CN115460110B - Abnormal AS_PATH detection method and device based on link prediction - Google Patents


Info

Publication number: CN115460110B
Application number: CN202211414924.7A
Authority: CN (China)
Prior art keywords: link, detected, type, path, suspicious
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115460110A (en)
Inventors: 王继龙, 张承万, 安常青, 祖林美
Current assignee: Tsinghua University
Original assignee: Tsinghua University

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0805 Monitoring or testing based on specific metrics by checking availability
    • H04L 43/0817 Monitoring or testing based on specific metrics by checking availability by checking functioning
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/147 Network analysis or design for predicting network behaviour

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to the field of network communication technologies, and in particular to a method and an apparatus for detecting an abnormal AS_PATH based on link prediction. The method comprises: acquiring an AS link to be detected; detecting that link according to a target link predictor and/or a detection strategy, to obtain a detection result for it; and determining, from the detection result, the abnormal reason corresponding to the link and outputting the corresponding abnormal event. With this method and apparatus, abnormal AS_PATHs can be detected.

Description

Abnormal AS_PATH detection method and device based on link prediction
Technical Field
The present disclosure relates to the field of network communication technologies, and in particular to a method and an apparatus for detecting an abnormal AS_PATH based on link prediction.
Background
The Border Gateway Protocol (BGP) is the routing protocol between autonomous systems (ASes) and runs over TCP (Transmission Control Protocol). Security was not considered when BGP was designed: ASes trust one another unconditionally, any AS can forge routing information, and the base protocol offers no effective mechanism for verifying that routing information is authentic.
AS_PATH is an important path attribute of BGP messages; it records the sequence of ASes through which a route to a destination Internet Protocol (IP) prefix has propagated. As routing information is passed along, each AS prepends its own AS number to the AS_PATH when it announces the route to its neighbours. The AS_PATH is used to prevent routing loops, and it also reflects the connectivity between ASes.
When an abnormal AS_PATH appears, one that does not conform to the standard usage of BGP, serious network problems can follow. Resource Public Key Infrastructure (RPKI) and BGPsec address some of these problems (RPKI origin validation checks only the origin AS of a route, while BGPsec is the mechanism that protects the AS_PATH itself), but their deployment has been slow, so an abnormal AS_PATH detection method is still needed.
Disclosure of Invention
The disclosure provides a method and an apparatus for detecting an abnormal AS_PATH based on link prediction, the main aim being to detect abnormal AS_PATHs.
According to one aspect of the present disclosure, an abnormal AS_PATH detection method based on link prediction is provided, comprising:
acquiring an AS link to be detected;
detecting the AS link to be detected according to a target link predictor and/or a detection strategy, to obtain a detection result corresponding to the AS link to be detected;
and determining, according to the detection result, an abnormal reason corresponding to the AS link to be detected, and outputting an abnormal event corresponding to the AS link to be detected.
Optionally, before detecting the AS link to be detected with the target link predictor, the method further includes:
constructing a reliable AS link library from historical routing data;
acquiring an AS information set, which comprises AS size information, AS type information, AS attribution (home country) information and AS geographic location information;
and training an initial link predictor on the reliable AS link library and the AS information set to obtain the target link predictor.
Optionally, constructing the reliable AS link library from the historical routing data includes:
extracting the AS_PATH field from the historical routing data to obtain an AS link set;
and determining the reliable AS link library from the AS link set using a reliable link construction method.
Optionally, acquiring the AS link to be detected includes:
acquiring updated routing data, and extracting the AS_PATH field from the updated routing data to obtain the updated AS links it contains;
and, if an updated AS link does not exist in the reliable AS link library, taking that updated AS link as the AS link to be detected.
Optionally, the AS link to be detected is a first-class link to be detected, i.e. a link containing at least one unknown AS node (an AS that does not appear in the reliable AS link library); the detection strategy then includes a first rule set, and detecting the AS link to be detected according to the target link predictor and/or the detection strategy includes:
checking the first-class link to be detected against the first rule set;
and, if the first-class link matches any rule in the first rule set, determining that it is a first-class suspicious AS link and that the AS_PATH containing it is a first-class suspicious AS_PATH.
Optionally, the first rule set includes at least one of the following rules:
an AS contained in the first-class link cannot be found in the AS registration data of the RIRs;
an AS contained in the first-class link belongs to the special-purpose ASNs specified by RFC;
the first-class link is not formed by the last two hops of the AS_PATH (the origin AS and its neighbour), and the home countries of the ASes at its two ends differ.
Optionally, the AS link to be detected is a second-class link to be detected, i.e. a link containing no unknown AS node (an unknown AS node being an AS that does not appear in the reliable AS link library); the detection strategy then includes a second rule set, and detecting the AS link to be detected according to the target link predictor and/or the detection strategy includes:
inputting the second-class link to the target link predictor and, if the predicted value output by the predictor is below the abnormal AS link threshold, determining that the second-class link is a second-class suspicious AS link;
checking the AS_PATH containing the second-class suspicious AS link against the second rule set;
and, if that AS_PATH matches any rule in the second rule set, determining that it is a second-class highly suspicious AS_PATH; otherwise, determining that it is a second-class generally suspicious AS_PATH.
Optionally, the second rule set includes at least one of the following rules:
the length of the AS_PATH containing the second-class suspicious AS link exceeds a length threshold;
the AS_PATH contains an AS loop, and the second-class suspicious AS link lies inside that loop;
the AS sequence of the AS_PATH, with the ASNs of IXPs removed, does not satisfy the valley-free principle;
in the sequence of home countries of the ASes in the AS_PATH, the same country appears at non-contiguous positions, i.e. the path leaves a country and later returns to it.
Optionally, determining the abnormal reason corresponding to the AS link to be detected according to the detection result and outputting the corresponding abnormal event includes:
determining from the detection result a seven-tuple for the AS link to be detected, the seven-tuple comprising the start time, the prefix, the abnormal AS_PATH, the abnormal AS link, the suspicious AS, the abnormal category and the abnormal reason;
and determining and outputting the abnormal event corresponding to the AS link to be detected from that seven-tuple.
According to another aspect of the present disclosure, an abnormal AS_PATH detection apparatus based on link prediction is provided, comprising:
a link acquisition unit, configured to acquire an AS link to be detected;
a link detection unit, configured to detect the AS link to be detected according to a target link predictor and/or a detection strategy, to obtain a detection result corresponding to the AS link to be detected;
and an event output unit, configured to determine, according to the detection result, the abnormal reason corresponding to the AS link to be detected and to output the abnormal event corresponding to the AS link to be detected.
Optionally, the apparatus further includes a link library construction unit, a set acquisition unit and a predictor training unit, which operate before the target link predictor detects the AS link to be detected:
the link library construction unit is configured to construct a reliable AS link library from historical routing data;
the set acquisition unit is configured to acquire an AS information set, which comprises AS size information, AS type information, AS attribution (home country) information and AS geographic location information;
and the predictor training unit is configured to train an initial link predictor on the reliable AS link library and the AS information set to obtain the target link predictor.
Optionally, when constructing the reliable AS link library from the historical routing data, the link library construction unit is specifically configured to:
extract the AS_PATH field from the historical routing data to obtain an AS link set;
and determine the reliable AS link library from the AS link set using a reliable link construction method.
Optionally, when acquiring the AS link to be detected, the link acquisition unit is specifically configured to:
acquire updated routing data, and extract the AS_PATH field from the updated routing data to obtain the updated AS links it contains;
and, if an updated AS link does not exist in the reliable AS link library, take that updated AS link as the AS link to be detected.
Optionally, the AS link to be detected is a first-class link to be detected, i.e. a link containing at least one unknown AS node (an AS that does not appear in the reliable AS link library); the detection strategy then includes a first rule set, and, when detecting the AS link to be detected according to the target link predictor and/or the detection strategy to obtain the detection result, the link detection unit is specifically configured to:
check the first-class link to be detected against the first rule set;
and, if the first-class link matches any rule in the first rule set, determine that it is a first-class suspicious AS link and that the AS_PATH containing it is a first-class suspicious AS_PATH.
Optionally, the first rule set includes at least one of the following rules:
an AS contained in the first-class link cannot be found in the AS registration data of the RIRs;
an AS contained in the first-class link belongs to the special-purpose ASNs specified by RFC;
the first-class link is not formed by the last two hops of the AS_PATH (the origin AS and its neighbour), and the home countries of the ASes at its two ends differ.
Optionally, the AS link to be detected is a second-class link to be detected, i.e. a link containing no unknown AS node (an unknown AS node being an AS that does not appear in the reliable AS link library); the detection strategy then includes a second rule set, and, when detecting the AS link to be detected according to the target link predictor and/or the detection strategy to obtain the detection result, the link detection unit is specifically configured to:
input the second-class link to the target link predictor and, if the predicted value output by the predictor is below the abnormal AS link threshold, determine that the second-class link is a second-class suspicious AS link;
check the AS_PATH containing the second-class suspicious AS link against the second rule set;
and, if that AS_PATH matches any rule in the second rule set, determine that it is a second-class highly suspicious AS_PATH; otherwise, determine that it is a second-class generally suspicious AS_PATH.
Optionally, the second rule set includes at least one of the following rules:
the length of the AS_PATH containing the second-class suspicious AS link exceeds a length threshold;
the AS_PATH contains an AS loop, and the second-class suspicious AS link lies inside that loop;
the AS sequence of the AS_PATH, with the ASNs of IXPs removed, does not satisfy the valley-free principle;
in the sequence of home countries of the ASes in the AS_PATH, the same country appears at non-contiguous positions, i.e. the path leaves a country and later returns to it.
Optionally, when determining the abnormal reason corresponding to the AS link to be detected according to the detection result and outputting the corresponding abnormal event, the event output unit is specifically configured to:
determine from the detection result a seven-tuple for the AS link to be detected, the seven-tuple comprising the start time, the prefix, the abnormal AS_PATH, the abnormal AS link, the suspicious AS, the abnormal category and the abnormal reason;
and determine and output the abnormal event corresponding to the AS link to be detected from that seven-tuple.
According to another aspect of the present disclosure, a terminal is provided, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, which enable the at least one processor to perform the method of any one of the preceding aspects.
According to another aspect of the present disclosure, a non-transitory computer-readable storage medium is provided, storing computer instructions that cause a computer to perform the method of any one of the preceding aspects.
According to another aspect of the present disclosure, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the method of any one of the preceding aspects.
In one or more embodiments of the present disclosure, an AS link to be detected is acquired; the AS link to be detected is detected according to the target link predictor and/or the detection strategy, to obtain a detection result corresponding to it; and the abnormal reason corresponding to the AS link to be detected is determined from the detection result and the corresponding abnormal event is output. A BGP abnormal AS_PATH can therefore be detected effectively by using the target link predictor in combination with the detection strategy.
It should be understood that the statements in this section are not intended to identify key or critical features of the embodiments of the present disclosure, nor to limit its scope. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be construed as limiting the present disclosure. In the drawings:
fig. 1 is a schematic flowchart of a first abnormal AS_PATH detection method based on link prediction according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a second abnormal AS_PATH detection method based on link prediction according to an embodiment of the present disclosure;
fig. 3 is a training flowchart of a link predictor provided by an embodiment of the present disclosure;
fig. 4 is a detection flowchart for an AS link to be detected according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of the output of an abnormal event provided by an embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of a first abnormal AS_PATH detection apparatus based on link prediction according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of a second abnormal AS_PATH detection apparatus based on link prediction according to an embodiment of the present disclosure;
fig. 8 is a block diagram of a terminal for implementing the abnormal AS_PATH detection method based on link prediction according to an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings; various details of the embodiments are included to assist understanding and are to be considered merely exemplary. Those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the disclosure. Descriptions of well-known functions and constructions are omitted in the following for clarity and conciseness.
In the related art, an AS_PATH ideally satisfies the following constraints:
1. every Autonomous System Number (ASN) in the AS_PATH is registered with one of the five Regional Internet Registries (RIRs);
2. the AS_PATH is loop-free;
3. every AS link in the AS_PATH actually exists, that is, adjacent ASes in the path have a real connection;
4. the AS_PATH complies with the routing policies of the ASes it traverses, i.e. it satisfies the valley-free principle.
In real networks, however, many situations cause an AS_PATH to violate these constraints. An administrator's misconfiguration may put unregistered ASNs into the AS_PATH; misconfiguration or deliberate traffic engineering may create a loop in the AS_PATH; BGP route hijacking, misconfiguration and the like may introduce a non-existent AS link into the AS_PATH; and a route leak may make the AS_PATH violate an AS's routing policy.
Such abnormal AS_PATHs do not conform to the standard usage of BGP and may cause serious network problems. RPKI and BGPsec can solve some of these problems, but their deployment has been slow, and in the meantime an abnormal AS_PATH detection method is needed.
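The four constraints above and the two rule sets in the summary (the first for links with an unknown AS, the second for links whose predictor score falls below the abnormal AS link threshold) can be written as checks directly. The following Python is an added worked example; it is not the patent's own code or an implementation published by the inventors. The AS information, RIR registration set, IXP set, AS relationship table, thresholds, sample paths and all helper names are constructed assumptions, and the special-purpose ASN ranges are taken from the IANA AS number registry (RFC 5398, RFC 6996, RFC 7300, RFC 7607, RFC 6793). It assumes the link predictor's score for a second-class link is supplied as an input, and it goes slightly beyond the page in collapsing AS prepending explicitly so that repeated ASNs are not reported as loops:

```python
"""Rule checks for the first and second rule sets (added example, not patent code).
AS information, RIR registrations, IXP set, relationship table, thresholds and
sample paths are constructed below; helper names are the editor's. AS_PATH lists
run collector-side first, origin AS last; a second-class link's predictor score is an input."""

# Special-purpose/reserved ASN ranges from the IANA AS number registry (RFC 7607
# AS0, RFC 6793 AS_TRANS, RFC 5398, RFC 6996, RFC 7300, plus 65552-131071 reserved).
SPECIAL_ASN_RANGES = ((0, 0), (23456, 23456), (64496, 64511), (64512, 65534),
                      (65535, 65535), (65536, 65551), (65552, 131071),
                      (4200000000, 4294967294), (4294967295, 4294967295))

def is_special_purpose_asn(asn):
    return any(lo <= asn <= hi for lo, hi in SPECIAL_ASN_RANGES)

def collapse_prepending(path):
    """Drop consecutive repeats so AS prepending is not mistaken for a loop."""
    return [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]

def first_rule_hits(link, path, as_info, registered):
    """First rule set, for links that contain an unknown AS node."""
    a, b = link
    hits = []
    if a not in registered or b not in registered:
        hits.append("asn_not_in_rir_registry")
    if is_special_purpose_asn(a) or is_special_purpose_asn(b):
        hits.append("special_purpose_asn")
    last_two = set(collapse_prepending(path)[-2:])  # origin AS and its neighbour
    ca, cb = as_info.get(a, {}).get("country"), as_info.get(b, {}).get("country")
    if set(link) != last_two and ca and cb and ca != cb:
        hits.append("cross_country_link_not_at_origin")
    return hits

def loop_contains_link(path, link):
    """True if the path repeats an AS and the link lies inside the repeated segment."""
    p, first_seen = collapse_prepending(path), {}
    for i, asn in enumerate(p):
        if asn in first_seen:
            seg = p[first_seen[asn]:i + 1]
            if any({x, y} == set(link) for x, y in zip(seg, seg[1:])):
                return True
        else:
            first_seen[asn] = i
    return False

def step_type(x, y, rel):
    """Relationship of a route exported from x to y: c2p (uphill), p2p or p2c
    (downhill). rel[(p, c)] == "p2c" records p as c's provider; "p2p" a peering."""
    if (x, y) in rel:
        return "p2c" if rel[(x, y)] == "p2c" else "p2p"
    if (y, x) in rel:
        return "c2p" if rel[(y, x)] == "p2c" else "p2p"
    return None

def is_valley_free(path, rel, ixp_asns):
    """Valley-free check with IXP ASNs removed, walked from the origin outward."""
    hops = list(reversed([a for a in collapse_prepending(path) if a not in ixp_asns]))
    downhill = False  # set once a peer or provider-to-customer step has been taken
    for x, y in zip(hops, hops[1:]):
        t = step_type(x, y, rel)
        if t is None:
            continue  # unknown relationship: no verdict for this step
        if downhill and t in ("c2p", "p2p"):
            return False  # climbing or peering again after going down is a valley
        if t in ("p2p", "p2c"):
            downhill = True
    return True

def country_sequence_returns(path, as_info):
    """True if the path leaves a country and later re-enters it."""
    cs = [as_info[a]["country"] for a in path if as_info.get(a, {}).get("country")]
    collapsed = [c for i, c in enumerate(cs) if i == 0 or c != cs[i - 1]]
    return len(collapsed) != len(set(collapsed))

def second_rule_hits(link, path, as_info, rel, ixp_asns, length_threshold):
    """Second rule set, run on the AS_PATH of a predictor-flagged link."""
    checks = (("path_length_exceeds_threshold", len(collapse_prepending(path)) > length_threshold),
              ("as_loop_contains_link", loop_contains_link(path, link)),
              ("valley_free_violation", not is_valley_free(path, rel, ixp_asns)),
              ("country_sequence_discontinuous", country_sequence_returns(path, as_info)))
    return [name for name, hit in checks if hit]

def classify_second_class(score, threshold, link, path, as_info, rel, ixp_asns, length_threshold):
    """A predictor score below the threshold makes the link suspicious; any hit
    on its AS_PATH upgrades the path from generally to highly suspicious."""
    if score >= threshold:
        return "not_suspicious", []
    hits = second_rule_hits(link, path, as_info, rel, ixp_asns, length_threshold)
    return ("highly_suspicious" if hits else "general_suspicious"), hits

# Constructed sample data: placeholder ASNs, countries and relationships.
AS_INFO = {1001: {"country": "US"}, 1002: {"country": "US"}, 1003: {"country": "DE"},
           1004: {"country": "DE"}, 1005: {"country": "DE"}, 1006: {"country": "CN"},
           1009: {"country": "DE"}}
REGISTERED = set(AS_INFO)           # stands in for the RIRs' AS registration data
IXP_ASNS = {1009}
REL = {(1001, 1002): "p2c", (1003, 1004): "p2c", (1004, 1005): "p2c",
       (1002, 1003): "p2p", (1003, 1002): "p2p"}
```

On the constructed data, `classify_second_class(0.2, 0.5, (1001, 1002), [1001, 1002, 1003, 1004, 1005], AS_INFO, REL, IXP_ASNS, 8)` returns `("highly_suspicious", ["valley_free_violation"])`: AS 1002 passes a route learned from its peer 1003 up to its provider 1001, a textbook route leak; the same call with a score of 0.9 returns `not_suspicious` without running the rules at all. Unknown relationships are skipped rather than counted as violations, which keeps the valley-free rule from firing on incomplete relationship data, and IXP ASNs are removed before the walk as the second rule set requires.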
The present disclosure is described in detail below with reference to specific examples.
In a first embodiment, as shown in fig. 1 (a flowchart of a first abnormal AS_PATH detection method based on link prediction provided by an embodiment of the present disclosure), the method may be implemented as a computer program and run on an apparatus that performs abnormal AS_PATH detection based on link prediction. The computer program may be integrated into an application or run as a separate tool-like application.
The abnormal AS_PATH detection apparatus based on link prediction may be a terminal with that detection function; the terminal includes but is not limited to: wearable devices, handheld devices, personal computers, tablet computers, in-vehicle devices, smartphones, computing devices or other processing devices connected to a wireless modem, and the like. Terminals may be called different names in different networks, for example: user equipment, access terminal, subscriber unit, subscriber station, mobile station, remote terminal, mobile device, user terminal, wireless communication device, user agent or subscriber device, cellular telephone, cordless telephone, personal digital assistant (PDA), or a terminal in a fifth-generation (5G), fourth-generation (4G), third-generation (3G) or future-evolution network, and the like.
Specifically, the abnormal AS_PATH detection method based on link prediction includes:
S101, acquiring an AS link to be detected;
According to some embodiments, the AS link to be detected is an AS link that needs to be checked for abnormality. It does not refer to one fixed link.
When the terminal performs abnormal AS_PATH detection based on link prediction, it may first acquire an AS link to be detected.
S102, detecting the AS link to be detected according to the target link predictor and/or the detection strategy, to obtain a detection result corresponding to the AS link to be detected;
According to some embodiments, the target link predictor is a trained link predictor; it does not refer to one fixed predictor.
In some embodiments, the detection strategy is the strategy adopted for checking the AS link to be detected. It is not one fixed strategy; for example, the detection strategy may change with the AS link to be detected.
Having acquired the AS link to be detected, the terminal may check it according to the target link predictor and/or the detection strategy, obtaining a detection result corresponding to that link.
S103, determining an abnormal reason corresponding to the AS link to be detected according to the detection result, and outputting an abnormal event corresponding to the AS link to be detected.
According to some embodiments, the abnormal event is not one fixed event; it may be, for example, a BGP abnormal AS_PATH event.
Having obtained the detection result for the AS link to be detected, the terminal may determine the abnormal reason corresponding to that link from the detection result and output the corresponding abnormal event.
In summary, the method provided by this embodiment acquires an AS link to be detected; checks it according to the target link predictor and/or the detection strategy to obtain a detection result; and determines the abnormal reason from the detection result and outputs the corresponding abnormal event. A BGP abnormal AS_PATH can therefore be detected effectively by using the target link predictor in combination with the detection strategy.
Referring to fig. 2, which is a schematic flowchart of a second abnormal AS_PATH detection method based on link prediction according to an embodiment of the present disclosure, the method specifically includes:
S201, constructing a reliable AS link library from historical routing data;
According to some embodiments, the historical routing data may be obtained from a public routing data platform. Specifically, routing information can be obtained from open route collection platforms such as the RIPE NCC Routing Information Service (RIPE RIS), the Cyberspace Governance Technology Forum Route Information Sharing platform (CGTF RIS) and the University of Oregon Route Views project.
In some embodiments, to build the reliable AS link library from historical routing data, the AS_PATH field is extracted from the historical routing data to obtain an AS link set, and the reliable AS link library is then determined from that set using a reliable link construction method.
In some embodiments, the AS link set is not one fixed set. For example, the AS link set may be the union of the links extracted over the past six months from the Center for Applied Internet Data Analysis (CAIDA) AS Relationships data. Six months is a parameter determined experimentally: it is long enough for the reliable AS link library to cover enough AS links, and short enough not to introduce too many links that no longer exist.
In some embodiments, the reliable AS link library is the link set that remains after excluding from the AS link set those AS links previously detected as abnormal. It is not one fixed set; for example, it changes when the AS link set changes. The reliable AS link library may be constructed from historical routing data or from traceroute data, and its quality directly affects the detection performance of the method provided by this embodiment.
In some embodiments, the routing data comprises route snapshots (RIB dumps) and route update messages, and AS_PATHs can be extracted from both to obtain AS links.
Thus, when performing abnormal AS_PATH detection based on link prediction, a reliable AS link library can be constructed from historical routing data.
S202, acquiring an AS information set;
According to some embodiments, the AS information set includes AS size information, AS type information, AS attribution (home) information and AS geographic location information. The AS attribution information may be, for example, the country to which the AS belongs. The AS type information may be, for example, whether the AS is a Tier 1 AS and whether it is an Internet Exchange Point (IXP) AS.
In some embodiments, AS link information may also be obtained together with the AS information set. AS link information includes, but is not limited to, link type and link bandwidth. Link types include, but are not limited to, peer-to-peer (P2P) links and provider-to-customer (P2C) links.
In some embodiments, the AS information set and the AS link information may be obtained from the FTP sites of the five RIRs, from PeeringDB, from the Routing Assets Database (RADB), and the like.
Thus, when performing abnormal AS_PATH detection based on link prediction, an AS information set can also be acquired.
S203, training an initial link predictor on the reliable AS link library and the AS information set to obtain a target link predictor;
According to some embodiments, when training the initial link predictor on the reliable AS link library and the AS information set, the library and the information set are first combined into an AS topology whose nodes carry attributes; this topology may be called the reliable AS topology. The initial link predictor then learns the latent regularities of the AS topology from the reliable AS topology, yielding the target link predictor.
In some embodiments, the reliable AS topology is only a part of the real AS topology and contains noise. Obtaining the real AS topology is itself an open problem, and the reliable AS topology constructed above is only meant to be as close to it as possible.
In some embodiments, fig. 3 shows the training flow of a link predictor provided by an embodiment of the present disclosure. As shown in fig. 3, the initial link predictor is a link prediction model based on a graph neural network, which takes positive and negative sample links as input. A positive sample link is a link that exists in the real AS topology, and the constructed reliable AS topology serves as the positive samples; a negative sample link is a link that does not exist in the real AS topology, and negatives can be sampled at random from AS pairs that are not linked in the constructed reliable AS topology. Because the reliable topology is incomplete, a sampled negative may in fact be a real link that was never observed; this label noise is inherent to the approach.
The link prediction model may be, for example, the SEAL link prediction model.
Thus, once the AS information set has been acquired, the initial link predictor can be trained on the reliable AS link library and the AS information set to obtain the target link predictor.
S204, acquiring updated routing data, and extracting an AS _ PATH field from the updated routing data to obtain an updated AS link corresponding to the updated routing data;
According to some embodiments, the updated routing data refers to real-time routing data obtained from a BGP route collection platform such as Route Views, CGTF RIS or RIPE RIS.
For example, the updated routing data may be a real-time BGP route UPDATE packet (i.e., UPDATE packet), and then, the AS link may be extracted from an AS _ PATH field in the BGP UPDATE packet to obtain an updated AS link.
It is easy to understand that, when abnormal AS _ PATH detection based on link prediction is performed, updated routing data may be obtained, and the AS _ PATH field is extracted from the updated routing data to obtain an updated AS link corresponding to the updated routing data.
S205, if the reliable AS link library does not contain the updated AS link, determining the updated AS link as the AS link to be tested;
According to some embodiments, when an updated AS link is obtained, reliable AS links may be filtered out using the reliable AS link library, while unreliable AS links enter the next phase. That is, if the updated AS link is not in the reliable AS link library, it may be determined that the updated AS link is the AS link to be tested.
In some embodiments, if an AS link is considered to be a reliable link, that link is treated as a true link: on the one hand, the AS link is used to construct the reliable AS link library; on the other hand, the AS link is also used in the abnormal AS _ PATH detection procedure.
Therefore, the reliable AS link library may include both historically verified AS links and links obtained by the reliable AS link library construction method. The AS links in the reliable AS link library may be considered truly reliable. The reliable AS link library has two functions: serving as the basis for training the link predictor, and allowing detection to be skipped directly for reliable AS links in the detection stage.
It is easy to understand that, when the updated AS link is obtained, if the updated AS link does not exist in the reliable AS link library, the updated AS link may be determined as the AS link to be detected.
S206, detecting the AS link to be detected according to the target link predictor and/or the detection strategy to obtain a detection result corresponding to the AS link to be detected;
according to some embodiments, the AS link to be tested does not refer specifically to a fixed link. For example, the AS link to be detected includes, but is not limited to, a first type link to be detected, a second type link to be detected, and the like.
In some embodiments, when a link is not in the reliable AS link library, and there is at least one AS that constitutes the link that is also not in the reliable AS link library, the link is a first type of link to be detected. In particular, the first class of links to be detected refers to links comprising at least one unknown AS node. Wherein, the unknown AS node refers to an AS node which is not in the reliable AS link library. It should be noted that the first type of link to be detected needs to be detected by using a first rule set in the detection policy.
In some embodiments, when a link is not in the reliable AS link library, but both ASes that constitute the link are in the reliable AS link library, the link is a second type of link to be detected. Specifically, the second type of link to be detected refers to a link that does not include an unknown AS node. The second type of link to be detected needs to be detected by using the target link predictor together with a second rule set in the detection strategy.
According to some embodiments, when the first type of link to be detected is detected according to the first rule set, if the first type of link to be detected satisfies any rule in the first rule set, it may be determined that the first type of link to be detected is an abnormal (illegal) AS link, specifically a first type of suspicious AS link, and that the AS _ PATH corresponding to the first type of link to be detected, that is, the AS _ PATH containing the first type of link to be detected, is an abnormal AS _ PATH, specifically a first type of suspicious AS _ PATH.
In some embodiments, if the first type of link to be detected satisfies none of the rules in the first rule set, it may be determined that the first type of link to be detected is a legitimate AS link.
In some embodiments, the first set of rules includes at least one of the following rules:
an AS contained in the first type of link to be detected cannot be found in the AS registration data of the RIRs;
an AS contained in the first type of link to be detected belongs to the special-purpose ASNs specified by RFCs;
the first type of link to be detected is not composed of the last two hops of the AS _ PATH, and the ASes at the two ends of the first type of link to be detected belong to different countries.
According to some embodiments, when the AS link to be detected is the second type link to be detected, the second type link to be detected may be input to the target link predictor, and if the predicted value output by the target link predictor is smaller than the abnormal AS link threshold value, the second type link to be detected is determined to be the second type suspicious AS link. Then, the AS _ PATH corresponding to the second type of suspicious AS link can be detected according to a second rule set, if the AS _ PATH corresponding to the second type of suspicious AS link meets any rule in the second rule set, the AS _ PATH corresponding to the second type of suspicious AS link is determined to be a second type of highly suspicious AS _ PATH, and the second type of suspicious AS link is determined to be a second type of highly suspicious AS link; otherwise, determining that the AS _ PATH corresponding to the second type of suspicious AS link is the second type of general suspicious AS _ PATH, and determining that the second type of suspicious AS link is the second type of general suspicious AS link.
It should be noted that both the second type general suspicious AS link and the second type highly suspicious AS _ PATH serve AS the output of the exception event.
In some embodiments, if the predicted value output by the target link predictor is not less than the abnormal AS link threshold, it may be determined that the second type of link to be detected is a legitimate AS link.
In some embodiments, the second set of rules includes at least one of the following rules:
the length of the AS _ PATH corresponding to the second type of suspicious AS link exceeds a length threshold;
the AS _ PATH corresponding to the second type of suspicious AS link comprises an AS loop and the second type of suspicious AS link is contained in the AS loop;
in the AS _ PATH corresponding to the second type of suspicious AS link, the AS sequence obtained after removing the AS numbers that serve as IXPs does not satisfy the valley-free principle; specifically, the AS _ PATH in which the second type of suspicious AS link is located contains more than one Tier 1 AS, and the Tier 1 ASes do not appear consecutively;
the sequence formed by the countries corresponding to the ASes in the AS _ PATH corresponding to the second type of suspicious AS link contains the same country at positions that are not consecutive; for example, when the AS _ PATH is 4134 9808 6939 4538, the corresponding country sequence is: country A, country A, country B, country A; the sequence contains country A three times, but not consecutively.
It is easy to understand that fig. 4 shows a detection flowchart of an AS link to be detected according to an embodiment of the present disclosure. As shown in fig. 4, when it is determined that the updated AS link is the to-be-detected AS link, the to-be-detected AS link may be detected according to the target link predictor and/or the detection policy, so as to obtain a detection result corresponding to the to-be-detected AS link.
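As an added example (not the patent's own code), the classification of S205 and S206 and both rule sets of the detection policy in Python, run over constructed AS _ PATHs. The registry, country, Tier 1 and IXP tables are constructed sample data, and the target link predictor's value is passed in as a number because the graph neural network itself is not reproduced here.

```python
"""Added worked example, not the patent's own code: the S205/S206 link classification
and the two rule sets of the detection policy, run over constructed AS_PATHs."""

# Constructed sample tables (assumptions): a deployment would load RIR data, PeeringDB/RADB and a Tier-1 list.
REGISTERED_ASNS = {4134, 9808, 6939, 4538, 3356, 1299, 6695, 5555}
COUNTRY = {4134: "CN", 9808: "CN", 6939: "US", 4538: "CN",
           3356: "US", 1299: "SE", 6695: "DE", 5555: "DE"}
TIER1_ASNS = {3356, 1299}  # sample Tier-1 ASes
IXP_ASNS = {6695}          # sample IXP ASN, dropped before the valley-free check
# Special-purpose ASNs reserved by RFC 7607, 6793, 5398, 6996 and 7300.
SPECIAL_PURPOSE_RANGES = [(0, 0), (23456, 23456), (64496, 64511), (64512, 65534),
                          (65535, 65535), (65536, 65551),
                          (4200000000, 4294967294), (4294967295, 4294967295)]

def is_special_purpose(asn):
    return any(lo <= asn <= hi for lo, hi in SPECIAL_PURPOSE_RANGES)

def collapse_prepending(as_path):
    """Drop consecutive repeats (AS prepending) so they are not read as loops."""
    return [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]

def first_rule_set(link, as_path):
    """First rule set for a first-type link (an endpoint is an unknown AS): returns the
    matched rule as the abnormal cause, or None. Reserved ASNs are checked first."""
    for asn in link:
        if is_special_purpose(asn):
            return f"AS{asn} is a special-purpose ASN reserved by RFC"
    for asn in link:
        if asn not in REGISTERED_ASNS:
            return f"AS{asn} not found in RIR registration data"
    p = collapse_prepending(as_path)
    last_two_hops = len(p) > 1 and tuple(p[-2:]) == tuple(link)
    c0, c1 = COUNTRY.get(link[0]), COUNTRY.get(link[1])
    if not last_two_hops and c0 and c1 and c0 != c1:
        return "link is not the last two hops and its endpoints are in different countries"
    return None

def link_in_loop(link, as_path):
    """AS-loop rule: some AS recurs after other ASes and the link lies between
    that AS's first and last occurrence (prepending already collapsed)."""
    p = collapse_prepending(as_path)
    for i, pair in enumerate(zip(p, p[1:])):
        if pair != tuple(link):
            continue
        for asn in set(p):
            first, last = p.index(asn), len(p) - 1 - p[::-1].index(asn)
            if first < last and first <= i and i + 1 <= last:
                return True
    return False

def violates_valley_free(as_path):
    """Valley-free rule as the page states it: after dropping IXP ASNs, more than
    one Tier-1 AS appears and the Tier-1 ASes are not consecutive."""
    p = [a for a in collapse_prepending(as_path) if a not in IXP_ASNS]
    idx = [i for i, a in enumerate(p) if a in TIER1_ASNS]
    return len(idx) > 1 and idx[-1] - idx[0] + 1 != len(idx)

def country_sequence_discontinuous(as_path):
    """Country rule: one country at non-consecutive positions (4134 9808 6939 4538
    gives CN CN US CN, which matches). ASes with no known country are ignored."""
    seq = [COUNTRY.get(a) for a in collapse_prepending(as_path)]
    for c in set(seq) - {None}:
        pos = [i for i, x in enumerate(seq) if x == c]
        if pos[-1] - pos[0] + 1 != len(pos):
            return True
    return False

def second_rule_set(link, as_path, length_threshold=10):
    """Second rule set, applied once the predictor has flagged a second-type link."""
    if len(as_path) > length_threshold:
        return f"AS_PATH length {len(as_path)} exceeds threshold {length_threshold}"
    if link_in_loop(link, as_path):
        return "suspicious link is contained in an AS loop"
    if violates_valley_free(as_path):
        return "Tier-1 ASes are not consecutive (valley-free principle violated)"
    if country_sequence_discontinuous(as_path):
        return "same country appears at non-consecutive positions"
    return None

def classify_link(link, as_path, reliable_links, reliable_asns, predicted=None, threshold=0.5):
    """S205/S206: returns (abnormal category, suspicious AS, abnormal cause). `predicted`
    is the target link predictor's value for a second-type link (the GNN itself is out of scope)."""
    link = tuple(link)
    if link in reliable_links or link[::-1] in reliable_links:
        return ("reliable", None, None)             # S205: detection is skipped
    unknown = [a for a in link if a not in reliable_asns]
    if unknown:                                      # first type of link to be detected
        cause = first_rule_set(link, as_path)
        return ("first-type suspicious AS link", unknown[0], cause) if cause else ("legitimate", None, None)
    if predicted is None: raise ValueError("a second-type link needs the predictor's value")
    if predicted >= threshold:                       # predictor accepts the link
        return ("legitimate", None, f"predicted value {predicted} >= {threshold}")
    cause = second_rule_set(link, as_path)           # suspicious AS: left end of the link
    if cause:
        return ("second-type highly suspicious AS link", link[0], cause)
    return ("second-type general suspicious AS link", link[0], f"predicted value {predicted} < {threshold}")
```

The returned triple maps onto the suspicious AS, abnormal category and abnormal cause fields of the seven-tuple of S207; prepending is collapsed before the loop check so that a repeated origin AS is not reported as an AS loop.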
S207, determining a seven-element group corresponding to the AS link to be detected according to the detection result;
according to some embodiments, the seven-tuple includes start time, prefix, abnormal AS _ PATH, abnormal AS link, suspect AS, abnormal class, abnormal cause.
In some embodiments, in the first class of suspicious links, the suspicious AS is an AS that is not in the reliable link library; in the second type of suspicious link, the suspicious AS is the AS to the left of the suspicious AS link.
In some embodiments, the exception categories include a first category of suspicious AS links, a second category of generally suspicious AS links, and a second category of highly suspicious AS links.
In some embodiments, the anomaly cause is a rule in a detection policy matched with the AS link to be detected or a predicted value output by the target link predictor.
It is easy to understand that when the detection result corresponding to the AS link to be detected is obtained, the seven-element group corresponding to the AS link to be detected may be determined according to the detection result.
And S208, determining and outputting the abnormal event corresponding to the AS link to be detected according to the seven-tuple.
According to some embodiments, fig. 5 illustrates an output schematic diagram of an abnormal event provided by the embodiments of the present disclosure. As shown in fig. 5, the abnormal AS _ PATH module first extracts the updated AS link from the UPDATE message. The link prediction value 300-400 of the link is then found to be smaller than the abnormal AS link threshold, so the updated AS link is identified as a second type of general suspicious AS link, and finally the corresponding abnormal event is output. It should be noted that the abnormal AS _ PATH module may be configured to execute the method embodiments disclosed herein, which are not described again here.
In some embodiments, the component form of the exception event may be, for example, < start time, prefix, exception AS _ PATH, exception AS link, suspect AS, exception category, exception cause >.
It is easy to understand that when the seven-tuple corresponding to the AS link to be detected is obtained, the abnormal event corresponding to the AS link to be detected can be determined and output according to the seven-tuple.
In summary, in the method provided by the embodiment of the present disclosure, the reliable AS link library is constructed according to the historical routing data; an AS information set is acquired; the initial link predictor is trained according to the reliable AS link library and the AS information set to obtain a target link predictor; updated routing data is acquired, and the AS _ PATH field is extracted from the updated routing data to obtain an updated AS link corresponding to the updated routing data; if the reliable AS link library does not contain the updated AS link, the updated AS link is determined as the AS link to be tested; the AS link to be detected is detected according to the target link predictor and/or the detection strategy to obtain a detection result corresponding to the AS link to be detected; a seven-element group corresponding to the AS link to be detected is determined according to the detection result; and the abnormal event corresponding to the AS link to be detected is determined and output according to the seven-element group. Therefore, a reliable AS link library is constructed using historical routing data as its basis. A model then learns, from historical routing data and AS-related information, the latent constraint relations that an AS link satisfies, in order to judge the authenticity of an AS link that has not appeared in any previous BGP message: the link prediction algorithm learns the internal rules of AS links from the historical reliable AS link library and infers the likelihood that a newly appearing link is abnormal. Combined with several check rules, this effectively detects BGP abnormal AS _ PATHs introduced by factors such as misconfiguration, route hijacking, route leaks and traffic engineering.
In the technical scheme of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure and other processing of the personal information of the related user are all in accordance with the regulations of related laws and regulations and do not violate the good customs of the public order.
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods. For details not disclosed in the embodiments of the apparatus of the present disclosure, refer to the embodiments of the method of the present disclosure.
Please refer to fig. 6, which illustrates a schematic structural diagram of a first abnormal AS _ PATH detection apparatus based on link prediction according to an embodiment of the present disclosure. The abnormal AS _ PATH detection device based on the link prediction can be realized by software, hardware or a combination of the software and the hardware to form all or part of the device. The abnormal AS _ PATH detection apparatus 600 based on link prediction includes a link acquisition unit 601, a link detection unit 602, and an event output unit 603, where:
a link obtaining unit 601, configured to obtain an AS link to be detected;
a link detection unit 602, configured to detect the AS link to be detected according to the target link predictor and/or the detection policy, and obtain a detection result corresponding to the AS link to be detected;
and the event output unit 603 is configured to determine, according to the detection result, an abnormal reason corresponding to the AS link to be detected, and output an abnormal event corresponding to the AS link to be detected.
Optionally, fig. 7 is a schematic structural diagram of a second abnormal AS _ PATH detection apparatus based on link prediction according to an embodiment of the present disclosure. As shown in fig. 7, the abnormal AS _ PATH detection apparatus 600 based on link prediction further includes a link library construction unit 604, a set acquisition unit 605, and a predictor training unit 606, which are used before the AS link to be detected is detected according to the target link predictor:
a link library construction unit 604, configured to construct a reliable AS link library according to the historical routing data;
a set obtaining unit 605, configured to obtain an AS information set, where the AS information set includes AS scale information, AS type information, AS attribution information, and AS geographic location information;
and the predictor training unit 606 is used for training the initial link predictor according to the reliable AS link library and the AS information set to obtain a target link predictor.
Optionally, when the link library constructing unit 604 is configured to construct the reliable AS link library according to the historical routing data, the link library constructing unit is specifically configured to:
extracting an AS _ PATH field from historical routing data to obtain an AS link set;
and determining a reliable AS link library according to the AS link set based on the reliable link construction method.
Optionally, when the link obtaining unit 601 is configured to obtain an AS link to be detected, the link obtaining unit is specifically configured to:
acquiring updated routing data, and extracting an AS _ PATH field from the updated routing data to obtain an updated AS link corresponding to the updated routing data;
and if the reliable AS link library does not have the updated AS link, determining the updated AS link AS the AS link to be tested.
Optionally, the AS link to be detected is a first-class link to be detected, where the first-class link to be detected includes at least one unknown AS node, the unknown AS node is not in the reliable AS link library, the detection policy includes a first rule set, and the link detection unit 602 is configured to detect the AS link to be detected according to the target link predictor and/or the detection policy, and when a detection result corresponding to the AS link to be detected is obtained, specifically configured to:
detecting a first type of link to be detected according to a first rule set;
and if the first-class link to be detected meets any rule in the first rule set, determining that the first-class link to be detected is a first-class suspicious AS link, and determining that the AS _ PATH corresponding to the first-class link to be detected is a first-class suspicious AS _ PATH.
Optionally, the first rule set includes at least one of the following rules:
an AS contained in the first type of link to be detected cannot be found in the AS registration data of the RIRs;
an AS contained in the first type of link to be detected belongs to the special-purpose ASNs specified by RFCs;
the first type of link to be detected is not composed of the last two hops of the AS _ PATH, and the ASes at the two ends of the first type of link to be detected belong to different countries.
Optionally, the AS link to be detected is a second type of link to be detected, the second type of link to be detected does not include an unknown AS node, the unknown AS node is not in the reliable AS link library, the detection policy includes a second rule set, and the link detection unit 602 is configured to, when detecting the AS link to be detected according to the target link predictor and/or the detection policy, obtain a detection result corresponding to the AS link to be detected, specifically:
inputting a second type of link to be detected into the target link predictor, and if the predicted value output by the target link predictor is smaller than the abnormal AS link threshold value, determining that the second type of link to be detected is a second type of suspicious AS link;
detecting the AS _ PATH corresponding to the second type of suspicious AS link according to a second rule set;
if the AS _ PATH corresponding to the second type of suspicious AS link meets any rule in the second rule set, determining the AS _ PATH corresponding to the second type of suspicious AS link to be a second type of highly suspicious AS _ PATH; otherwise, determining the AS _ PATH corresponding to the second type of suspicious AS link AS a second type of general suspicious AS _ PATH.
Optionally, the second rule set includes at least one of the following rules:
the length of the AS _ PATH corresponding to the second type of suspicious AS link exceeds a length threshold;
the AS _ PATH corresponding to the second type of suspicious AS link comprises an AS loop, and the second type of suspicious AS link is contained in the AS loop;
in the AS _ PATH corresponding to the second type of suspicious AS link, the AS sequence obtained after removing the AS numbers that serve as IXPs does not satisfy the valley-free principle;
the sequence formed by the countries corresponding to the ASes in the AS _ PATH corresponding to the second type of suspicious AS link contains the same country at positions that are not consecutive.
Optionally, the event output unit 603 is configured to, according to the detection result, determine an abnormal reason corresponding to the AS link to be detected, and when outputting an abnormal event corresponding to the AS link to be detected, specifically configured to:
determining a seven-element group corresponding to the AS link to be detected according to the detection result, wherein the seven-element group comprises start time, prefix, abnormal AS _ PATH, abnormal AS link, suspicious AS, abnormal category and abnormal reason;
and determining and outputting the abnormal event corresponding to the AS link to be detected according to the seven-element group.
It should be noted that, when the abnormal AS _ PATH detection apparatus based on link prediction provided in the foregoing embodiment executes the abnormal AS _ PATH detection method based on link prediction, the above division into functional modules is only taken as an example; in practical applications, the above functions may be distributed to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules so as to complete all or part of the functions described above. In addition, the link prediction based abnormal AS _ PATH detection apparatus provided in the above embodiment and the link prediction based abnormal AS _ PATH detection method embodiment belong to the same concept; for its detailed implementation process, refer to the method embodiment, which is not described here again.
In summary, in the apparatus provided in the embodiment of the present disclosure, the link obtaining unit obtains the AS link to be tested; the link detection unit detects the AS link to be detected according to the target link predictor and/or the detection strategy to obtain a detection result corresponding to the AS link to be detected; and the event output unit determines the abnormal reason corresponding to the AS link to be detected according to the detection result and outputs the abnormal event corresponding to the AS link to be detected. Therefore, the BGP abnormal AS _ PATH can be effectively detected by adopting the target link predictor and combining the detection strategy.
In the technical scheme of the disclosure, the processes of collecting, storing, using, processing, transmitting, providing, disclosing and the like of the personal information of the related user all accord with the regulations of related laws and regulations, and do not violate the common customs of public order.
The present disclosure also provides a terminal, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
Fig. 8 shows a schematic block diagram of an example terminal 800 that can be used to implement embodiments of the present disclosure. Terminals are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Terminals may also represent various forms of mobile devices, such as personal digital processors, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 8, the terminal 800 includes a computing unit 801 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 802 or a computer program loaded from a storage unit 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for the operation of the terminal 800 can also be stored. The calculation unit 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.
A number of components in the terminal 800 are connected to the I/O interface 805, including: an input unit 806, such as a keyboard, a mouse, or the like; an output unit 807 such as various types of displays, speakers, and the like; a storage unit 808, such as a magnetic disk, optical disk, or the like; and a communication unit 809 such as a network card, modem, wireless communication transceiver, etc. The communication unit 809 allows the terminal 800 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
Computing unit 801 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of the computing unit 801 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 801 performs the respective methods and processes described above, such as the abnormal AS _ PATH detection method based on link prediction. For example, in some embodiments, the link prediction based abnormal AS _ PATH detection method may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as the storage unit 808. In some embodiments, some or all of the computer program can be loaded and/or installed onto terminal 800 via ROM 802 and/or communications unit 809. When loaded into RAM 803 and executed by the computing unit 801, the computer program may perform one or more steps of the abnormal AS _ PATH detection method based on link prediction described above. Alternatively, in other embodiments, the computing unit 801 may be configured to perform the abnormal AS _ PATH detection method based on link prediction in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), the internet, and blockchain networks.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or cloud host; it is a host product in a cloud computing service system that addresses the shortcomings of high management difficulty and weak service scalability in traditional physical hosts and Virtual Private Server (VPS) services. The server may also be a server of a distributed system, or a server incorporating a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (8)

1. An abnormal AS_PATH detection method based on link prediction, characterized by comprising the following steps:
acquiring an AS link to be detected;
detecting the AS link to be detected according to a target link predictor and a detection strategy to obtain a detection result corresponding to the AS link to be detected;
determining an abnormal reason corresponding to the AS link to be detected according to the detection result, and outputting an abnormal event corresponding to the AS link to be detected;
before the detecting of the AS link to be detected according to the target link predictor, the method further comprises the following steps:
establishing a reliable AS link library according to historical routing data;
acquiring an AS information set, wherein the AS information set comprises AS scale information, AS type information, AS attribution information and AS geographic position information;
forming an AS topology with node information according to the reliable AS link library and the AS information set, and training an initial link predictor on the AS topology so that it learns the latent rules of the AS topology, to obtain the target link predictor;
wherein the AS link to be detected is a second type of link to be detected, the second type of link to be detected does not comprise an unknown AS node, an unknown AS node being an AS node that is not in the reliable AS link library, the detection strategy comprises a second rule set, and the detecting of the AS link to be detected according to the target link predictor and the detection strategy to obtain the detection result corresponding to the AS link to be detected comprises:
inputting the second type of link to be detected into the target link predictor, and if the predicted value output by the target link predictor is smaller than the abnormal AS link threshold value, determining that the second type of link to be detected is a second type of suspicious AS link;
detecting the AS_PATH corresponding to the second type of suspicious AS link according to the second rule set;
if the AS_PATH corresponding to the second type of suspicious AS link meets any rule in the second rule set, determining that the AS_PATH corresponding to the second type of suspicious AS link is a second type of highly suspicious AS_PATH; otherwise, determining that the AS_PATH corresponding to the second type of suspicious AS link is a second type of general suspicious AS_PATH.
2. The method of claim 1, wherein the establishing of a reliable AS link library from historical routing data comprises:
extracting the AS_PATH field from the historical routing data to obtain an AS link set;
and determining the reliable AS link library from the AS link set based on a reliable link construction method.
3. The method of claim 1, wherein the acquiring of the AS link to be detected comprises:
acquiring updated routing data, and extracting the AS_PATH field from the updated routing data to obtain an updated AS link corresponding to the updated routing data;
and if the updated AS link does not exist in the reliable AS link library, determining the updated AS link as the AS link to be detected.
4. The method according to claim 1, wherein the AS link to be detected is a first type of link to be detected, the first type of link to be detected comprises at least one unknown AS node, an unknown AS node being an AS node that is not in the reliable AS link library, the detection strategy comprises a first rule set, and the detecting of the AS link to be detected according to a target link predictor and/or a detection strategy to obtain a detection result corresponding to the AS link to be detected comprises:
detecting the first type of link to be detected according to the first rule set;
and if the first type of link to be detected meets any rule in the first rule set, determining that the first type of link to be detected is a first type of suspicious AS link, and determining that the AS_PATH corresponding to the first type of link to be detected is a first type of suspicious AS_PATH.
5. The method of claim 4, wherein the first rule set comprises at least one of the following:
an AS contained in the first type of link to be detected cannot be found in the AS registration data of the RIRs;
an AS contained in the first type of link to be detected belongs to the special-purpose ASNs specified by RFCs;
the first type of link to be detected is not formed by the last two hops of the AS_PATH, and the ASes at the two ends of the first type of link to be detected belong to different countries.
6. The method of claim 1, wherein the second rule set comprises at least one of the following:
the length of the AS_PATH corresponding to the second type of suspicious AS link exceeds a length threshold;
the AS_PATH corresponding to the second type of suspicious AS link comprises an AS loop, and the second type of suspicious AS link is contained in the AS loop;
in the AS_PATH corresponding to the second type of suspicious AS link, the AS sequence with the AS numbers that serve as IXPs removed does not satisfy the valley-free principle;
in the sequence formed by the countries of the ASes in the AS_PATH corresponding to the second type of suspicious AS link, the same country appears more than once, and the positions at which that country appears in the sequence are not contiguous.
7. The method according to claim 1, wherein the determining, according to the detection result, of an abnormal reason corresponding to the AS link to be detected and the outputting of an abnormal event corresponding to the AS link to be detected comprises:
determining a seven-tuple corresponding to the AS link to be detected according to the detection result, wherein the seven-tuple comprises start time, prefix, abnormal AS_PATH, abnormal AS link, suspicious AS, abnormal category and abnormal reason;
and determining and outputting the abnormal event corresponding to the AS link to be detected according to the seven-tuple.
8. An abnormal AS_PATH detection device based on link prediction, characterized by comprising:
a link acquisition unit, configured to acquire an AS link to be detected;
a link detection unit, configured to detect the AS link to be detected according to a target link predictor and/or a detection strategy to obtain a detection result corresponding to the AS link to be detected;
an event output unit, configured to determine an abnormal reason corresponding to the AS link to be detected according to the detection result and to output an abnormal event corresponding to the AS link to be detected;
wherein the link detection unit is further configured to:
establish a reliable AS link library according to historical routing data;
acquire an AS information set, wherein the AS information set comprises AS scale information, AS type information, AS attribution information and AS geographic position information;
form an AS topology with node information according to the reliable AS link library and the AS information set, and train an initial link predictor on the AS topology so that it learns the latent rules of the AS topology, to obtain the target link predictor;
wherein the AS link to be detected is a second type of link to be detected, the second type of link to be detected does not comprise an unknown AS node, an unknown AS node being an AS node that is not in the reliable AS link library, the detection strategy comprises a second rule set, and the detection of the AS link to be detected according to the target link predictor and the detection strategy to obtain the detection result corresponding to the AS link to be detected comprises:
inputting the second type of link to be detected into the target link predictor, and if the predicted value output by the target link predictor is smaller than the abnormal AS link threshold value, determining that the second type of link to be detected is a second type of suspicious AS link;
detecting the AS_PATH corresponding to the second type of suspicious AS link according to the second rule set;
if the AS_PATH corresponding to the second type of suspicious AS link meets any rule in the second rule set, determining that the AS_PATH corresponding to the second type of suspicious AS link is a second type of highly suspicious AS_PATH; otherwise, determining that the AS_PATH corresponding to the second type of suspicious AS link is a second type of general suspicious AS_PATH.
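The first-type rule set of claims 4 and 5, as an added example that is not the patent's own code. The RIR registration snapshot, the country table and the reading of "last two hops" as the two origin-side ASes of the AS_PATH are assumptions; the special-purpose ASN ranges are the ones reserved by RFC 5398, RFC 6793, RFC 6996, RFC 7300 and RFC 7607.

```python
# Added example, not the patent's own code: the first-type rule set of claims 4-5
# for a link containing an unknown AS. REGISTERED_ASNS and COUNTRY are constructed;
# SPECIAL_PURPOSE lists the ASN ranges reserved by RFC 5398/6793/6996/7300/7607.
from typing import List, Tuple

REGISTERED_ASNS = {100, 200, 300, 400, 500, 600}   # constructed RIR registration snapshot
COUNTRY = {100: "US", 200: "US", 300: "DE", 400: "FR", 500: "DE", 600: "CN"}
SPECIAL_PURPOSE = [(0, 0), (23456, 23456), (64496, 64511), (64512, 65534),
                   (65535, 65535), (65536, 65551), (4200000000, 4294967294),
                   (4294967295, 4294967295)]


def is_special_purpose(asn: int) -> bool:
    """Rule 2 helper: the ASN falls in a reserved, private or documentation range."""
    return any(lo <= asn <= hi for lo, hi in SPECIAL_PURPOSE)


def first_rule_set(path: List[int], link: Tuple[int, int]) -> List[str]:
    """Rules of claim 5 that the link triggers; any hit makes it a first-type suspicious link."""
    fired: List[str] = []
    if any(asn not in REGISTERED_ASNS for asn in link):
        fired.append("unregistered")           # rule 1: not in RIR registration data
    if any(is_special_purpose(asn) for asn in link):
        fired.append("special-purpose")        # rule 2: RFC-reserved ASN
    # Rule 3. Assumption: "last two hops" means the origin-side end of the AS_PATH
    # (the path is written observer-first, origin-last), so a new AS attaching at
    # the origin is tolerated while a cross-border link in the middle is not.
    at_origin_end = link in (tuple(path[-2:]), tuple(path[-2:][::-1]))
    c0, c1 = COUNTRY.get(link[0]), COUNTRY.get(link[1])
    if not at_origin_end and c0 and c1 and c0 != c1:
        fired.append("cross-border")
    return fired
```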
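The second-type branch of claims 1 and 6, as an added example that is not the patent's own code. The AS countries, provider and peer relationships, IXP ASN set and both thresholds are constructed assumptions, and the link predictor's output is taken as an input value rather than computed.

```python
# Added example, not the patent's own code: the claim-6 rule set for a second-type
# suspicious AS link, run on constructed AS_PATHs. Every table below is an assumption.
from typing import List, Tuple

COUNTRY = {100: "US", 200: "US", 300: "DE", 400: "FR", 500: "DE", 900: "NL"}
IXP_ASNS = {900}                                  # assumed IXP route-server ASNs
PROVIDER_OF = {(100, 200), (100, 300), (300, 400), (500, 400)}  # (provider, customer)
PEERS = {(100, 500)}                              # settlement-free peers, either order
LENGTH_THRESHOLD = 6                              # assumed AS_PATH length limit
LINK_THRESHOLD = 0.5                              # assumed abnormal-AS-link threshold

def relation(a: int, b: int) -> str:
    """Relationship of hop a -> b: p2c, c2p, p2p, or '?' when unknown."""
    if (a, b) in PROVIDER_OF: return "p2c"
    if (b, a) in PROVIDER_OF: return "c2p"
    return "p2p" if (a, b) in PEERS or (b, a) in PEERS else "?"

def violates_valley_free(path: List[int]) -> bool:
    """Rule 3: with IXP ASNs removed, the hop sequence must match c2p* p2p? p2c*."""
    hops = [a for a in path if a not in IXP_ASNS]
    phase = 0   # 0 = climbing (c2p), 1 = crossed a peer link, 2 = descending (p2c)
    for a, b in zip(hops, hops[1:]):
        r = relation(a, b)
        if r in ("c2p", "p2p") and phase > 0: return True   # going up again: a valley
        if r == "p2p": phase = 1
        elif r == "p2c": phase = 2
    return False

def link_inside_loop(path: List[int], link: Tuple[int, int]) -> bool:
    """Rule 2: an AS repeats and the suspicious link lies between its two occurrences."""
    hops = list(zip(path, path[1:]))
    for asn in set(path):
        first, last = path.index(asn), len(path) - 1 - path[::-1].index(asn)
        if first < last and link in hops[first:last]: return True
    return False

def countries_discontinuous(path: List[int]) -> bool:
    """Rule 4: a country reappears after the path has left it, e.g. US, DE, US."""
    seq = [COUNTRY[a] for a in path]
    runs = [c for i, c in enumerate(seq) if i == 0 or c != seq[i - 1]]
    return len(runs) != len(set(runs))

def classify(path: List[int], link: Tuple[int, int], predicted: float) -> Tuple[str, List[str]]:
    """Claim-1 flow for a second-type link: predictor gate first, then the rule set."""
    if predicted >= LINK_THRESHOLD: return "not suspicious", []
    fired = [n for n, hit in (("length", len(path) > LENGTH_THRESHOLD),
                              ("loop", link_inside_loop(path, link)),
                              ("valley", violates_valley_free(path)),
                              ("country", countries_discontinuous(path))) if hit]
    return ("highly suspicious AS_PATH" if fired else "general suspicious AS_PATH"), fired
```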

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202211414924.7A (CN115460110B) | 2022-11-11 | 2022-11-11 | Abnormal AS_PATH detection method and device based on link prediction

Publications (2)

Publication Number | Publication Date
CN115460110A (en) | 2022-12-09
CN115460110B (en) | 2023-04-18

Family

Family ID: 84295444

Country Status (1)

Country | Link
CN (1) | CN115460110B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1764122A * | 2004-10-22 | 2006-04-26 | 中国人民解放军国防科学技术大学 | Inter-domain route anomaly detection method based on multiple views
CN111698189A * | 2019-03-11 | 2020-09-22 | 华为技术有限公司 | BGP route identification method, device and equipment
CN112737885A * | 2020-12-28 | 2021-04-30 | 鹏城实验室 | Self-managed BGP anomaly detection method in an autonomous domain
CN113271286A * | 2020-02-14 | 2021-08-17 | 华为技术有限公司 | Method, equipment and system for realizing BGP (Border Gateway Protocol) anomaly detection
CN114143085A * | 2021-11-30 | 2022-03-04 | 中国人民解放军国防科技大学 | BGP community attribute anomaly detection method and system based on an autoencoder

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US8327444B2 * | 2009-04-13 | 2012-12-04 | Verizon Patent And Licensing Inc. | Suspicious autonomous system path detection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Detecting forged AS paths from BGP graph features using Recurrent Neural Networks; Kevin Hoarau et al.; 2022 IEEE 19th Annual Consumer Communications & Networking Conference (CCNC); 2022-02-10; full text *

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant