CN113472740A - BGP hijacking detection method, device and equipment based on MOAS conflict event - Google Patents


Info

Publication number
CN113472740A
Authority
CN
China
Prior art keywords
moas
event
prefix
conflict
source
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110553490.8A
Other languages
Chinese (zh)
Other versions
CN113472740B (en)
Inventor
黄小红
张沛
李丹丹
谢坤
陈开宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202110553490.8A
Publication of CN113472740A
Application granted
Publication of CN113472740B
Legal status
Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/54 Organization of routing tables
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The present disclosure provides a BGP hijacking detection method, apparatus, device and medium based on MOAS (Multiple Origin AS) conflict events. The method comprises: acquiring real-time routing data and detecting a MOAS conflict event from it; obtaining a MOAS matrix from the timestamps and observation points of the MOAS conflict event; judging, from the behaviour characteristics of the MOAS matrix, whether the MOAS conflict event is an abnormal MOAS conflict event; and determining that BGP prefix hijacking has occurred in response to the MOAS conflict event being abnormal. Whether a MOAS conflict event is abnormal is thus judged from the behaviour it exhibits, and the occurrence of BGP prefix hijacking is detected from that judgement. No third-party authentication mechanism is required, which reduces deployment cost.

Description

BGP hijacking detection method, device and equipment based on MOAS conflict event
Technical Field
The disclosure relates to the technical field of communication, in particular to a BGP hijacking detection technology.
Background
Border Gateway Protocol (BGP) is the routing protocol that provides reachability between Autonomous Systems (ASes) and selects an optimal route on a distance-vector basis. However, BGP was designed without security considerations and has many security weaknesses: there is no authorization or identity-verification mechanism, received BGP routing information is not authenticated, and there is no guarantee that routing information is not tampered with during propagation. In other words, an AS completely trusts the reachability information received from its neighbours, including false routing information caused by configuration errors or malicious forgery. BGP has therefore become the target of much cyber crime: an attacker can use BGP hijacking to mislead Internet traffic and effectively spoof other networks for the attacker's own ends, such as snooping, phishing or other purposes.
Existing BGP hijacking detection detects BGP prefix hijacking from the control plane, usually by checking whether the source AS that announces a given prefix in a message is authorized to do so; guaranteeing the validity of the mapping between a prefix and its source AS requires the support of an RPKI authentication mechanism. However, the deployment of RPKI is still low, and the number of protected prefixes is only one fifth of all prefixes, so the range of existing BGP hijacking detection is greatly limited; at the same time, a malicious attacker may impersonate the prefix owner.
Disclosure of Invention
In view of this, the present disclosure is directed to a BGP hijacking detection method based on an MOAS collision event.
Based on the above object, according to a first aspect of the present disclosure, a BGP hijacking detection method based on an MOAS collision event is provided, including:
acquiring real-time routing data, and detecting an MOAS conflict event based on the real-time routing data;
obtaining an MOAS matrix based on the timestamp and the observation point of the MOAS conflict event;
judging whether the MOAS conflict event is an abnormal MOAS conflict event or not based on the behavior characteristics of the MOAS matrix;
and determining that BGP prefix hijacking occurs in response to the MOAS conflict event being an abnormal MOAS conflict event.
Optionally, the detecting a MOAS collision event based on the real-time routing data includes:
obtaining an initial routing table based on BGP routing table data in the real-time routing data, and establishing a prefix information table and a conflict relation table;
updating the prefix information table and recording route state change based on BGP updating message data in the real-time route data to obtain a prefix information table in the current state;
and detecting whether an MOAS conflict event occurs or not based on the prefix information table in the current state, updating the conflict relationship table to obtain a conflict relationship table in the current state and determining the starting time and the ending time of the MOAS conflict event in response to the detection of the occurrence of the MOAS conflict event.
Optionally, the obtaining a MOAS matrix based on the timestamp and the observation point of the MOAS collision event includes:
acquiring all observation points and timestamps in the MOAS conflict event;
constructing the MOAS event matrix $[AS_{ij}]_{n \times m}$ by taking the observation points as columns and the timestamps, in chronological order, as rows, where $i = 1, 2, \ldots, n$, $j = 1, 2, \ldots, m$, $n$ is the number of timestamps, $m$ is the number of observation points, and $AS_{ij}$ is the source AS number observed from observation point $j$ at time $i$.
Optionally, the determining, based on the behavior characteristics of the MOAS matrix, whether the MOAS collision event is an abnormal MOAS collision event includes:
extracting features from the MOAS event matrix to obtain the change rate of the source AS, the invariant rate of the source AS and the set of observation points from which the MOAS event is visible, wherein:
the change rate of the source AS = (number of source AS changes) / (number of source AS switchings);
the invariant rate of the source AS = (number of times the source AS stayed unchanged) / (number of source AS switchings);
the MOAS event visible observation point set represents a set of observation points observing different ASs at different time points for the MOAS conflict event;
and judging whether the MOAS conflict event is an abnormal MOAS conflict event or not based on the change rate of the source AS, the invariable rate of the source AS, the MOAS event visible observation point set and a preset rule.
Optionally, the performing feature extraction based on the MOAS event matrix to obtain a change rate of a source AS, a constant rate of the source AS, and a set of MOAS event visible observation points includes:
calculating the switching times of a source AS based on the MOAS event matrix;
calculating the change rate of the source AS and the constant rate of the source AS based on the columns of the MOAS event matrix and the switching times of the source AS;
and calculating the observation points of the visible MOAS conflict events based on the rows of the MOAS event matrix to obtain a visible observation point set.
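The matrix construction and feature extraction described above, as an added Python example that is not part of the patent's own implementation: it builds $[AS_{ij}]_{n \times m}$ from (timestamp, observation point, source AS) observations and computes the source AS change rate, the source AS invariant rate and the visible observation point set. Two counting conventions are assumptions, since the text does not fix them: an observation point that reports nothing at a timestamp keeps its previous source AS, and "switching times" is counted as the number of comparable consecutive-timestamp cell pairs. The thresholds in `is_abnormal` stand in for the "preset rule", which the page does not specify; the two sample events are constructed.

```python
# Added example (not the patent's code): MOAS event matrix and behaviour features.


def build_moas_matrix(observations):
    """Build [AS_ij]_{n x m}: row i = i-th timestamp of the event (in order), column j =
    j-th observation point, AS_ij = source AS seen from point j at time i.
    observations: list of (timestamp, observation_point_as, source_as).
    Assumption: a point that reports nothing at a timestamp keeps its previous
    source AS (None before its first report)."""
    observations = list(observations)
    times = sorted({t for t, _, _ in observations})
    points = sorted({p for _, p, _ in observations})
    reported = {(t, p): s for t, p, s in observations}
    last = {p: None for p in points}
    matrix = []
    for t in times:
        row = []
        for p in points:
            if (t, p) in reported:
                last[p] = reported[(t, p)]
            row.append(last[p])
        matrix.append(row)
    return times, points, matrix


def extract_features(points, matrix):
    """Source AS change rate, source AS invariant rate and visible observation point set.
    Assumption: 'switching times' = number of comparable (previous, current) cell pairs,
    so change_rate + invariant_rate == 1 unless some cells are unknown (None)."""
    switching = changed = unchanged = 0
    for prev_row, row in zip(matrix, matrix[1:]):      # consecutive timestamps (rows)
        for before, after in zip(prev_row, row):       # same observation point (column)
            if before is None or after is None:
                continue                               # not comparable yet
            switching += 1
            if before != after:
                changed += 1
            else:
                unchanged += 1
    visible = set()
    for j, point in enumerate(points):  # points that saw different source ASes over time
        seen = {row[j] for row in matrix if row[j] is not None}
        if len(seen) > 1:
            visible.add(point)
    return {
        "switching_times": switching,
        "change_rate": changed / switching if switching else 0.0,
        "invariant_rate": unchanged / switching if switching else 0.0,
        "visible_points": visible,
    }


def is_abnormal(features, num_points, change_threshold=0.5, visible_fraction=0.5):
    """Illustrative preset rule (thresholds are assumptions; the page gives none): a
    conflict in which most observation points switched source AS, and the switch was
    visible from at least half of them, is treated as abnormal, i.e. as prefix hijacking."""
    return (features["change_rate"] >= change_threshold
            and len(features["visible_points"]) >= visible_fraction * num_points)


def analyse_event(observations):
    """Matrix -> features -> normal/abnormal decision for one MOAS conflict event."""
    _times, points, matrix = build_moas_matrix(observations)
    features = extract_features(points, matrix)
    features["abnormal"] = is_abnormal(features, len(points))
    return features


# Constructed sample events (private-range AS numbers), not real routing data.
# Hijack-like: every point switches from origin 64520 to 64599, most switch back.
HIJACK_LIKE = [(100, 64500, 64520), (100, 64501, 64520), (100, 64502, 64520),
               (200, 64500, 64599), (200, 64501, 64599), (200, 64502, 64599),
               (300, 64500, 64520), (300, 64501, 64520)]
# Benign-looking: points disagree on the origin (e.g. multi-homing) but each is stable.
BENIGN_LIKE = [(t, p, 64530 if p == 64502 else 64520)
               for t in (100, 200, 300) for p in (64500, 64501, 64502)]

if __name__ == "__main__":
    print(analyse_event(HIJACK_LIKE))
    print(analyse_event(BENIGN_LIKE))
```

In the hijack-like event all three columns change between the first two rows and two of them change back, so the change rate is high and every observation point is in the visible set; in the benign-looking event the columns disagree with each other but never change, so the change rate is zero and the visible set is empty, which is what separates a stable multi-origin announcement from a switch of origin seen across the collectors.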
Optionally, before obtaining a MOAS matrix based on the timestamps and observation points of the MOAS collision events, the method further includes:
judging whether a prefix-moasn mapping relation in the MOAS conflict event effectively exists in a preset prefix-moasn mapping relation database;
and responding to the fact that the prefix-moasn mapping relation of the MOAS conflict event does not effectively exist in the preset prefix-moasn mapping relation database, and obtaining an MOAS event matrix based on the MOAS conflict event and different observation points.
Optionally, the preset prefix-moasn mapping relation database includes a normal prefix-moasn mapping relation database and an abnormal prefix-moasn mapping relation database; the method further comprises the following steps:
responding to that the prefix-moasn mapping relation of the MOAS conflict event effectively exists in the preset prefix-moasn mapping relation database, and judging whether the MOAS conflict event is abnormal or not based on that the prefix-moasn mapping relation of the MOAS conflict event exists in a normal prefix-moasn mapping relation database or an abnormal prefix-moasn mapping relation database;
and responding to the fact that the prefix-moasn mapping relation of the MOAS conflict event exists in an abnormal prefix-moasn mapping relation database, and determining that the MOAS conflict event is an abnormal MOAS conflict event and BGP prefix hijacking occurs.
According to a second aspect of the present disclosure, there is provided a BGP hijacking detection apparatus based on a MOAS collision event, including:
the acquisition module is used for acquiring real-time routing data;
the event restoration module is used for detecting an MOAS conflict event based on the real-time routing data;
the matrix module is used for obtaining an MOAS matrix based on the timestamp and the observation point of the MOAS conflict event;
the judging module is used for judging whether the MOAS conflict event is an abnormal MOAS conflict event or not based on the behavior characteristics of the MOAS matrix;
and the hijacking detection module is used for responding to the MOAS conflict event as an abnormal MOAS conflict event and determining that BGP prefix hijacking occurs.
According to a third aspect of the present disclosure, there is provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method according to the first aspect when executing the program.
According to a fourth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of the first aspects.
As can be seen from the foregoing, according to the method, device, equipment, and medium for detecting BGP hijacking based on an MOAS collision event provided by the present disclosure, whether the MOAS collision event is abnormal is determined according to behavioral characteristics expressed in the MOAS collision event, so as to detect occurrence of BGP prefix hijacking. And a third-party authentication mechanism is not required, so that the deployment cost is reduced.
Drawings
In order to more clearly illustrate the technical solutions in the present disclosure or related technologies, the drawings needed to be used in the description of the embodiments or related technologies are briefly introduced below, and it is obvious that the drawings in the following description are only embodiments of the present disclosure, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flow chart of a method for detecting hijacking based on a MOAS collision event according to an embodiment of the present disclosure;
fig. 2 is a schematic flow chart diagram of detecting a MOAS collision event according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of detecting a MOAS collision event according to an embodiment of the present disclosure;
FIG. 4 is another schematic flow chart of a method for detecting hijacking based on a MOAS conflict event according to an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of a MOAS event matrix according to an embodiment of the present disclosure;
fig. 6 is a schematic block diagram of a hijacking detection apparatus based on a MOAS conflict event according to an embodiment of the present disclosure;
fig. 7 is a more specific hardware structure diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It is to be noted that technical terms or scientific terms used in the embodiments of the present disclosure should have a general meaning as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in the embodiments of the disclosure is not intended to indicate any order, quantity, or importance, but rather to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
BGP prefix hijacking refers to a hijacking attacker AS1 announcing to the outside that it owns an IP prefix (prefix 1) that does not belong to it, so that Internet traffic destined for prefix 1 is routed to AS1, i.e. the traffic is hijacked to the wrong destination AS1. While many BGP hijacking events are likely benign and caused by incorrect configuration, many past cases have shown attackers abusing BGP on a large scale. BGP hijacking also occurs when an Internet operator mistakenly announces an IP address block belonging to another network. Traditional BGP hijacking detection mainly judges the validity of a conflict from the ownership relationship between the source AS and the IP prefix; this requires changing the route announcement messages and is troublesome to deploy. Alternatively, users are required to actively register the prefixes they need protected, so the monitoring range is limited to registered users, and a malicious attacker may impersonate the prefix owner.
The traditional BGP prefix hijacking detection from the control plane is mainly to detect MOAS conflict events, and the MOAS conflict events are divided into normal MOAS conflict events and abnormal MOAS conflict events, wherein the abnormal MOAS conflict events are caused by BGP prefix hijacking. The applicant of the present disclosure finds that the variation conditions of the source AS observed from different observation points during the course of the MOAS conflict event have certain characteristics, and these characteristics can distinguish the normal MOAS conflict event from the abnormal MOAS conflict event.
Based on the above consideration, the embodiment of the present disclosure provides a hijacking detection method based on an MOAS collision event. Referring to fig. 1, fig. 1 shows a schematic flow chart of a method for detecting hijacking based on a MOAS collision event according to an embodiment of the present disclosure. As shown in fig. 1, a BGP hijacking detection method based on a MOAS collision event includes:
step S110, acquiring real-time routing data, and detecting an MOAS conflict event based on the real-time routing data;
step S120, obtaining an MOAS event matrix based on the time stamp and the observation point of the MOAS conflict event;
step S130, judging whether the MOAS conflict event is an abnormal MOAS conflict event or not based on the behavior characteristics of the MOAS event matrix;
step S140, responding to the MOAS conflict event as an abnormal MOAS conflict event, and determining that BGP prefix hijacking occurs.
The embodiment of the disclosure monitors the MOAS conflict event from the real-time routing data in the network, and then judges whether the MOAS conflict event is abnormal or not according to the behavior characteristics expressed in the MOAS conflict event, so as to achieve the purpose of detecting the abnormal MOAS conflict event and further detect the occurrence of BGP prefix hijacking. Compared with the traditional hijack detection, the method does not need to rely on a third-party authentication mechanism, and reduces the deployment cost. The method is suitable for being widely applied to the fields of inter-domain routing and the like.
According to the embodiment of the present disclosure, in step S110, real-time routing data is obtained, and a MOAS collision event is extracted based on the routing data.
The real-time routing data may refer to real-time data of BGP routers in the network. Based on the real-time monitoring of the BGP router, the MOAS conflict event can be timely extracted, and the BGP hijacking detection can be rapidly carried out.
Optionally, the real-time routing data may include: BGP routing table data and/or BGP update message data.
In some embodiments, obtaining BGP routing table data and/or BGP update message data may include: obtaining entries from the Routing Information Service (RIS) of RIPE (Réseaux IP Européens).
The RIS is a project of the RIPE NCC (Network Coordination Centre) that collects and stores Internet routing data, namely BGP update messages and RIB dumps; these data are available to Internet operators for troubleshooting and research. The RIS deploys 22 Remote Route Collectors (RRCs) at Internet exchange points around the world. These collectors use a Quagga-based software router to establish peering sessions with local routers, collect announcement and withdrawal messages over BGP, and store them in MRT format. The RIS provides route snapshots updated every eight hours and raw route update messages updated every five minutes.
Specifically, the routing information table updated every eight hours and/or the BGP UPDATE messages updated every five minutes may be obtained from the RIPE RIS project, and one or both of them saved in a designated folder on a local server.
Optionally, referring to fig. 2, fig. 2 shows a schematic flow chart of detecting a MOAS collision event according to an embodiment of the present disclosure. As shown in fig. 2, the detecting a MOAS collision event based on the real-time routing data in step S110 may include:
step S111, obtaining an initial routing table based on BGP routing table data in the real-time routing data, and establishing a prefix information table and a conflict relation table;
step S112, updating the prefix information table and recording the route state change based on BGP updating message data in the real-time route data to obtain a prefix information table in the current state;
step S113, detecting whether an MOAS conflict event occurs or not based on the prefix information table in the current state, and in response to detecting that the MOAS conflict event occurs, updating the conflict relationship table to obtain a conflict relationship table in the current state and determining the starting time and the ending time of the MOAS conflict event.
In some embodiments, referring to fig. 3, fig. 3 shows a schematic diagram of detecting a MOAS collision event according to an embodiment of the present disclosure. As shown in fig. 2 and 3, in step S111, obtaining an initial routing table based on BGP routing table data in the real-time routing data, and establishing a prefix information table and a conflict relationship table, which may further include:
extracting an initial routing table from BGP routing table data in the real-time routing data;
extracting record information of each record based on the initial routing table;
forming a prefix information table and a conflict relationship table based on the record information of each record, wherein the prefix information table comprises the mapping relationship between each prefix in the initial routing table and the source AS information corresponding to the prefix, and the conflict relationship table comprises the mapping relationship between the prefixes corresponding to a plurality of source ASs and the plurality of source ASs.
In some embodiments, extracting record information of each record based on the initial routing table may further include:
performing first preprocessing on the record of the initial routing table to obtain a processed record;
record information of each record is extracted based on the processed record.
In some embodiments, the first preprocessing may include removing a missing record in the initial routing table or extracting a record of the initial routing table according to a first preset format to obtain the processed record.
Specifically, the records in the initial routing table may not all be complete records, and some incomplete records cannot extract valid information, so that the incomplete records can be removed, the effectiveness of the initial routing record is improved, the calculation amount is reduced, the calculation cost is saved, and the response speed and the detection efficiency are further improved. For example, a record in the initial routing table may be considered a qualified record when its length is greater than or equal to a first preset length (e.g., 7); when the length of the record in the initial routing table is smaller than the first preset length, the record is considered not to be a qualified record and can be removed. The length of the record greater than or equal to the first preset length can be used as a first preset format, the record whose length is greater than or equal to the first preset length is directly extracted from the initial routing table, and the processed record is obtained and used as a data basis of subsequent recording information.
In some embodiments, the recording information of each record may include: the generation time of the record, the prefix and AS path corresponding to the record, the observation point AS number of the record and the source AS number announcing the prefix.
In some embodiments, in step S111, the method may further include: and saving the record information of each record as a route state snapshot of the current state.
Further, in some embodiments, the observation point AS number of the record and the source AS number announcing the prefix may be extracted according to the content of the AS path corresponding to the record.
Specifically, in step S111, a routing information table may be selected as the initial routing table; further, the routing information table can be selected according to need, for example a routing information table from a preset time period. In particular, when detecting MOAS conflict events after a first time (for example, month B of some year), a routing information table generated some time before the first time (for example, the day before 00:00 on the 1st of month B of that year) may be selected. The initial routing table is then processed as follows:
and preprocessing the record of the initial routing table to obtain the processed record information. The method comprises the following steps: reading each record in the initial routing table, removing the incomplete record therein, or extracting the record information meeting the conditions according to the file format, wherein the record information can comprise the generation time of the record, the prefix corresponding to the record and the AS path, and taking out the AS number of the observation point and the source AS number for announcing the prefix according to the content of the AS path. And storing the processed record information as a routing state snapshot table of the current state.
And establishing a prefix information table for recording the mapping relation between the prefix and the source AS. And classifying the processed record information according to prefixes, recording information such AS a source AS number, generation time, an AS path and the like corresponding to each prefix, and forming a prefix information table.
And establishing a conflict relation table for recording the multiple source ASes corresponding to one prefix. That is, the conflict relation table records the mapping between each prefix that corresponds to multiple source ASes and those source ASes. In the initial state, the records in the conflict relation table are the prefix-to-multiple-source-AS mappings found in the prefix information table.
In some embodiments, as shown in fig. 2 and 3, in step S112, updating the prefix information table and recording a routing state change based on BGP update packet data in the real-time routing data, so as to obtain a prefix information table in a current state, which may further include:
updating message data based on the BGP to obtain at least one message record;
comparing each message record with records in the prefix information table according to the time sequence;
responding to the message record as a withdrawal message, deleting path information observed by prefixes in the withdrawal message at corresponding observation points in the prefix information table, and recording the change of a routing state;
responding to the message record as an announcement message, and judging whether corresponding information of prefixes in the announcement message exists in the prefix information table or not;
responding to the prefix information table without corresponding information of the prefix in the announcement message, adding the prefix in the announcement message and corresponding source AS information to the prefix information table, and recording the change of a routing state;
and updating the prefix information table based on the observation data of the observation point in response to the prefix information table having the corresponding information of the prefix in the announcement message.
Further, in some embodiments, updating the prefix information table based on the observation data of the observation point may further include:
responding to other announcement messages with respect to prefixes in the announcement messages observed by a new observation point, adding the prefixes in the announcement messages and corresponding source AS information to the prefix information table, and recording the change of a routing state;
and responding to the observation point that the AS path changes, adding the prefix in the announcement message and the corresponding source AS information to the prefix information table, and recording the change of the routing state.
In some embodiments, obtaining at least one message record based on the BGP update message data may further include:
and performing second preprocessing on the records of the BGP updated message data to obtain the at least one processed message record.
In some embodiments, the second preprocessing may include removing a defective record in the record of the BGP update packet data, or extracting the record content of the BGP update packet data according to a second preset format, to obtain the processed at least one packet record.
Specifically, when the length of a record in the BGP update message data is greater than or equal to a second preset length, the record is considered an eligible record; when the length of the record is smaller than the second preset length, it is considered not to be a qualified record and may be removed. A length greater than or equal to the second preset length may be used as the second preset format, and the records whose length is greater than or equal to the second preset length are directly extracted from the BGP update packet data, so as to obtain the at least one processed packet record.
It should be understood that the first predetermined length and the second predetermined length may be the same or different, and may be set as required, and are not limited herein.
In some embodiments, in step S112, the BGP UPDATE message data after the initial routing table, that is, the UPDATE messages, may be processed in sequence. For each UPDATE message, each record in the message is compared with the records in the prefix information table, and if a change is found, the change is recorded. Specifically:
The UPDATE messages are processed in time order. For each UPDATE message, its content is parsed, each row of records is read, incomplete records are removed, the content of the eligible records is split, and the timestamp, prefix, flag bit and AS path information in each record are taken out.
If the UPDATE message is a withdrawal message, the content of the prefix information table is checked and updated: the path information observed for the prefix at the corresponding observation point is deleted from the prefix information table, and one change of the routing state is recorded.
If the UPDATE message is an announcement message, it is checked whether an entry for the prefix exists in the prefix information table; if no entry exists, the relevant information is initialized, added to the prefix information table, and one change is recorded.
If the UPDATE message is an announcement message and the prefix information table already has an entry for the prefix, the observation point is checked first: if a new observation point observes the announcement for the prefix, the entry is added to the prefix information table and one change is recorded; if the AS path observed from an existing observation point has changed, the content of the prefix information table is modified and one change is recorded.
In some embodiments, as shown in fig. 2 and 3, step S113, detecting whether a MOAS conflict event occurs based on the prefix information table of the current state and, in response to detecting that a MOAS conflict event occurs, updating the conflict relation table to obtain the conflict relation table of the current state and determining the start time and end time of the MOAS conflict event, may further include:
based on the prefix information table of the current state, extracting the route change time at which the routing state changed and all AS path information corresponding to that route change time;
extracting the source AS numbers observed by the different observation points from all the AS path information;
judging, based on the number of source AS numbers, whether a MOAS conflict event occurs in the current state;
in response to a MOAS conflict event occurring in the current state, checking whether a MOAS conflict event occurred in the previous state;
in response to no MOAS conflict event having occurred in the previous state, determining that a new MOAS conflict event occurs in the current state, recording the current time as the start time of the new MOAS conflict event, and adding the new MOAS conflict event to the conflict relation table;
in response to a MOAS conflict event having occurred in the previous state, determining that the conflict state of that MOAS conflict event has changed, and adding the current conflict state to the conflict relation table;
in response to no MOAS conflict event occurring in the current state, judging whether a MOAS conflict event occurred in the previous state;
in response to no MOAS conflict event having occurred in the previous state, determining that no MOAS conflict event occurs;
in response to a MOAS conflict event having occurred in the previous state, determining that the conflict state of that MOAS conflict event has disappeared, recording the current time as the end time of the MOAS conflict event of the previous state, and adding the current conflict state to the conflict relation table.
When the latest BGP update message is processed, the prefix information table is modified according to that message, and the prefix information table is then checked for a newly generated conflict; if a new conflict is detected, all information about the prefix is put into the conflict relation table, so that the conflict relation table is updated to the current state. The conflict relation table therefore contains at least the information on whether the previous state and the current state have a MOAS conflict event, and it can be consulted to check whether the previous state had a MOAS conflict event.
In some embodiments, determining whether a MOAS conflict event occurs in the current state based on the number of source AS numbers may further include:
in response to the number of source AS numbers being greater than 1, determining that a MOAS conflict event occurs in the current state;
in response to the number of source AS numbers being equal to 1, determining that no MOAS conflict event occurs in the current state.
In some embodiments, step S110 may further include:
storing all AS path information observed from the different observation points during the MOAS conflict event into a MOAS event database.
Specifically, in step S113, the content of the prefix information table may be monitored; if the routing state snapshot table changes at a certain time, all AS path information corresponding to the prefix at that time is extracted, the source AS numbers observed from the different observation points are extracted, and the number of source AS numbers is checked.
If the number of source ASes is more than one, the prefix is in MOAS conflict in the current state, and the state of the prefix in the previous state is considered. If the prefix was not in conflict in the previous state, the conflict is a new one: the current time is recorded as the start time of the conflict event and the start is added to the conflict relation table; if the prefix was already in conflict in the previous state, a transition of the conflict state has occurred, and the state at this moment is added to the conflict relation table.
If the number of source ASes is one, the prefix has no MOAS conflict in the current state, and whether the prefix was in conflict in the previous state is considered. If the prefix was not in conflict in the previous state, the state change causes no MOAS conflict and no processing is performed; if the prefix was in conflict in the previous state, the conflict has disappeared at this moment and one conflict event ends: the current time is recorded as the end time of the conflict event, and the state at this moment is added to the conflict relation table.
If the end of a MOAS conflict event is detected, all path information observed from the different observation points from the start to the end of the event is stored into the MOAS conflict event database.
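The UPDATE processing of step S112 and the conflict detection of step S113 described above, as an added worked example that is not part of this disclosure: it parses a constructed set of BGP UPDATE records in an assumed pipe-separated line format (timestamp, observation point, announcement/withdrawal flag, prefix, AS path), drops incomplete records as in the second preprocessing, maintains the prefix information table, and records the start, transitions and end of a MOAS conflict event in a conflict relation table and a MOAS event database. The record format, the field names, the MIN_FIELDS check standing in for the preset record length, and the sample prefixes and AS numbers (taken from the documentation ranges) are assumptions.

```python
# Constructed BGP UPDATE records (not from the disclosure) in an assumed
# pipe-separated line format: timestamp|observation point|flag|prefix|AS path,
# where flag is A (announcement) or W (withdrawal). Timestamps are integers and
# prefixes and AS numbers come from the documentation ranges.
RAW_UPDATES = """\
1000|VP1|A|203.0.113.0/24|64496 64500
1000|VP2|A|203.0.113.0/24|64497 64500
1000|VP1|A|198.51.100.0/24|64496 64501
1010|VP1|A|203.0.113.0/24|64496 64511
1010|VP2|A|bogus
1020|VP3|A|203.0.113.0/24|64499 64511
1030|VP1|A|203.0.113.0/24|64496 64500
1040|VP3|W|203.0.113.0/24|
"""

MIN_FIELDS = 5  # plays the role of the preset record length: shorter records are defective


def parse_updates(raw):
    """Second preprocessing: drop incomplete records, split the eligible ones."""
    records = []
    for line in raw.splitlines():
        fields = line.split("|")
        if len(fields) < MIN_FIELDS:
            continue  # defective record removed
        ts, vp, flag, prefix, path = fields
        as_path = [int(a) for a in path.split()] if flag == "A" else None
        if flag == "A" and not as_path:
            continue  # an announcement without a path is also defective
        records.append((int(ts), vp, flag, prefix, as_path))
    records.sort(key=lambda r: r[0])  # process in time order (stable sort)
    return records


class MoasDetector:
    """Steps S112/S113: prefix information table, conflict relation table, event database."""

    def __init__(self):
        self.prefix_table = {}    # prefix -> {observation point: AS path}
        self.conflict_table = []  # (time, prefix, state, sorted source ASes)
        self.active = {}          # prefix -> {"start": time, "paths": [(time, vp, path)]}
        self.event_db = []        # finished MOAS conflict events

    def process(self, ts, vp, flag, prefix, path):
        paths = self.prefix_table.setdefault(prefix, {})
        if flag == "W":
            changed = paths.pop(vp, None) is not None
        else:
            changed = paths.get(vp) != path  # new VP or changed AS path
            paths[vp] = path
        if not changed:
            return  # no routing state change, nothing to record
        sources = {p[-1] for p in paths.values()}  # origin AS is the last hop
        conflict_now, conflict_prev = len(sources) > 1, prefix in self.active
        if conflict_now and not conflict_prev:
            # new conflict: snapshot every path currently observed for the prefix
            self.active[prefix] = {"start": ts,
                                   "paths": [(ts, v, p) for v, p in paths.items()]}
            self.conflict_table.append((ts, prefix, "start", sorted(sources)))
        elif conflict_now:
            self.active[prefix]["paths"].append((ts, vp, path))
            self.conflict_table.append((ts, prefix, "transition", sorted(sources)))
        elif conflict_prev:
            event = self.active.pop(prefix)
            event["paths"].append((ts, vp, path))  # path is None for a withdrawal
            self.event_db.append({"prefix": prefix, "start": event["start"],
                                  "end": ts, "paths": event["paths"]})
            self.conflict_table.append((ts, prefix, "end", sorted(sources)))


def run_detection(raw):
    det = MoasDetector()
    for rec in parse_updates(raw):
        det.process(*rec)
    return det


if __name__ == "__main__":
    d = run_detection(RAW_UPDATES)
    for row in d.conflict_table:
        print(row)
    for ev in d.event_db:
        print(ev["prefix"], ev["start"], ev["end"], len(ev["paths"]), "paths")
```

On the constructed input the conflict on 203.0.113.0/24 starts at 1010 when VP1 sees origin 64511 while VP2 still sees 64500, passes through two transitions, and ends at 1040 when VP3 withdraws its 64511 path; the single-origin prefix 198.51.100.0/24 never enters the conflict relation table.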
Referring to fig. 4, according to an embodiment of the present disclosure, fig. 4 shows another schematic flowchart of a method for detecting hijacking based on a MOAS collision event according to an embodiment of the present disclosure. As shown in fig. 4, between step S110 and step S120, the method may further include:
step S150, judging whether the prefix-moasn mapping relation of the MOAS conflict event validly exists in a preset prefix-moasn mapping relation database.
The prefix-moasn mapping relation represents a mapping between a prefix and a multi-source AS number (moasn). The prefix-moasn mapping relation of the MOAS conflict event may be extracted from the prefix information table of step S110.
The preset prefix-moasn mapping relation database can be constructed by periodically and synchronously downloading verification data (such as certificates and signatures) from an RPKI database, so that the validity of the route origin can be verified against the RPKI certificate authentication system and the real authorization relation between an IP prefix and its multi-source AS numbers is obtained. Based on this data, a router may determine the authenticity of a BGP routing message, that is, whether the originating AS in the routing message has legitimate authority to advertise the IP prefix. If the prefix-moasn mapping relation of the MOAS conflict event exists in the preset prefix-moasn mapping relation database, the MOAS conflict event can be directly judged to be an abnormal or a normal MOAS conflict event according to the information stored in that database.
In some embodiments, the preset prefix-moasn mapping relationship database may include a normal prefix-moasn mapping relationship database and an abnormal prefix-moasn mapping relationship database. For example, the normal prefix-moasn mapping relationship database may include: IP prefix and corresponding multi-source AS numbers ASN-1 and ASN-2. The exception prefix-moasn mapping relationship database may include: IP prefix B and corresponding multi-source AS numbers ASN-3, ASN-4 and ASN-5. It should be understood that the mapping relationships in the normal prefix-moasn mapping relationship database and the abnormal prefix-moasn mapping relationship database are only examples and are not intended to be limiting, and the normal prefix-moasn mapping relationship database and the abnormal prefix-moasn mapping relationship database may include any number of mapping relationships, and the number of the multi-source AS numbers in each mapping relationship may be one or more, which is not limited herein.
Optionally, before step S150, the method may further include:
acquiring route source verification data and historical BGP hijacking event data;
constructing the preset prefix-moasn mapping relation database based on the route source verification data and the historical BGP hijacking event data.
In some embodiments, obtaining the route source verification data may include: collecting RPKI (Resource Public Key Infrastructure) authentication information from each continent around the world and acquiring the route source verification data from the authentication information. Further, the route source verification data may be saved to a designated folder on a local server.
In some embodiments, obtaining the historical BGP hijacking event data may include: accessing the BGP routing anomaly messages disclosed by the BGP Stream project and acquiring the prefix hijacking messages among them. Further, the prefix hijacking messages may be saved to a local server.
In some embodiments, constructing the normal prefix-moasn mapping relation database may include:
acquiring route source verification data of different regions and times, and summarizing it into a route source verification table;
extracting prefixes and their corresponding multi-source AS numbers from the route source verification table to obtain at least one authorized prefix-moasn mapping relation;
for each authorized prefix-moasn mapping relation, recalculating its valid time based on the route source verification table to obtain the validity period corresponding to that authorized prefix-moasn mapping relation;
obtaining the normal prefix-moasn mapping relation database from each authorized prefix-moasn mapping relation and its corresponding validity period.
In some embodiments, for each authorized prefix-moasn mapping relation, recalculating its valid time based on the route source verification table to obtain the corresponding validity period may include:
taking the minimum valid start time among the records of the authorized prefix-moasn mapping relation as the start time of the corresponding validity period;
taking the maximum valid end time among the records of the authorized prefix-moasn mapping relation as the end time of the corresponding validity period.
An authorized prefix-moasn mapping relation may cover multiple time periods, and the union of these time periods is used as the validity period of the relation. Specifically, the RPKI authentication information of different regions and times is summarized into a table, and the prefix-moasn mapping relations are extracted from the summarized table to obtain one or more prefix-moasn mapping relations. The validity periods of these relations are then recalculated: for each prefix-moasn mapping relation, the earlier validity start time is taken as its validity start time and the later validity end time is taken as its validity end time. The prefix-moasn mapping relations and their corresponding validity periods are then written into the normal prefix-moasn mapping relation database.
In some embodiments, constructing the abnormal prefix-moasn mapping relation database may include:
acquiring historical BGP hijacking event data within a preset time range;
extracting the BGP hijacking event information and the corresponding prefix from the BGP hijacking event data;
forming an abnormal prefix-moasn mapping relation from the BGP hijacking event information and the corresponding prefix to obtain the abnormal prefix-moasn mapping relation database.
In some embodiments, the BGP hijacking event information may include: the prefix, the correct source AS number, the abnormal source AS number, and the generation time of the historical BGP hijacking event.
Specifically, to establish the abnormal prefix-moasn mapping relation database, the historical BGP hijacking event information within the time range is read first; the prefix of the hijacking event, the correct source ASN, the abnormal source ASN and the generation time of the event are extracted, and an abnormal prefix-moasn mapping relation is constructed. The abnormal prefix-moasn mapping relation and its validity period are stored into a database to form the abnormal prefix-moasn mapping relation database. The validity period of an abnormal prefix-moasn mapping relation spans from the start time to the end time of the historical hijacking event in that relation.
Optionally, in step S150, determining whether the prefix-moasn mapping relation of the MOAS conflict event validly exists in the preset prefix-moasn mapping relation database may include:
querying whether the prefix-moasn mapping relation of the MOAS conflict event exists in the preset prefix-moasn mapping relation database;
in response to the prefix-moasn mapping relation of the MOAS conflict event existing in the preset prefix-moasn mapping relation database, judging whether that prefix-moasn mapping relation has expired;
in response to the prefix-moasn mapping relation of the MOAS conflict event not having expired, determining that it validly exists in the preset prefix-moasn mapping relation database.
In some embodiments, in step S150, the method may further include:
in response to the prefix-moasn mapping relation of the MOAS conflict event having expired, determining that it does not validly exist in the preset prefix-moasn mapping relation database.
In some embodiments, in step S150, the method may further include:
in response to the prefix-moasn mapping relation of the MOAS conflict event not existing in the preset prefix-moasn mapping relation database, determining that it does not validly exist in the preset prefix-moasn mapping relation database.
In some embodiments, in step S150, the method may further include:
in response to the prefix-moasn mapping relation of the MOAS conflict event validly existing in the preset prefix-moasn mapping relation database, judging whether the MOAS conflict event is abnormal according to whether that prefix-moasn mapping relation exists in the normal prefix-moasn mapping relation database or in the abnormal prefix-moasn mapping relation database.
Further, in some embodiments, judging whether the MOAS conflict event is abnormal according to whether its prefix-moasn mapping relation exists in the normal or the abnormal prefix-moasn mapping relation database may include:
in response to the prefix-moasn mapping relation of the MOAS conflict event existing in the normal prefix-moasn mapping relation database, determining that the MOAS conflict event is a normal MOAS conflict event;
in response to the prefix-moasn mapping relation of the MOAS conflict event existing in the abnormal prefix-moasn mapping relation database, determining that the MOAS conflict event is an abnormal MOAS conflict event.
Further, in some embodiments, if the MOAS conflict event is determined to be an abnormal MOAS conflict event, it may be determined that BGP prefix hijacking has occurred.
Optionally, in step S150, the method may further include: in response to the prefix-moasn mapping relation of the MOAS conflict event not validly existing in the preset prefix-moasn mapping relation database, executing step S120 to obtain a MOAS event matrix based on the MOAS conflict event and the different observation points.
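The construction of the normal and abnormal prefix-moasn mapping relation databases and the validity check of step S150, as an added worked example that is not part of this disclosure. The route source verification records and the historical hijacking events are constructed inline; the integer timestamps, the record layout, the grouping of all authorized ASNs of one prefix into a single moasn relation, and the reading that a relation "validly exists" only while the event time lies inside its validity period are assumptions. The result "unknown" corresponds to the case where the method proceeds to step S120.

```python
from collections import defaultdict

# Constructed route source verification records (ROA-like, not from the disclosure):
# (prefix, authorized ASN, region of the RPKI data, valid_from, valid_to).
# Times are plain integers; prefixes and ASNs are from the documentation ranges.
ROV_RECORDS = [
    ("203.0.113.0/24", 64500, "region-A", 100, 500),
    ("203.0.113.0/24", 64501, "region-A", 200, 400),
    ("203.0.113.0/24", 64500, "region-B", 150, 600),
    ("198.51.100.0/24", 64502, "region-A", 100, 300),
]

# Constructed historical BGP hijacking events:
# (prefix, correct source ASN, abnormal source ASN, start time, end time).
HIJACK_EVENTS = [
    ("192.0.2.0/24", 64503, 64511, 700, 720),
]


def build_normal_db(records):
    """Authorized prefix-moasn relations: prefix -> all authorized ASNs, with the
    validity period taken as (minimum start, maximum end) over the prefix's records."""
    asns, start, end = defaultdict(set), {}, {}
    for prefix, asn, _region, t0, t1 in records:
        asns[prefix].add(asn)
        start[prefix] = min(start.get(prefix, t0), t0)
        end[prefix] = max(end.get(prefix, t1), t1)
    return {(prefix, frozenset(asns[prefix])): (start[prefix], end[prefix])
            for prefix in asns}


def build_abnormal_db(events):
    """Abnormal prefix-moasn relations: the correct and abnormal origin together,
    valid from the start to the end of the historical hijacking event."""
    db = {}
    for prefix, correct, abnormal, t0, t1 in events:
        key = (prefix, frozenset({correct, abnormal}))
        if key in db:  # the same relation seen in several events: widen the period
            t0, t1 = min(t0, db[key][0]), max(t1, db[key][1])
        db[key] = (t0, t1)
    return db


def classify_moas_event(prefix, source_asns, event_time, normal_db, abnormal_db):
    """Step S150. Returns 'normal', 'abnormal' or 'unknown'; 'unknown' means the
    relation does not validly exist (absent or expired) and step S120 is needed."""
    key = (prefix, frozenset(source_asns))
    for label, db in (("normal", normal_db), ("abnormal", abnormal_db)):
        if key in db:
            t0, t1 = db[key]
            # assumption: validly present only while event_time lies inside the period
            return label if t0 <= event_time <= t1 else "unknown"
    return "unknown"


NORMAL_DB = build_normal_db(ROV_RECORDS)
ABNORMAL_DB = build_abnormal_db(HIJACK_EVENTS)

if __name__ == "__main__":
    for q in [("203.0.113.0/24", {64500, 64501}, 450),
              ("203.0.113.0/24", {64500, 64501}, 650),
              ("192.0.2.0/24", {64503, 64511}, 710),
              ("192.0.2.0/24", {64503, 64504}, 710)]:
        print(q, "->", classify_moas_event(*q, NORMAL_DB, ABNORMAL_DB))
```

The lookup is keyed on the unordered set of source ASes, so the order in which the observation points reported the two origins does not matter; an expired relation is treated the same as an absent one, which is the behaviour the expiry branches of step S150 describe.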
According to an embodiment of the present disclosure, in step S120, obtaining the MOAS event matrix based on the MOAS conflict event and the different observation points may include:
acquiring all observation points and timestamps in the MOAS conflict event;
constructing the MOAS event matrix [AS_ij]_{n×m} by taking the observation points as columns and the sequentially arranged timestamps as rows, wherein i = 1, 2, …, n; j = 1, 2, …, m; n is the number of timestamps; m is the number of observation points; and AS_ij denotes the source AS number observed from observation point j at time i.
Specifically, in step S120, referring to fig. 5, which shows a schematic diagram of a MOAS event matrix according to an embodiment of the present disclosure, for the MOAS conflict event detected in step S110, all observation points (VPs) at which the MOAS conflict event was observed are first counted and denoted VP_1, VP_2, …, VP_m; all timestamps from the start of the event to its end are counted and denoted T_1, T_2, …, T_n.
Taking all VPs as columns and all timestamps as rows, with the timestamps arranged in chronological order, a matrix with n rows and m columns is established, and the AS numbers are stored in the cells of the matrix.
From the event, the source AS observed from each observation point at each time point during the conflict event is obtained. The AS paths are examined in time order, the observation point and source AS information are extracted from each AS path, and the AS number is filled into the corresponding cell of the matrix. For example, assume that at time T_i the source AS number AS_k is observed from collection point VP_j; then AS_k is filled into the cell at row i, column j of the matrix.
In this way, all source ASes observed at the different observation points at the different times are filled into the matrix cells, and the MOAS event matrix of the MOAS conflict event is constructed.
According to an embodiment of the present disclosure, in step S130, judging whether the MOAS conflict event is an abnormal MOAS conflict event based on the behavior characteristics of the MOAS event matrix may include:
extracting features from the MOAS event matrix to obtain the change rate of the source AS, the invariant rate of the source AS and the set of observation points at which the MOAS event is visible;
judging whether the MOAS conflict event is an abnormal MOAS conflict event based on the change rate of the source AS, the invariant rate of the source AS, the set of MOAS event visible observation points and a preset rule.
In some embodiments, extracting features from the MOAS event matrix to obtain the change rate of the source AS, the invariant rate of the source AS and the set of MOAS event visible observation points may further include:
calculating the number of source AS switches from the MOAS event matrix;
calculating the change rate and the invariant rate of the source AS from the columns of the MOAS event matrix and the number of source AS switches;
calculating, from the rows of the MOAS event matrix, the observation points at which the MOAS conflict event is visible to obtain the visible observation point set.
In some embodiments, calculating the number of source AS switches switch_num from the MOAS event matrix [AS_ij]_{n×m} may include: switch_num = (n-1) × m, where n is the number of rows and m is the number of columns. Further, n represents the number of times the MOAS conflict event was observed (that is, the number of timestamps), and m represents the number of observation points.
Specifically, for the multi-source AS event matrix corresponding to a certain prefix, the total number of source AS switches within the single event matrix is calculated. Let the event matrix be a matrix A_nm with n rows and m columns, so that the event described by the matrix was observed n times and the number of observation points is m. Then the total number of source AS switches in the event matrix is switch_num = (n-1) × m.
In some embodiments, calculating the change rate and the invariant rate of the source AS from the columns of the MOAS event matrix and the number of source AS switches may include:
counting, over every column of the MOAS event matrix, the total number of times the source AS changes between adjacent rows, to obtain the number of source AS changes;
counting, over every column of the MOAS event matrix, the total number of times the source AS stays the same between adjacent rows, to obtain the number of source AS invariances;
calculating the change rate and the invariant rate of the source AS from the number of source AS changes, the number of source AS invariances and the number of source AS switches.
In some embodiments, calculating the change rate and the invariant rate of the source AS from these counts may include:
change rate of the source AS = number of source AS changes / number of source AS switches;
invariant rate of the source AS = number of source AS invariances / number of source AS switches.
Specifically, referring to fig. 5, when calculating the change rate of a source AS in the MOAS conflict event, the MOAS event matrix corresponding to a certain prefix is viewed by column: from time T_k to time T_{k+1}, if the corresponding source AS in the matrix changes from AS_A to AS_B, one change is recorded for source AS_A; if the corresponding source AS in the matrix changes from AS_B to AS_A, one change is recorded for AS_B. In this way the total number of changes of a certain source AS in the multi-source AS matrix is calculated and denoted change_num, and the change rate of that source AS in the event is change_rate = change_num / switch_num.
When calculating the invariant rate of a source AS in the MOAS conflict event, the multi-source AS matrix corresponding to a certain prefix is likewise viewed by column: from time T_k to time T_{k+1}, if the corresponding source AS in the matrix remains unchanged, that is, it is AS_A at time T_k and still AS_A at time T_{k+1}, one invariant switch is counted for source AS_A; if over the same time step the corresponding source AS remains AS_B, one invariant switch is recorded for AS_B. In this way the total number of times a source AS remains unchanged in the multi-source AS matrix is calculated and denoted constant_num, and the invariant rate of that source AS in the event is constant_rate = constant_num / switch_num.
In some embodiments, calculating, from the rows of the MOAS event matrix, the observation points at which the MOAS conflict event is visible to obtain the set of MOAS event visible observation points may include:
counting the set of observation points at which the MOAS conflict event corresponding to the source ASes observed in each row of the MOAS event matrix is visible, to obtain the set of MOAS event visible observation points.
In some embodiments, the set of MOAS event visible observation points represents the set of observation points that observe different source ASes at different time points for the MOAS conflict event.
That is, for a MOAS event, if different ASes are observed from an observation point at different time points, that observation point is added to the set of visible observation points. Specifically, when calculating the visibility, that is, the set of observation points at which the MOAS conflict event is visible, from a certain observation point (that is, from the perspective of a matrix column), if both source ASes of the conflict event are seen across the time points T_1 to T_n, the conflict is counted as visible to that observation point. The set of visible observation points of the event is denoted visiblevp_set; for example, if the visible observation points of the conflict event corresponding to a certain event matrix are VP1, VP3 and VP4, the set of visible observation points of this event is visiblevp_set = {VP1, VP3, VP4}.
In some embodiments, judging whether the MOAS conflict event is an abnormal MOAS conflict event based on the change rate of the source AS, the invariant rate of the source AS, the set of MOAS event visible observation points and the preset rule may include:
calculating the absolute value of the difference between the change rates of the two source ASes of the MOAS conflict event, denoted change_rate_distance = |change_rate_AS1 - change_rate_AS2|;
calculating the absolute value of the difference between the invariant rates of the two source ASes of the MOAS conflict event, denoted constant_rate_distance = |constant_rate_AS1 - constant_rate_AS2|;
judging whether the absolute value of the change-rate difference of the two source ASes, the absolute value of the invariant-rate difference of the two source ASes and the set of MOAS event visible observation points satisfy the preset rule;
determining the MOAS conflict event to be an abnormal MOAS conflict event in response to change_rate_distance < α && constant_rate_distance > β, or change_rate_distance < α && constant_rate_distance < β && visiblevp_set ∈ visiblevp_setX;
wherein α and β are preset thresholds, visiblevp_set is the set of MOAS event visible observation points, and visiblevp_setX is a preset visible observation point set.
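The MOAS event matrix of step S120 and the feature extraction and preset rule of step S130, as an added worked example that is not part of this disclosure, applied to a constructed conflict event with three observation points, four timestamps and two source ASes. Assumptions: a matrix cell with no observation inherits the previous value of its column, the rates are kept as exact fractions, the condition visiblevp_set ∈ visiblevp_setX is read as a subset test, and α, β and visiblevp_setX are sample values with no basis in the disclosure.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed MOAS conflict event (not from the disclosure): (timestamp, observation
# point, source AS) observations for one prefix with two competing origins. ASNs are
# from the documentation range. VP3 has no observation at T4 on purpose.
OBSERVATIONS = [
    ("T1", "VP1", 64500), ("T1", "VP2", 64500), ("T1", "VP3", 64500),
    ("T2", "VP1", 64511), ("T2", "VP2", 64500), ("T2", "VP3", 64500),
    ("T3", "VP1", 64511), ("T3", "VP2", 64511), ("T3", "VP3", 64500),
    ("T4", "VP1", 64511), ("T4", "VP2", 64511),
]


def build_event_matrix(observations):
    """Step S120: rows are timestamps in order, columns are observation points,
    cell (i, j) is the source AS seen from VP j at time i. A cell with no
    observation inherits the previous value of its column (assumption)."""
    times = sorted({t for t, _, _ in observations})
    vps = sorted({vp for _, vp, _ in observations})
    seen = {(t, vp): asn for t, vp, asn in observations}
    matrix = []
    for t in times:
        prev_row = matrix[-1] if matrix else [None] * len(vps)
        matrix.append([seen.get((t, vp), prev_row[j]) for j, vp in enumerate(vps)])
    return times, vps, matrix


def extract_features(matrix):
    """Step S130: switch_num, and per source AS the change rate and invariant rate."""
    n, m = len(matrix), len(matrix[0])
    switch_num = (n - 1) * m
    change_num, constant_num = defaultdict(int), defaultdict(int)
    for j in range(m):                      # view the matrix by column
        for k in range(n - 1):              # step from T_k to T_(k+1)
            a, b = matrix[k][j], matrix[k + 1][j]
            if a is None or b is None:
                continue                    # no observation yet in this column
            if a == b:
                constant_num[a] += 1        # AS_A stayed AS_A: invariant switch
            else:
                change_num[a] += 1          # AS_A replaced by AS_B: change of AS_A
    sources = sorted(set(change_num) | set(constant_num))
    change_rate = {s: Fraction(change_num[s], switch_num) for s in sources}
    constant_rate = {s: Fraction(constant_num[s], switch_num) for s in sources}
    return switch_num, change_rate, constant_rate


def visible_vp_set(vps, matrix):
    """Observation points whose column shows both source ASes of the conflict."""
    return {vp for j, vp in enumerate(vps)
            if len({row[j] for row in matrix} - {None}) >= 2}


def is_abnormal(change_rate, constant_rate, visiblevp_set, alpha, beta, visiblevp_setx):
    """The preset rule of the disclosure, with 'visiblevp_set ∈ visiblevp_setX' read
    as a subset test (assumption)."""
    as1, as2 = sorted(change_rate)          # the rule is defined for two source ASes
    change_rate_distance = abs(change_rate[as1] - change_rate[as2])
    constant_rate_distance = abs(constant_rate[as1] - constant_rate[as2])
    return ((change_rate_distance < alpha and constant_rate_distance > beta) or
            (change_rate_distance < alpha and constant_rate_distance < beta
             and visiblevp_set <= visiblevp_setx))


def classify(observations, alpha, beta, visiblevp_setx):
    _times, vps, matrix = build_event_matrix(observations)
    _switch_num, change_rate, constant_rate = extract_features(matrix)
    visible = visible_vp_set(vps, matrix)
    return "abnormal" if is_abnormal(change_rate, constant_rate, visible,
                                     alpha, beta, visiblevp_setx) else "normal"


if __name__ == "__main__":
    print(classify(OBSERVATIONS, alpha=0.3, beta=0.05, visiblevp_setx={"VP1", "VP2"}))
```

For the constructed event the matrix has n = 4 rows and m = 3 columns, so switch_num = 9; origin 64500 is replaced twice and stays put four times, origin 64511 is never replaced and stays put three times, giving change_rate_distance = 2/9 and constant_rate_distance = 1/9, and only VP1 and VP2 see both origins. Which branch of the preset rule fires then depends entirely on α, β and visiblevp_setX, which is why the thresholds deserve calibration on known normal and hijacking events before the rule is relied upon.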
According to the embodiment of the present disclosure, in step S140, in response to the abnormality of the MOAS collision event, it is determined that BGP prefix hijacking occurs.
Optionally, in step S140, the method may further include: in response to the MOAS conflict event being a normal MOAS conflict event, determining that BGP prefix hijacking has not occurred.
It should be noted that the method of the embodiments of the present disclosure may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may only perform one or more steps of the method of the embodiments of the present disclosure, and the devices may interact with each other to complete the method.
It should be noted that the above describes some embodiments of the disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same inventive concept, corresponding to the method of any embodiment, the disclosure also provides a BGP hijacking detection device based on the MOAS conflict event.
Referring to fig. 6, the apparatus for detecting BGP hijacking based on MOAS collision event includes:
an acquisition module, used for acquiring real-time routing data;
an event restoration module, used for detecting a MOAS conflict event based on the real-time routing data;
a matrix module, used for obtaining a MOAS matrix based on the timestamps and observation points of the MOAS conflict event;
a judging module, used for judging whether the MOAS conflict event is an abnormal MOAS conflict event based on the behavior characteristics of the MOAS matrix;
a hijacking detection module, used for determining, in response to the MOAS conflict event being an abnormal MOAS conflict event, that BGP prefix hijacking has occurred.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functionality of the various modules may be implemented in the same one or more software and/or hardware implementations of the present disclosure.
The apparatus in the foregoing embodiment is used to implement the corresponding method for detecting BGP hijacking based on an MOAS collision event in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, corresponding to the method of any embodiment described above, the present disclosure further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and operable on the processor, where the processor implements the method for detecting a BGP hijacking based on an MOAS collision event according to any embodiment when executing the program.
Fig. 7 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The electronic device in the foregoing embodiment is used to implement the corresponding method for detecting BGP hijacking based on an MOAS collision event in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, corresponding to any of the above embodiments, the present disclosure further provides a non-transitory computer-readable storage medium storing a computer instruction for causing the computer to execute the method for detecting BGP hijacking based on an MOAS collision event according to any of the above embodiments.
Computer-readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiment are used to enable the computer to execute the method for detecting BGP hijacking based on an MOAS collision event according to any of the foregoing embodiments, and have the beneficial effects of corresponding method embodiments, which are not described herein again.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples. Within the idea of the present disclosure, technical features of the above embodiments or of different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present disclosure described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the disclosure. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the present disclosure, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the present disclosure are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that the embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The disclosed embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalents, improvements, and the like that may be made within the spirit and principles of the embodiments of the disclosure are intended to be included within the scope of the disclosure.

Claims (10)

1. A BGP hijacking detection method based on MOAS conflict events comprises the following steps:
acquiring real-time routing data, and detecting an MOAS conflict event based on the real-time routing data;
obtaining an MOAS matrix based on the timestamp and the observation point of the MOAS conflict event;
judging whether the MOAS conflict event is an abnormal MOAS conflict event or not based on the behavior characteristics of the MOAS matrix;
and determining that BGP prefix hijacking occurs in response to the MOAS conflict event being an abnormal MOAS conflict event.
2. The method of claim 1, wherein detecting an MOAS conflict event based on the real-time routing data comprises:
obtaining an initial routing table based on BGP routing table data in the real-time routing data, and establishing a prefix information table and a conflict relation table;
updating the prefix information table and recording route state change based on BGP updating message data in the real-time route data to obtain a prefix information table in the current state;
and detecting, based on the prefix information table in the current state, whether an MOAS conflict event occurs; and, in response to detecting that an MOAS conflict event has occurred, updating the conflict relationship table to obtain a conflict relationship table in the current state and determining the start time and the end time of the MOAS conflict event.
3. The method of claim 1, wherein obtaining an MOAS matrix based on the timestamps and observation points of the MOAS conflict event comprises:
acquiring all observation points and timestamps in the MOAS conflict event;
constructing the MOAS event matrix [AS_ij]_(n×m) with the observation points as columns and the sequentially arranged timestamps as rows, wherein i = 1, 2, …, n; j = 1, 2, …, m; n is the number of timestamps; m is the number of observation points; and AS_ij denotes the source AS number observed from observation point j at time i.
4. The method of claim 1, wherein judging whether the MOAS conflict event is an abnormal MOAS conflict event based on the behavior characteristics of the MOAS matrix comprises:
extracting features based on the MOAS event matrix to obtain the change rate of the source AS, the invariant rate of the source AS, and the MOAS event visible observation point set, wherein:
the change rate of the source AS is the number of source AS changes divided by the number of source AS switches;
the invariant rate of the source AS is the number of times the source AS remained unchanged divided by the number of source AS switches;
the MOAS event visible observation point set is the set of observation points that observed different ASs at different time points during the MOAS conflict event;
and judging whether the MOAS conflict event is an abnormal MOAS conflict event based on the change rate of the source AS, the invariant rate of the source AS, the MOAS event visible observation point set, and a preset rule.
5. The method of claim 4, wherein extracting features based on the MOAS event matrix to obtain the change rate of the source AS, the invariant rate of the source AS, and the MOAS event visible observation point set comprises:
calculating the number of source AS switches based on the MOAS event matrix;
calculating the change rate of the source AS and the invariant rate of the source AS based on the columns of the MOAS event matrix and the number of source AS switches;
and calculating, based on the rows of the MOAS event matrix, the observation points from which the MOAS conflict event is visible, to obtain the visible observation point set.
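A worked example of the matrix in claim 3 and the features in claims 4 and 5, added here and not part of the patent; the route observations are constructed, and the reading of "number of switches", the visible-set definition and the stand-in for the preset rule are all assumptions:

```python
# Added example, not the patent's code: builds the MOAS event matrix of claim 3 from
# constructed route observations and derives the claim 4/5 features. The claims do not
# define "switching times" or the preset rule, so the readings used here are assumptions.
from collections import defaultdict

# Constructed sample (not real routing data): (timestamp, observation point, origin AS)
# for one prefix. vp2 and vp3 briefly see a second origin; vp1 and vp4 never do.
PARTIAL_EVENT = [
    (1, "vp1", 65001), (1, "vp2", 65001), (1, "vp3", 65001), (1, "vp4", 65001),
    (2, "vp2", 65002),
    (3, "vp3", 65002),
    (4, "vp2", 65001), (4, "vp3", 65001),
]
# Constructed sample of a legitimate origin change: every point moves to AS 65002.
FULL_MIGRATION = [
    (1, "vp1", 65001), (1, "vp2", 65001), (1, "vp3", 65001),
    (2, "vp1", 65002), (2, "vp2", 65002),
    (3, "vp3", 65002),
]

def build_moas_matrix(observations):
    """Rows = timestamps in order, columns = observation points, cell AS_ij = origin AS
    seen by point j at time i (claim 3). A point that sends no update at a timestamp
    keeps its last announced origin, as its routing table entry would."""
    timestamps = sorted({t for t, _, _ in observations})
    points = sorted({p for _, p, _ in observations})
    reported = defaultdict(dict)
    for t, p, origin in observations:
        reported[t][p] = origin
    latest, matrix = {}, []
    for t in timestamps:
        latest.update(reported[t])
        matrix.append([latest.get(p) for p in points])
    return timestamps, points, matrix

def moas_features(points, matrix):
    """Claim 4/5 features. Assumption: a 'switch' is a timestamp at which at least one
    point reports a different origin than at the previous timestamp; per point,
    change rate = changes / switches and invariant rate = 1 - change rate."""
    switch_rows = [i for i in range(1, len(matrix)) if matrix[i] != matrix[i - 1]]
    switches = len(switch_rows)
    change_rate, invariant_rate = {}, {}
    for j, p in enumerate(points):
        changed = sum(1 for i in switch_rows if matrix[i][j] != matrix[i - 1][j])
        change_rate[p] = changed / switches if switches else 0.0
        invariant_rate[p] = 1.0 - change_rate[p]
    # Visible observation point set: points that saw more than one origin AS.
    visible = {p for j, p in enumerate(points) if len({row[j] for row in matrix}) > 1}
    return switches, change_rate, invariant_rate, visible

def judge_event(observations):
    """Illustrative stand-in for the claimed 'preset rule' (an assumption, not the
    patent's rule): a conflict that only some observation points ever see, while the
    others keep the original origin, is treated as abnormal."""
    _, points, matrix = build_moas_matrix(observations)
    switches, change_rate, invariant_rate, visible = moas_features(points, matrix)
    abnormal = switches > 0 and 0 < len(visible) < len(points)
    return abnormal, {"switches": switches, "change_rate": change_rate,
                      "invariant_rate": invariant_rate, "visible": sorted(visible)}
```

For the constructed partial event the second origin is visible from vp2 and vp3 only, while for the constructed migration every point converges on AS 65002 and the event is not flagged.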
6. The method of claim 1, further comprising, before obtaining an MOAS matrix based on the timestamps and observation points of the MOAS conflict event:
judging whether the prefix-moasn mapping relation of the MOAS conflict event validly exists in a preset prefix-moasn mapping relation database;
and, in response to the prefix-moasn mapping relation of the MOAS conflict event not validly existing in the preset prefix-moasn mapping relation database, obtaining the MOAS event matrix based on the MOAS conflict event and the different observation points.
7. The method of claim 6, wherein the preset prefix-moasn mapping relation database includes a normal prefix-moasn mapping relation database and an abnormal prefix-moasn mapping relation database, and the method further comprises:
in response to the prefix-moasn mapping relation of the MOAS conflict event validly existing in the preset prefix-moasn mapping relation database, judging whether the MOAS conflict event is abnormal according to whether the prefix-moasn mapping relation of the MOAS conflict event exists in the normal prefix-moasn mapping relation database or in the abnormal prefix-moasn mapping relation database;
and, in response to the prefix-moasn mapping relation of the MOAS conflict event existing in the abnormal prefix-moasn mapping relation database, determining that the MOAS conflict event is an abnormal MOAS conflict event and that BGP prefix hijacking has occurred.
8. A BGP hijacking detection device based on MOAS conflict events, comprising:
the acquisition module is used for acquiring real-time routing data;
the event restoration module is used for detecting an MOAS conflict event based on the real-time routing data;
the matrix module is used for obtaining an MOAS matrix based on the timestamp and the observation point of the MOAS conflict event;
the judging module is used for judging whether the MOAS conflict event is an abnormal MOAS conflict event or not based on the behavior characteristics of the MOAS matrix;
and a hijacking detection module configured to determine, in response to the MOAS conflict event being an abnormal MOAS conflict event, that BGP prefix hijacking has occurred.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1 to 7 when executing the program.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110553490.8A CN113472740B (en) 2021-05-20 2021-05-20 BGP hijacking detection method, device and equipment based on MOAS conflict event and readable storage medium

Publications (2)

Publication Number Publication Date
CN113472740A true CN113472740A (en) 2021-10-01
CN113472740B CN113472740B (en) 2022-08-05

Family

ID=77871053

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115412377A (en) * 2022-11-02 2022-11-29 北京邮电大学 Detection method of malicious autonomous system
CN117834298A (en) * 2024-03-04 2024-04-05 北京中关村实验室 Method and device for judging route source information conflict based on partial order relation
CN117834298B (en) * 2024-03-04 2024-04-30 北京中关村实验室 Method and device for judging route source information conflict based on partial order relation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102315988A (en) * 2011-09-15 2012-01-11 清华大学 Efficient inter-domain routing protocol prefix hijacking detecting method
CN106060014A (en) * 2016-05-18 2016-10-26 中国互联网络信息中心 Method for simultaneously solving prefix hijacking, path hijacking and route leakage attacks
US20170180418A1 (en) * 2015-12-21 2017-06-22 Symantec Corporation Accurate real-time identification of malicious bgp hijacks

Also Published As

Publication number Publication date
CN113472740B (en) 2022-08-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant