APNIC2018
Real-Time BGP Anomaly
Detection Tool (RTBADT)
Associate Professor Philip Branch
Faculty of Science, Engineering and Technology
Outline of Talk
• Project overview
• Border Gateway Protocol (BGP)
• Characteristics of BGP Traffic
• Recurrence Quantification Analysis (RQA)
• Using RQA to detect BGP anomalies
• Real-Time Detection of anomalies using RTBADT
Project Overview
• RTBADT came out of Dr Bahaa Al-Musawi’s research work for
his PhD
• Was interested in detecting disruptive behaviour of BGP
nodes
• Made use of a technique from non-linear time series analysis
called Recurrence Quantification Analysis
• RTBADT is a software implementation of his research
• Available at
http://caia.swin.edu.au/tools/bgp/brt/downloads.html
• Approach is lightweight and easy to implement
The Border Gateway Protocol (BGP)
• A routing protocol for reachability information between
Autonomous Systems (AS)
• A path vector protocol
• BGP Speakers
• BGP Peers
• Very few defensive mechanisms
• Events are rare but can be very damaging when they occur
BGP Traffic Characteristics
• BGP generates much more traffic than would be expected
• BGP events should be directly related to some change in the
underlying topology or network engineering decision
• Most BGP traffic unrelated to such events
• BGP traffic dominated by an announcement followed soon
after by a withdrawal
• No single cause
• Overlapping addresses, interaction of timer flags…
• Some early studies (1990s) suggested more than 90% of BGP
traffic is of this type
BGP Traffic Characteristics
BGP Anomaly Detection
• If most traffic is unrelated to topology changes or network
engineering, what then is a BGP anomaly?
• In this sense, the vast majority of BGP traffic is ‘anomalous’
• How then to determine what is anomalous?
• Why might we want to detect BGP anomalies?
• BGP failures are rare but tend to be devastating when they occur
• TMNet event, Moscow Blackout, DoDo Telstra, Pakistan
YouTube hijack…
• Rapid identification of changes in traffic behaviour as an indicator of
a serious event
BGP Anomaly Detection
• BGP Traffic does have some structure
• It is not ‘noise’ in the traditional sense of the word
• That structure can be used to identify true anomalies that may indicate
a destructive event
• BGP background traffic is persistent
• Our analysis shows that some AS have generated the same
sequences of announcement and withdrawal for years
• BGP background traffic is recurrent
• The patterns of announcements and withdrawals recur
• Our analysis shows it consists of unsynchronised announcements and
withdrawals of different periods
Recurrence Quantification Analysis
• Systems where there is some recurring
sequence of events can be analysed
using Recurrence Quantification
Analysis (RQA)
• RQA models a system as having a
trajectory through a multidimensional
phase space
• Can obtain some measure of the
extent to which a system state recurs
• Large number of metrics including
• Recurrence Rate
• Determinism
• Entropy
• Trapping Time
From mathworks.com
Applying RQA to BGP
• BGP is well modelled using
RQA
• Update volumes and path
lengths have a recurrent pattern
• Path announcements and
withdrawals also usually have
(perhaps several) recurrent
sequences.
• This behaviour can be captured
using RQA
• Deviations from it probably
indicate some disruptive event
Applying RQA to BGP
• RQA is based on
measuring structures within
a Recurrence Plot (RP)
• An RP captures the
recurring behaviour of a
system
• Shown is an RP for the top ten
noisy Autonomous Systems
• (from Al-Musawi, Branch, Armitage, “Detecting
BGP Instability using Recurrence Quantification
Analysis (RQA)”, IPCC, December 2016)
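The four RQA measures named in the slides (recurrence rate, determinism, entropy, trapping time), computed from a recurrence plot of a BGP update-count series and compared window by window. This is an added example, not RTBADT code and not the TISEAN routines; the constructed series, the window size, the threshold rule and all function names are assumptions made for illustration.

```python
import math

def embed(series, dim=3, delay=1):
    """Time-delay embedding: scalar series -> points on a phase-space trajectory."""
    n = len(series) - (dim - 1) * delay
    return [tuple(series[i + k * delay] for k in range(dim)) for i in range(n)]

def recurrence_matrix(points, eps):
    """R[i][j] = 1 when states i and j lie within eps (max norm); main diagonal zeroed."""
    n = len(points)
    return [[int(i != j and max(abs(a - b) for a, b in zip(points[i], points[j])) <= eps)
             for j in range(n)] for i in range(n)]

def runs(bits):
    """Lengths of maximal runs of 1s in a sequence of 0/1 values."""
    out, run = [], 0
    for b in bits:
        if b:
            run += 1
        elif run:
            out.append(run)
            run = 0
    if run:
        out.append(run)
    return out

def rqa(series, eps=0.5, dim=3, delay=1, lmin=2):
    """Recurrence rate, determinism, entropy and trapping time for one window."""
    pts = embed(series, dim, delay)
    n = len(pts)
    R = recurrence_matrix(pts, eps)
    # Diagonal lines: upper triangle only, because the plot is symmetric.
    diag = [l for k in range(1, n) for l in runs(R[i][i + k] for i in range(n - k))]
    # Vertical lines: one pass down every column.
    vert = [l for j in range(n) for l in runs(R[i][j] for i in range(n))]
    recurrent = sum(diag)
    rr = recurrent / (n * (n - 1) / 2)                 # density of recurrent points
    long_diag = [l for l in diag if l >= lmin]
    # Share of recurrent points on diagonal lines; 0.0 when nothing recurs at all.
    det = sum(long_diag) / recurrent if recurrent else 0.0
    entr = 0.0                                         # Shannon entropy of line lengths
    for length in set(long_diag):
        p = long_diag.count(length) / len(long_diag)
        entr -= p * math.log(p)
    long_vert = [l for l in vert if l >= lmin]
    tt = sum(long_vert) / len(long_vert) if long_vert else 0.0
    return {"RR": rr, "DET": det, "ENTR": entr, "TT": tt}

def background(t):
    # Constructed: two unsynchronised announce/withdraw sources, periods 3 and 4.
    return (1 if t % 3 == 0 else 0) + (2 if t % 4 == 0 else 0)

def sample_series():
    """Constructed update counts per interval: recurrent background, surge in 100..149."""
    series = []
    for t in range(200):
        count = background(t)
        if 100 <= t < 150:
            count += 20 + 4 * ((t - 100) * 17 % 50)    # non-repeating surge values
        series.append(count)
    return series

def detect(series, window=50, det_tol=0.2, rr_factor=2.0):
    """Flag windows whose DET or RR departs from the first (baseline) window.

    The threshold rule is an assumption for this example, not RTBADT's alarm logic.
    """
    starts = range(0, len(series) - window + 1, window)
    measures = [rqa(series[s:s + window]) for s in starts]
    base = measures[0]
    flags = []
    for m in measures:
        det_shift = abs(m["DET"] - base["DET"]) > det_tol
        rr_shift = not (base["RR"] / rr_factor <= m["RR"] <= base["RR"] * rr_factor)
        flags.append(det_shift or rr_shift)
    return measures, flags

if __name__ == "__main__":
    measures, flags = detect(sample_series())
    for index, (m, flag) in enumerate(zip(measures, flags)):
        print(index, {k: round(v, 4) for k, v in m.items()}, "ANOMALY" if flag else "ok")
```

Exact matching (`eps=0.5` on integer counts) works only because the constructed background is noise-free; on a live feed the threshold has to be tuned to the variability of the series.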
Real Time BGP Anomaly Detection Tool
• Implemented these ideas in software
• Real-Time BGP Anomaly Detection Tool (RTBADT)
• http://caia.swin.edu.au/tools/bgp/brt/downloads.html
• A system made up of scripts and modules to extract RQA
measurements and present them in graphical or text form
Real Time BGP Anomaly Detection Tool
• Perl, bash, gnuplot
• Uses the TISEAN package for RQA routines
• TISEAN = “Non Linear Time Series Analysis”
• Takes as input BGP updates from BGP speaker
• Includes email notification capabilities
• Lots of options
• Can scan peer Autonomous System or Systems
• Can replay events
• Can present in graphical or text form
Real Time BGP Anomaly Detection Tool
• A simple example of using RTBADT to monitor the peer
AS65002
• Enables the options of sending an e-mail notification when an
anomaly is detected and enabling a real-time plot of BGP
features and alarm detection
• Very lightweight and easy to use
Example
Conclusion
• Developed software that implements some of our research
work in applying RQA to BGP
• Can replay events
• Can display RQA measurements in graphical or text form
Acknowledgment
We gratefully acknowledge support from the “APNIC Internet
Operations Research Grant” under the ISIF Asia 2016 grant
scheme

RBADT: An RQA Based BGP Anomaly Detection Tool
