IP Prefix Hijack Detection Using BGP Attack Signatures and Connectivity Tracking |
In spite of significant on-going research, the Border Gateway Protocol (BGP) still suffers vulnerability issues specially regarding impersonating the ownership of IP prefixes of ASes (Autonomous Systems). In this context, a number of research studies focused on securing the BGP through historical-based and statistical-based behavioural models. This paper proposes a novel method aiming to detect IP prefix hijacking incidents based on tracking the behaviour of suspicious ASes. The detection method uses signaturebased technique as a pre- process phase to separate suspicious announces (BGP updates) from benign announces. From a processing perspective, the outputs of signature-based algorithm are used as inputs for the detection method. Nine feature will be extracted from the ASpath attributes of potentially suspicious ASes. The features are considered a combination of the behavioral characteristics of the routers in relation to their connectivity. Based on these features and the best five supervised learning classifiers, we identify the hijacks. Under different learning algorithms, the detection method is able to detect the hijacks with a high accuracy especially with J48, which can detect the hijacks with 96%.
Alshamrani H, Ghita BV