CN116112418A - Locating method, device, electronic equipment and storage medium for route leakage - Google Patents


Info

Publication number
CN116112418A
Authority
CN
China
Prior art keywords
autonomous system
route
triplet
autonomous
code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310079065.9A
Other languages
Chinese (zh)
Other versions
CN116112418B (en
Inventor
李江
曹家浩
孟子立
谢仁杰
徐明伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University
Priority to CN202310079065.9A
Publication of CN116112418A
Application granted
Publication of CN116112418B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/021 Ensuring consistency of routing table updates, e.g. by using epoch numbers
    • H04L45/08 Learning-based routing, e.g. using neural networks or artificial intelligence
    • H04L45/14 Routing performance; Theoretical aspects
    • H04L45/28 Routing or path finding of packets in data switching networks using route fault recovery
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to the technical field of route anomaly localization, and in particular to a method, device, electronic equipment and storage medium for locating route leaks. The method includes: obtaining an update message of the Border Gateway Protocol; extracting from the update message the code composed of autonomous system numbers, generating autonomous system triplets from the code, and extracting the autonomous system triplet features corresponding to the triplets; and inputting the autonomous system triplets and the corresponding triplet features into a trained random forest classifier, which outputs the actual location of the route leak. This solves the problems in the related art that the location of a route leak cannot be determined accurately and that locating it takes a long time.

Figure 202310079065

Description

Locating method, device, electronic equipment and storage medium for route leakage

Technical field

The present application relates to the technical field of route anomaly localization, and in particular to a method, device, electronic equipment and storage medium for locating route leaks.

Background

BGP (Border Gateway Protocol) is currently the only inter-domain routing protocol in actual use; it connects the various networks of the world, namely autonomous systems (AS). Autonomous systems learn the reachability of each destination network by exchanging BGP update messages. A BGP update message contains the AS_PATH to the destination network, and an autonomous system that receives the update message can reach the destination network along the AS_PATH in that message. AS_PATH can be understood as a code composed of the ASNs (Autonomous System Numbers) of a group of autonomous systems. If an autonomous system does not follow the correct routing policy when announcing routes and instead announces a route to the wrong autonomous system, a route leak may occur. A route leak may cause traffic to be eavesdropped on or dropped by an attacker, and large-scale route leaks often cause prolonged, worldwide degradation of network performance and even outages of large network applications.

The importance of the Internet to human society is self-evident. In recent years many major route leak incidents have occurred on the Internet, and network security has accordingly become a top priority. An accurate, real-time method for locating route leaks can help network administrators discover the location of a route leak in time, locate the faulty autonomous system, generate the corresponding route filters, and minimize the adverse effects of route leak incidents.

Researchers have proposed real-time route leak localization methods based on the business relationships between autonomous systems. These methods check whether the business relationships along the AS_PATH violate the valley-free principle: they extract the autonomous system triplets from the AS_PATH and check, one by one, whether each triplet violates the valley-free principle. Although algorithms have been designed that infer the business relationship between one pair of autonomous systems fairly accurately, these methods cannot locate route leaks accurately. Locating a route leak requires knowing the business relationships of two pairs of autonomous systems at the same time, and by the multiplication rule of probability the accuracy of obtaining both relationships correctly at once drops considerably. In addition, these methods cannot locate route leaks that occur on autonomous system edges they have not previously seen.

Another class of methods applies machine learning directly to statistical features of large numbers of BGP update messages in order to detect route leaks. Although these methods detect route leaks accurately, they cannot locate the leak, that is, the triplet formed by the autonomous system where the leak occurred, the autonomous system that received the leaked route, and the autonomous system the leaked route came from. BGP security experts therefore still need a long time to locate route leaks. Moreover, these methods need a long time to periodically collect and compute statistical features, which leads to large detection delays. In summary, existing work struggles to achieve route leak localization that is both accurate and real-time.

Summary of the invention

The present application provides a method, device, electronic equipment and storage medium for locating route leaks, to solve the problems in the related art that the location of a route leak cannot be determined accurately and that locating it takes a long time.

An embodiment of the first aspect of the present application provides a method for locating route leaks, comprising the following steps: obtaining an update message of the Border Gateway Protocol; extracting from the update message the code composed of autonomous system numbers, generating autonomous system triplets from the code, and extracting the autonomous system triplet features corresponding to the triplets; and inputting the autonomous system triplets and the corresponding triplet features into a trained random forest classifier, which outputs the actual location of the route leak.

Optionally, training the random forest classifier includes: obtaining route leak events, wherein the route leak events include autonomous system triplets in which a route leak occurred and autonomous system triplets in which no route leak occurred; generating positive and negative samples from the triplets in which a route leak occurred, the triplets in which no route leak occurred, and their respective triplet features; and training the random forest classifier with the positive and negative samples until a training stop condition is met, yielding the trained random forest classifier.

Optionally, extracting the autonomous system triplet features corresponding to the autonomous system triplet includes: using the autonomous system triplet as an index, querying a pre-established database, and outputting the autonomous system triplet features.

Optionally, the database stores autonomous system features that are updated at a preset interval, wherein the autonomous system distance, autonomous system degree and autonomous system type among the features are updated from a first routing data source, the autonomous system address space is updated from a second routing data source and a third routing data source, and the autonomous system geographic location is updated from the first routing data source and a fourth routing data source.

Optionally, generating the autonomous system triplets from the code includes: identifying preset codes, repeated numbers and target fields in the code; discarding or removing the preset codes, deleting the repeated codes, and generating the corresponding autonomous system triplets for the autonomous systems whose numbers are contained in the target field, wherein, for a preset code that satisfies a preset condition, the autonomous system triplets corresponding to that code are discarded.

Optionally, after outputting the actual location of the route leak, the method further includes: generating alarm information for the route leak and sending the alarm information to a preset terminal.

An embodiment of the second aspect of the present application provides a device for locating route leaks, comprising: an acquisition module, configured to obtain an update message of the Border Gateway Protocol; an extraction module, configured to extract from the update message the code composed of autonomous system numbers, generate autonomous system triplets from the code, and extract the autonomous system triplet features corresponding to the triplets; and an output module, configured to input the autonomous system triplets and the corresponding triplet features into a trained random forest classifier and output the actual location of the route leak.

Optionally, the output module is further configured to: obtain route leak events, wherein the route leak events include autonomous system triplets in which a route leak occurred and autonomous system triplets in which no route leak occurred; generate positive and negative samples from the triplets in which a route leak occurred, the triplets in which no route leak occurred, and their respective triplet features; and train the random forest classifier with the positive and negative samples until a training stop condition is met, yielding the trained random forest classifier.

Optionally, the extraction module is further configured to: use the autonomous system triplet as an index, query a pre-established database, and output the autonomous system triplet features.

Optionally, the database stores autonomous system features that are updated at a preset interval, wherein the autonomous system distance, autonomous system degree and autonomous system type among the features are updated from a first routing data source, the autonomous system address space is updated from a second routing data source and a third routing data source, and the autonomous system geographic location is updated from the first routing data source and a fourth routing data source.

Optionally, the extraction module is further configured to: identify preset codes, repeated numbers and target fields in the code; discard or remove the preset codes, delete the repeated codes, and generate the corresponding autonomous system triplets for the autonomous systems whose numbers are contained in the target field, wherein, for a preset code that satisfies a preset condition, the autonomous system triplets corresponding to that code are discarded.

Optionally, the device further includes: a sending module, configured to generate alarm information for the route leak after the actual location of the route leak is output, and to send the alarm information to a preset terminal.

An embodiment of the third aspect of the present application provides electronic equipment, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the method for locating route leaks described in the above embodiments.

An embodiment of the fourth aspect of the present application provides a computer-readable storage medium on which a computer program is stored, the program being executed by a processor to implement the method for locating route leaks described in the above embodiments.

The present application therefore has at least the following beneficial effects:

Embodiments of the present application can locate route leaks from the AS_PATH in BGP update messages by obtaining autonomous system triplet features and training a random forest classifier. The AS_PATH is extracted from a single BGP update message, multiple autonomous system triplets are generated, and each triplet is then judged in turn as to whether a route leak has occurred. The autonomous system triplet features can accurately distinguish route leaks from normal routes. Using triplet features that are relatively stable and do not need to be collected frequently saves localization time, and, with a lightweight random forest classifier, the location of a route leak can be determined in real time. This solves the technical problems in the related art that the location of a route leak cannot be determined accurately and that locating it takes a long time.

Additional aspects and advantages of the present application will be set forth in part in the description that follows, and in part will become apparent from that description or be learned through practice of the present application.

Brief description of the drawings

The above and/or additional aspects and advantages of the present application will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, in which:

FIG. 1 is a flowchart of a method for locating route leaks according to an embodiment of the present application;

FIG. 2 is a schematic diagram of a method for locating route leaks according to an embodiment of the present application;

FIG. 3 is a schematic diagram of the cumulative distribution of leak localization delay according to an embodiment of the present application;

FIG. 4 is a schematic diagram of a device for locating route leaks according to an embodiment of the present application;

FIG. 5 is a schematic structural diagram of electronic equipment according to an embodiment of the present application.

Detailed description

Embodiments of the present application are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary and are intended to explain the present application; they should not be construed as limiting it.

The method, device, electronic equipment and storage medium for locating route leaks according to embodiments of the present application are described below with reference to the accompanying drawings. The existing localization methods mentioned in the background above cannot locate route leaks accurately and need a long time to periodically collect and compute statistical features. To address this, the present application provides a method for locating route leaks in which route leaks are located by obtaining autonomous system triplet features and training a random forest classifier. The method can accurately distinguish route leaks from normal routes, and it uses autonomous system triplet features that are relatively stable and do not need to be collected frequently. This solves the problems in the related art that the location of a route leak cannot be determined accurately and that locating it takes a long time.

Specifically, FIG. 1 is a schematic flowchart of a method for locating route leaks provided by an embodiment of the present application.

As shown in FIG. 1, the method for locating route leaks includes the following steps:

In step S101, an update message of the Border Gateway Protocol is obtained.

The Border Gateway Protocol (BGP) is a path-vector routing protocol that exchanges reachability information between autonomous systems (AS); the protocol propagates routing information mainly through update messages.

Autonomous system (AS): the Internet is a giant network made up of hundreds of thousands of smaller networks called autonomous systems (AS). Each of these autonomous systems is essentially a large pool of routers run by a single organization; an autonomous system is a large network or group of networks managed by a single organization. An autonomous system may have many subnets, but they all share the same routing policy. Each autonomous system is assigned its own autonomous system number (ASN) so that it can be identified easily.

It can be understood that embodiments of the present application may obtain Border Gateway Protocol update messages from the route collectors of RIPE NCC and RouteViews, for later use in locating route leaks.

RIPE NCC is the regional Internet registry for Europe, the Middle East and parts of Central Asia; it provides the network research community with route collectors and the inter-domain routing tables and routing update data they collect. RouteViews is a project established by the Advanced Network Technology Center of the University of Oregon; it provides the network research community with route collectors and the inter-domain routing tables and routing update data they collect.

In step S102, the code composed of autonomous system numbers is extracted from the update message, autonomous system triplets are generated from the code, and the autonomous system triplet features corresponding to the triplets are extracted.

It can be understood that embodiments of the present application may obtain the code composed of autonomous system numbers (the AS_PATH) from the Border Gateway Protocol update message, generate autonomous system triplets from the code, and extract features for the triplets.

It should be noted that each time a BGP update message passes through an autonomous system, that system's autonomous system number is added to the message's AS_PATH. An AS_SET, which is used for route aggregation, may appear in the AS_PATH; this field contains multiple autonomous system numbers.

In embodiments of the present application, generating the autonomous system triplets from the code includes: identifying preset codes, repeated numbers and target fields in the code; discarding or removing the preset codes, deleting the repeated codes, and generating the corresponding autonomous system triplets for the autonomous systems whose numbers are contained in the target field, wherein, for a preset code that satisfies a preset condition, the autonomous system triplets corresponding to that code are discarded.

The preset code may be an abnormal code, a code containing a loop, or the like; the target field may be 23456; the preset condition refers to a code in which a preset code, a repeated code and a target field are present.

It can be understood that embodiments of the present application may preprocess the obtained AS_PATH, filter out illegal paths and abnormal autonomous system numbers, and generate the autonomous system triplets. The specific steps are as follows:

1. Discard any AS_PATH that contains a loop.

2. Handle path prepending: delete the repeated autonomous system numbers in the AS_PATH so that only one copy of each repeated number remains.

3. Handle any AS_SET in the AS_PATH: generate the corresponding autonomous system triplets for the autonomous systems in the AS_SET.

4. Remove reserved autonomous system numbers from the AS_PATH. For specific autonomous system numbers, such as 23456, discard the autonomous system triplets that contain that number.
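The four preprocessing steps above, as an added Python example (not code from the patent). It assumes a bgpdump-style textual AS_PATH with AS_SETs in braces, treats each AS_SET member as an alternative hop, and takes the IANA special-purpose ranges as the "reserved" numbers; the page fixes none of these details, and the sample paths in the test are constructed.

```python
"""AS_PATH -> AS triplets, following the four preprocessing steps in the text."""
import re
from itertools import product

AS_TRANS = 23456  # the text's example of an ASN whose triplets are discarded

# Special-purpose ASN ranges from the IANA registry. Which numbers the patent
# counts as "reserved" is not stated on the page, so this list is an assumption.
RESERVED_RANGES = [
    (0, 0),
    (64496, 64511),            # documentation
    (64512, 65534),            # private use
    (65535, 65535),
    (65536, 65551),            # documentation
    (4200000000, 4294967294),  # private use
    (4294967295, 4294967295),
]


def is_reserved(asn):
    return any(lo <= asn <= hi for lo, hi in RESERVED_RANGES)


def parse_as_path(text):
    """Parse 'A B {C,D} E' into a list of positions. Each position is a
    frozenset of candidate ASNs: one element for a plain hop, several for
    an AS_SET. Raises ValueError on a non-numeric token."""
    positions = []
    for token in re.findall(r"\{[^}]*\}|\S+", text):
        if token.startswith("{"):
            members = [m for m in re.split(r"[,\s]+", token[1:-1]) if m]
        else:
            members = [token]
        if members:
            positions.append(frozenset(int(m) for m in members))
    return positions


def triplets_from_as_path(text):
    """Return the AS triplets of one AS_PATH, in path order, or [] when the
    path is discarded (loop) or is too short to contain a triplet."""
    positions = parse_as_path(text)

    # Step 2, applied first so that prepending is not mistaken for a loop:
    # collapse runs of the same hop into a single hop.
    collapsed = []
    for pos in positions:
        if not collapsed or collapsed[-1] != pos:
            collapsed.append(pos)

    # Step 1: after collapsing, an ASN seen at two positions is a loop.
    seen = set()
    for pos in collapsed:
        if seen & pos:
            return []
        seen |= pos

    # Step 4, first half: strip reserved ASNs from the path.
    cleaned = []
    for pos in collapsed:
        kept = frozenset(a for a in pos if not is_reserved(a))
        if kept:
            cleaned.append(kept)

    # Step 3: slide a window of three hops; an AS_SET contributes one triplet
    # per member. Step 4, second half: drop triplets containing AS_TRANS.
    triplets = []
    for left, mid, right in zip(cleaned, cleaned[1:], cleaned[2:]):
        for t in product(sorted(left), sorted(mid), sorted(right)):
            if AS_TRANS not in t and t not in triplets:
                triplets.append(t)
    return triplets
```
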

在本申请实施例中,提取自治系统三元组对应的自治系统三元组特征,包括:以自治系统三元组为索引,查询预先建立的数据库,输出自治系统三元组特征。In the embodiment of the present application, extracting the characteristics of the autonomous system triplet corresponding to the autonomous system triplet includes: using the autonomous system triplet as an index, querying a pre-established database, and outputting the characteristics of the autonomous system triplet.

其中,数据库用于存储自治系统三元组和自治系统三元组特征之间的关系。Wherein, the database is used to store the relationship between the autonomous system triplet and the characteristics of the autonomous system triplet.

可以理解的是,本申请实施例可以通过在数据库中查询自治系统三元组相应的自治系统三元组特征。It can be understood that, in the embodiment of the present application, the characteristics of the autonomous system triplet corresponding to the autonomous system triplet may be searched in the database.

需要说明的是,本申请需要从路由数据源周期性收集自治系统特征并存处于数据库中,路由数据源为:RIPE NCC,RouteViews,CAIDA和PeeringDB。It should be noted that this application needs to periodically collect autonomous system characteristics from routing data sources and store them in the database. The routing data sources are: RIPE NCC, RouteViews, CAIDA and PeeringDB.

其中,RIPE NCC和RouteViews在上述实施例中已经阐述,此处不再赘述。CAIDA为应用互联网数据分析中心,为网络研究社区提供互联网测量数据;PeeringDB为基于web的互联网连接信息数据库。Wherein, RIPE NCC and RouteViews have been described in the foregoing embodiments, and will not be repeated here. CAIDA is the Applied Internet Data Analysis Center, which provides Internet measurement data for the network research community; PeeringDB is a web-based Internet connection information database.

在本申请实施例中,数据库存储有间隔预设时长更新的自治系统特征,其中,通过第一路由数据源更新自治系统特征中的自治系统距离、自治系统度和自治系统类型,通过第二路由数据源和第三路由数据源更新自治系统特征中的自治系统地址空间,通过第一路由数据源和第四路由数据源更新自治系统特征中的自治系统地理位置。In the embodiment of the present application, the database stores the autonomous system features updated at preset intervals, wherein the autonomous system distance, autonomous system degree and autonomous system type in the autonomous system features are updated through the first routing data source, and the autonomous system characteristics are updated through the second routing data source. The data source and the third routing data source update the autonomous system address space in the autonomous system feature, and update the autonomous system geographic location in the autonomous system feature through the first routing data source and the fourth routing data source.

其中,预设间隔时长可以依据具体情况进行设定,对此不做限定。Wherein, the preset interval length can be set according to specific circumstances, and there is no limitation on this.

可以理解的是,本申请实施例可以从路由数据源周期性收集获得自治系统特征,存储于数据库中。It can be understood that, in this embodiment of the present application, the characteristics of the autonomous system may be periodically collected from the routing data source and stored in the database.

以第一路由数据源为CAIDA,第二路由数据源为RIPE NCC,第三路由数据源为RouteViews,第四路由数据源为PeeringDB为例,本申请实施例收集自治系统特征的具体步骤如下:Taking the first routing data source as CAIDA, the second routing data source as RIPE NCC, the third routing data source as RouteViews, and the fourth routing data source as PeeringDB as an example, the specific steps for collecting autonomous system characteristics in this embodiment of the application are as follows:

1. Obtain the autonomous system distance, autonomous system degree and autonomous system type from the routing data source CAIDA. The autonomous system distance is the average number of hops from the autonomous system to each Tier-1 autonomous system. Autonomous system types fall into three categories: content providers, enterprise networks, and access and transit service providers. This method uses 0 for content providers, 1 for enterprise networks and 2 for transit service providers.

2. Obtain the autonomous system address space from the routing data sources RIPE NCC and RouteViews.

3. Obtain the autonomous system geographic location from the routing data sources CAIDA and PeeringDB. The geographic location of an autonomous system is the country it belongs to and the IXP it belongs to. This method uses the values 1-5 to represent the geographic relationship among the three autonomous systems in <AS1, AS2, AS3>. If AS1 and AS2 share a location that differs from that of AS3, the value is 1; if AS1 and AS3 share a location that differs from that of AS2, the value is 2; if AS2 and AS3 share a location that differs from that of AS1, the value is 3; if AS1, AS2 and AS3 are all in different locations, the value is 4; if AS1, AS2 and AS3 are all in the same location, the value is 5.

4. Store the autonomous system features obtained above in the database and update them periodically.

It should be noted that an IXP is an Internet exchange point, one of the physical infrastructures of the Internet, which helps autonomous systems exchange Internet traffic efficiently.

In step S103, the autonomous system triplets and their corresponding autonomous system triplet features are input into the trained random forest classifier, which outputs the actual location of the route leak.

It can be understood that this embodiment can locate the actual position of a route leak by feeding the obtained autonomous system triplets and their corresponding triplet features into the trained random forest classifier.

It should be noted that a route leak occurs when the propagation of a BGP update message violates the valley-free principle, that is, an autonomous system must not announce a route learned from one of its providers or peers to another of its providers or peers. The valley-free principle is the rule that BGP update message propagation follows. Autonomous systems occupy higher or lower positions in the inter-domain routing hierarchy: in general, an autonomous system's providers sit above it, its peers sit at roughly the same level, and its customers sit below it. The path formed by the autonomous systems that a BGP update message traverses must not form a valley, that is, an update message must not propagate from a higher-level autonomous system down to a lower-level one and then back up to a higher-level one. Specifically, an autonomous system may announce routes from its customers to any other neighbor, routes from its peers to any customer neighbor, and routes from its providers to any customer neighbor.

Specifically, the trained random forest classifier locates route leaks from the input autonomous system triplets and their corresponding triplet features. For example, if a route leak is located in the autonomous system triplet <AS1, AS2, AS3>, then the autonomous system that leaked the route is AS2, the recipient of the leaked route is AS1, and the route leaked by AS2 came from AS3.
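The valley-free rule and the <AS1, AS2, AS3> roles described above, as an added Python illustration (not code from the patent, whose method uses a trained classifier rather than relationship data). The relationship lines are constructed, use documentation ASNs, and follow CAIDA's AS-relationship text format (provider|customer|-1, peer|peer|0); all function names are hypothetical.

```python
"""Rule-based valley-free check on AS triplets (added illustration)."""

# Constructed relationship lines in CAIDA's AS-relationship text format:
#   <provider>|<customer>|-1   or   <peer>|<peer>|0
# ASNs come from the documentation range 64496-64511 (RFC 5398).
SAMPLE_AS_REL = """\
# constructed sample, not real topology
64496|64497|0
64496|64498|0
64496|64500|-1
64497|64500|-1
64496|64510|-1
64500|64501|-1
"""

CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"


def load_relationships(text):
    """Return {(a, b): role that b plays as seen from a}."""
    rel = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        a, b, kind = line.split("|")[:3]
        a, b = int(a), int(b)
        if kind == "-1":            # a is the provider of b
            rel[(a, b)] = CUSTOMER
            rel[(b, a)] = PROVIDER
        elif kind == "0":           # a and b are peers
            rel[(a, b)] = rel[(b, a)] = PEER
    return rel


def triplet_is_leak(rel, triplet):
    """True/False for a known triplet, None when a relationship is unknown.

    The route travels AS3 -> AS2 -> AS1. AS2 leaks when it learned the route
    from a provider or peer (AS3) and announced it to a provider or peer (AS1).
    """
    as1, as2, as3 = triplet
    learned_from = rel.get((as2, as3))
    sent_to = rel.get((as2, as1))
    if learned_from is None or sent_to is None:
        return None
    return learned_from in (PROVIDER, PEER) and sent_to in (PROVIDER, PEER)


def locate_leaks(rel, as_path):
    """Slide a window of three over the AS_PATH and report leaking triplets."""
    findings = []
    for i in range(len(as_path) - 2):
        triplet = tuple(as_path[i:i + 3])
        if triplet_is_leak(rel, triplet):
            findings.append({
                "triplet": triplet,
                "leaker": triplet[1],        # AS2
                "receiver": triplet[0],      # AS1
                "learned_from": triplet[2],  # AS3
            })
    return findings


if __name__ == "__main__":
    rel = load_relationships(SAMPLE_AS_REL)
    # 64500 learned the route from provider 64496 and sent it to provider 64497.
    for finding in locate_leaks(rel, [64497, 64500, 64496, 64510]):
        print(finding)
```

A triplet whose relationships are missing from the table returns None rather than False, so gaps in relationship data are not silently treated as clean paths.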

In the embodiment of the present application, training the random forest classifier includes: acquiring route leak events, where the route leak events include autonomous system triplets in which a route leak occurred and autonomous system triplets in which no route leak occurred; generating positive and negative samples from the triplets in which a route leak occurred, the triplets in which no route leak occurred, and their respective autonomous system triplet features; and training the random forest classifier with the positive and negative samples until the training stop condition is met, yielding the trained random forest classifier.

It can be understood that this embodiment may collect route leak events from a route leak event data source and train a random forest classifier, which is subsequently used to locate route leak events according to autonomous system triplet features.

It can be understood that the training of the random forest classifier specifically includes the following steps:

1. Collect route leak events from the BGPStream platform, the route leak event data source, and obtain the autonomous system triplets in which a route leak occurred and the normal autonomous system triplets.

2. Use the obtained leaking triplets and normal triplets, together with their corresponding triplet features, as positive and negative samples to train the random forest classifier.

BGPStream is a platform that provides alerts about hijacks, leaks and outages in BGP.

In the embodiment of the present application, after the actual location of the route leak is output, the method further includes: generating alarm information for the route leak and sending the alarm information to a preset terminal.

The preset terminal may be a display or the like, which is not limited here.

It can be understood that, after outputting the actual location of the route leak, this embodiment can generate corresponding alarm information for the located route leak and send it to the preset terminal (such as a display screen), so that the relevant network administrator is notified promptly and becomes aware of the route leak.

The method for locating route leaks is described below through a specific implementation which, as shown in Figure 2, includes the following steps:

Step 1: BGP update message preprocessing. Obtain the AS_PATH of the BGP update message from the route collector, filter out illegal paths and abnormal autonomous system numbers, and generate autonomous system triplets.

Step 2: autonomous system triplet feature extraction. Periodically collect autonomous system features from the routing data sources and store them in the database, then generate the corresponding autonomous system triplet features for each autonomous system triplet.

Step 3: route leak location. Collect route leak events from the route leak event data source, train a random forest classifier, and then use that classifier to locate route leaks according to the autonomous system triplet features and generate alarms.

The method for locating route leaks is illustrated below through a specific embodiment:

1. BGP update message preprocessing. The AS_PATH obtained from the route collector is [4637, 4775, 4766, 174, 3491, 65000]. The abnormal autonomous system number 65000 is filtered out, and the following autonomous system triplets are generated: <4637, 4775, 4766>, <4775, 4766, 174> and <4766, 174, 3491>.

2. Autonomous system triplet feature extraction. Autonomous system features are periodically collected from the routing data sources, and the corresponding triplet features are generated for each autonomous system triplet, as shown in Table 1. The autonomous system triplet features are: <AS1 distance, AS2 distance, AS3 distance>, <AS1 address space, AS2 address space, AS3 address space>, <AS1 degree, AS2 degree, AS3 degree>, <AS1 type, AS2 type, AS3 type>, the country relationship of the three autonomous systems, and the IXP relationship of the three autonomous systems.

Table 1

[Figure BDA0004066930050000081: image of Table 1 in the original publication]

3. Route leak location. The AS_PATH of a route leak event collected from the route leak event data source BGPStream is [53432, 13994, 7029, 6461, 37662, 37204, 5511, 174, 25818], where 37204 is the leaking autonomous system, which leaked the route to autonomous system 37662. The leaking autonomous system triplet <37662, 37204, 5511> is used as a positive training sample, and the normal autonomous system triplets <53432, 13994, 7029>, <13994, 7029, 6461>, <7029, 6461, 37662>, <6461, 37662, 37204>, <37204, 5511, 174> and <5511, 174, 25818> are used as negative training samples. The triplet features corresponding to each of these autonomous system triplets are obtained in the same way. The random forest classifier is then trained on the class-balanced positive and negative samples and their corresponding triplet features. When the trained random forest classifier receives the autonomous system triplet <3320, 9002, 44628>, it detects from the corresponding triplet features that a route leak occurred in this triplet and locates 9002 as the leaking autonomous system, which leaked a route from autonomous system 44628 to autonomous system 3320. Finally, a corresponding alarm is generated and the relevant network administrator is notified promptly. When the implementation environment is a Dell PowerEdge R740 rack server equipped with an Intel Xeon(R) Gold 6230R CPU @ 2.10GHz and 128GB of RAM, the embodiment of the present application can locate a route leak in 7.86 milliseconds on average, as shown in Figure 3. The accuracy of route leak location is shown in Table 2; a location accuracy of more than 90% can be achieved.

Table 2

Method | False positive rate | Recall | Precision | Accuracy | F1 score
This application | 0.11 | 0.92 | 0.90 | 0.91 | 0.91
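The preprocessing, feature assembly and sample labelling from steps 1 to 3 of the embodiment above, as an added Python example (not code from the patent). The ASN filter set, the loop check, the rule of dropping any triplet that contains a filtered ASN, the function names, and every value in AS_FEATURES are assumptions or constructed data; only the AS_PATHs and the 0/1/2 and 1-5 encodings come from the text.

```python
"""AS_PATH -> triplets -> triplet features and labelled samples (added example)."""

# Assumed filter set: private-use ASNs (RFC 6996) plus a few reserved values.
PRIVATE_16 = range(64512, 65535)
PRIVATE_32 = range(4200000000, 4294967295)
RESERVED = {0, 23456, 65535, 4294967295}


def is_abnormal_asn(asn):
    return asn in RESERVED or asn in PRIVATE_16 or asn in PRIVATE_32


def as_path_to_triplets(as_path):
    """Sliding window of three over the AS_PATH, leftmost AS first."""
    # Collapse AS-path prepending (the same ASN repeated back to back).
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    # Assumption: a non-adjacent repeat is a loop, so the whole path is illegal.
    if len(set(path)) != len(path):
        return []
    triplets = [tuple(path[i:i + 3]) for i in range(len(path) - 2)]
    # Assumption: drop windows containing a filtered ASN instead of splicing it
    # out, so two ASes that were never adjacent are not paired up.
    return [t for t in triplets if not any(is_abnormal_asn(a) for a in t)]


def geo_relation(loc1, loc2, loc3):
    """Codes 1-5 for the location relationship inside <AS1, AS2, AS3>."""
    if loc1 == loc2 == loc3:
        return 5
    if loc1 == loc2:
        return 1
    if loc1 == loc3:
        return 2
    if loc2 == loc3:
        return 3
    return 4


# Constructed per-AS feature rows (placeholder values, not measurements).
# as_type: 0 content provider, 1 enterprise network, 2 transit service provider.
AS_FEATURES = {
    4637: {"distance": 1.2, "addr_space": 1000, "degree": 50,
           "as_type": 2, "country": "C1", "ixp": "X1"},
    4775: {"distance": 2.0, "addr_space": 200, "degree": 5,
           "as_type": 2, "country": "C2", "ixp": "X1"},
    4766: {"distance": 1.5, "addr_space": 5000, "degree": 80,
           "as_type": 2, "country": "C2", "ixp": "X2"},
}


def triplet_features(db, triplet):
    """14-value vector in the order the text lists, or None if an AS is unknown."""
    rows = [db.get(asn) for asn in triplet]
    if any(r is None for r in rows):
        return None
    vec = []
    for key in ("distance", "addr_space", "degree", "as_type"):
        vec.extend(r[key] for r in rows)
    vec.append(geo_relation(*(r["country"] for r in rows)))
    vec.append(geo_relation(*(r["ixp"] for r in rows)))
    return vec


def label_samples(as_path, leaker, receiver):
    """Label 1 for the triplet <receiver, leaker, *>, 0 for every other triplet."""
    return [(t, 1 if (t[0], t[1]) == (receiver, leaker) else 0)
            for t in as_path_to_triplets(as_path)]


if __name__ == "__main__":
    for t in as_path_to_triplets([4637, 4775, 4766, 174, 3491, 65000]):
        print(t, triplet_features(AS_FEATURES, t))
    leak_path = [53432, 13994, 7029, 6461, 37662, 37204, 5511, 174, 25818]
    for sample in label_samples(leak_path, leaker=37204, receiver=37662):
        print(sample)
```

The labelled triplets and their feature vectors are what would be class-balanced and passed to a random forest implementation for training.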

According to the route leak locating method proposed in the embodiments of the present application, route leaks are located from the AS_PATH in BGP update messages by obtaining autonomous system triplet features and training a random forest classifier. The AS_PATH is extracted from a single BGP update message, multiple autonomous system triplets are generated, and each triplet is then judged individually for whether a route leak occurred. The autonomous system triplet features can accurately distinguish route leaks from normal routes. Because the method uses relatively stable triplet features that do not need to be collected frequently, which saves locating time, and is based on a lightweight random forest classifier, it can locate the position of a route leak in real time.

Next, the device for locating route leaks proposed according to an embodiment of the present application is described with reference to the accompanying drawings.

Figure 4 is a schematic block diagram of the device for locating route leaks according to an embodiment of the present application.

As shown in Figure 4, the device 10 for locating route leaks includes an acquisition module 100, an extraction module 200 and an output module 300.

The acquisition module 100 is used to acquire update messages of the Border Gateway Protocol. The extraction module 200 is used to extract the code composed of autonomous system numbers in the update message, generate autonomous system triplets from the code, and extract the autonomous system triplet features corresponding to the triplets. The output module 300 is used to input the autonomous system triplets and their corresponding triplet features into the trained random forest classifier and output the actual location of the route leak.

In the embodiment of the present application, the output module 300 is further used to: acquire route leak events, where the route leak events include autonomous system triplets in which a route leak occurred and autonomous system triplets in which no route leak occurred; generate positive and negative samples from the triplets in which a route leak occurred, the triplets in which no route leak occurred, and their respective autonomous system triplet features; and train the random forest classifier with the positive and negative samples until the training stop condition is met, yielding the trained random forest classifier.

In the embodiment of the present application, the extraction module 200 is further used to: query a pre-established database using the autonomous system triplet as an index, and output the autonomous system triplet features.

In the embodiment of the present application, the database stores autonomous system features that are updated at a preset interval: the autonomous system distance, autonomous system degree and autonomous system type are updated from the first routing data source; the autonomous system address space is updated from the second and third routing data sources; and the autonomous system geographic location is updated from the first and fourth routing data sources.

In the embodiment of the present application, the extraction module 200 is further used to: identify preset codes, repeated numbers and target fields in the code; discard or remove the preset codes, delete the repeated codes, and generate the respective autonomous system triplets for the autonomous systems corresponding to the autonomous system numbers contained in the target fields, where, for a preset code that meets a preset condition, the autonomous system triplets corresponding to that code are discarded.

In the embodiment of the present application, the device 10 further includes a sending module.

The sending module is used to generate alarm information for the route leak after the actual location of the route leak is output, and to send the alarm information to a preset terminal.

It should be noted that the foregoing explanation of the embodiment of the method for locating route leaks also applies to the device for locating route leaks of this embodiment, and is not repeated here.

According to the device for locating route leaks proposed in the embodiments of the present application, route leaks are located from the AS_PATH in BGP update messages by obtaining autonomous system triplet features and training a random forest classifier. The AS_PATH is extracted from a single BGP update message, multiple autonomous system triplets are generated, and each triplet is then judged individually for whether a route leak occurred. The autonomous system triplet features can accurately distinguish route leaks from normal routes. Because the device uses relatively stable triplet features that do not need to be collected frequently, which saves locating time, and is based on a lightweight random forest classifier, it can locate the position of a route leak in real time.

Figure 5 is a schematic structural diagram of the electronic device provided by an embodiment of the present application. The electronic device may include:

a memory 501, a processor 502, and a computer program stored in the memory 501 and executable on the processor 502.

When the processor 502 executes the program, it implements the method for locating route leaks provided in the foregoing embodiments.

Further, the electronic device also includes:

a communication interface 503, used for communication between the memory 501 and the processor 502.

The memory 501 is used to store the computer program that can run on the processor 502.

The memory 501 may include high-speed RAM (Random Access Memory) and may also include non-volatile memory, such as at least one disk memory.

If the memory 501, the processor 502 and the communication interface 503 are implemented independently, they may be connected to each other through a bus and communicate with each other over it. The bus may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in Figure 5, but this does not mean that there is only one bus or one type of bus.

Optionally, in a specific implementation, if the memory 501, the processor 502 and the communication interface 503 are integrated on a single chip, they can communicate with each other through an internal interface.

The processor 502 may be a CPU (Central Processing Unit), an ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement the embodiments of the present application.

An embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the method for locating route leaks described above is implemented.

In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present application. In this specification, such schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or N embodiments or examples. In addition, provided they do not contradict each other, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those embodiments or examples.

In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or as implicitly specifying the number of the technical features indicated. A feature qualified by "first" or "second" may therefore explicitly or implicitly include at least one such feature. In the description of the present application, "N" means at least two, for example two or three, unless specifically defined otherwise.

Any process or method description in a flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or N executable instructions for implementing a custom logical function or a step of the process. The scope of the preferred embodiments of the present application includes additional implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present application belong.

It should be understood that each part of the present application may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, the N steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, they may be implemented by any one or a combination of the following techniques known in the art: discrete logic circuits with logic gates for implementing logical functions on data signals, application-specific integrated circuits with suitable combinational logic gates, programmable gate arrays, field programmable gate arrays, and so on.

Those of ordinary skill in the art can understand that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs one or a combination of the steps of the method embodiments.

Although the embodiments of the present application have been shown and described above, it can be understood that they are exemplary and are not to be construed as limiting the present application. Those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present application.

Claims (14)

1.一种路由泄露的定位方法,其特征在于,包括以下步骤:1. A location method for route leakage, characterized in that, comprising the following steps: 获取边界网关协议的更新消息;Obtain the update message of the Border Gateway Protocol; 提取所述更新消息中由自治系统编号组成的编码,根据所述编码生成自治系统三元组,并提取所述自治系统三元组对应的自治系统三元组特征;extracting the code formed by the autonomous system number in the update message, generating an autonomous system triplet according to the code, and extracting an autonomous system triplet feature corresponding to the autonomous system triplet; 将所述自治系统三元组和对应的自治系统三元组特征输入训练完成的随机森林分类器,输出路由泄露的实际位置。Input the autonomous system triplet and the corresponding autonomous system triplet feature into the trained random forest classifier, and output the actual location of the route leakage. 2.根据权利要求1所述的方法,其特征在于,所述随机森林分类器的训练包括:2. method according to claim 1, is characterized in that, the training of described random forest classifier comprises: 获取路由泄露事件,其中,所述路由泄露事件包括发生路由泄露的自治系统三元组和未发生路由泄露的自治系统三元组;Obtaining a route leaking event, wherein the route leaking event includes an autonomous system triplet in which route leaking occurs and an autonomous system triplet in which route leaking does not occur; 根据所述发生路由泄露的自治系统三元组、所述未发生路由泄露的自治系统三元组以及各自对应的自治系统三元组特征生成正负样本;Generating positive and negative samples according to the autonomous system triplets in which route leakage occurs, the autonomous system triplets in which route leakage does not occur, and the characteristics of their corresponding autonomous system triplets; 利用所述正负样本对随机森林分类器进行训练,直到满足训练停止条件,得到训练完成的随机森林分类器。The random forest classifier is trained by using the positive and negative samples until the training stop condition is met, and the trained random forest classifier is obtained. 3.根据权利要求1所述的方法,其特征在于,所述提取所述自治系统三元组对应的自治系统三元组特征,包括:3. 
The method according to claim 1, wherein the extracting the autonomous system triplet feature corresponding to the autonomous system triplet comprises: 以所述自治系统三元组为索引,查询预先建立的数据库,输出所述自治系统三元组特征。Using the autonomous system triplet as an index, query a pre-established database, and output the characteristics of the autonomous system triplet. 4.根据权利要求3所述的方法,其特征在于,所述数据库存储有间隔预设时长更新的自治系统特征,其中,通过第一路由数据源更新所述自治系统特征中的自治系统距离、自治系统度和自治系统类型,通过第二路由数据源和第三路由数据源更新所述自治系统特征中的自治系统地址空间,通过所述第一路由数据源和第四路由数据源更新所述自治系统特征中的自治系统地理位置。4. The method according to claim 3, wherein the database stores autonomous system features updated at preset intervals, wherein the autonomous system distance in the autonomous system features is updated through the first routing data source, Autonomous system degree and autonomous system type, updating the autonomous system address space in the autonomous system feature through the second routing data source and the third routing data source, updating the The autonomous system geographic location in the autonomous system characteristic. 5.根据权利要求1所述的方法,其特征在于,所述根据所述编码生成自治系统三元组,包括:5. The method according to claim 1, wherein said generating autonomous system triples according to said coding comprises: 识别所述编码中预设编码、重复编号和目标字段;Identify preset codes, repeat numbers and target fields in said code; 丢弃或移除所述预设编码,删除所述重复编码,对所述目标字段中包含的自治系统编号对应的自治系统生成各自对应的自治系统三元组,其中,对于满足预设条件的预设编码,丢弃所述编码对应的自治系统三元组。Discarding or removing the preset code, deleting the repeated code, and generating respective autonomous system triplets for the autonomous systems corresponding to the autonomous system numbers contained in the target field, wherein, for the preset Set a code, and discard the autonomous system triplet corresponding to the code. 6.根据权利要求1-5任意一项所述的方法,其特征在于,在输出路由泄露的实际位置之后,还包括:6. 
The method according to any one of claims 1-5, characterized in that, after outputting the actual location of the route leakage, the method further comprises: generating alarm information about the route leakage, and sending the alarm information to a preset terminal.

7. A device for locating route leakage, characterized by comprising:
an acquisition module, configured to acquire an update message of the Border Gateway Protocol;
an extraction module, configured to extract a code composed of autonomous system numbers from the update message, generate an autonomous system triplet according to the code, and extract the autonomous system triplet features corresponding to the autonomous system triplet;
an output module, configured to input the autonomous system triplet and the corresponding autonomous system triplet features into a trained random forest classifier, and output the actual location of the route leakage.

8. The device according to claim 7, characterized in that the output module is further configured to:
obtain route leakage events, wherein the route leakage events include autonomous system triplets in which route leakage occurs and autonomous system triplets in which route leakage does not occur;
generate positive and negative samples according to the autonomous system triplets in which route leakage occurs, the autonomous system triplets in which route leakage does not occur, and their respective autonomous system triplet features;
train a random forest classifier with the positive and negative samples until a training stop condition is met, to obtain the trained random forest classifier.

9. The device according to claim 7, characterized in that the extraction module is further configured to:
query a pre-established database using the autonomous system triplet as an index, and output the autonomous system triplet features.

10. The device according to claim 9, characterized in that the database stores autonomous system features updated at preset intervals, wherein the autonomous system distance, autonomous system degree and autonomous system type in the autonomous system features are updated through a first routing data source, the autonomous system address space in the autonomous system features is updated through a second routing data source and a third routing data source, and the autonomous system geographic location in the autonomous system features is updated through the first routing data source and a fourth routing data source.

11. The device according to claim 7, characterized in that the extraction module is further configured to:
identify preset codes, repeated numbers and a target field in the code;
discard or remove the preset codes, delete the repeated codes, and generate a respective autonomous system triplet for each autonomous system corresponding to an autonomous system number contained in the target field, wherein, for a preset code that satisfies a preset condition, the autonomous system triplet corresponding to that code is discarded.

12. The device according to any one of claims 7-11, characterized by further comprising:
a sending module, configured to generate alarm information about the route leakage after the actual location of the route leakage is output, and send the alarm information to a preset terminal.

13. An electronic device, characterized by comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the method for locating route leakage according to any one of claims 1-6.

14. A computer-readable storage medium on which a computer program is stored, characterized in that the program is executed by a processor to implement the method for locating route leakage according to any one of claims 1-6.
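The path cleaning and triplet generation of claim 11, sketched in Python as an added example (not code from the patent). It assumes that the "preset codes" are reserved ASNs, that the "target field" is an AS_SET written `{a,b}`, and that a triplet is three consecutive ASes on the cleaned path; the function names and the sample path are constructed.

```python
import re
from itertools import product

# Assumption: "preset codes" = reserved ASNs (AS 0, AS_TRANS 23456,
# documentation and private-use ranges, last 16-bit and 32-bit ASN).
RESERVED = [(0, 0), (23456, 23456), (64496, 65535),
            (65536, 65551), (4200000000, 4294967295)]

# Constructed sample: a reserved ASN at each end, prepending (174 x3), one AS_SET.
SAMPLE_PATH = "64500 3356 174 174 174 {1299,2914} 64512 13335"

def is_reserved(asn):
    return any(lo <= asn <= hi for lo, hi in RESERVED)

def parse_as_path(text):
    """Split an AS_PATH string into hops. A plain hop holds one ASN,
    an AS_SET hop '{a,b}' holds every member of the set."""
    hops = []
    for tok in re.findall(r"\{[^}]*\}|\d+", text):
        if tok.startswith("{"):
            hops.append(sorted({int(a) for a in re.findall(r"\d+", tok)}))
        else:
            hops.append([int(tok)])
    return hops

def clean(hops, strip_reserved):
    """Optionally remove reserved ASNs, then collapse repeated hops (prepending)."""
    out = []
    for hop in hops:
        if strip_reserved:
            hop = [a for a in hop if not is_reserved(a)]
        if hop and (not out or out[-1] != hop):
            out.append(hop)
    return out

def triplets(as_path, strip_reserved=True):
    """Return the AS triplets of a path in order of appearance.
    strip_reserved=True  removes reserved ASNs before windowing;
    strip_reserved=False keeps them in the path and discards any
    triplet that contains one (the claim's second behaviour)."""
    hops = clean(parse_as_path(as_path), strip_reserved)
    found = []
    for i in range(len(hops) - 2):
        # An AS_SET hop yields one triplet per member.
        for t in product(hops[i], hops[i + 1], hops[i + 2]):
            if len(set(t)) == 3 and not any(map(is_reserved, t)) and t not in found:
                found.append(t)
    return found

if __name__ == "__main__":
    print(triplets(SAMPLE_PATH))
    print(triplets(SAMPLE_PATH, strip_reserved=False))
```

Removing a reserved ASN joins its two neighbours into new triplets, while discarding only drops windows; which one a deployment wants decides whether `(174, 1299, 13335)` is ever scored by the classifier.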
CN202310079065.9A 2023-01-17 2023-01-17 Positioning method and device for route leakage, electronic equipment and storage medium Active CN116112418B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310079065.9A CN116112418B (en) 2023-01-17 2023-01-17 Positioning method and device for route leakage, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310079065.9A CN116112418B (en) 2023-01-17 2023-01-17 Positioning method and device for route leakage, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116112418A true CN116112418A (en) 2023-05-12
CN116112418B CN116112418B (en) 2025-10-17

Family

ID=86265089

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310079065.9A Active CN116112418B (en) 2023-01-17 2023-01-17 Positioning method and device for route leakage, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116112418B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116436844A (en) * 2023-06-13 2023-07-14 苏州浪潮智能科技有限公司 Positioning method and device, storage medium and electronic equipment for route oscillation
CN116800503A (en) * 2023-06-28 2023-09-22 清华大学 A route leakage detection method and device based on multi-party security calculation
CN120301815A (en) * 2025-06-12 2025-07-11 北京中关村实验室 Routing leak detection method, device, equipment, medium and program
CN121644448A (en) * 2026-02-05 2026-03-10 中国信息通信研究院 A method, device, and medium for detecting route leakage in BGP routing.

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110971522A (en) * 2018-09-30 2020-04-07 华为技术有限公司 Method, equipment and system for determining route leakage
US20200314129A1 (en) * 2019-03-29 2020-10-01 Saudi Arabian Oil Company Network route leakage detection
CN113395208A (en) * 2021-06-21 2021-09-14 哈尔滨工业大学 BGP route leakage detection method and system based on block chain
US11552876B1 (en) * 2020-11-10 2023-01-10 Amazon Technologies, Inc. Real-time identification of network prefix outage

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110971522A (en) * 2018-09-30 2020-04-07 华为技术有限公司 Method, equipment and system for determining route leakage
US20200314129A1 (en) * 2019-03-29 2020-10-01 Saudi Arabian Oil Company Network route leakage detection
US11552876B1 (en) * 2020-11-10 2023-01-10 Amazon Technologies, Inc. Real-time identification of network prefix outage
CN113395208A (en) * 2021-06-21 2021-09-14 哈尔滨工业大学 BGP route leakage detection method and system based on block chain

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ODNAN REF SANCHEZ: "Comparing Machine Learning Algorithms for BGP Anomaly Detection using Graph Features", PROCEEDINGS OF THE 3RD ACM CONEXT WORKSHOP ON BIG DATA, MACHINE LEARNING AND ARTIFICIAL INTELLIGENCE FOR DATA COMMUNICATION NETWORKS, 9 December 2019 (2019-12-09), pages 35 - 41, XP058448354, DOI: 10.1145/3359992.3366640 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116436844A (en) * 2023-06-13 2023-07-14 苏州浪潮智能科技有限公司 Positioning method and device, storage medium and electronic equipment for route oscillation
CN116436844B (en) * 2023-06-13 2023-09-08 苏州浪潮智能科技有限公司 Routing oscillation positioning method and device, storage medium and electronic equipment
CN116800503A (en) * 2023-06-28 2023-09-22 清华大学 A route leakage detection method and device based on multi-party security calculation
CN120301815A (en) * 2025-06-12 2025-07-11 北京中关村实验室 Routing leak detection method, device, equipment, medium and program
CN120301815B (en) * 2025-06-12 2025-10-17 北京中关村实验室 Routing leak detection method, device, equipment, medium and program
CN121644448A (en) * 2026-02-05 2026-03-10 中国信息通信研究院 A method, device, and medium for detecting route leakage in BGP routing.
CN121644448B (en) * 2026-02-05 2026-04-24 中国信息通信研究院 Route leakage detection method, device and medium for BGP (Border gateway protocol) route

Also Published As

Publication number Publication date
CN116112418B (en) 2025-10-17

Similar Documents

Publication Publication Date Title
CN116112418A (en) Locating method, device, electronic equipment and storage medium for route leakage
Anwar et al. Investigating interdomain routing policies in the wild
Su et al. Redundant rule detection for software-defined networking
CN115378843B (en) Method, system and apparatus for geolocation using traceroute
Yeganeh et al. How cloud traffic goes hiding: A study of amazon's peering fabric
US11108816B2 (en) Constructible automata for internet routes
CN112787841A (en) Fault root cause positioning method and device and computer storage medium
Krenc et al. AS-level BGP community usage classification
CN102215136A (en) Flow topology generation method and device
CN113271286B (en) Method, equipment and system for realizing BGP (Border gateway protocol) anomaly detection
CN112714008B (en) Network topology analysis methods, equipment and storage media
CN112887208B (en) A route leak detection method, device and device
Markovitch et al. TIPSY: predicting where traffic will ingress a WAN
CN103236978B (en) The determination method and apparatus of AS topology top layer autonomous system node
Green et al. Leveraging inter-domain stability for BGP dynamics analysis
Bagnulo et al. Practicable route leak detection and protection with ASIRIA
Lad et al. An algorithmic approach to identifying link failures
CN120301815B (en) Routing leak detection method, device, equipment, medium and program
Hendriks et al. Laces: an open, fast, responsible and efficient longitudinal anycast census system
Yang et al. BGP anomaly detection-a path-based approach
US20150138957A1 (en) Computing forwarding tables for link failures
Lad et al. Inferring the origin of routing changes using link weights
Giotsas et al. Detecting and assessing the hybrid IPv4/IPv6 as relationships
CN121000653A (en) Routing interruption detection methods, devices, equipment and storage media
Ahmed et al. An experimental study on inter-domain routing dynamics using IP-level path traces

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant