SlideShare a Scribd company logo

RBADT: An RQA Based BGP Anomaly Detection Tool

APNIC
APNIC

This document summarizes a talk on RTBADT, a real-time BGP anomaly detection tool. It discusses how BGP traffic characteristics can indicate anomalies through recurrent patterns, and how recurrence quantification analysis (RQA) is applied to BGP data to detect deviations from normal behavior that may indicate disruptive events. The RTBADT software implements this approach of applying RQA to BGP updates to enable real-time anomaly detection and notification. An example of using RTBADT to monitor a peer autonomous system is also provided.

1 of 17
Download to read offline
APNIC2018 Real-Time BGP Anomaly Detection Tool (RTBADT) Associate Professor Philip Branch
Faculty of Science, Engineering and Technology Outline of Talk • Project overview • Border Gateway Protocol (BGP) • Characteristics of BGP Traffic • Recurrence Quantification Analysis (RQA) • Using RQA to detect BGP anomalies • Real-Time Detection of anomalies using RTBADT
Faculty of Science, Engineering and Technology Project Overview • RTBADT came out of Dr Bahaa Al-Musawi’s research work for his PhD • Was interested in detecting disruptive behaviour of BGP nodes • Made use of a technique from non-linear time series analysis called Recurrence Quantification Analysis • RTBADT is a software implementation of his research • Available at http://caia.swin.edu.au/tools/bgp/brt/downloads.html • Approach is lightweight and easy to implement
Faculty of Science, Engineering and Technology The Border Gateway Protocol (BGP) • A routing protocol for reachability information between Autonomous Systems (AS) • A path vector protocol • BGP Speakers • BGP Peers • Very few defensive mechanisms • Events are rare but can be very damaging when they occur 8-4
Faculty of Science, Engineering and Technology BGP Traffic Characteristics • BGP generates much traffic than would be expected • BGP events should be directly related to some change in the underlying topology or network engineering decision • Most BGP traffic unrelated to such events • BGP traffic dominated by an announcement followed soon after by a withdrawal • No single cause • Overlapping addresses, interaction of timer flags… • Some early studies (1990s) suggested more than 90% of BGP traffic is of this type
Faculty of Science, Engineering and Technology BGP Traffic Characteristics
Faculty of Science, Engineering and Technology BGP Anomaly Detection • If most traffic is unrelated to topology changes or network engineering, what then is a BGP anomaly? • In this sense, the vast majority of BGP traffic is ‘anomalous’ • How then to determine what is anomalous? • Why might we want to detect BGP anomalies • BGP failures are rare but tend to be devastating when they occur • TMNet event, Moscow Blackout, DoDo Telstra, Pakistan YouTube hijack… • Rapid identification of changes traffic behaviour an indicator of a serious event
Faculty of Science, Engineering and Technology BGP Anomaly Detection • BGP Traffic does have some structure • It is not ‘noise’ in the traditional sense of the word • That structure can be used to identify true anomalies that may indicate a destructive event • BGP background traffic is persistent • Our analysis shows that some AS have generated the same sequences of announcement and withdrawal for years • BGP background traffic is recurrent • The patterns of announcements and withdrawals recur • Our analysis shows it consists of unsynchronised announcements and withdrawals of different periods
Faculty of Science, Engineering and Technology Recurrence Quantification Analysis • Systems where there is some recurring sequence of events can be analysed using Recurrence Quantification Analysis (RQA) • RQA models a system as having a trajectory through a multidimensional phase space • Can obtain some measure of the extent to which a system state recurs • Large number of metrics including • Recurrence Rate • Determinism • Entropy • Trapping Time From mathworks.com
Faculty of Science, Engineering and Technology Applying RQA to BGP • BGP is well modelled using RQA • Update volumes and path lengths have a recurrent pattern • Path announcements and withdrawals also usually have (perhaps several) recurrent sequences. • This behaviour can be captured using RQA • Deviations from it probably indicate some disruptive event
Faculty of Science, Engineering and Technology Applying RQA to BGP • RQA is based on measuring structures within a Recurrence Plot (RP) • An RP captures the recurring behaviour of a system • Shown is an RP for top ten noisy Autonomous Systems • (from Al-Musawi, Branch, Armitage “Detecting BGP Instability using Recurrence Quantification Analysis (RQA), IPCC, December 2016
Faculty of Science, Engineering and Technology Real Time BGP Anomaly Detection Tool • Implemented these ideas in software • Real-Time BGP Anomaly Detection Tool (RTBADT) • http://caia.swin.edu.au/tools/bgp/brt/downloads.html • A system made up of scripts and modules to extract RQA measurements and present them in graphical or text form
Faculty of Science, Engineering and Technology Real Time BGP Anomaly Detection Tool • Perl, bash, gnuplot • Uses the TISEAN package for RQA routines • TISEAN = “Non Linear Time Series Analysis” • Takes as input BGP updates from BGP speaker • Includes email notification capabilities • Lots of options • Can scan peer Autonomous System or Systems • Can replay events • Can present in graphical or text
Faculty of Science, Engineering and Technology Real Time BGP Anomaly Detection Tool • A simple example of using RTBADT to monitor the peer AS65002 • Enables the options of sending an e-mail notification when an anomaly is detected and enabling a real-time plot of BGP features and alarm detection • Very light weight and easy to use
Faculty of Science, Engineering and Technology Example
Faculty of Science, Engineering and Technology Conclusion • Developed software that implements some of our research work in applying RQA to BGP • Can replay events • Can display RQA measurements in graphical or text form
Faculty of Science, Engineering and Technology Acknowledgment We gratefully acknowledge support from the “APNIC Internet Operations Research Grant“ under the ISIF Asia 2016 grant scheme

Recommended

Решения WANDL и NorthStar для операторов
Решения WANDL и NorthStar для операторовРешения WANDL и NorthStar для операторов
Решения WANDL и NorthStar для операторов
TERMILAB. Интернет - лаборатория
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
APNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC
 
Summit 16: The Hitchhiker/Hacker's Guide to NFV Benchmarking
Summit 16: The Hitchhiker/Hacker's Guide to NFV BenchmarkingSummit 16: The Hitchhiker/Hacker's Guide to NFV Benchmarking
Summit 16: The Hitchhiker/Hacker's Guide to NFV Benchmarking
OPNFV
 
Opentracing jaeger
Opentracing jaegerOpentracing jaeger
Opentracing jaeger
Oracle Korea
 
Distributed Tracing with Jaeger
Distributed Tracing with JaegerDistributed Tracing with Jaeger
Distributed Tracing with Jaeger
Inho Kang
 
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj UpadhayaInternet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
MyNOG
 
From Zero to Nextflow 2017
From Zero to Nextflow 2017From Zero to Nextflow 2017
From Zero to Nextflow 2017
Luca Cozzuto
 

Recommended

Решения WANDL и NorthStar для операторов
Решения WANDL и NorthStar для операторовРешения WANDL и NorthStar для операторов
Решения WANDL и NorthStar для операторов
TERMILAB. Интернет - лаборатория
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
APNIC
 
HKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC
 
Summit 16: The Hitchhiker/Hacker's Guide to NFV Benchmarking
Summit 16: The Hitchhiker/Hacker's Guide to NFV BenchmarkingSummit 16: The Hitchhiker/Hacker's Guide to NFV Benchmarking
Summit 16: The Hitchhiker/Hacker's Guide to NFV Benchmarking
OPNFV
 
Opentracing jaeger
Opentracing jaegerOpentracing jaeger
Opentracing jaeger
Oracle Korea
 
Distributed Tracing with Jaeger
Distributed Tracing with JaegerDistributed Tracing with Jaeger
Distributed Tracing with Jaeger
Inho Kang
 
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj UpadhayaInternet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
Internet Measurement Tools & Their Usefulness by Gaurab Raj Upadhaya
MyNOG
 
From Zero to Nextflow 2017
From Zero to Nextflow 2017From Zero to Nextflow 2017
From Zero to Nextflow 2017
Luca Cozzuto
 
Intro_to_data_analysis_sample_slides.pdf
Intro_to_data_analysis_sample_slides.pdfIntro_to_data_analysis_sample_slides.pdf
Intro_to_data_analysis_sample_slides.pdf
AshokGovindarajan1
 
Flowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection ToolFlowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection Tool
Ankur Tyagi
 
nextcomputing-cyberpro
nextcomputing-cyberpronextcomputing-cyberpro
nextcomputing-cyberpro
blabadini
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
APNIC
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performance
Steven Shim
 
Different Routing protocols
Different Routing protocolsDifferent Routing protocols
Different Routing protocols
Thesis Scientist Private Limited
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI Effectiveness
APNIC
 
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
Altinity Ltd
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC
 
Shantanu's Resume
Shantanu's ResumeShantanu's Resume
Shantanu's Resume
Shantanu Telharkar
 
PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006
Pace IT at Edmonds Community College
 
Introduction to NBL
Introduction to NBLIntroduction to NBL
Introduction to NBL
Fei Ji Siao
 
Analysis of video quality and end-to-end latency in WebRTC
Analysis of video quality and end-to-end latency in WebRTCAnalysis of video quality and end-to-end latency in WebRTC
Analysis of video quality and end-to-end latency in WebRTC
Boni García
 
Tutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness TroubleshootingTutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness Troubleshooting
APNIC
 
nextcomputing-packet-continuum
nextcomputing-packet-continuumnextcomputing-packet-continuum
nextcomputing-packet-continuum
blabadini
 
LinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data CenterLinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data Center
Shawn Zandi
 
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
Kazushi Yamashina
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
APNIC
 
#Fstoco - Monitoring and Instrumentation, why Tracing is Key
#Fstoco - Monitoring and Instrumentation, why Tracing is Key#Fstoco - Monitoring and Instrumentation, why Tracing is Key
#Fstoco - Monitoring and Instrumentation, why Tracing is Key
Jonah Kowall
 
Building a Router
Building a RouterBuilding a Router
Building a Router
Hannes Gredler
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 

More Related Content

Similar to RBADT: An RQA Based BGP Anomaly Detection Tool

Intro_to_data_analysis_sample_slides.pdf
Intro_to_data_analysis_sample_slides.pdfIntro_to_data_analysis_sample_slides.pdf
Intro_to_data_analysis_sample_slides.pdf
AshokGovindarajan1
 
Flowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection ToolFlowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection Tool
Ankur Tyagi
 
nextcomputing-cyberpro
nextcomputing-cyberpronextcomputing-cyberpro
nextcomputing-cyberpro
blabadini
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
APNIC
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performance
Steven Shim
 
Different Routing protocols
Different Routing protocolsDifferent Routing protocols
Different Routing protocols
Thesis Scientist Private Limited
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI Effectiveness
APNIC
 
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
Altinity Ltd
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC
 
Shantanu's Resume
Shantanu's ResumeShantanu's Resume
Shantanu's Resume
Shantanu Telharkar
 
PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006
Pace IT at Edmonds Community College
 
Introduction to NBL
Introduction to NBLIntroduction to NBL
Introduction to NBL
Fei Ji Siao
 
Analysis of video quality and end-to-end latency in WebRTC
Analysis of video quality and end-to-end latency in WebRTCAnalysis of video quality and end-to-end latency in WebRTC
Analysis of video quality and end-to-end latency in WebRTC
Boni García
 
Tutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness TroubleshootingTutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness Troubleshooting
APNIC
 
nextcomputing-packet-continuum
nextcomputing-packet-continuumnextcomputing-packet-continuum
nextcomputing-packet-continuum
blabadini
 
LinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data CenterLinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data Center
Shawn Zandi
 
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
Kazushi Yamashina
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
APNIC
 
#Fstoco - Monitoring and Instrumentation, why Tracing is Key
#Fstoco - Monitoring and Instrumentation, why Tracing is Key#Fstoco - Monitoring and Instrumentation, why Tracing is Key
#Fstoco - Monitoring and Instrumentation, why Tracing is Key
Jonah Kowall
 
Building a Router
Building a RouterBuilding a Router
Building a Router
Hannes Gredler
 

Similar to RBADT: An RQA Based BGP Anomaly Detection Tool (20)

Intro_to_data_analysis_sample_slides.pdf
Intro_to_data_analysis_sample_slides.pdfIntro_to_data_analysis_sample_slides.pdf
Intro_to_data_analysis_sample_slides.pdf
 
Flowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection ToolFlowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection Tool
 
nextcomputing-cyberpro
nextcomputing-cyberpronextcomputing-cyberpro
nextcomputing-cyberpro
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performance
 
Different Routing protocols
Different Routing protocolsDifferent Routing protocols
Different Routing protocols
 
NANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI EffectivenessNANOG 80: Measuring RPKI Effectiveness
NANOG 80: Measuring RPKI Effectiveness
 
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
 
Shantanu's Resume
Shantanu's ResumeShantanu's Resume
Shantanu's Resume
 
PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006
 
Introduction to NBL
Introduction to NBLIntroduction to NBL
Introduction to NBL
 
Analysis of video quality and end-to-end latency in WebRTC
Analysis of video quality and end-to-end latency in WebRTCAnalysis of video quality and end-to-end latency in WebRTC
Analysis of video quality and end-to-end latency in WebRTC
 
Tutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness TroubleshootingTutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness Troubleshooting
 
nextcomputing-packet-continuum
nextcomputing-packet-continuumnextcomputing-packet-continuum
nextcomputing-packet-continuum
 
LinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data CenterLinkedIn's Approach to Programmable Data Center
LinkedIn's Approach to Programmable Data Center
 
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
 
Routing Security Roadmap
Routing Security RoadmapRouting Security Roadmap
Routing Security Roadmap
 
#Fstoco - Monitoring and Instrumentation, why Tracing is Key
#Fstoco - Monitoring and Instrumentation, why Tracing is Key#Fstoco - Monitoring and Instrumentation, why Tracing is Key
#Fstoco - Monitoring and Instrumentation, why Tracing is Key
 
Building a Router
Building a RouterBuilding a Router
Building a Router
 

More from APNIC

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
APNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APNIC
 

More from APNIC (20)

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 

Recently uploaded

制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
ukwwuq
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
saathvikreddy2003
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
bseovas
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
Azure EA Sponsorship - Customer Guide.pdf
Azure EA Sponsorship - Customer Guide.pdfAzure EA Sponsorship - Customer Guide.pdf
Azure EA Sponsorship - Customer Guide.pdf
AanSulistiyo
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 

Recently uploaded (20)

制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
Azure EA Sponsorship - Customer Guide.pdf
Azure EA Sponsorship - Customer Guide.pdfAzure EA Sponsorship - Customer Guide.pdf
Azure EA Sponsorship - Customer Guide.pdf
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 

RBADT: An RQA Based BGP Anomaly Detection Tool

  • 1. APNIC2018 Real-Time BGP Anomaly Detection Tool (RTBADT) Associate Professor Philip Branch
  • 2. Faculty of Science, Engineering and Technology Outline of Talk • Project overview • Border Gateway Protocol (BGP) • Characteristics of BGP Traffic • Recurrence Quantification Analysis (RQA) • Using RQA to detect BGP anomalies • Real-Time Detection of anomalies using RTBADT
  • 3. Faculty of Science, Engineering and Technology Project Overview • RTBADT came out of Dr Bahaa Al-Musawi’s research work for his PhD • Was interested in detecting disruptive behaviour of BGP nodes • Made use of a technique from non-linear time series analysis called Recurrence Quantification Analysis • RTBADT is a software implementation of his research • Available at http://caia.swin.edu.au/tools/bgp/brt/downloads.html • Approach is lightweight and easy to implement
  • 4. Faculty of Science, Engineering and Technology The Border Gateway Protocol (BGP) • A routing protocol for reachability information between Autonomous Systems (AS) • A path vector protocol • BGP Speakers • BGP Peers • Very few defensive mechanisms • Events are rare but can be very damaging when they occur 8-4
  • 5. Faculty of Science, Engineering and Technology BGP Traffic Characteristics • BGP generates much traffic than would be expected • BGP events should be directly related to some change in the underlying topology or network engineering decision • Most BGP traffic unrelated to such events • BGP traffic dominated by an announcement followed soon after by a withdrawal • No single cause • Overlapping addresses, interaction of timer flags… • Some early studies (1990s) suggested more than 90% of BGP traffic is of this type
  • 6. Faculty of Science, Engineering and Technology BGP Traffic Characteristics
  • 7. Faculty of Science, Engineering and Technology BGP Anomaly Detection • If most traffic is unrelated to topology changes or network engineering, what then is a BGP anomaly? • In this sense, the vast majority of BGP traffic is ‘anomalous’ • How then to determine what is anomalous? • Why might we want to detect BGP anomalies • BGP failures are rare but tend to be devastating when they occur • TMNet event, Moscow Blackout, DoDo Telstra, Pakistan YouTube hijack… • Rapid identification of changes traffic behaviour an indicator of a serious event
  • 8. Faculty of Science, Engineering and Technology BGP Anomaly Detection • BGP Traffic does have some structure • It is not ‘noise’ in the traditional sense of the word • That structure can be used to identify true anomalies that may indicate a destructive event • BGP background traffic is persistent • Our analysis shows that some AS have generated the same sequences of announcement and withdrawal for years • BGP background traffic is recurrent • The patterns of announcements and withdrawals recur • Our analysis shows it consists of unsynchronised announcements and withdrawals of different periods
  • 9. Faculty of Science, Engineering and Technology Recurrence Quantification Analysis • Systems where there is some recurring sequence of events can be analysed using Recurrence Quantification Analysis (RQA) • RQA models a system as having a trajectory through a multidimensional phase space • Can obtain some measure of the extent to which a system state recurs • Large number of metrics including • Recurrence Rate • Determinism • Entropy • Trapping Time From mathworks.com
  • 10. Faculty of Science, Engineering and Technology Applying RQA to BGP • BGP is well modelled using RQA • Update volumes and path lengths have a recurrent pattern • Path announcements and withdrawals also usually have (perhaps several) recurrent sequences. • This behaviour can be captured using RQA • Deviations from it probably indicate some disruptive event
  • 11. Faculty of Science, Engineering and Technology Applying RQA to BGP • RQA is based on measuring structures within a Recurrence Plot (RP) • An RP captures the recurring behaviour of a system • Shown is an RP for top ten noisy Autonomous Systems • (from Al-Musawi, Branch, Armitage “Detecting BGP Instability using Recurrence Quantification Analysis (RQA), IPCC, December 2016
  • 12. Faculty of Science, Engineering and Technology Real Time BGP Anomaly Detection Tool • Implemented these ideas in software • Real-Time BGP Anomaly Detection Tool (RTBADT) • http://caia.swin.edu.au/tools/bgp/brt/downloads.html • A system made up of scripts and modules to extract RQA measurements and present them in graphical or text form
  • 13. Faculty of Science, Engineering and Technology Real Time BGP Anomaly Detection Tool • Perl, bash, gnuplot • Uses the TISEAN package for RQA routines • TISEAN = “Non Linear Time Series Analysis” • Takes as input BGP updates from BGP speaker • Includes email notification capabilities • Lots of options • Can scan peer Autonomous System or Systems • Can replay events • Can present in graphical or text
  • 14. Faculty of Science, Engineering and Technology Real Time BGP Anomaly Detection Tool • A simple example of using RTBADT to monitor the peer AS65002 • Enables the options of sending an e-mail notification when an anomaly is detected and enabling a real-time plot of BGP features and alarm detection • Very light weight and easy to use
  • 15. Faculty of Science, Engineering and Technology Example
  • 16. Faculty of Science, Engineering and Technology Conclusion • Developed software that implements some of our research work in applying RQA to BGP • Can replay events • Can display RQA measurements in graphical or text form
  • 17. Faculty of Science, Engineering and Technology Acknowledgment We gratefully acknowledge support from the “APNIC Internet Operations Research Grant“ under the ISIF Asia 2016 grant scheme