2000, July 11, 200, September 26, 2001...
  • AS64518 (a private-use AS number)
      • September 18, 2001 (Nimda): H-type events from many ASes

17
Demo time!!
18
Demo screenshots: 08/14/2000 and 04/2001
19
Remarks
  • Preliminary but encouraging results
  • Root cause analysis
  • Event correlation
  • Integration of information visualization, an interactive
    investigation process, and data mining
  • Examining several other problems:
      • BGP route path dynamics and stability
      • TCP/IP and HTTP traffic
  • Availability (source code, papers, slides):
    http://www.cs.ucdavis.edu/wu/Elisha/
  • Sponsored by DARPA and NSF

20
August 14, 2000 (larger)
21
2-D versus 3-D on August 14, 2000
23
BGP AS Path Dynamics (1)
24
BGP AS Path Dynamics (2)
25
Address Appearing Frequency: Normal
26
Address Appearing Frequency: DDoS Attack