CN116112418A - Positioning method and device for route leakage, electronic equipment and storage medium - Google Patents

Info

Publication number
CN116112418A
Authority
CN
China
Prior art keywords
autonomous system
route
triplet
leakage
codes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310079065.9A
Other languages
Chinese (zh)
Inventor
李江
曹家浩
孟子立
谢仁杰
徐明伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/021 Ensuring consistency of routing table updates, e.g. by using epoch numbers
    • H04L45/08 Learning-based routing, e.g. using neural networks or artificial intelligence
    • H04L45/14 Routing performance; Theoretical aspects
    • H04L45/28 Routing or path finding of packets in data switching networks using route fault recovery
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application relates to the technical field of routing anomaly localization, and in particular to a method, a device, electronic equipment and a storage medium for locating route leakage. The method comprises the following steps: acquiring an update message of the border gateway protocol; extracting the code composed of autonomous system numbers from the update message, generating autonomous system triplets from the code, and extracting the autonomous system triplet features corresponding to the triplets; and inputting the autonomous system triplets and the corresponding triplet features into a trained random forest classifier, which outputs the actual position of the route leakage. This solves the problems in the related art that the position of a route leak cannot be located accurately and that locating it takes a long time.

Description

Positioning method and device for route leakage, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of routing anomaly positioning technologies, and in particular, to a method and apparatus for positioning routing leakage, an electronic device, and a storage medium.
Background
BGP (Border Gateway Protocol) is the only inter-domain routing protocol in practical use today; it connects the networks of the world, namely autonomous systems (AS, Autonomous System). Each autonomous system learns reachability to each destination network by exchanging BGP update messages. A BGP update message contains the AS_PATH to the destination network, along which the autonomous system receiving the update message may forward traffic. The AS_PATH can be understood as a code composed of the ASNs (Autonomous System Numbers) of a set of autonomous systems. Route leakage may occur if an autonomous system does not announce a route in compliance with the correct routing policy but announces it to the wrong autonomous system. Route leakage may cause traffic to be monitored or discarded by an attacker, and large-scale route leakage often causes long-term network performance degradation on a global scale and even paralysis of large-scale network applications.
The importance of the Internet to human society is self-evident. In recent years a number of serious route leakage incidents have occurred on the Internet, and the corresponding network security has become important. An accurate, real-time method for locating route leakage helps a network administrator find the position of the leak in time, identify the faulty autonomous system, generate a corresponding route filter, and minimize the adverse effects of a route leakage incident.
Researchers have proposed real-time route leakage locating methods based on the business relationships between autonomous systems. Such a method checks whether the business relationships along the AS_PATH violate the no-valley principle: it extracts the autonomous system triplets in the AS_PATH and checks, one by one, whether each triplet violates the principle. Although algorithms have been designed that infer the business relationship between one pair of autonomous systems with high accuracy, these methods cannot locate route leakage accurately. Locating a leak requires the business relationships of two pairs of autonomous systems at the same time, and by the multiplication rule of probability the accuracy of obtaining both relationships at once is greatly reduced. Furthermore, such methods cannot locate route leakage that occurs on an autonomous system edge that was not visible in advance.
Another type of method applies machine learning directly to statistical features of a large number of BGP update messages to detect route leakage. Although this achieves accurate detection, it cannot locate the position of the leak, that is, the triplet formed by the leaking autonomous system, the autonomous system receiving the leaked route, and the autonomous system from which the leaked route came. BGP security specialists therefore still need a long time to locate a leak. Furthermore, such methods need a long time to periodically collect and compute the statistics, which results in a large detection delay. In summary, it is currently difficult to locate route leakage both accurately and in real time.
Disclosure of Invention
The application provides a positioning method, a device, electronic equipment and a storage medium for route leakage, which are used for solving the problems that the route leakage position cannot be accurately positioned in the related technology, the positioning time is long and the like.
An embodiment of a first aspect of the present application provides a method for positioning route leakage, including the following steps: acquiring an update message of a border gateway protocol; extracting codes consisting of autonomous system numbers in the update message, generating autonomous system triples according to the codes, and extracting autonomous system triplet characteristics corresponding to the autonomous system triples; and inputting the autonomous system triplets and the corresponding autonomous system triplet characteristics into a trained random forest classifier, and outputting the actual position of route leakage.
Optionally, the training of the random forest classifier includes: acquiring a route leakage event, wherein the route leakage event comprises an autonomous system triplet with route leakage and an autonomous system triplet without route leakage; generating positive and negative samples according to the autonomous system triplets with route leakage, the autonomous system triplets without route leakage and the respective corresponding autonomous system triplet characteristics; and training the random forest classifier by utilizing the positive and negative samples until the training stopping condition is met, so as to obtain the random forest classifier after training.
Optionally, extracting the autonomous system triplet features corresponding to the autonomous system triplet includes: querying a pre-established database with the autonomous system triplet as the index, and outputting the autonomous system triplet features.
Optionally, the database stores autonomous system features updated at intervals for a preset time period, wherein the autonomous system distance, the autonomous system degree and the autonomous system type in the autonomous system features are updated through a first route data source, the autonomous system address space in the autonomous system features is updated through a second route data source and a third route data source, and the autonomous system geographic position in the autonomous system features is updated through the first route data source and a fourth route data source.
Optionally, generating an autonomous system triplet according to the code includes: identifying preset codes, repeated numbers and target fields in the code; discarding or removing the preset codes, deleting the repeated numbers, and generating corresponding autonomous system triplets for the autonomous systems whose numbers are contained in the target field, wherein for preset codes that meet a preset condition the autonomous system triplets corresponding to the code are discarded.
Optionally, after outputting the actual location of the route leakage, further comprising: generating alarm information of route leakage and sending the alarm information to a preset terminal.
An embodiment of a second aspect of the present application provides a positioning device for routing leakage, including: the acquisition module is used for acquiring the update message of the border gateway protocol; the extraction module is used for extracting codes consisting of autonomous system numbers in the update message, generating autonomous system triples according to the codes, and extracting autonomous system triplet characteristics corresponding to the autonomous system triples; and the output module is used for inputting the autonomous system triplets and the corresponding autonomous system triplet characteristics into the trained random forest classifier and outputting the actual position of route leakage.
Optionally, the output module is further configured to: acquiring a route leakage event, wherein the route leakage event comprises an autonomous system triplet with route leakage and an autonomous system triplet without route leakage; generating positive and negative samples according to the autonomous system triplets with route leakage, the autonomous system triplets without route leakage and the respective corresponding autonomous system triplet characteristics; and training the random forest classifier by utilizing the positive and negative samples until the training stopping condition is met, so as to obtain the random forest classifier after training.
Optionally, the extraction module is further configured to: query a pre-established database with the autonomous system triplet as the index, and output the autonomous system triplet features.
Optionally, the database stores autonomous system features updated at intervals for a preset time period, wherein the autonomous system distance, the autonomous system degree and the autonomous system type in the autonomous system features are updated through a first route data source, the autonomous system address space in the autonomous system features is updated through a second route data source and a third route data source, and the autonomous system geographic position in the autonomous system features is updated through the first route data source and a fourth route data source.
Optionally, the extraction module is further configured to: identify preset codes, repeated numbers and target fields in the code; discard or remove the preset codes, delete the repeated numbers, and generate corresponding autonomous system triplets for the autonomous systems whose numbers are contained in the target field, wherein for preset codes that meet a preset condition the autonomous system triplets corresponding to the code are discarded.
Optionally, the device further comprises: a sending module, used for generating alarm information for the route leakage after the actual position of the route leakage is output, and sending the alarm information to a preset terminal.
An embodiment of a third aspect of the present application provides an electronic device, including: a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor executes the program to implement the route leakage locating method according to the above embodiment.
An embodiment of a fourth aspect of the present application provides a computer-readable storage medium having stored thereon a computer program that is executed by a processor for implementing the route leakage localization method as described in the above embodiment.
Therefore, the application has at least the following beneficial effects:
According to the embodiments of the application, route leakage can be located from the AS_PATH in a BGP update message by obtaining autonomous system triplet features and training a random forest classifier. The AS_PATH is extracted from a single BGP update message to generate multiple autonomous system triplets, and each triplet is judged for whether route leakage has occurred. The autonomous system triplet features accurately distinguish route leakage from normal routes; they are relatively stable and do not need to be collected frequently, which saves locating time, and the lightweight random forest classifier allows the position of a route leak to be located in real time. This solves the technical problems in the related art that the position of a route leak cannot be located accurately and that locating it takes a long time.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a flowchart of a method for locating route leakage according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a method for locating route leakage according to an embodiment of the present application;
Fig. 3 is a schematic diagram of the cumulative distribution of the delay in locating leakage according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a device for locating route leakage according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein the same or similar reference numerals refer to the same or similar elements or elements having the same or similar functions throughout. The embodiments described below by referring to the drawings are exemplary and intended for the purpose of explaining the present application and are not to be construed as limiting the present application.
The following describes a method, an apparatus, an electronic device, and a storage medium for locating route leakage according to embodiments of the present application with reference to the accompanying drawings. The background section noted that current locating methods cannot locate route leakage accurately and need a long time to periodically collect and compute statistical features. To address this, the application provides a method that locates route leakage by obtaining autonomous system triplet features and training a random forest classifier. The triplet features accurately distinguish route leakage from normal routes, are relatively stable, and do not need to be collected frequently. This solves the problems in the related art that the position of a route leak cannot be located accurately and that locating it takes a long time.
Specifically, fig. 1 is a flow chart of a positioning method of route leakage provided in an embodiment of the present application.
As shown in fig. 1, the method for locating the route leakage includes the following steps:
In step S101, an update message of the border gateway protocol is acquired.
The border gateway protocol (BGP, Border Gateway Protocol) is a path vector routing protocol that enables the exchange of reachability information between autonomous systems (AS, Autonomous System); it propagates routing information primarily through update messages.
Autonomous system (AS, Autonomous System): the Internet is a vast network consisting of hundreds of thousands of smaller networks called autonomous systems (ASes). Each autonomous system is essentially a large pool of routers operated by a single organization, that is, a large network or group of networks managed by a single organization. An autonomous system may have many subnets, but all of them share the same routing policy. Each autonomous system is assigned its own Autonomous System Number (ASN) so that it can be identified easily.
It can be appreciated that the embodiments of the present application may obtain border gateway protocol update messages from the route collectors of RIPE NCC and RouteViews, for subsequently locating the position of route leakage.
RIPE NCC is the regional Internet registry for Europe, the Middle East and parts of Central Asia, and provides route collectors together with the collected inter-domain routing tables and route update data to the network research community. RouteViews is a project established by the Advanced Network Technology Center of the University of Oregon, and likewise provides route collectors together with the collected inter-domain routing tables and route update data to the network research community.
In step S102, a code consisting of autonomous system numbers in the update message is extracted, an autonomous system triplet is generated according to the code, and autonomous system triplet features corresponding to the autonomous system triplet are extracted.
It can be understood that, in the embodiment of the present application, the code composed of autonomous system numbers (AS_PATH) may be obtained from the border gateway protocol update message, autonomous system triplets are generated from the code, and features are extracted for the autonomous system triplets.
It should be noted that each time a BGP update message passes through an autonomous system, that autonomous system adds its own number to the AS_PATH. An AS_SET used for route aggregation, which contains a plurality of autonomous system numbers, may also appear in the AS_PATH.
In an embodiment of the present application, generating an autonomous system triplet according to the code includes: identifying preset codes, repeated numbers and target fields in the code; discarding or removing the preset codes, deleting the repeated numbers, and generating corresponding autonomous system triplets for the autonomous systems whose numbers are contained in the target field, wherein for preset codes that meet a preset condition the autonomous system triplets corresponding to the code are discarded.
The preset code may be an abnormal code, a code containing a loop, and so on; the target field may be 23456; the preset condition means that preset codes, repeated codes and codes of the target field are present.
It can be understood that, in the embodiment of the present application, the obtained AS_PATH may be preprocessed, filtering out illegal paths and abnormal autonomous system numbers, to generate autonomous system triplets. The specific steps are as follows:
1. Discard any AS_PATH that contains a loop.
2. Handle path prepending: delete the repeated autonomous system numbers in the AS_PATH, leaving only one of each run of repeats.
3. Handle any AS_SET in the AS_PATH: generate the corresponding autonomous system triplets for each of the autonomous systems in the AS_SET.
4. Remove reserved autonomous system numbers from the AS_PATH. For a special autonomous system number such as 23456, discard the autonomous system triplets that contain that number.
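The four preprocessing steps above, as an added Python example (not code from the patent). The reserved-ASN ranges, the representation of an AS_SET as a Python set, and all function names are assumptions; the sample path in the closing comment is the one used in the patent's own worked embodiment.

```python
from itertools import product

AS_TRANS = 23456  # the page's example of a special ASN: triplets containing it are dropped

# Assumption: "reserved" means the IANA special-purpose ASN ranges below.
# The page itself only shows 65000 being filtered.
RESERVED_RANGES = [
    (0, 0),
    (64496, 64511),            # documentation
    (64512, 65534),            # private use (includes 65000)
    (65535, 65535),
    (65536, 65551),            # documentation, 32-bit
    (4200000000, 4294967295),  # private use, 32-bit, and the last ASN
]


def is_reserved(asn):
    return any(lo <= asn <= hi for lo, hi in RESERVED_RANGES)


def as_path_to_triplets(as_path):
    """Turn one AS_PATH into an ordered list of (AS1, AS2, AS3) triplets.

    as_path items are either an int (AS_SEQUENCE hop) or a set of ints
    (AS_SET). An empty list means the path was discarded or is too short.
    """
    # Step 2 (prepending): collapse runs of identical consecutive hops.
    # Done before the loop check so prepending is not mistaken for a loop.
    hops = []
    for item in as_path:
        hop = (item,) if isinstance(item, int) else tuple(sorted(item))
        if hops and hops[-1] == hop:
            continue
        hops.append(hop)

    # Step 1 (loops): an ASN that reappears after other hops is a loop.
    # Assumption: only single-ASN hops take part in the loop check.
    singles = [hop[0] for hop in hops if len(hop) == 1]
    if len(singles) != len(set(singles)):
        return []

    # Step 4, first half: remove reserved ASNs from the path.
    cleaned = []
    for hop in hops:
        kept = tuple(asn for asn in hop if not is_reserved(asn))
        if kept:
            cleaned.append(kept)

    # Step 3 (AS_SET): slide a window of three hops and expand every
    # combination of AS_SET members into its own triplet.
    triplets = []
    for window in zip(cleaned, cleaned[1:], cleaned[2:]):
        for triplet in product(*window):
            # Step 4, second half: drop triplets that contain AS_TRANS.
            if AS_TRANS in triplet or len(set(triplet)) < 3:
                continue
            if triplet not in triplets:
                triplets.append(triplet)
    return triplets


# Path from the patent's worked embodiment; 65000 is filtered as reserved:
# as_path_to_triplets([4637, 4775, 4766, 174, 3491, 65000])
```
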
In the embodiment of the application, extracting the autonomous system triplet features corresponding to the autonomous system triplet includes: querying a pre-established database with the autonomous system triplet as the index, and outputting the autonomous system triplet features.
The database stores the relations between autonomous system triplets and autonomous system triplet features.
It can be appreciated that the embodiments of the present application may query the database for the triplet features corresponding to an autonomous system triplet.
It should be noted that the present application needs to periodically collect autonomous system features from routing data sources and store them in the database. The routing data sources are RIPE NCC, RouteViews, CAIDA and PeeringDB.
RIPE NCC and RouteViews are described in the above embodiments and are not described again here. CAIDA is the Center for Applied Internet Data Analysis and provides Internet measurement data to the network research community; PeeringDB is a web-based database of Internet interconnection information.
In the embodiment of the application, the database stores autonomous system characteristics updated at intervals of a preset time length, wherein autonomous system distances, autonomous system degrees and autonomous system types in the autonomous system characteristics are updated through a first route data source, autonomous system address spaces in the autonomous system characteristics are updated through a second route data source and a third route data source, and autonomous system geographic positions in the autonomous system characteristics are updated through the first route data source and a fourth route data source.
The preset interval duration may be set according to specific situations, which is not limited.
It will be appreciated that embodiments of the present application may periodically collect autonomous system features from a routing data source and store them in a database.
Taking a first routing data source as CAIDA, a second routing data source as RIPE NCC, a third routing data source as RouteViews and a fourth routing data source as PeeringDB as an example, the embodiment of the invention collects the characteristics of an autonomous system as follows:
1. Obtain the autonomous system distance, the autonomous system degree and the autonomous system type from the routing data source CAIDA. The autonomous system distance is the average hop count from the autonomous system to each layer of autonomous systems. Autonomous system types fall into three categories: content providers, enterprise networks, and access and transport service providers. The method represents the content provider by 0, the enterprise network by 1 and the transport service provider by 2.
2. Obtain the autonomous system address space from the routing data sources RIPE NCC and RouteViews.
3. Obtain the autonomous system geographic location from the routing data sources CAIDA and PeeringDB. The geographic location of an autonomous system refers to the country to which it belongs and the IXP to which it belongs. The method uses the values 1 to 5 to represent the geographic relation among the 3 autonomous systems in <AS1, AS2, AS3>: the AS1 location is the same as the AS2 location and both differ from the AS3 location, denoted 1; the AS1 location is the same as the AS3 location and both differ from the AS2 location, denoted 2; the AS2 location is the same as the AS3 location and both differ from the AS1 location, denoted 3; the locations of AS1, AS2 and AS3 are all different, denoted 4; the locations of AS1, AS2 and AS3 are all the same, denoted 5.
4. Store the autonomous system features obtained above in the database and update them periodically.
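An added Python example (not code from the patent) that assembles the feature row for one triplet from a per-AS feature store, using the 0/1/2 type codes and the 1 to 5 geographic relation codes described above. The field names, the in-memory dictionary standing in for the database, the treatment of country and IXP as single labels, and every sample value are constructed assumptions; the ASNs are taken from the documentation range.

```python
# Type codes as given on the page.
AS_TYPE_CONTENT, AS_TYPE_ENTERPRISE, AS_TYPE_TRANSIT = 0, 1, 2

# Per-AS numeric fields, in the order they appear in the feature row.
FIELDS = ("distance", "address_space", "degree", "as_type")


def geo_relation(loc1, loc2, loc3):
    """Encode the relation among the locations of <AS1, AS2, AS3> as 1..5."""
    if loc1 == loc2 == loc3:
        return 5          # all three co-located
    if loc1 == loc2:
        return 1          # AS1 and AS2 together, AS3 elsewhere
    if loc1 == loc3:
        return 2          # AS1 and AS3 together, AS2 elsewhere
    if loc2 == loc3:
        return 3          # AS2 and AS3 together, AS1 elsewhere
    return 4              # all three different


def triplet_features(triplet, as_db):
    """Build the 14-value feature row for (AS1, AS2, AS3).

    Layout: 3 distances, 3 address spaces, 3 degrees, 3 types,
    country relation, IXP relation. Returns None when any of the three
    ASes has no record, so the caller can skip the triplet instead of
    feeding the classifier a partially filled row.
    """
    records = [as_db.get(asn) for asn in triplet]
    if any(record is None for record in records):
        return None
    row = [record[field] for field in FIELDS for record in records]
    row.append(geo_relation(*(record["country"] for record in records)))
    row.append(geo_relation(*(record["ixp"] for record in records)))
    return row


# Constructed sample records (not measurements of real networks).
SAMPLE_DB = {
    64496: {"distance": 1.8, "address_space": 4096, "degree": 120,
            "as_type": AS_TYPE_TRANSIT, "country": "NL", "ixp": "IX-A"},
    64497: {"distance": 2.4, "address_space": 1024, "degree": 15,
            "as_type": AS_TYPE_ENTERPRISE, "country": "NL", "ixp": "IX-B"},
    64498: {"distance": 2.1, "address_space": 512, "degree": 40,
            "as_type": AS_TYPE_CONTENT, "country": "DE", "ixp": "IX-A"},
}
```
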
It should be noted that an IXP is an Internet exchange point, one of the physical infrastructures of the Internet, which helps autonomous systems exchange Internet traffic efficiently.
In step S103, the autonomous system triplets and the corresponding autonomous system triplet features are input into the trained random forest classifier, and the actual positions of the route leakage are output.
It can be understood that the embodiment of the application can feed the obtained autonomous system triplets and the corresponding triplet features into the trained random forest classifier to locate the actual position of the route leakage.
It should be noted that route leakage means that the propagation of a BGP update message violates the no-valley principle; that is, an autonomous system must not announce routes learned from one provider or peer to another provider or peer. The no-valley principle is a rule followed by the propagation of BGP update messages. Autonomous systems are arranged in hierarchical levels in inter-domain routing: in general, the provider of an autonomous system is at a higher level than it, the peers of an autonomous system are at roughly the same level, and the customers of an autonomous system are at a lower level. The path formed by the autonomous systems through which a BGP update message propagates must not form a valley shape, i.e., an update message must not propagate from a higher-level autonomous system to a lower-level autonomous system and then to a higher-level autonomous system again. In particular, an autonomous system may announce routes learned from customers to any other neighbor, may announce routes learned from its peers to any customer neighbor, and may announce routes learned from its providers to any customer neighbor.
Specifically, the trained random forest classifier locates route leakage according to the input autonomous system triplets and the corresponding triplet features. For example, when the autonomous system triplet <AS1, AS2, AS3> is located, the autonomous system that leaked the route is AS2, the receiver of the leaked route is AS1, and the route leaked by AS2 came from AS3.
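The no-valley rule for a single triplet <AS1, AS2, AS3>, as an added Python example (not code from the patent, and not its classifier: this is the relationship-based check that defines what a leak is). The relationship table, the function names and the documentation-range ASNs are constructed assumptions; a missing relationship yields `None`, which is the case the background section says relationship-based methods cannot decide.

```python
CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"


def classify_triplet(triplet, neighbor_role):
    """Apply the no-valley rule to (AS1, AS2, AS3).

    AS2 learned the route from AS3 and announced it to AS1.
    neighbor_role[(a, b)] is what b is to a: CUSTOMER, PEER or PROVIDER.
    Returns True for a leak, False for a compliant announcement, and
    None when either of the two required relationships is unknown.
    """
    as1, as2, as3 = triplet
    source_role = neighbor_role.get((as2, as3))    # who AS2 learned it from
    receiver_role = neighbor_role.get((as2, as1))  # who AS2 announced it to
    if source_role is None or receiver_role is None:
        return None
    # Routes learned from a customer may go to anyone. Routes learned from
    # a peer or provider may only go to customers; anything else is a leak.
    upstream_or_lateral = (PEER, PROVIDER)
    return source_role in upstream_or_lateral and receiver_role in upstream_or_lateral


def locate_leaks(triplets, neighbor_role):
    """Return the leak position for every triplet that violates the rule."""
    findings = []
    for triplet in triplets:
        if classify_triplet(triplet, neighbor_role):
            findings.append({"receiver": triplet[0],
                             "leaker": triplet[1],
                             "source": triplet[2]})
    return findings


# Constructed relationships between documentation-range ASNs.
SAMPLE_ROLES = {
    (64497, 64496): PROVIDER,  # 64496 is a provider of 64497
    (64497, 64498): PROVIDER,  # 64498 is a provider of 64497
    (64498, 64497): CUSTOMER,  # 64497 is a customer of 64498
    (64498, 64499): CUSTOMER,  # 64499 is a customer of 64498
    (64499, 64498): PROVIDER,  # 64498 is a provider of 64499
    # (64499, 64500) is deliberately absent: relationship not known.
}

SAMPLE_TRIPLETS = [
    (64496, 64497, 64498),  # provider route re-announced to a provider
    (64497, 64498, 64499),  # customer route announced to a customer
    (64498, 64499, 64500),  # source relationship unknown
]
```
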
In an embodiment of the present application, training of the random forest classifier includes: acquiring a route leakage event, wherein the route leakage event comprises an autonomous system triplet with route leakage and an autonomous system triplet without route leakage; generating positive and negative samples according to the autonomous system triplets with route leakage and the autonomous system triplets without route leakage and the respective corresponding autonomous system triplet characteristics; and training the random forest classifier by utilizing the positive and negative samples until the training stopping condition is met, so as to obtain the random forest classifier after training.
It can be appreciated that the embodiments of the present application can collect route leakage events from a route leakage event data source, train a random forest classifier, and then use the random forest classifier to locate route leakage events according to autonomous system triplet features.
It is understood that the training steps of the random forest classifier specifically include:
1. Collect route leakage events from the route leakage event data source, the BGPStream platform, to obtain autonomous system triplets with route leakage and normal autonomous system triplets.
2. Train a random forest classifier using the obtained autonomous system triplets with route leakage and the normal autonomous system triplets, together with their corresponding triplet features, as positive and negative samples.
Wherein BGPStream is an alert platform that provides information about hijacking, leakage, and failure in BGP.
In the embodiment of the present application, after outputting the actual location of the route leakage, the method further includes: generating alarm information of route leakage and sending the alarm information to a preset terminal.
The preset terminal may be a display, etc., which is not limited thereto.
It can be understood that after outputting the actual position of the route leakage, the embodiment of the application can generate corresponding alarm information for the located route leakage and send the alarm information to a preset terminal (such as a display screen), so that a corresponding network administrator is timely notified to find out the problem of the route leakage.
The following describes the method for locating route leakage through a specific implementation which, as shown in fig. 2, includes the following steps:
Step 1, BGP update message preprocessing. Obtain the AS_PATH in the BGP update message from the route collector, filter out illegal paths and abnormal autonomous system numbers, and generate autonomous system triplets.
Step 2, autonomous system triplet feature extraction. Periodically collect autonomous system features from the routing data sources and store them in a database, then generate the corresponding autonomous system triplet features for each autonomous system triplet.
Step 3, route leakage positioning. Collect route leakage events from a route leakage event data source and train a random forest classifier, then use the classifier to locate route leakage according to the autonomous system triplet features and generate an alarm.
The positioning method of route leakage is described below through a specific embodiment, as follows:
1. BGP update message preprocessing. The AS_PATH obtained from the route collector is [4637, 4775, 4766, 174, 3491, 65000]. The abnormal autonomous system number 65000 is filtered out, and the following autonomous system triplets are generated: <4637, 4775, 4766>, <4775, 4766, 174> and <4766, 174, 3491>.
2. Autonomous system triplet feature extraction. Autonomous system features are periodically collected from the routing data sources, and the corresponding triplet features are generated for each autonomous system triplet, as shown in table 1. The features of an autonomous system triplet are: <AS1 distance, AS2 distance, AS3 distance>, <AS1 address space, AS2 address space, AS3 address space>, <AS1 degree, AS2 degree, AS3 degree>, <AS1 type, AS2 type, AS3 type>, the country relationship of the three autonomous systems, and the IXP relationship of the three autonomous systems.
TABLE 1 (table image not reproduced in this text)
3. Route leakage positioning. The AS_PATH of a route leakage event collected from the route leakage event data source BGPStream is as follows: [53432, 13994, 7029, 6461, 37662, 37204, 5511, 174, 25818], wherein 37204 is the leaking autonomous system, which leaks routes to autonomous system 37662. The autonomous system triplet <37662, 37204, 5511>, where the route leakage occurs, is taken as a positive sample for training, and the normal autonomous system triplets <53432, 13994, 7029>, <13994, 7029, 6461>, <7029, 6461, 37662>, <6461, 37662, 37204>, <37204, 5511, 174> and <5511, 174, 25818> are taken as negative samples for training. The triplet features corresponding to each of these autonomous system triplets are obtained in the same way. The random forest classifier is trained with the positive and negative samples after sample balancing and their corresponding triplet features. The trained random forest classifier then receives the autonomous system triplet <3320, 9002, 44628>. According to the corresponding triplet features, the classifier detects that this triplet contains a route leakage and locates autonomous system 9002 as the leaking autonomous system, which leaks the route from autonomous system 44628 to autonomous system 3320. Finally, the corresponding alarm is generated and the relevant network administrators are notified in time.
When the implementation environment is a Dell PowerEdge R740 rack server equipped with an Intel Xeon(R) Gold 6230R CPU @ 2.10GHz and 128GB RAM, the embodiments of the present application locate a route leakage within 7.86 milliseconds on average, as shown in fig. 3. The accuracy of locating route leakage is shown in table 2; a route leakage location accuracy of over 90% can be achieved.
TABLE 2
Method | False positive rate | Recall rate | Accuracy rate | Accuracy rate | F1 value
The application | 0.11 | 0.92 | 0.90 | 0.91 | 0.91
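The preprocessing, sample labelling and leak localization described in this embodiment, as an added Python example that is not code from the patent. All function names are hypothetical; the list of "abnormal" AS numbers (IANA special-purpose ranges), the choice to cut the path at such a number instead of joining its neighbours, the treatment of loops as illegal paths, and undersampling as the balancing strategy are assumptions.

```python
import random

# Constructed from the two AS_PATH values quoted in the embodiment above.
PAGE_PATH = [4637, 4775, 4766, 174, 3491, 65000]
EVENT_PATH = [53432, 13994, 7029, 6461, 37662, 37204, 5511, 174, 25818]

# Assumption: "abnormal" AS numbers are the IANA special-purpose ranges.
# The page itself only gives 65000 as an example.
RESERVED_RANGES = (
    (0, 0),                    # AS 0 (RFC 7607)
    (23456, 23456),            # AS_TRANS (RFC 6793)
    (64496, 64511),            # documentation (RFC 5398)
    (64512, 65534),            # private use, 16-bit (RFC 6996)
    (65535, 65551),            # reserved and documentation (RFC 7300, RFC 5398)
    (4200000000, 4294967295),  # private use, 32-bit, and last ASN
)


def is_reserved(asn):
    return any(lo <= asn <= hi for lo, hi in RESERVED_RANGES)


def clean_segments(as_path):
    """Collapse prepending, reject loops, cut the path at reserved ASNs.

    Returns runs of consecutive routable ASNs, or [] for an illegal path.
    Cutting (assumption) avoids inventing an adjacency between two ASes
    that were only neighbours of a removed private ASN.
    """
    collapsed = []
    for asn in as_path:
        if not collapsed or collapsed[-1] != asn:  # drop prepending repeats
            collapsed.append(asn)
    if len(set(collapsed)) != len(collapsed):      # ASN reappears: loop
        return []
    segments, current = [], []
    for asn in collapsed:
        if is_reserved(asn):
            if current:
                segments.append(current)
            current = []
        else:
            current.append(asn)
    if current:
        segments.append(current)
    return segments


def triplets(as_path):
    """All sliding windows of three adjacent ASes in the cleaned path."""
    out = []
    for seg in clean_segments(as_path):
        out.extend(tuple(seg[i:i + 3]) for i in range(len(seg) - 2))
    return out


def label_event(as_path, leaker):
    """Label 1 for the triplet whose middle AS is the reported leaker, else 0."""
    return [(t, int(t[1] == leaker)) for t in triplets(as_path)]


def balance(samples, seed=0):
    """Undersample the majority class to equal size (assumed strategy)."""
    pos = [s for s in samples if s[1] == 1]
    neg = [s for s in samples if s[1] == 0]
    rng = random.Random(seed)
    n = min(len(pos), len(neg))
    return rng.sample(pos, n) + rng.sample(neg, n)


def locate(triplet):
    """Read a triplet flagged as leaking the way the embodiment does:
    the middle AS leaks a route learned from the third AS to the first."""
    leaked_to, leaker, learned_from = triplet
    return {"leaker": leaker, "learned_from": learned_from,
            "leaked_to": leaked_to}


if __name__ == "__main__":
    print(triplets(PAGE_PATH))
    for sample in label_event(EVENT_PATH, leaker=37204):
        print(sample)
    print(locate((3320, 9002, 44628)))
```

The labelled triplets would still need their feature vectors from the feature database before they can be passed to a random forest implementation.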
According to the route leakage positioning method provided by the embodiments of the present application, route leakage is located from the AS_PATH in BGP update messages by acquiring autonomous system triplet features and training a random forest classifier. The AS_PATH extracted from a single BGP update message yields multiple autonomous system triplets, and each autonomous system triplet is judged for whether route leakage has occurred. The autonomous system triplet features can accurately distinguish route leakage from normal routes; they are also relatively stable, so they do not need to be collected frequently, which saves positioning time, and the lightweight random forest classifier allows the route leakage position to be located in real time.
Next, a positioning device for route leakage according to an embodiment of the present application is described with reference to the accompanying drawings.
Fig. 4 is a block schematic diagram of a positioning device for route leakage according to an embodiment of the present application.
As shown in fig. 4, the positioning device 10 for route leakage includes: an acquisition module 100, an extraction module 200 and an output module 300.
The acquiring module 100 is configured to acquire an update message of the border gateway protocol; the extraction module 200 is configured to extract a code consisting of autonomous system numbers in the update message, generate an autonomous system triplet according to the code, and extract an autonomous system triplet feature corresponding to the autonomous system triplet; the output module 300 is configured to input the autonomous system triplets and the corresponding autonomous system triplet features into the trained random forest classifier, and output the actual position of the route leakage.
In the embodiment of the present application, the output module 300 is further configured to: acquiring a route leakage event, wherein the route leakage event comprises an autonomous system triplet with route leakage and an autonomous system triplet without route leakage; generating positive and negative samples according to the autonomous system triplets with route leakage and the autonomous system triplets without route leakage and the respective corresponding autonomous system triplet characteristics; and training the random forest classifier by utilizing the positive and negative samples until the training stopping condition is met, so as to obtain the random forest classifier after training.
In the embodiment of the present application, the extraction module 200 is further configured to: query a pre-established database using the autonomous system triplet as an index, and output the autonomous system triplet features.
In the embodiment of the application, the database stores autonomous system characteristics updated at intervals of a preset time length, wherein autonomous system distances, autonomous system degrees and autonomous system types in the autonomous system characteristics are updated through a first route data source, autonomous system address spaces in the autonomous system characteristics are updated through a second route data source and a third route data source, and autonomous system geographic positions in the autonomous system characteristics are updated through the first route data source and a fourth route data source.
In the embodiment of the present application, the extraction module 200 is further configured to: identify preset codes, repeated numbers and target fields in the codes; discard or remove the preset codes, delete the repeated codes, and generate corresponding autonomous system triplets for the autonomous systems corresponding to the autonomous system numbers contained in the target fields, wherein, for preset codes meeting preset conditions, the autonomous system triplets corresponding to those codes are discarded.
In an embodiment of the present application, the device 10 further includes a sending module.
The sending module is used for generating the alarm information of the route leakage after outputting the actual position of the route leakage and sending the alarm information to the preset terminal.
It should be noted that the foregoing explanation of the embodiment of the method for positioning route leakage also applies to the device for positioning route leakage of this embodiment and is not repeated here.
According to the route leakage positioning device provided by the embodiments of the present application, route leakage is located from the AS_PATH in BGP update messages by acquiring autonomous system triplet features and training a random forest classifier. The AS_PATH extracted from a single BGP update message yields multiple autonomous system triplets, and each autonomous system triplet is judged for whether route leakage has occurred. The autonomous system triplet features can accurately distinguish route leakage from normal routes; they are also relatively stable, so they do not need to be collected frequently, which saves positioning time, and the lightweight random forest classifier allows the route leakage position to be located in real time.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device may include:
memory 501, processor 502, and a computer program stored on memory 501 and executable on processor 502.
The processor 502 implements the route leakage localization method provided in the above-described embodiment when executing a program.
Further, the electronic device further includes:
a communication interface 503 for communication between the memory 501 and the processor 502.
Memory 501 for storing a computer program executable on processor 502.
The memory 501 may include high-speed RAM (Random Access Memory), and may also include non-volatile memory, such as at least one disk memory.
If the memory 501, the processor 502, and the communication interface 503 are implemented independently, the communication interface 503, the memory 501, and the processor 502 may be connected to each other via a bus and communicate with each other. The bus may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus, among others. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, only one thick line is shown in fig. 5, but this does not mean that there is only one bus or one type of bus.
Alternatively, in a specific implementation, if the memory 501, the processor 502, and the communication interface 503 are integrated on a chip, the memory 501, the processor 502, and the communication interface 503 may perform communication with each other through internal interfaces.
The processor 502 may be a CPU (Central Processing Unit), an ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present application.
The embodiments of the present application also provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above method for locating route leakage.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or N embodiments or examples. Furthermore, the different embodiments or examples described in this specification, and the features of the different embodiments or examples, may be joined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present application, the meaning of "N" is at least two, such as two, three, etc., unless explicitly defined otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or N executable instructions for implementing specific logical functions or steps of the process, and further implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art of the embodiments of the present application.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the N steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of the following techniques, which are well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable gate arrays, field programmable gate arrays, and the like.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
Although embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives, and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (14)

1. A method of locating a route leak, comprising the steps of:
acquiring an update message of a border gateway protocol;
extracting codes consisting of autonomous system numbers in the update message, generating autonomous system triples according to the codes, and extracting autonomous system triplet characteristics corresponding to the autonomous system triples;
and inputting the autonomous system triplets and the corresponding autonomous system triplet characteristics into a trained random forest classifier, and outputting the actual position of route leakage.
2. The method of claim 1, wherein the training of the random forest classifier comprises:
acquiring a route leakage event, wherein the route leakage event comprises an autonomous system triplet with route leakage and an autonomous system triplet without route leakage;
generating positive and negative samples according to the autonomous system triplets with route leakage, the autonomous system triplets without route leakage and the respective corresponding autonomous system triplet characteristics;
and training the random forest classifier by utilizing the positive and negative samples until the training stopping condition is met, so as to obtain the random forest classifier after training.
3. The method of claim 1, wherein the extracting autonomous system triplet features corresponding to the autonomous system triplet comprises:
and inquiring a pre-established database by taking the autonomous system triplet as an index, and outputting the autonomous system triplet characteristics.
4. A method according to claim 3, wherein the database stores autonomous system features updated at intervals of a preset time period, wherein autonomous system distances, autonomous system degrees and autonomous system types in the autonomous system features are updated by a first routing data source, autonomous system address spaces in the autonomous system features are updated by a second routing data source and a third routing data source, and autonomous system geographical locations in the autonomous system features are updated by the first routing data source and a fourth routing data source.
5. The method of claim 1, wherein said generating an autonomous system triplet from said encoding comprises:
identifying preset codes, repetition numbers and target fields in the codes;
discarding or removing the preset codes, deleting the repeated codes, and generating corresponding autonomous system triples for autonomous systems corresponding to the autonomous system numbers contained in the target field, wherein the autonomous system triples corresponding to the codes are discarded for the preset codes meeting preset conditions.
6. The method of any of claims 1-5, further comprising, after outputting the actual location of the route leak:
generating alarm information of route leakage and sending the alarm information to a preset terminal.
7. A positioning device for routing leaks, comprising:
the acquisition module is used for acquiring the update message of the border gateway protocol;
the extraction module is used for extracting codes consisting of autonomous system numbers in the update message, generating autonomous system triples according to the codes, and extracting autonomous system triplet characteristics corresponding to the autonomous system triples;
and the output module is used for inputting the autonomous system triplets and the corresponding autonomous system triplet characteristics into the trained random forest classifier and outputting the actual position of route leakage.
8. The apparatus of claim 7, wherein the output module is further to:
acquiring a route leakage event, wherein the route leakage event comprises an autonomous system triplet with route leakage and an autonomous system triplet without route leakage;
generating positive and negative samples according to the autonomous system triplets with route leakage, the autonomous system triplets without route leakage and the respective corresponding autonomous system triplet characteristics;
and training the random forest classifier by utilizing the positive and negative samples until the training stopping condition is met, so as to obtain the random forest classifier after training.
9. The apparatus of claim 7, wherein the extraction module is further to:
and inquiring a pre-established database by taking the autonomous system triplet as an index, and outputting the autonomous system triplet characteristics.
10. The apparatus of claim 9, wherein the database stores autonomous system features updated at intervals of a preset time period, wherein autonomous system distances, autonomous system degrees, and autonomous system types in the autonomous system features are updated by a first routing data source, autonomous system address spaces in the autonomous system features are updated by a second routing data source and a third routing data source, and autonomous system geographic locations in the autonomous system features are updated by the first routing data source and a fourth routing data source.
11. The apparatus of claim 7, wherein the extraction module is further to:
identifying preset codes, repetition numbers and target fields in the codes;
discarding or removing the preset codes, deleting the repeated codes, and generating corresponding autonomous system triples for autonomous systems corresponding to the autonomous system numbers contained in the target field, wherein the autonomous system triples corresponding to the codes are discarded for the preset codes meeting preset conditions.
12. The apparatus according to any one of claims 7-11, further comprising:
and the sending module is used for generating the alarm information of the route leakage after outputting the actual position of the route leakage and sending the alarm information to a preset terminal.
13. An electronic device, comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor executing the program to implement the method of localization of route leakage as claimed in any one of claims 1-6.
14. A computer readable storage medium having stored thereon a computer program, characterized in that the program is executed by a processor for implementing a method of localization of route leakage according to any of claims 1-6.
CN202310079065.9A 2023-01-17 2023-01-17 Positioning method and device for route leakage, electronic equipment and storage medium Pending CN116112418A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310079065.9A CN116112418A (en) 2023-01-17 2023-01-17 Positioning method and device for route leakage, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN116112418A true CN116112418A (en) 2023-05-12

Family

ID=86265089



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination