WO2021147320A1 - Routing abnormity detection method, apparatus and system, and computer storage medium - Google Patents

Info

Publication number
WO2021147320A1
WO2021147320A1 PCT/CN2020/112147 CN2020112147W WO2021147320A1 WO 2021147320 A1 WO2021147320 A1 WO 2021147320A1 CN 2020112147 W CN2020112147 W CN 2020112147W WO 2021147320 A1 WO2021147320 A1 WO 2021147320A1
Authority
WO
WIPO (PCT)
Prior art keywords
routing
path
target
bgp
historical
Prior art date
Application number
PCT/CN2020/112147
Other languages
French (fr)
Chinese (zh)
Inventor
谢于明
赵宇萍
李野
丁善明
王仲宇
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2021147320A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823 Errors, e.g. transmission errors
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/54 Organization of routing tables
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/40 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities

Definitions

  • This application relates to the field of network technology, and in particular to a method, device and system for detecting routing abnormalities, and computer storage media.
  • BGP Border Gateway Protocol
  • IP Internet Protocol
  • Route leaks are usually caused by misconfigurations, leading to a route forwarding strategy that violates the business relationship between ASs. For example, a customer AS erroneously forwards a BGP update message of one provider AS to another provider AS, resulting in a route leak.
  • BGP update message is used to advertise routes.
  • anomaly detection is usually performed on the routes running in the BGP network in cloud services.
  • the routing database of the cloud service stores the global IP prefixes in the BGP network.
  • the cloud service collects, stores, and parses the BGP update messages collected by network devices in real time to track the running status of the routing in the BGP network and the status of the IP prefixes, and performs routing anomaly detection based on the negotiation consistency of the routing database.
  • the current cloud service needs to collect the BGP update message collected by each network device in the BGP network in real time, that is, whenever a network device receives a new BGP update message, it needs to send the BGP update message to the cloud service.
  • the amount of data transmitted between the cloud service and the network devices is large, resulting in large network overhead.
  • the present application provides a routing anomaly detection method, device and system, and computer storage medium, which can solve the problem of high network overhead in the current routing anomaly detection process.
  • a routing anomaly detection method includes: the network device receives the BGP update message.
  • the network device determines the BGP routing characteristics corresponding to the BGP update message.
  • the network device sends target routing information to the analysis device.
  • the target routing information includes BGP routing characteristics and/or routing abnormality detection results.
  • the route anomaly detection result is obtained based on the BGP routing feature, and the route anomaly detection result is used to indicate whether the BGP update message is normal or abnormal.
  • after receiving the BGP routing information, the network device determines the BGP routing feature corresponding to the BGP routing information, and sends the BGP routing feature and/or routing abnormality detection result to the analysis device. Because the BGP routing feature and the routing abnormality detection result have a smaller data volume than the BGP update message, the data transmission volume between the network device and the analysis device is reduced, thereby reducing the network overhead. In addition, performing feature extraction and/or routing abnormality detection on the BGP update message on the network device side reduces the calculation amount of the analysis device and saves the calculation resources of the analysis device.
  • the process for the network device to determine the BGP routing feature corresponding to the BGP update message includes: the network device obtains the target routing prefix and the target AS path according to the BGP update message, where the target routing prefix is the IP prefix announced by the target source AS that advertises the BGP update message, and the target AS path is the AS path from the target source AS to the AS where the network device is located.
  • the network device obtains the historical BGP update message carrying the target route prefix.
  • the network device obtains the historical AS path according to the historical BGP update message.
  • the network equipment determines the BGP routing characteristics according to the target AS path and the historical AS path.
  • the BGP update message received by the network device includes the IP prefix announced by the source AS that issued the BGP update message, and the AS path from the source AS to the AS where the network device is located. Therefore, the network device can obtain the target AS path from the received BGP update message, and obtain the historical AS path from the historical BGP update message.
  • the network device may obtain one or more historical BGP update messages that carry the target route prefix from the historical BGP update messages stored by the network device.
  • the number of historical BGP update messages carrying the target routing prefix obtained by the network device may be determined according to the message analysis configuration parameters sent by the analysis device.
  • the network device may also obtain all historical BGP update messages stored in the network device that carry the target route prefix.
  • BGP routing features include one or more of the following:
  • the centrality of the target AS path is determined;
  • the rarity of the AS on the target AS path, where the rarity of an AS is equal to the ratio of the number of occurrences of the AS in the historical AS paths to the number of historical AS paths;
  • the rarity of the target AS path, which is equal to the rarity of the target AS, where the target AS is the AS with the least rarity on the target AS path;
  • the number of source ASs on the historical AS paths that are different from the target source AS;
  • the occurrence probability value of the target source AS, which is equal to the ratio of the number of occurrences of the target source AS in the historical AS paths to the number of historical AS paths;
  • and the stability of the target source AS, which is negatively correlated with the number of source ASs on the historical AS paths that are different from the target source AS, and is negatively correlated with the number of neighbor ASs of the AS where the network device is located on the historical AS paths that are different from the neighbor AS of the AS where the network device is located on the target AS path.
  • the neighbor AS, on an AS path, of the AS where the network device is located refers to the AS that immediately precedes the AS where the network device is located on that AS path.
  • the path similarity between the target AS path and the historical AS path is mainly used to determine whether route leakage occurs.
  • the number of source ASs that are different from the target source AS on the historical AS path, the occurrence probability of the target source AS, and the stability of the target source AS are mainly used to determine whether route hijacking occurs.
  • BGP routing features may also include other related features that can reflect route leakage, route hijacking, and/or route forgery, which is not limited in this application.
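The ratio-based features above can be computed directly on the device from a bounded history of updates. The following is an added example, not code from the patent: it uses the five historical AS paths and the target path that the description gives for prefix 1.1.1.0/24, and the names `BgpUpdate`, `HistoryStore` and `extract_features` are hypothetical. It assumes that an AS is counted once per historical path, that the source AS is the first element of a path, and that "number of source ASs different from the target source AS" means distinct ASs.

```python
from collections import Counter, deque
from fractions import Fraction
from typing import NamedTuple, Optional


class BgpUpdate(NamedTuple):
    prefix: str      # IP prefix announced by the source AS
    as_path: tuple   # AS numbers, source AS first, local AS last


class HistoryStore:
    """Queue of at most M historical BGP updates; the oldest is dropped first."""

    def __init__(self, max_messages: int = 100):
        self._queue = deque(maxlen=max_messages)

    def add(self, update: BgpUpdate) -> None:
        self._queue.append(update)

    def paths_for(self, prefix: str, window: Optional[int] = None) -> list:
        """Historical AS paths carrying `prefix`, newest last, cut to the analysis window."""
        if window is not None and window < 1:
            raise ValueError("analysis window must be a positive integer")
        paths = [u.as_path for u in self._queue if u.prefix == prefix]
        return paths if window is None else paths[-window:]


def extract_features(target: BgpUpdate, history: list,
                     operator_asns=frozenset()) -> Optional[dict]:
    """Rarity and source-AS features of `target` against same-prefix history."""
    history = [tuple(p) for p in history if p]
    total = len(history)
    if total == 0 or not target.as_path:
        return None  # no history for this prefix: the ratios are undefined

    # Assumption: an AS counts once per historical path, so AS-path
    # prepending cannot push a ratio above 1.
    present = Counter(asn for path in history for asn in set(path))
    # Operator ASs from the AS identification list are skipped.
    as_rarity = {asn: Fraction(present[asn], total)
                 for asn in target.as_path if asn not in operator_asns}
    # "Target AS": the AS with the least rarity on the target path
    # (first one in path order on a tie).
    target_as = min(as_rarity, key=as_rarity.get) if as_rarity else None

    # Assumption: the source AS of a path is its first element.
    origins = Counter(path[0] for path in history)
    source = target.as_path[0]
    return {
        "as_rarity": as_rarity,
        "target_as": target_as,
        "path_rarity": as_rarity[target_as] if target_as is not None else None,
        "other_source_as_count": len(set(origins) - {source}),
        "source_occurrence_probability": Fraction(origins[source], total),
    }


PREFIX = "1.1.1.0/24"
# The five historical AS paths from the description (AS1..AS5 written as 1..5).
HISTORY_PATHS = [(1, 2, 3, 5), (1, 2, 3, 4, 5), (2, 3, 4, 5), (1, 2, 4, 5), (2, 3, 5)]


def build_store(max_messages: int = 100) -> HistoryStore:
    store = HistoryStore(max_messages)
    store.add(BgpUpdate("192.0.2.0/24", (7, 4, 5)))  # constructed, unrelated prefix
    for path in HISTORY_PATHS:
        store.add(BgpUpdate(PREFIX, path))
    return store


if __name__ == "__main__":
    history = build_store().paths_for(PREFIX, window=5)
    described = BgpUpdate(PREFIX, (1, 2, 3, 4, 5))    # target path from the description
    constructed = BgpUpdate(PREFIX, (9, 2, 3, 4, 5))  # constructed: source AS never seen before
    for update in (described, constructed):
        feats = extract_features(update, history)
        print(update.as_path, {k: str(v) for k, v in feats.items() if k != "as_rarity"})
```

For the constructed update, the path rarity and the source occurrence probability both drop to 0 while the count of other source ASs rises to 2, which is the pattern the description associates with the hijack-related features.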
  • the BGP routing feature includes the hegemonic similarity between the target AS path and the historical AS path, and the network device determines the BGP routing feature according to the target AS path and the historical AS path, including:
  • the network device obtains the first centrality vector corresponding to the target AS path, and the first centrality vector includes the centrality of each AS on the target AS path; the network device obtains the second centrality vector corresponding to the historical AS path, and the second centrality vector includes the centrality of each AS on the historical AS path; the network device uses the similarity between the first centrality vector and the second centrality vector as the hegemonic similarity between the target AS path and the historical AS path.
  • before the network device determines the BGP routing characteristics according to the target AS path and the historical AS path, the network device also receives the AS centrality list sent by the analysis device, and the centrality list includes the centrality of each AS in the network.
  • the process for the network device to obtain the first centrality vector corresponding to the target AS path includes: the network device obtains the centrality of each AS on the target AS path from the AS centrality list according to the identification of each AS on the target AS path, and generates the first centrality vector.
  • the process for the network device to obtain the second centrality vector corresponding to the historical AS path includes: the network device obtains the centrality of each AS on the historical AS path from the AS centrality list according to the identification of each AS on the historical AS path, and generates the second centrality vector.
  • the BGP routing feature includes the rarity of the AS on the target AS path.
  • before the network device determines the BGP routing feature according to the target AS path and the historical AS path, the network device also receives the AS identification list sent by the analysis device.
  • the identifier list includes the identifier of the operator AS.
  • the network device determines the BGP routing characteristics according to the target AS path and the historical AS path, including: the network device determines the rarity of the ASs on the target AS path other than the operator AS, where the rarity of an AS on the target AS path is equal to the ratio of the number of occurrences of that AS in the historical AS paths to the number of historical AS paths.
  • the target routing information includes a routing anomaly detection result.
  • after the network device determines the BGP routing feature corresponding to the BGP update message, the network device determines the routing anomaly detection result according to the BGP routing feature.
  • the network device generates a routing anomaly detection result according to the BGP routing characteristics, and then sends the routing anomaly detection result to the analysis device, which can further reduce the calculation amount of the analysis device.
  • the network device may receive the routing anomaly detection model sent by the analysis device.
  • the process of the network device generating the routing anomaly detection result according to the BGP routing feature includes: the network device inputs the BGP routing feature to the routing anomaly detection model to obtain the routing anomaly detection result output by the routing anomaly detection model.
  • the route anomaly detection result is also used to indicate the route abnormality type of the BGP update message.
  • the route abnormality type includes one or more of route leakage, route hijacking, or route forgery.
  • the routing exception type may also be other exception types, which is not limited in this application.
  • a routing anomaly detection method includes: the analysis device receives the target routing information sent by the network device, where the target routing information includes the BGP routing feature and/or the routing anomaly detection result corresponding to the BGP update message received by the network device, the routing anomaly detection result is obtained based on the BGP routing feature, and the routing anomaly detection result is used to indicate that the BGP update message is normal or abnormal.
  • the analysis device performs abnormal analysis on the BGP update message according to the target routing information.
  • the target routing information includes BGP routing characteristics
  • the process of analyzing the abnormality of the BGP update message by the analysis device according to the target routing information includes: the analysis device determines the routing abnormality detection result according to the BGP routing characteristics; the analysis device analyzes the abnormality of the BGP update message according to the routing abnormality detection result.
  • after the analysis device performs abnormal analysis on the BGP update message according to the target routing information, when the analysis device determines that the BGP update message is abnormal, the analysis device outputs the routing abnormality type of the BGP update message.
  • the route abnormality type includes one or more of route leakage, route hijacking, or route forgery.
  • by outputting the routing abnormality type of the BGP update message, the analysis device makes it available for viewing by the operation and maintenance personnel, so that the operation and maintenance personnel can quickly determine and maintain the abnormal routing event in the communication network, thereby ensuring the operational safety and reliability of the communication network.
  • the analysis device may also send one or more of network-level BGP information, routing anomaly detection model, and message analysis configuration parameters to the network device.
  • the network-level BGP information includes an AS centrality list and/or an AS identification list.
  • the AS centrality list includes the centrality of each AS in the network, and the AS identification list includes the identity of the operator AS.
  • the routing anomaly detection model is used to output routing anomaly detection results based on the input BGP routing characteristics.
  • the message analysis configuration parameters include the size of the BGP update message analysis window.
  • in a third aspect, a routing abnormality detection device includes a plurality of functional modules, and the plurality of functional modules interact to implement the above-mentioned first aspect and the methods in various embodiments thereof.
  • the multiple functional modules can be implemented based on software, hardware, or a combination of software and hardware, and the multiple functional modules can be combined or divided arbitrarily based on specific implementations.
  • in a fourth aspect, a routing abnormality detection device includes a plurality of functional modules, and the plurality of functional modules interact to implement the above-mentioned second aspect and the methods in various embodiments thereof.
  • the multiple functional modules can be implemented based on software, hardware, or a combination of software and hardware, and the multiple functional modules can be combined or divided arbitrarily based on specific implementations.
  • a routing anomaly detection system including: network equipment and analysis equipment;
  • the network equipment includes the routing abnormality detection device according to the third aspect, and the analysis equipment includes the routing abnormality detection device according to the fourth aspect.
  • a network device including: a processor and a memory;
  • the memory is used to store a computer program, and the computer program includes program instructions
  • the processor is configured to call the computer program to implement the routing abnormality detection method according to any one of the first aspect.
  • an analysis device including: a processor and a memory;
  • the memory is used to store a computer program, and the computer program includes program instructions
  • the processor is configured to call the computer program to implement the routing abnormality detection method according to any one of the second aspect.
  • a computer storage medium stores instructions; when the instructions are executed by a processor of a network device, the routing anomaly detection method according to any one of the first aspect is implemented; when the instructions are executed by the processor of the analysis device, the routing abnormality detection method according to any one of the second aspect is implemented.
  • in a ninth aspect, a chip includes a programmable logic circuit and/or program instructions.
  • the method in the first aspect and its embodiments or the method in the second aspect and its embodiments is implemented when the chip is running.
  • after receiving the BGP routing information, the network device determines the BGP routing feature corresponding to the BGP routing information, and sends the BGP routing feature and/or routing anomaly detection result to the analysis device. Because the BGP routing feature and the routing anomaly detection result have a smaller amount of data than the BGP update message, the amount of data transmission between the network device and the analysis device is reduced, thereby reducing the network overhead. In addition, performing feature extraction and/or routing abnormality detection on the BGP update message on the network device side reduces the calculation amount of the analysis device and saves the calculation resources of the analysis device.
  • the network device generates the routing anomaly detection result according to the BGP routing characteristics, and then sends the routing anomaly detection result to the analysis device, which can further reduce the calculation amount of the analysis device.
  • by outputting the routing abnormality type of the BGP update message, the analysis device makes it available for viewing by the operation and maintenance personnel, so that the operation and maintenance personnel can quickly determine and maintain the abnormal routing event in the communication network, thereby ensuring the operational safety and reliability of the communication network.
  • FIG. 1 is a schematic structural diagram of a routing anomaly detection system provided by an embodiment of the present application
  • FIG. 2 is a schematic flowchart of a routing anomaly detection method provided by an embodiment of the present application
  • FIG. 3 is a flowchart of a method for network equipment to determine BGP routing characteristics according to an embodiment of the present application
  • FIG. 4 is a schematic structural diagram of a routing anomaly detection device provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a routing anomaly detection device provided by another embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of another routing abnormality detection device provided by another embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of yet another routing anomaly detection device provided by another embodiment of the present application.
  • Fig. 8 is a block diagram of a routing anomaly detection device provided by an embodiment of the present application.
  • Fig. 1 is a schematic structural diagram of a routing anomaly detection system provided by an embodiment of the present application.
  • the system includes an analysis device 101 and network devices 102a-102f (collectively referred to as network devices 102) in a communication network.
  • the network device 102a belongs to AS1
  • the network device 102b and the network device 102c belong to AS2
  • the network device 102d belongs to AS3
  • the network device 102e belongs to AS4
  • the network device 102f belongs to AS5.
  • the number of network devices and the division method of ASs in FIG. 1 are only for illustration, and not as a limitation on the communication network provided in the embodiment of the present application.
  • the analysis device 101 may be a server, or a server cluster composed of several servers, or a cloud computing service center.
  • the network device 102 may be a router, a switch, or the like.
  • the analysis device 101 and the network device 102 are connected through a wired network or a wireless network.
  • All network devices in the same AS are connected to each other, run the same routing protocol, and are assigned the same autonomous system number.
  • the link between ASs uses an external routing protocol.
  • the communication network provided in the embodiment of the present application can run BGP, and the routes between ASs can be reached through BGP.
  • the communication network running BGP can also be referred to as a BGP network.
  • the communication network may be a data center network (DCN), a metropolitan area network, a wide area network, a campus network, a virtual local area network (VLAN), or a virtual extended local area network (VXLAN), etc.
  • DCN data center network
  • VLAN virtual local area network
  • VXLAN virtual extended local area network
  • the embodiments of this application do not limit the type of communication network.
  • FIG. 2 is a schematic flowchart of a method for detecting routing anomaly according to an embodiment of the present application. This method can be applied to the routing anomaly detection system shown in Figure 1. As shown in Figure 2, the method includes:
  • Step 201 The analysis device sends one or more of network-level BGP information, routing anomaly detection model, and message analysis configuration parameters to the network device.
  • the network-level BGP information includes an AS centrality list and/or an AS identification list.
  • the AS centrality list includes the centrality of each AS in the network.
  • the centrality of an AS is used to reflect the importance of the AS in the communication network. The greater the centrality of the AS, the more important the position of the AS in the communication network.
  • the AS identifier list includes the identifier of the operator AS.
  • the AS identification list includes the AS identification list of the Tier1 operator and/or the AS identification list of the Tier2 operator.
  • Tier1 and Tier2 are data center infrastructure tiered certification standards defined in the data center telecommunication infrastructure standard (Telecommunications Infrastructure Standard for Data Centers), and are not described further in this embodiment of the application.
  • Table 1 shows an AS centrality list
  • the AS centrality list includes the centralities of AS1-AS5 in the routing anomaly detection system shown in FIG. 1.
  • the AS identifier may be an AS number (ASN), which is usually a globally unique 16-digit number.
  • the routing anomaly detection model is used to output routing anomaly detection results based on the input BGP routing characteristics.
  • the routing anomaly detection model is generated based on a decision tree algorithm, a gradient boosting decision tree (Gradient Boosting Decision Tree, GBDT) algorithm, and/or an extreme gradient boosting (eXtreme Gradient Boosting, XGBoost) algorithm.
  • the analysis device uses a decision tree algorithm to generate a routing anomaly detection model.
  • a decision tree is a tree structure, such as a binary tree or a non-binary tree, where each non-leaf node represents a test on a feature attribute, and each branch represents the test output of a feature attribute on a certain value range.
  • Each leaf node stores a category.
  • the process of using a decision tree to make a decision includes: starting from the root node, testing the corresponding feature attributes in the items to be classified, and selecting the output branch according to its value until reaching the leaf node, and using the category stored in the leaf node as the decision result.
  • the items to be classified in the decision tree used to generate the routing anomaly detection model include BGP routing characteristics.
  • the decision tree may include four leaf nodes, and the categories stored in the four leaf nodes are route normal, route leakage, route hijacking, and route forgery.
  • the routing anomaly detection model can output four possible routing anomaly detection results according to the input BGP routing characteristics, including normal routing, routing leakage, routing hijacking, or routing forgery. Among them, route hijacking can also be called prefix hijacking.
  • the decision tree may also include two leaf nodes, and the categories stored in the two leaf nodes are normal routing and abnormal routing. Then the routing anomaly detection model can output two possible routing anomaly detection results according to the input BGP routing characteristics, including normal routing or abnormal routing.
  • the message analysis configuration parameters include the size of the BGP update message analysis window.
  • the size of the BGP update message analysis window is a positive integer.
  • the size of the BGP update message analysis window may be 5.
  • the analysis device periodically sends one or more of network-level BGP information, routing anomaly detection model, and message analysis configuration parameters to the network device. Or, when the network-level BGP information is updated, the analysis device sends the updated network-level BGP information to the network device; when the routing anomaly detection model is updated, the analysis device sends the updated routing anomaly detection model to the network device; when the message analysis configuration parameters are updated, the analysis device sends the updated message analysis configuration parameters to the network device.
  • Step 202 The network device receives the BGP update message.
  • BGP update messages are used to advertise routes.
  • the BGP update message includes the IP prefix announced by the target source AS that publishes the BGP update message, and the AS path from the target source AS to the AS where the network device is located.
  • the IP prefix announced by the source AS is usually the network segment address.
  • the network device is the network device 102f belonging to AS5, the target source AS is AS1, and the IP prefix announced by AS1 is 1.1.1.0/24. After the BGP update message issued by AS1 passes through AS2, AS3, and AS4 in turn, it reaches the network device 102f in AS5.
  • the IP prefix carried in the BGP update message received by the network device 102f is 1.1.1.0/24, and the AS path is: AS1-AS2-AS3-AS4-AS5.
  • the BGP update message may be stored in the network device so as to be used for subsequent routing anomaly detection.
  • the network device can store up to M historical BGP update messages. For example, a queue of length M can be used to store historical BGP update messages. M is a positive integer greater than 1; for example, the value of M can be 100, which can avoid occupying too much memory resources.
  • when the network device receives a new BGP update message, it can delete the oldest historical BGP update message that has been stored, and store the new BGP update message.
  • Step 203 The network device determines the BGP routing feature corresponding to the BGP update message.
  • FIG. 3 is a flowchart of a method for a network device to determine BGP routing characteristics according to an embodiment of the present application. As shown in Figure 3, the method includes the following steps 2031 to 2034:
  • Step 2031 The network device obtains the target routing prefix and the target AS path according to the BGP update message.
  • the target routing prefix is the IP prefix announced by the target source AS that advertises the BGP update message
  • the target AS path is the AS path from the target source AS to the AS where the network device is located.
  • the foregoing target routing prefix is 1.1.1.0/24
  • the target AS path is: AS1-AS2-AS3-AS4-AS5.
  • Step 2032 The network device obtains the historical BGP update message carrying the target routing prefix.
  • the network device obtains one or more historical BGP update messages that carry the target route prefix from the historical BGP update messages stored by the network device.
  • the number of historical BGP update messages carrying the target route prefix obtained by the network device can be determined according to the message analysis configuration parameters sent by the analysis device. For example, if the size of the BGP update message analysis window in the message analysis configuration parameter is 5, the network device obtains 5 Historical BGP update messages that carry the target route prefix. Alternatively, the network device may also obtain all historical BGP update messages stored in the network device that carry the target route prefix. The embodiment of the present application does not limit the number of historical BGP update messages that the network device obtains and carries the target routing prefix.
  • the network device obtains five historical BGP update messages carrying an IP prefix of 1.1.1.0/24.
  • the AS paths carried in the 5 historical BGP update messages are: AS1-AS2-AS3-AS5, AS1-AS2-AS3-AS4-AS5, AS2-AS3-AS4-AS5, AS1-AS2-AS4-AS5 and AS2-AS3-AS5.
  • Step 2033 The network device obtains the historical AS path according to the historical BGP update message.
  • the historical BGP update message includes the historical AS path from the source AS to the AS where the network device is located.
  • the network device obtains the historical AS path carried in the historical BGP update message.
  • the historical AS path and the aforementioned target AS path may be referred to as the same prefix AS path.
  • the network device obtains 5 historical AS paths respectively according to 5 historical BGP update messages carrying the IP prefix of 1.1.1.0/24, including: AS1-AS2-AS3-AS5, AS1-AS2-AS3-AS4-AS5, AS2-AS3-AS4-AS5, AS1-AS2-AS4-AS5 and AS2-AS3-AS5.
  • Step 2034 The network device determines the BGP routing characteristics according to the target AS path and the historical AS path.
  • BGP routing features include one or more of the following: path similarity between the target AS path and the historical AS path, hegemonic similarity between the target AS path and the historical AS path, the rarity of the AS on the target AS path, the rarity of the target AS path, the number of source ASs that are different from the target source AS on the historical AS path, the occurrence probability of the target source AS, and the stability of the target source AS.
  • the hegemonic similarity between the target AS path and the historical AS path is determined based on the centrality of each AS on the target AS path and the centrality of each AS on the historical AS path.
  • the rarity of an AS is equal to the ratio of the number of occurrences of the AS in the historical AS path to the number of historical AS paths.
  • the rarity of the target AS path is equal to the rarity of the target AS, where the target AS is the AS with the least rarity on the target AS path.
  • the occurrence probability value of the target source AS is equal to the ratio of the number of occurrences of the target source AS in the historical AS path to the number of historical AS paths.
  • the stability of the target source AS is negatively correlated with the number of source ASs that are different from the target source AS on the historical AS path, and is negatively correlated with the number of neighbor ASs of the AS where the network device is located on the historical AS path that are different from the neighbor AS of the AS where the network device is located on the target AS path.
  • the path similarity between the target AS path and the historical AS path is mainly used to determine whether route leakage occurs.
  • the number of source ASs that are different from the target source AS on the historical AS path, the occurrence probability of the target source AS, and the stability of the target source AS are mainly used to determine whether route hijacking occurs.
  • the BGP routing feature may also include other related features that can reflect route leakage, route hijacking, and/or route forgery, which is not limited in the embodiment of the present application.
  • the BGP routing feature includes the path similarity between the target AS path and the historical AS path.
  • the network device may separately calculate the path similarity between the target AS path and each acquired historical AS path (same prefix), or the network device may calculate the path similarity between the target AS path and the last acquired historical AS path (same prefix).
  • Both the target AS path and the historical AS path can be represented by path vectors.
  • the path vector of the target AS path can be expressed as [AS1, AS2, AS3, AS4, AS5]
  • the path vector of the historical AS path AS2-AS3-AS5 can be expressed as [AS2, AS3, AS5]
  • the similarity between the path vector of the target AS path and the path vector of the historical AS path is taken as the path similarity between the target AS path and the historical AS path.
  • the BGP routing characteristics include the hegemonic similarity between the target AS path and the historical AS path.
  • the network device may separately calculate the hegemonic similarity between the target AS path and each acquired historical AS path (same prefix), or the network device may calculate the hegemonic similarity between the target AS path and the last acquired historical AS path (same prefix).
  • the implementation process of step 2034 includes step S11 to step S13:
  • In step S11, the network device obtains a first centrality vector corresponding to the target AS path, where the first centrality vector includes the centrality of each AS on the target AS path.
  • the network device obtains the centrality of each AS on the target AS path from the AS centrality list sent by the analysis device according to the identification of each AS on the target AS path, and generates the first centrality vector.
  • the network device can obtain the centrality of AS1 on the target AS path as 0.1, the centrality of AS2 as 0.3, the centrality of AS3 as 0.4, and the centrality of AS4 as 0.2, the centrality of AS5 is 0.1, and the first centrality vector corresponding to the target AS path can be expressed as [0.1, 0.3, 0.4, 0.2, 0.1].
  • In step S12, the network device obtains a second centrality vector corresponding to the historical AS path, where the second centrality vector includes the centrality of each AS on the historical AS path.
  • the network device obtains the centrality of each AS on the historical AS path from the AS centrality list sent by the analysis device according to the identifier of each AS on the historical AS path, and generates the second centrality vector.
  • for the historical AS path AS2-AS3-AS5, the network device can obtain that the centrality of AS2 is 0.3, the centrality of AS3 is 0.4, and the centrality of AS5 is 0.1, so the second centrality vector corresponding to the historical AS path can be expressed as [0.3, 0.4, 0.1].
  • In step S13, the network device uses the similarity between the first centrality vector and the second centrality vector as the hegemonic similarity between the target AS path and the historical AS path.
  • the hegemonic similarity between the target AS path and the historical AS path AS2-AS3-AS5 is the similarity between the first centrality vector [0.1, 0.3, 0.4, 0.2, 0.1] and the second centrality vector [0.3, 0.4, 0.1].
  • BGP routing characteristics include the rarity of ASs on the target AS path.
  • the implementation process of step 2034 includes: the network device performs a rarity calculation process on the AS on the target AS path.
  • the rarity calculation process includes: the network device determines the number of occurrences of the AS on the target AS path in the historical AS path; the network device takes the ratio of the number of occurrences to the number of historical AS paths as the rarity of the AS.
  • the network device obtains a total of 5 historical BGP update messages.
  • the rarity of AS1 on the target AS path is equal to 3/5; the rarity of AS2 on the target AS path is equal to 1; the rarity of AS3 on the target AS path is equal to 4/5; the rarity of AS4 on the target AS path is equal to 3/5; the rarity of AS5 on the target AS path is equal to 1.
  • the network device may execute the rarity calculation process on all the ASs on the target AS path except the operator AS. That is, the network device does not need to calculate the rarity of the operator AS in the target AS path.
  • the network device may set the rarity of the operator AS to 1.
  • the BGP routing characteristics include the rarity of the target AS path.
  • the implementation process of step 2034 includes: the network device regards the rarity of the target AS as the rarity of the target AS path, and the target AS is the AS with the least rarity on the target AS path.
  • the network device first calculates the rarity of each AS on the target AS path, and then uses the rarity of the target AS with the smallest rarity as the rarity of the target AS path.
  • For the calculation method of the rarity of each AS on the target AS path, reference may be made to the above-mentioned third implementation method, which will not be repeated in this embodiment of the application.
  • the rarity of the target AS path is equal to 3/5.
  • the BGP routing characteristics include the number of source ASs that are different from the target source AS on the historical AS path.
  • the network device obtains a total of 5 historical AS paths.
  • the source AS of the 5 historical AS paths are AS1, AS1, AS2, AS1, and AS2, and the target source AS is AS1.
  • the source ASs on the 5 historical AS paths that are different from the target source AS only include AS2, so the number of source ASs that differ from the target source AS on the historical AS path is 1.
  • the BGP routing feature includes the occurrence probability value of the target source AS.
  • the implementation process of step 2034 includes: the network device determines the number of occurrences of the target source AS in the historical AS path; the network device uses the ratio of the number of occurrences to the number of historical AS paths as the occurrence probability value of the target source AS.
  • the network device obtains a total of 5 historical AS paths.
  • the number of occurrences of the target source AS in the 5 historical AS paths is 3, so the occurrence probability value of the target source AS is equal to 3/5.
  • BGP routing features include the stability of the target source AS.
  • the implementation process of step 2034 includes: the network device obtains the number of source ASs on the historical AS path that are different from the target source AS (abbreviated as: the first number); the network device obtains the number of neighbor ASs of the AS where the network device is located on the historical AS path that are different from the neighbor AS of the AS where the network device is located on the target AS path (abbreviated as: the second number); the network device determines the stability of the target source AS according to the first number and the second number.
  • the neighbor AS of the AS where the network device is located on an AS path refers to the AS immediately preceding the AS where the network device is located on that AS path.
  • the network device obtains a total of 5 historical AS paths, the AS where the network device is located is AS5, and the neighbor ASs of the AS where the network device is located on the 5 historical AS paths are AS3, AS4, AS4, AS4, and AS3 respectively. The neighbor AS of the AS where the network device is located on the target AS path is AS4. The neighbor ASs on the 5 historical AS paths that are different from the neighbor AS on the target AS path only include AS3, so the second number mentioned above is 1.
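The ratio and count features of step 2034, applied to the page's own example (prefix 1.1.1.0/24, target path AS1-AS2-AS3-AS4-AS5, five historical paths), as an added Python example that is not part of the patent text. Function names, the two stored updates marked as constructed, and counting an AS once per historical path are assumptions; the page fixes no similarity measure and no stability formula, so the code stops at the centrality vectors and the first and second numbers.

```python
from fractions import Fraction


def parse_path(text):
    """'AS1-AS2-AS5' -> ['AS1', 'AS2', 'AS5'].

    Order follows the page: source AS first, the network device's AS last.
    """
    return [hop.strip() for hop in text.split("-") if hop.strip()]


def select_history(stored, prefix, window=None):
    """Step 2032: historical AS paths for `prefix`, newest `window` entries only.

    `stored` is ordered oldest to newest; window=None keeps every match.
    """
    paths = [parse_path(p) for pfx, p in stored if pfx == prefix]
    return paths if window is None else paths[-window:]


def centrality_vector(path, centrality):
    """Steps S11/S12: centrality of each AS in path order.

    Raises KeyError when an AS is missing from the centrality list.
    """
    return [centrality[asn] for asn in path]


def extract_features(target, history, operator_as=frozenset()):
    """Step 2034 features that the page defines as a ratio or a count."""
    if not target or not history:
        raise ValueError("need a target AS path and at least one historical AS path")
    total = len(history)

    # Rarity of an AS: share of historical paths that contain it.
    # An AS repeated inside one path counts once (assumption).
    # Operator ASs are not evaluated and get rarity 1.
    rarity = {}
    for asn in dict.fromkeys(target):  # de-duplicate, keep path order
        if asn in operator_as:
            rarity[asn] = Fraction(1)
        else:
            rarity[asn] = Fraction(sum(asn in p for p in history), total)

    source = target[0]
    neighbor = target[-2] if len(target) > 1 else None

    # First number: distinct historical source ASs other than the target source AS.
    other_sources = {p[0] for p in history if p} - {source}
    # Second number: distinct historical neighbor ASs other than the target neighbor.
    other_neighbors = {p[-2] for p in history if len(p) > 1} - {neighbor}
    # Occurrence probability: counted as paths whose source is the target
    # source AS (assumption; the page's example gives 3/5 either way).
    as_source = sum(1 for p in history if p and p[0] == source)

    return {
        "as_rarity": rarity,
        "path_rarity": min(rarity.values()),
        "other_source_count": len(other_sources),
        "source_probability": Fraction(as_source, total),
        "other_neighbor_count": len(other_neighbors),
    }


# Stored updates, oldest first. The five 1.1.1.0/24 paths marked "page" are the
# page's example; the other two entries are constructed to exercise the window
# and the prefix filter.
STORED = [
    ("1.1.1.0/24", "AS9-AS3-AS5"),          # constructed, falls outside window
    ("1.1.1.0/24", "AS1-AS2-AS3-AS5"),      # page
    ("1.1.1.0/24", "AS1-AS2-AS3-AS4-AS5"),  # page
    ("192.0.2.0/24", "AS7-AS4-AS5"),        # constructed, other prefix
    ("1.1.1.0/24", "AS2-AS3-AS4-AS5"),      # page
    ("1.1.1.0/24", "AS1-AS2-AS4-AS5"),      # page
    ("1.1.1.0/24", "AS2-AS3-AS5"),          # page
]
# Centrality values from the page's example of step S11.
CENTRALITY = {"AS1": 0.1, "AS2": 0.3, "AS3": 0.4, "AS4": 0.2, "AS5": 0.1}
TARGET = parse_path("AS1-AS2-AS3-AS4-AS5")

if __name__ == "__main__":
    history = select_history(STORED, "1.1.1.0/24", window=5)
    for name, value in extract_features(TARGET, history).items():
        print(name, value)
    print("first centrality vector", centrality_vector(TARGET, CENTRALITY))
    print("second centrality vector", centrality_vector(history[-1], CENTRALITY))
```
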
  • Step 204 The network device sends target routing information to the analysis device.
  • the target routing information includes BGP routing characteristics and/or routing anomaly detection results.
  • the route anomaly detection result is obtained based on BGP routing characteristics, and the route anomaly detection result is used to indicate whether the BGP update message is normal or abnormal.
  • the routing anomaly detection result may be represented by an identification value. For example, when the route anomaly detection result is 0, it means that the BGP update message is normal; when the route anomaly detection result is 1, it means that the BGP update message is abnormal.
  • the routing abnormality detection result can also be represented by other numbers, letters, or character strings, which is not limited in the embodiment of the present application.
  • After receiving the BGP routing information, the network device determines the BGP routing feature corresponding to the BGP routing information, and sends the BGP routing feature and/or the routing anomaly detection result to the analysis device. Because the BGP routing feature and the routing anomaly detection result have a smaller amount of data than the BGP update message, the amount of data transmission between the network device and the analysis device is reduced, thereby reducing the network overhead.
  • performing feature extraction and/or routing abnormality detection on the BGP update message on the network device side reduces the calculation amount of the analysis device and saves the calculation resources of the analysis device.
  • the route anomaly detection result is also used to indicate the route anomaly type of the BGP update message.
  • the route anomaly type includes one or more of route leakage, route hijacking, and route forgery.
  • the abnormality type may also be other abnormality types, which are not limited in the embodiment of the present application.
  • For example, when the route anomaly detection result is 1, it means the BGP update message is abnormal, and the route anomaly type is route leakage; when the route anomaly detection result is 2, it means the BGP update message is abnormal, and the route anomaly type is route hijacking; when the routing anomaly detection result is 3, it means the BGP update message is abnormal, and the routing anomaly type is route forgery; when the routing anomaly detection result is 4, it means the BGP update message is abnormal, and the routing anomaly type is route leakage and route hijacking; etc.
  • When the target routing information sent by the network device to the analysis device includes the route anomaly detection result, after determining the BGP routing feature corresponding to the BGP update message, the network device needs to first determine the routing anomaly detection result according to the BGP routing feature.
  • The network device can determine whether the BGP update message has route leakage based on the path similarity between the target AS path and the historical AS path, the hegemonic similarity between the target AS path and the historical AS path, the rarity of the AS on the target AS path, and/or the rarity of the target AS path; the network device can also determine whether the BGP update message has route hijacking according to the number of source ASs that are different from the target source AS on the historical AS path, the occurrence probability of the target source AS, and/or the stability of the target source AS.
  • the network device determines that the BGP update message is abnormal, and the route abnormality type of the BGP update message is route leakage.
  • the network device determines that the BGP update message is abnormal, and the route abnormality type of the BGP update message is route hijacking.
  • the network device adopts a decision tree algorithm, a GBDT algorithm, and/or an XGBoost algorithm to determine the routing anomaly detection result according to the above-mentioned BGP routing characteristics.
  • the process in which the network device generates routing anomaly detection results according to the BGP routing feature includes: the network device inputs the BGP routing feature to the routing anomaly detection model to obtain the routing anomaly detection result output by the routing anomaly detection model.
  • the network device generates the routing anomaly detection result according to the BGP routing characteristics, and then sends the routing anomaly detection result to the analysis device, which can further reduce the calculation amount of the analysis device.
  • the routing anomaly detection result also includes the IP prefix carried in the BGP update message.
  • Step 205 The analysis device performs abnormal analysis on the BGP update message according to the target routing information.
  • the implementation process of step 205 includes: the analysis device determines the routing abnormality detection result according to the BGP routing feature; the analysis device performs abnormal analysis on the BGP update message according to the routing abnormality detection result.
  • the implementation process of the analysis device determining the route anomaly detection result according to the BGP routing feature can refer to the implementation process of the network device determining the routing anomaly detection result according to the BGP routing feature in step 204, which will not be repeated in this embodiment of the application.
  • the analysis device determines whether the target source AS has normally advertised the target route prefix based on the BGP database. If the target source AS has advertised the target routing prefix normally, the analysis device determines that the BGP update message is normal; if the target source AS has not advertised the target routing prefix normally, the analysis device determines that the BGP update message is abnormal, and the routing exception type is route hijacking .
  • the BGP database of the analysis device includes one or more of an AS centrality list, an AS identification list, and received historical target routing information.
  • When the routing abnormality detection result indicates that the BGP update message is abnormal, the analysis device can also perform fault location based on the BGP database and the target routing information.
  • Step 206 When the analysis device determines that the BGP update message is abnormal, the analysis device outputs the route abnormality type of the BGP update message.
  • When the analysis device determines that the BGP update message is abnormal, the analysis device outputs the routing exception type of the BGP update message to the operations support system (OSS) or other terminal devices connected to the analysis device, for display by the OSS or terminal device.
  • the analysis device can also directly display the routing exception type of the BGP update message on its display interface.
  • The analysis device outputs the route abnormality type of the BGP update message for the operation and maintenance personnel to view, so that the operation and maintenance personnel can quickly identify and handle the abnormal routing event in the communication network, thereby ensuring the operational safety and reliability of the communication network.
  • step 201 may not be executed. Any person familiar with the technical field can easily think of a method of change within the technical scope disclosed in this application, which should be covered by the protection scope of this application, and therefore will not be repeated.
  • After receiving the BGP routing information, the network device determines the BGP routing characteristics corresponding to the BGP routing information, and sends the BGP routing characteristics and/or routing anomaly detection results to the analysis device.
  • the data volume of BGP routing characteristics and routing anomaly detection results is smaller, which reduces the amount of data transmission between network equipment and analysis equipment, thereby reducing network overhead.
  • performing feature extraction and/or routing abnormality detection on the BGP update message on the network device side reduces the calculation amount of the analysis device and saves the calculation resources of the analysis device.
  • the network device generates the routing anomaly detection result according to the BGP routing characteristics, and then sends the routing anomaly detection result to the analysis device, which can further reduce the calculation amount of the analysis device.
  • The analysis device outputs the route abnormality type of the BGP update message for the operation and maintenance personnel to view, so that the operation and maintenance personnel can quickly identify and handle the abnormal routing event in the communication network, thereby ensuring the operational safety and reliability of the communication network.
  • Fig. 4 is a schematic structural diagram of a routing abnormality detection device provided by an embodiment of the present application.
  • the device can be applied to the network equipment 102 in the routing anomaly detection system shown in FIG. 1.
  • the device 40 includes:
  • the receiving module 401 is used to receive BGP update messages.
  • the processing module 402 is used to determine the BGP routing feature corresponding to the BGP update message.
  • the sending module 403 is used to send target routing information to the analysis device.
  • the target routing information includes BGP routing features and/or routing anomaly detection results.
  • the routing anomaly detection results are obtained based on the BGP routing features, and the routing anomaly detection results are used to indicate whether the BGP update message is normal or abnormal.
  • After receiving the BGP routing information through the receiving module, the network device determines the BGP routing characteristics corresponding to the BGP routing information through the processing module, and sends the BGP routing characteristics and/or routing anomaly detection results to the analysis device through the sending module.
  • Compared with BGP update messages, BGP routing characteristics and routing anomaly detection results have a smaller amount of data, which reduces the amount of data transmission between network equipment and analysis equipment, thereby reducing network overhead.
  • performing feature extraction and/or routing abnormality detection on the BGP update message on the network device side reduces the calculation amount of the analysis device and saves the calculation resources of the analysis device.
  • a processing module for:
  • the target routing prefix is the Internet Protocol IP prefix announced by the target source AS that advertises the BGP update message.
  • the target AS path is the AS path from the target source AS to the AS where the network device is located.
  • BGP routing features include one or more of the following:
  • the hegemonic similarity is determined based on the centrality of each AS on the target AS path and the centrality of each AS on the historical AS path;
  • the rarity of the AS on the AS path, the rarity of the AS is equal to the ratio of the number of AS occurrences in the historical AS path to the number of historical AS paths;
  • the rarity of the target AS path, where the rarity of the target AS path is equal to the rarity of the target AS, and the target AS is the AS with the least rarity on the target AS path;
  • the number of source ASs that are different from the target source AS on the historical AS path;
  • the occurrence probability value of the target source AS, where the occurrence probability value is equal to the ratio of the number of occurrences of the target source AS in the historical AS path to the number of historical AS paths;
  • the stability of the target source AS, where the stability is negatively correlated with the number of source ASs on the historical AS path that are different from the target source AS, and is negatively correlated with the number of neighbor ASs of the AS where the network device is located on the historical AS path that are different from the neighbor AS of the AS where the network device is located on the target AS path.
  • the BGP routing feature includes the hegemonic similarity between the target AS path and the historical AS path, and the processing module is configured to: obtain a first centrality vector corresponding to the target AS path, where the first centrality vector includes the centrality of each AS on the target AS path; obtain a second centrality vector corresponding to the historical AS path, where the second centrality vector includes the centrality of each AS on the historical AS path; and use the similarity between the first centrality vector and the second centrality vector as the hegemonic similarity.
  • the receiving module is also used to receive the AS centrality list sent by the analysis device, and the centrality list includes the centrality of each AS in the network; the processing module is also used to obtain, according to the identification of each AS on the target AS path, the centrality of each AS on the target AS path from the AS centrality list to generate the first centrality vector; the processing module is also used to obtain, according to the identification of each AS on the historical AS path, the centrality of each AS on the historical AS path from the AS centrality list to generate the second centrality vector.
  • the BGP routing feature includes the rarity of the AS on the target AS path; the receiving module is also used to receive the AS identification list sent by the analysis device, and the AS identification list includes the operator's AS identification; the processing module is also used to determine the rarity of other ASs on the target AS path except for the operator AS.
  • the rarity of the AS on the target AS path is equal to the ratio of the number of AS occurrences in the historical AS path to the number of historical AS paths.
  • the target routing information includes a routing anomaly detection result; the processing module is also used to determine the routing anomaly detection result according to the BGP routing characteristics.
  • the receiving module is also used to receive the routing anomaly detection model sent by the analysis device; the processing module is also used to input BGP routing features to the routing anomaly detection model to obtain the routing anomaly detection result output by the routing anomaly detection model.
  • the route anomaly detection result is also used to indicate the route abnormality type of the BGP update message.
  • the route abnormality type includes one or more of route leakage, route hijacking, or route forgery.
  • After receiving the BGP routing information through the receiving module, the network device determines the BGP routing characteristics corresponding to the BGP routing information through the processing module, and sends the BGP routing characteristics and/or routing anomaly detection results to the analysis device through the sending module.
  • BGP routing characteristics and routing anomaly detection results have a smaller amount of data, which reduces the amount of data transmission between network equipment and analysis equipment, thereby reducing network overhead.
  • performing feature extraction and/or routing abnormality detection on the BGP update message on the network device side reduces the calculation amount of the analysis device and saves the calculation resources of the analysis device.
  • the network device generates the routing anomaly detection result according to the BGP routing characteristics, and then sends the routing anomaly detection result to the analysis device, which can further reduce the calculation amount of the analysis device.
  • Fig. 5 is a schematic structural diagram of a routing abnormality detection device provided by another embodiment of the present application. This device can be applied to the analysis device 101 in the routing anomaly detection system shown in FIG. 1. As shown in Fig. 5, the device 50 includes:
  • the receiving module 501 is configured to receive target routing information sent by a network device.
  • the target routing information includes BGP routing characteristics and/or routing anomaly detection results corresponding to BGP update messages received by the network device.
  • the routing anomaly detection results are obtained based on the BGP routing characteristics, and the route anomaly detection result is used to indicate whether the BGP update message is normal or abnormal.
  • the processing module 502 is configured to perform abnormal analysis on the BGP update message according to the target routing information.
  • After receiving the target routing information sent by the network device through the receiving module, the analysis device performs anomaly analysis on the BGP update message according to the target routing information through the processing module.
  • the data volume of the BGP routing feature and/or the abnormal routing detection result in the target routing information is smaller, so the data transmission volume between the network device and the analysis device is reduced, thereby reducing the network overhead.
  • performing feature extraction and/or routing abnormality detection on the BGP update message on the network device side reduces the calculation amount of the analysis device and saves the calculation resources of the analysis device.
  • the processing module is further configured to: determine the routing anomaly detection result according to the BGP routing characteristics; and perform an abnormal analysis on the BGP update message according to the routing anomaly detection result.
  • the apparatus 50 further includes:
  • the output module 503 is used for outputting the abnormal routing type of the BGP update message when the analysis device determines that the BGP update message is abnormal.
  • the route abnormality type includes one or more of route leakage, route hijacking, or route forgery.
  • the apparatus 50 further includes:
  • the sending module 504 is used to send one or more of network-level BGP information, routing anomaly detection model, and message analysis configuration parameters to the network device.
  • the network-level BGP information includes an AS centrality list and/or an AS identification list; the AS centrality list includes the centrality of each AS in the network; the AS identification list includes the operator's AS identification; the routing anomaly detection model is used to output routing anomaly detection results based on the input BGP routing characteristics; the message analysis configuration parameters include the size of the BGP update message analysis window.
  • After receiving the target routing information sent by the network device through the receiving module, the analysis device performs anomaly analysis on the BGP update message according to the target routing information through the processing module.
  • the data volume of the BGP routing feature and/or the abnormal routing detection result in the target routing information is smaller, so the data transmission volume between the network device and the analysis device is reduced, thereby reducing the network overhead.
  • performing feature extraction and/or routing abnormality detection on the BGP update message on the network device side reduces the calculation amount of the analysis device and saves the calculation resources of the analysis device.
  • The analysis device outputs the route abnormality type of the BGP update message for the operation and maintenance personnel to view, so that the operation and maintenance personnel can quickly identify and handle the abnormal routing event in the communication network, thereby ensuring the operational safety and reliability of the communication network.
  • the embodiment of the present application also provides a routing anomaly detection system, including: network equipment and analysis equipment.
  • the network equipment includes the routing anomaly detection device as shown in FIG. 4, and the analysis equipment includes the routing anomaly detection device as shown in any one of FIGS. 5 to 7.
  • the embodiment of the present application provides a network device, including: a processor and a memory;
  • the memory is used to store a computer program, and the computer program includes program instructions
  • the processor is configured to call the computer program to implement the steps executed by the network device in the above method embodiment.
  • the embodiment of the present application provides an analysis device, including: a processor and a memory;
  • the memory is used to store a computer program, and the computer program includes program instructions
  • the processor is configured to call the computer program to implement the steps executed by the analysis device in the foregoing method embodiment.
  • FIG. 8 is a block diagram of a routing abnormality detection device provided by an embodiment of the present application.
  • the routing abnormality detection device may be a network device or an analysis device.
  • the device 80 includes: a processor 801 and a memory 802.
  • the memory 802 is configured to store a computer program, where the computer program includes program instructions
  • the processor 801 is configured to call the computer program to implement the steps performed by the network device or the steps performed by the analysis device in the foregoing method embodiments.
  • the device 80 further includes a communication bus 803 and a communication interface 804.
  • the processor 801 includes one or more processing cores, and the processor 801 executes various functional applications and data processing by running a computer program.
  • the memory 802 can be used to store computer programs.
  • the memory may store an operating system and at least one application program unit required by the function.
  • the operating system can be a real-time operating system (Real Time eXecutive, RTX), LINUX, UNIX, WINDOWS, or OS X.
  • the communication interface 804 is used to communicate with other storage devices or network devices.
  • the communication interface 804 of the network device may be used to communicate with the analysis device.
  • the communication network may be a software defined network (SDN) or a virtual extensible local area network (VXLAN), etc.
  • the network device can be a switch or router.
  • the analysis device can be a server or cloud service.
  • the memory 802 and the communication interface 804 are respectively connected to the processor 801 through a communication bus 803.
  • the embodiment of the present application also provides a computer storage medium with instructions stored on the computer storage medium.
  • when the instructions are executed by the processor of the network device, the steps performed by the network device in the above method embodiment are implemented;
  • when the instructions are executed by the processor of the analysis device, the steps executed by the analysis device in the foregoing method embodiment are implemented.
  • the program can be stored in a computer-readable storage medium.
  • the storage medium mentioned can be a read-only memory, a magnetic disk or an optical disk, etc.


Abstract

The present application relates to the field of network technologies, and provides a routing abnormity detection method, apparatus and system, and a computer storage medium. After receiving a BGP update message, a network device determines a BGP routing feature corresponding to the BGP update message. Then the network device sends target routing information to an analysis device. The target routing information comprises the BGP routing feature and/or the routing abnormity detection result. The routing abnormity detection result is obtained based on the BGP routing feature, and the routing abnormity detection result is used for indicating that the BGP update message is normal or abnormal. Compared with BGP update message, the BGP routing feature and the routing abnormity detection result are smaller in data volume, and therefore, the data transmission amount between the network device and the analysis device is reduced, thereby reducing network overhead.

Description

Routing anomaly detection method, device and system, and computer storage medium
This application claims priority to Chinese patent application No. 202010069782.X, filed on January 21, 2020 and entitled "Routing anomaly detection method, device and system, and computer storage medium", which is incorporated herein by reference in its entirety.
Technical field
This application relates to the field of network technologies, and in particular to a routing anomaly detection method, device and system, and a computer storage medium.
Background
With the rapid development of the Internet, the number of autonomous system (AS) nodes in Border Gateway Protocol (BGP) networks keeps growing and network topologies become increasingly complex, so abnormal events occur frequently in BGP networks. Common abnormal events in a BGP network include route hijacking and route leaks. Route hijacking, also called prefix hijacking, is a network attack in which an attacker illegitimately announces an Internet Protocol (IP) prefix, so that traffic destined for the original AS is redirected to the attacker's AS. A route leak is usually caused by a misconfiguration that makes the route forwarding policy violate the business relationships between ASs. For example, a customer AS mistakenly forwards a BGP update message from one provider AS to another provider AS, resulting in a route leak. The BGP update message is used to advertise routes.
Currently, anomaly detection on the routes running in a BGP network is usually performed in a cloud service. The routing database of the cloud service stores the global IP prefixes of the BGP network. The cloud service collects, stores and parses, in real time, the BGP update messages gathered by network devices in order to track the running status of routes and the state of IP prefixes in the BGP network, and performs routing anomaly detection based on the consensus of the routing database.
However, the cloud service currently needs to collect in real time the BGP update messages gathered by every network device in the BGP network; that is, whenever a network device receives a new BGP update message, it must send that message to the cloud service. The volume of data transmitted between the cloud service and the network devices is therefore large, which results in high network overhead.
Summary of the invention
This application provides a routing anomaly detection method, device and system, and a computer storage medium, which can solve the problem of high network overhead in current routing anomaly detection.
In a first aspect, a routing anomaly detection method is provided. The method includes: a network device receives a BGP update message. The network device determines the BGP routing feature corresponding to the BGP update message. The network device sends target routing information to an analysis device. The target routing information includes the BGP routing feature and/or a routing anomaly detection result. The routing anomaly detection result is obtained based on the BGP routing feature and indicates whether the BGP update message is normal or abnormal.
In this application, after receiving the BGP routing information, the network device determines the BGP routing feature corresponding to the BGP routing information and sends the BGP routing feature and/or the routing anomaly detection result to the analysis device. Because the BGP routing feature and the routing anomaly detection result are smaller in data volume than the BGP update message, the volume of data transmitted between the network device and the analysis device is reduced, which lowers the network overhead. In addition, performing feature extraction and/or routing anomaly detection on the BGP update message on the network device side reduces the computation load of the analysis device and saves its computing resources.
Optionally, the process in which the network device determines the BGP routing feature corresponding to the BGP update message includes: the network device obtains a target route prefix and a target AS path from the BGP update message, where the target route prefix is the IP prefix announced by the target source AS that issued the BGP update message, and the target AS path is the AS path from the target source AS to the AS where the network device is located. The network device obtains historical BGP update messages that carry the target route prefix. The network device obtains the historical AS path from the historical BGP update messages. The network device determines the BGP routing feature according to the target AS path and the historical AS path.
A BGP update message received by the network device includes the IP prefix announced by the source AS that issued the message and the AS path from that source AS to the AS where the network device is located. The network device can therefore obtain the target AS path from the received BGP update message and the historical AS path from the historical BGP update messages.
The network device may obtain one or more historical BGP update messages carrying the target route prefix from the historical BGP update messages it has stored. The number of such messages obtained may be determined according to the message analysis configuration parameters sent by the analysis device. Alternatively, the network device may obtain all stored historical BGP update messages that carry the target route prefix.
Optionally, the BGP routing feature includes one or more of the following:
The path similarity between the target AS path and the historical AS path; the hegemony similarity between the target AS path and the historical AS path, which is determined based on the centrality of each AS on the target AS path and the centrality of each AS on the historical AS path; the rarity of an AS on the target AS path, where the rarity of an AS equals the ratio of the number of times the AS occurs in the historical AS paths to the number of historical AS paths; the rarity of the target AS path, which equals the rarity of the target AS, the target AS being the AS with the smallest rarity on the target AS path; the number of source ASs on the historical AS paths that differ from the target source AS; the occurrence probability value of the target source AS, which equals the ratio of the number of times the target source AS occurs in the historical AS paths to the number of historical AS paths; and the stability of the target source AS, which is negatively correlated with the number of source ASs on the historical AS paths that differ from the target source AS, and negatively correlated with the number of neighbor ASs of the network device's AS on the historical AS paths that differ from the neighbor AS of the network device's AS on the target AS path. Here, the neighbor AS of the network device's AS on an AS path is the AS immediately preceding the network device's AS on that AS path.
The path similarity between the target AS path and the historical AS path, the hegemony similarity between the target AS path and the historical AS path, the rarity of an AS on the target AS path, and the rarity of the target AS path are mainly used to determine whether a route leak has occurred. The number of source ASs on the historical AS paths that differ from the target source AS, the occurrence probability value of the target source AS, and the stability of the target source AS are mainly used to determine whether route hijacking has occurred. The BGP routing feature may also include other features that reflect route leaks, route hijacking and/or route forgery, which is not limited in this application.
Optionally, the BGP routing feature includes the hegemony similarity between the target AS path and the historical AS path, and the process in which the network device determines the BGP routing feature according to the target AS path and the historical AS path includes:
The network device obtains a first centrality vector corresponding to the target AS path, where the first centrality vector includes the centrality of each AS on the target AS path; the network device obtains a second centrality vector corresponding to the historical AS path, where the second centrality vector includes the centrality of each AS on the historical AS path; and the network device uses the similarity between the first centrality vector and the second centrality vector as the hegemony similarity between the target AS path and the historical AS path.
Optionally, before the network device determines the BGP routing feature according to the target AS path and the historical AS path, the network device also receives an AS centrality list sent by the analysis device, where the AS centrality list includes the centrality of each AS in the network. The process in which the network device obtains the first centrality vector corresponding to the target AS path includes: the network device looks up, by the identifier of each AS on the target AS path, the centrality of each AS on the target AS path in the AS centrality list, and generates the first centrality vector. The process in which the network device obtains the second centrality vector corresponding to the historical AS path includes: the network device looks up, by the identifier of each AS on the historical AS path, the centrality of each AS on the historical AS path in the AS centrality list, and generates the second centrality vector.
Optionally, the BGP routing feature includes the rarity of an AS on the target AS path. Before the network device determines the BGP routing feature according to the target AS path and the historical AS path, the network device also receives an AS identifier list sent by the analysis device, where the AS identifier list includes the identifiers of operator ASs. The process in which the network device determines the BGP routing feature according to the target AS path and the historical AS path includes: the network device determines the rarity of the ASs on the target AS path other than the operator ASs, where the rarity of an AS on the target AS path equals the ratio of the number of times the AS occurs in the historical AS paths to the number of historical AS paths.
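The rarity and source-AS features defined above, computed for a target AS path against a window of historical AS paths for the same prefix (an added example, not code from the patent). Assumed here: paths are lists in BGP AS_PATH order with the source AS last, a prepended AS counts once per path, ties for the rarest AS go to the first one on the path, and all function names and sample ASNs are constructed for illustration.

```python
from typing import Dict, FrozenSet, Optional, Sequence

# Assumed layout: BGP AS_PATH order, i.e. the source (origin) AS is the last element.
ASPath = Sequence[int]


def origin_as(path: ASPath) -> int:
    """Return the source AS of a path; an empty path has none."""
    if not path:
        raise ValueError("empty AS path has no source AS")
    return path[-1]


def as_rarity(asn: int, history: Sequence[ASPath]) -> float:
    """Occurrences of `asn` in the historical paths / number of historical paths.

    Assumption: an AS is counted once per path, so AS-path prepending
    (the same ASN repeated) cannot push the ratio above 1.
    """
    return sum(1 for path in history if asn in path) / len(history)


def extract_features(
    target: ASPath,
    history: Sequence[ASPath],
    operator_ases: FrozenSet[int] = frozenset(),
) -> Optional[Dict[str, object]]:
    """Compute the rarity and source-AS features for one target AS path.

    Returns None when there is no history, because every ratio in the
    text is undefined without at least one historical AS path.
    """
    if not history:
        return None
    target_origin = origin_as(target)
    history_origins = [origin_as(path) for path in history]

    # Rarity of each AS on the target path, skipping operator ASs.
    rarity: Dict[int, float] = {}
    for asn in target:
        if asn not in operator_ases and asn not in rarity:
            rarity[asn] = as_rarity(asn, history)

    # Path rarity is the rarity of the AS with the smallest value.
    rarest = min(rarity, key=rarity.get) if rarity else None
    return {
        "as_rarity": rarity,
        "rarest_as": rarest,
        "path_rarity": rarity[rarest] if rarity else None,
        # Distinct historical source ASs that differ from the target source AS.
        "other_origin_count": len(set(history_origins) - {target_origin}),
        # Share of historical paths whose source AS is the target source AS.
        "origin_probability": history_origins.count(target_origin) / len(history),
    }


# Constructed sample data (documentation ASNs, one prefix, window of 5 updates).
OPERATOR_ASES = frozenset({64496})
HISTORY = [
    [64496, 64501, 64505],
    [64496, 64501, 64505],
    [64496, 64502, 64505],
    [64496, 64501, 64501, 64505],  # AS 64501 prepended
    [64496, 64502, 64506],         # one update with a different source AS
]
TARGET_USUAL = [64496, 64501, 64505]
TARGET_UNSEEN = [64496, 64503, 64510]  # new transit AS and new source AS

if __name__ == "__main__":
    for name, path in (("usual", TARGET_USUAL), ("unseen", TARGET_UNSEEN)):
        print(name, extract_features(path, HISTORY, OPERATOR_ASES))
```

A low path rarity points toward the route-leak features and a low source-AS probability toward the hijack features; how those values are turned into a verdict is left to the detection model the text describes.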
Optionally, the target routing information includes the routing anomaly detection result. After the network device determines the BGP routing feature corresponding to the BGP update message, the network device determines the routing anomaly detection result according to the BGP routing feature.
In this application, the network device generates the routing anomaly detection result according to the BGP routing feature and then sends the result to the analysis device, which further reduces the computation load of the analysis device.
Optionally, the network device may receive a routing anomaly detection model sent by the analysis device. The process in which the network device generates the routing anomaly detection result according to the BGP routing feature then includes: the network device inputs the BGP routing feature into the routing anomaly detection model to obtain the routing anomaly detection result output by the model.
Optionally, when the BGP update message is abnormal, the routing anomaly detection result also indicates the routing anomaly type of the BGP update message.
Optionally, the routing anomaly type includes one or more of route leak, route hijacking, or route forgery. The routing anomaly type may also be another anomaly type, which is not limited in this application.
In a second aspect, a routing anomaly detection method is provided. The method includes: an analysis device receives target routing information sent by a network device, where the target routing information includes the BGP routing feature corresponding to a BGP update message received by the network device and/or a routing anomaly detection result, the routing anomaly detection result is obtained based on the BGP routing feature, and the routing anomaly detection result indicates whether the BGP update message is normal or abnormal. The analysis device performs anomaly analysis on the BGP update message according to the target routing information.
Optionally, the target routing information includes the BGP routing feature, and the process in which the analysis device performs anomaly analysis on the BGP update message according to the target routing information includes: the analysis device determines the routing anomaly detection result according to the BGP routing feature; the analysis device performs anomaly analysis on the BGP update message according to the routing anomaly detection result.
Optionally, after the analysis device performs anomaly analysis on the BGP update message according to the target routing information, when the analysis device determines that the BGP update message is abnormal, the analysis device outputs the routing anomaly type of the BGP update message.
Optionally, the routing anomaly type includes one or more of route leak, route hijacking, or route forgery.
In this application, the analysis device outputs the routing anomaly type of the BGP update message for operation and maintenance personnel to view, so that they can quickly identify and handle abnormal routing events in the communication network, thereby ensuring the operational safety and reliability of the communication network.
Optionally, the analysis device may also send one or more of network-level BGP information, a routing anomaly detection model, and message analysis configuration parameters to the network device. The network-level BGP information includes an AS centrality list and/or an AS identifier list. The AS centrality list includes the centrality of each AS in the network, and the AS identifier list includes the identifiers of operator ASs. The routing anomaly detection model is used to output a routing anomaly detection result based on the input BGP routing feature. The message analysis configuration parameters include the size of the BGP update message analysis window.
In a third aspect, a routing anomaly detection apparatus is provided. The apparatus includes a plurality of functional modules that interact to implement the method of the first aspect and its embodiments. The functional modules may be implemented in software, hardware, or a combination of software and hardware, and may be combined or divided arbitrarily depending on the specific implementation.
In a fourth aspect, a routing anomaly detection apparatus is provided. The apparatus includes a plurality of functional modules that interact to implement the method of the second aspect and its embodiments. The functional modules may be implemented in software, hardware, or a combination of software and hardware, and may be combined or divided arbitrarily depending on the specific implementation.
In a fifth aspect, a routing anomaly detection system is provided, including: a network device and an analysis device;
The network device includes the routing anomaly detection apparatus according to the third aspect, and the analysis device includes the routing anomaly detection apparatus according to the fourth aspect.
In a sixth aspect, a network device is provided, including: a processor and a memory;
The memory is used to store a computer program, and the computer program includes program instructions;
The processor is configured to call the computer program to implement the routing anomaly detection method according to any one of the first aspect.
In a seventh aspect, an analysis device is provided, including: a processor and a memory;
The memory is used to store a computer program, and the computer program includes program instructions;
The processor is configured to call the computer program to implement the routing anomaly detection method according to any one of the second aspect.
In an eighth aspect, a computer storage medium is provided. The computer storage medium stores instructions; when the instructions are executed by a processor of a network device, the routing anomaly detection method according to any one of the first aspect is implemented; when the instructions are executed by a processor of an analysis device, the routing anomaly detection method according to any one of the second aspect is implemented.
In a ninth aspect, a chip is provided. The chip includes a programmable logic circuit and/or program instructions, and when the chip runs, it implements the method of the first aspect and its embodiments or the method of the second aspect and its embodiments.
The beneficial effects of the technical solution provided by this application include at least the following:
After receiving the BGP routing information, the network device determines the BGP routing feature corresponding to the BGP routing information and sends the BGP routing feature and/or the routing anomaly detection result to the analysis device. Because the BGP routing feature and the routing anomaly detection result are smaller in data volume than the BGP update message, the volume of data transmitted between the network device and the analysis device is reduced, which lowers the network overhead. In addition, performing feature extraction and/or routing anomaly detection on the BGP update message on the network device side reduces the computation load of the analysis device and saves its computing resources. Having the network device generate the routing anomaly detection result according to the BGP routing feature and then send that result to the analysis device further reduces the computation load of the analysis device. Furthermore, the analysis device outputs the routing anomaly type of the BGP update message for operation and maintenance personnel to view, so that they can quickly identify and handle abnormal routing events in the communication network, thereby ensuring the operational safety and reliability of the communication network.
Description of the drawings
FIG. 1 is a schematic structural diagram of a routing anomaly detection system provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of a routing anomaly detection method provided by an embodiment of the present application;
FIG. 3 is a flowchart of a method by which a network device determines BGP routing features, provided by an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a routing anomaly detection apparatus provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a routing anomaly detection apparatus provided by another embodiment of the present application;
FIG. 6 is a schematic structural diagram of another routing anomaly detection apparatus provided by another embodiment of the present application;
FIG. 7 is a schematic structural diagram of yet another routing anomaly detection apparatus provided by another embodiment of the present application;
FIG. 8 is a block diagram of a routing anomaly detection apparatus provided by an embodiment of the present application.
Detailed description
To make the purpose, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
FIG. 1 is a schematic structural diagram of a routing anomaly detection system provided by an embodiment of the present application. As shown in FIG. 1, the system includes an analysis device 101 and network devices 102a-102f (collectively referred to as network devices 102) in a communication network. The network device 102a belongs to AS1, the network devices 102b and 102c belong to AS2, the network device 102d belongs to AS3, the network device 102e belongs to AS4, and the network device 102f belongs to AS5. The number of network devices and their division into ASs in FIG. 1 are for illustration only and do not limit the communication network provided in the embodiments of the present application.
Optionally, the analysis device 101 may be a server, a server cluster composed of several servers, or a cloud computing service center. The network device 102 may be a router, a switch, or the like. The analysis device 101 and the network device 102 are connected through a wired network or a wireless network.
All network devices in the same AS are connected to each other, run the same routing protocol, and are assigned the same autonomous system number. Links between ASs use an exterior routing protocol. For example, the communication network provided in the embodiments of the present application may run BGP, which makes routes between ASs reachable; a communication network running BGP may also be called a BGP network. Optionally, the communication network may be a data center network (DCN), a metropolitan area network, a wide area network, a campus network, a virtual local area network (VLAN), a virtual extensible local area network (VXLAN), or the like. The embodiments of this application do not limit the type of the communication network.
图2是本申请实施例提供的一种路由异常检测方法的流程示意图。该方法可以应用于如图1所示的路由异常检测系统中。如图2所示,该方法包括:FIG. 2 is a schematic flowchart of a method for detecting routing anomaly according to an embodiment of the present application. This method can be applied to the routing anomaly detection system shown in Figure 1. As shown in Figure 2, the method includes:
步骤201、分析设备向网络设备发送网络级BGP信息、路由异常检测模型和消息分析配置参数中的一个或多个。Step 201: The analysis device sends one or more of network-level BGP information, routing anomaly detection model, and message analysis configuration parameters to the network device.
网络级BGP信息包括AS中心度列表和/或AS标识列表。AS中心度列表中包括网络中各个AS的中心度。AS的中心度用于反映该AS在通信网络中的重要程度,AS的中心度越大,表示该AS在通信网络中的位置越重要。AS标识列表中包括运营商AS的标识。示例地,该AS标识列表包括Tier1运营商的AS标识列表和/或Tier2运营商的AS标识列表。Tier1和Tier2为数据中心电信基础设施标准(Telecommunications Infrastructure Standard for Data Centers)中定义的数据中心基础设施分级认证的标准,本申请实施例对此不再赘述。The network-level BGP information includes an AS centrality list and/or an AS identification list. The AS centrality list includes the centrality of each AS in the network. The centrality of an AS is used to reflect the importance of the AS in the communication network. The greater the centrality of the AS, the more important the position of the AS in the communication network. The AS identifier list includes the identifier of the operator AS. For example, the AS identification list includes the AS identification list of the Tier1 operator and/or the AS identification list of the Tier2 operator. Tier1 and Tier2 are data center infrastructure tiered certification standards defined in the data center telecommunication infrastructure standard (Telecommunications Infrastructure Standard for Data Centers), which will not be repeated in this embodiment of the application.
示例地,表1示出了一种AS中心度列表,该AS中心度列表中包括如图1所示的路由异常检测系统中AS1-AS5的中心度。Illustratively, Table 1 shows an AS centrality list, and the AS centrality list includes the centralities of AS1-AS5 in the routing anomaly detection system shown in FIG. 1.
Table 1
AS identifier    Centrality
AS1              0.1
AS2              0.3
AS3              0.4
AS4              0.2
AS5              0.1
Here, the AS identifier may be an AS number (ASN), which is usually a globally unique 16-bit number.
The routing anomaly detection model outputs a routing anomaly detection result based on the input BGP routing features. Optionally, the routing anomaly detection model is generated based on a decision tree algorithm, a gradient boosting decision tree (GBDT) algorithm, and/or an extreme gradient boosting (XGBoost) algorithm.
For example, the analysis device uses a decision tree algorithm to generate the routing anomaly detection model. A decision tree is a tree structure, which may be a binary or non-binary tree, in which each non-leaf node represents a test on a feature attribute, each branch represents the outcome of that test over a certain value range, and each leaf node stores a category. Making a decision with a decision tree involves starting from the root node, testing the corresponding feature attribute of the item to be classified, and selecting the output branch according to its value until a leaf node is reached; the category stored in that leaf node is the decision result. The items to be classified by the decision tree used to generate the routing anomaly detection model include BGP routing features. The decision tree may include four leaf nodes whose stored categories are normal route, route leak, route hijacking, and route forgery. The routing anomaly detection model can then output one of four possible routing anomaly detection results according to the input BGP routing features: normal route, route leak, route hijacking, or route forgery. Route hijacking can also be called prefix hijacking. Alternatively, the decision tree may include two leaf nodes whose stored categories are normal route and abnormal route. The routing anomaly detection model can then output one of two possible routing anomaly detection results according to the input BGP routing features: normal route or abnormal route.
The message analysis configuration parameters include the size of the BGP update message analysis window. The size of the BGP update message analysis window is a positive integer; for example, it may be 5.
Optionally, the analysis device periodically sends one or more of the network-level BGP information, the routing anomaly detection model, and the message analysis configuration parameters to the network device. Alternatively, when the network-level BGP information is updated, the analysis device sends the updated network-level BGP information to the network device; when the routing anomaly detection model is updated, the analysis device sends the updated routing anomaly detection model to the network device; when the message analysis configuration parameters are updated, the analysis device sends the updated message analysis configuration parameters to the network device.
Step 202: The network device receives a BGP update message.
A BGP update message is used to advertise routes. Optionally, the BGP update message includes the IP prefix announced by the target source AS that published the BGP update message, and the AS path from the target source AS to the AS where the network device is located. The IP prefix announced by a source AS is usually a network segment address.
For example, referring to the routing anomaly detection system shown in FIG. 1, suppose the network device is the network device 102f belonging to AS5, the target source AS is AS1, and the IP prefix announced by AS1 is 1.1.1.0/24. The BGP update message published by AS1 passes through AS2, AS3, and AS4 in turn and reaches the network device 102f in AS5. The IP prefix carried in the BGP update message received by the network device 102f is then 1.1.1.0/24, and the AS path is AS1-AS2-AS3-AS4-AS5.
Optionally, each time the network device receives a BGP update message, it can store that message locally for use in subsequent routing anomaly detection. Setting an upper limit M in the network device means that at most M historical BGP update messages are stored; for example, a queue of length M can be used to store historical BGP update messages. M is a positive integer greater than 1, for example 100, which avoids occupying too much memory. When the network device receives a new BGP update message, it can delete the earliest stored historical BGP update message and store the new BGP update message.
Optionally, FIG. 3 is a flowchart of a method for a network device to determine BGP routing features according to an embodiment of the present application. As shown in FIG. 3, the method includes the following steps 2031 to 2034:
Step 2031: The network device obtains the target route prefix and the target AS path from the BGP update message.
The target route prefix is the IP prefix announced by the target source AS that published the BGP update message, and the target AS path is the AS path from the target source AS to the AS where the network device is located.
For example, referring to the example in step 202, the target route prefix is 1.1.1.0/24 and the target AS path is AS1-AS2-AS3-AS4-AS5.
Step 2032: The network device obtains historical BGP update messages that carry the target route prefix.
Optionally, the network device obtains one or more historical BGP update messages that carry the target route prefix from the historical BGP update messages it has stored. The number of such messages obtained can be determined from the message analysis configuration parameters sent by the analysis device. For example, if the size of the BGP update message analysis window in the message analysis configuration parameters is 5, the network device obtains 5 historical BGP update messages that carry the target route prefix. Alternatively, the network device may obtain all stored historical BGP update messages that carry the target route prefix. The embodiments of the present application do not limit the number of historical BGP update messages carrying the target route prefix that the network device obtains.
For example, referring to the example in step 2031, assume that the network device obtains 5 historical BGP update messages carrying the IP prefix 1.1.1.0/24. The AS paths carried in the 5 historical BGP update messages are AS1-AS2-AS3-AS5, AS1-AS2-AS3-AS4-AS5, AS2-AS3-AS4-AS5, AS1-AS2-AS4-AS5, and AS2-AS3-AS5.
Step 2033: The network device obtains the historical AS paths from the historical BGP update messages.
A historical BGP update message includes the historical AS path from a source AS to the AS where the network device is located. In other words, in step 2033 the network device obtains the historical AS path carried in each historical BGP update message. The historical AS paths and the target AS path may be called same-prefix AS paths.
For example, referring to the example in step 2032, the network device obtains 5 historical AS paths from the 5 historical BGP update messages carrying the IP prefix 1.1.1.0/24: AS1-AS2-AS3-AS5, AS1-AS2-AS3-AS4-AS5, AS2-AS3-AS4-AS5, AS1-AS2-AS4-AS5, and AS2-AS3-AS5.
Step 2034: The network device determines the BGP routing features according to the target AS path and the historical AS paths.
Optionally, the BGP routing features include one or more of the following: the path similarity between the target AS path and the historical AS path, the hegemonic similarity between the target AS path and the historical AS path, the rarity of the ASs on the target AS path, the rarity of the target AS path, the number of source ASs on the historical AS paths that differ from the target source AS, the occurrence probability value of the target source AS, and the stability of the target source AS. The hegemonic similarity between the target AS path and the historical AS path is determined based on the centrality of each AS on the target AS path and the centrality of each AS on the historical AS path. The rarity of an AS equals the ratio of the number of occurrences of that AS in the historical AS paths to the number of historical AS paths. The rarity of the target AS path equals the rarity of the target AS, where the target AS is the AS with the smallest rarity on the target AS path. The occurrence probability value of the target source AS equals the ratio of the number of occurrences of the target source AS in the historical AS paths to the number of historical AS paths. The stability of the target source AS is negatively correlated with the number of source ASs on the historical AS paths that differ from the target source AS, and negatively correlated with the number of neighbor ASs of the network device's AS on the historical AS paths that differ from the neighbor AS of the network device's AS on the target AS path.
The path similarity between the target AS path and the historical AS path, the hegemonic similarity between the target AS path and the historical AS path, the rarity of the ASs on the target AS path, and the rarity of the target AS path are mainly used to determine whether a route leak has occurred. The number of source ASs on the historical AS paths that differ from the target source AS, the occurrence probability value of the target source AS, and the stability of the target source AS are mainly used to determine whether route hijacking has occurred. The BGP routing features may also include other features that can reflect route leaks, route hijacking, and/or route forgery, which is not limited in the embodiments of the present application.
The following embodiments of the present application describe how each of the above BGP routing features is obtained.
In the first implementation, the BGP routing features include the path similarity between the target AS path and the historical AS path.
Optionally, the network device may calculate the path similarity between the target AS path and each of the obtained historical AS paths (same prefix), or it may calculate the path similarity between the target AS path and the previous obtained historical AS path (same prefix). Both the target AS path and the historical AS path can be represented as path vectors.
For example, referring to the examples in steps 2031 to 2033, the path vector of the target AS path can be expressed as [AS1, AS2, AS3, AS4, AS5], and the path vector of the historical AS path AS2-AS3-AS5 can be expressed as [AS2, AS3, AS5]. In the embodiments of the present application, the similarity between the path vector of the target AS path and the path vector of the historical AS path is taken as the path similarity between the two paths.
In the second implementation, the BGP routing features include the hegemonic similarity between the target AS path and the historical AS path.
Optionally, the network device may calculate the hegemonic similarity between the target AS path and each of the obtained historical AS paths (same prefix), or it may calculate the hegemonic similarity between the target AS path and the previous obtained historical AS path (same prefix). The implementation of step 2034 includes steps S11 to S13:
In step S11, the network device obtains a first centrality vector corresponding to the target AS path. The first centrality vector includes the centrality of each AS on the target AS path.
Optionally, the network device uses the identifier of each AS on the target AS path to look up that AS's centrality in the AS centrality list sent by the analysis device, and generates the first centrality vector.
For example, referring to Table 1 and the examples in steps 2031 to 2033, the network device can obtain the centralities of the ASs on the target AS path: 0.1 for AS1, 0.3 for AS2, 0.4 for AS3, 0.2 for AS4, and 0.1 for AS5. The first centrality vector corresponding to the target AS path can be expressed as [0.1, 0.3, 0.4, 0.2, 0.1].
In step S12, the network device obtains a second centrality vector corresponding to the historical AS path. The second centrality vector includes the centrality of each AS on the historical AS path.
Optionally, the network device uses the identifier of each AS on the historical AS path to look up that AS's centrality in the AS centrality list sent by the analysis device, and generates the second centrality vector.
For example, referring to Table 1 and the examples in steps 2031 to 2033, for the historical AS path AS2-AS3-AS5 the network device can obtain a centrality of 0.3 for AS2, 0.4 for AS3, and 0.1 for AS5. The second centrality vector corresponding to this historical AS path can be expressed as [0.3, 0.4, 0.1].
In step S13, the network device takes the similarity between the first centrality vector and the second centrality vector as the hegemonic similarity between the target AS path and the historical AS path.
For example, referring to the examples in steps S11 and S12, the hegemonic similarity between the target AS path and the historical AS path AS2-AS3-AS5 is the similarity between the first centrality vector [0.1, 0.3, 0.4, 0.2, 0.1] and the second centrality vector [0.3, 0.4, 0.1].
In the third implementation, the BGP routing features include the rarity of the ASs on the target AS path. The implementation of step 2034 includes: the network device performs a rarity calculation process on an AS on the target AS path. The rarity calculation process includes: the network device determines the number of occurrences of that AS in the historical AS paths, and takes the ratio of that number of occurrences to the number of historical AS paths as the rarity of the AS.
For example, referring to the examples in steps 2031 to 2033, the network device obtains a total of 5 historical BGP update messages. On the target AS path, the rarity of AS1 equals 3/5, the rarity of AS2 equals 1, the rarity of AS3 equals 4/5, the rarity of AS4 equals 3/5, and the rarity of AS5 equals 1.
Optionally, when the network device has received from the analysis device an AS identifier list containing the identifiers of operator ASs, the network device may perform the rarity calculation process on every AS on the target AS path other than the operator ASs. That is, the network device does not need to calculate the rarity of operator ASs on the target AS path. Optionally, the network device may set the rarity of an operator AS to 1.
In the fourth implementation, the BGP routing features include the rarity of the target AS path. The implementation of step 2034 includes: the network device takes the rarity of the target AS as the rarity of the target AS path, where the target AS is the AS with the smallest rarity on the target AS path.
Optionally, the network device first calculates the rarity of each AS on the target AS path, and then takes the rarity of the target AS, which has the smallest rarity, as the rarity of the target AS path. For how the rarity of each AS on the target AS path is calculated, refer to the third implementation above; details are not repeated here.
For example, referring to the example in the third implementation above, the rarity of the target AS path equals 3/5.
In the fifth implementation, the BGP routing features include the number of source ASs on the historical AS paths that differ from the target source AS.
For example, referring to the examples in steps 2031 to 2033, the network device obtains a total of 5 historical AS paths. The source ASs of the 5 historical AS paths are AS1, AS1, AS2, AS1, and AS2, and the target source AS is AS1. The only source AS on the 5 historical AS paths that differs from the target source AS is AS2, so the number of source ASs on the 5 historical AS paths that differ from the target source AS is 1.
In the sixth implementation, the BGP routing features include the occurrence probability value of the target source AS. The implementation of step 2034 includes: the network device determines the number of occurrences of the target source AS in the historical AS paths, and takes the ratio of that number of occurrences to the number of historical AS paths as the occurrence probability value of the target source AS.
For example, referring to the examples in steps 2031 to 2033, the network device obtains a total of 5 historical AS paths. The target source AS occurs 3 times in the 5 historical AS paths, so the occurrence probability value of the target source AS equals 3/5.
In the seventh implementation, the BGP routing features include the stability of the target source AS. The implementation of step 2034 includes: the network device obtains the number of source ASs on the historical AS paths that differ from the target source AS (the first number); the network device obtains the number of neighbor ASs of its own AS on the historical AS paths that differ from the neighbor AS of its own AS on the target AS path (the second number); and the network device determines the stability of the target source AS according to the first number and the second number. Here, the neighbor AS of the network device's AS on an AS path is the AS immediately preceding the network device's AS on that path. For how the network device obtains the first number, refer to the fifth implementation above; details are not repeated here.
For example, referring to the examples in steps 2031 to 2033, the network device obtains a total of 5 historical AS paths and the network device's AS is AS5. The neighbor ASs of the network device's AS on the 5 historical AS paths are AS3, AS4, AS4, AS4, and AS3, and its neighbor AS on the target AS path is AS4. The only neighbor AS on the 5 historical AS paths that differs from the neighbor AS on the target AS path is AS3, so the second number is 1.
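The counting-based features of step 2034, together with the bounded history queue of step 202 and the same-prefix window of step 2032, can be reproduced on the worked example above. The following Python sketch is an added example and is not code from the patent; the class and function names, the integer ASNs standing in for AS1-AS5, the second prefix, and ASN 64512 are constructed for illustration, and the two similarity features and the stability value are left out because this section does not give their formulas.

```python
from collections import deque
from fractions import Fraction


class UpdateHistory:
    """Bounded store of past BGP updates as (prefix, AS path) pairs (step 202)."""

    def __init__(self, max_messages=100):         # M; 100 is the page's example value
        self._queue = deque(maxlen=max_messages)  # a full deque drops its oldest entry

    def add(self, prefix, as_path):
        self._queue.append((prefix, tuple(as_path)))

    def same_prefix_paths(self, prefix, window=5):
        """Latest `window` historical AS paths for this prefix (steps 2032-2033)."""
        paths = [path for pfx, path in self._queue if pfx == prefix]
        return paths[-window:]


def neighbor_of_local_as(path):
    """AS immediately before the receiving AS, which is the last hop of the path."""
    return path[-2] if len(path) >= 2 else None


def extract_features(target_path, history, centrality, operator_ases=frozenset()):
    """Features of step 2034 that the page defines by counting."""
    target_path = tuple(target_path)
    if not target_path or not history:
        raise ValueError("need a target AS path and at least one historical AS path")
    n = len(history)
    origin = target_path[0]

    # Third implementation: share of historical paths that contain the AS.
    # Counting paths rather than hops is an assumption that keeps the ratio <= 1
    # under AS-path prepending. Operator ASs are fixed at rarity 1.
    as_rarity = {}
    for asn in target_path:
        hits = sum(asn in path for path in history)
        as_rarity[asn] = Fraction(1) if asn in operator_ases else Fraction(hits, n)

    # Fifth implementation (first number): distinct historical origins != target origin.
    other_origins = {path[0] for path in history} - {origin}
    # Seventh implementation (second number): distinct historical neighbors of the
    # local AS that differ from its neighbor on the target path.
    target_neighbor = neighbor_of_local_as(target_path)
    other_neighbors = {neighbor_of_local_as(p) for p in history} - {target_neighbor}

    return {
        "as_rarity": as_rarity,
        "path_rarity": min(as_rarity.values()),           # fourth implementation
        "other_origin_count": len(other_origins),
        # Sixth implementation, counted here as paths that originate at the target
        # source AS (an interpretation; equal to plain occurrence on the page's data).
        "origin_probability": Fraction(sum(p[0] == origin for p in history), n),
        "other_neighbor_count": len(other_neighbors),
        # Steps S11/S12: centrality vectors; an AS missing from the list gets 0.0
        # (assumption, the page does not cover that case).
        "target_centrality": [centrality.get(a, 0.0) for a in target_path],
        "history_centrality": [[centrality.get(a, 0.0) for a in p] for p in history],
    }


PREFIX = "1.1.1.0/24"
CENTRALITY = {1: 0.1, 2: 0.3, 3: 0.4, 4: 0.2, 5: 0.1}    # Table 1, AS1-AS5 as 1-5
HISTORICAL = [(1, 2, 3, 5), (1, 2, 3, 4, 5), (2, 3, 4, 5), (1, 2, 4, 5), (2, 3, 5)]


def build_history():
    """Fill the queue with the page's five paths plus one constructed other prefix."""
    store = UpdateHistory(max_messages=100)
    store.add("2.2.2.0/24", (3, 4, 5))     # constructed; must not enter the window
    for path in HISTORICAL:
        store.add(PREFIX, path)
    return store.same_prefix_paths(PREFIX, window=5)


if __name__ == "__main__":
    paths = build_history()
    samples = (("page example", (1, 2, 3, 4, 5)),
               ("constructed update from an unseen origin", (64512, 3, 5)))
    for label, target in samples:
        f = extract_features(target, paths, CENTRALITY)
        print(label, "path_rarity", f["path_rarity"],
              "origin_probability", f["origin_probability"],
              "other_origin_count", f["other_origin_count"],
              "other_neighbor_count", f["other_neighbor_count"])
```

For the constructed update from an origin never seen for this prefix, the path rarity and origin probability both fall to 0, which is the shift the threshold comparisons on these features rely on.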
步骤204、网络设备向分析设备发送目标路由信息。Step 204: The network device sends target routing information to the analysis device.
目标路由信息中包括BGP路由特征和/或路由异常检测结果。路由异常检测结果基于BGP路由特征得到,路由异常检测结果用于指示BGP更新消息正常或异常。The target routing information includes BGP routing characteristics and/or routing anomaly detection results. The route anomaly detection result is obtained based on BGP routing characteristics, and the route anomaly detection result is used to indicate whether the BGP update message is normal or abnormal.
可选地,路由异常检测结果可以采用标识值表示。示例地,当路由异常检测结果为0时,表示BGP更新消息正常;当路由异常检测结果为1时,表示BGP更新消息异常。当然,路由异常检测结果还可以采用其它数字、字母或字符串等表示,本申请实施例对此不做限定。Optionally, the routing anomaly detection result may be represented by an identification value. For example, when the route anomaly detection result is 0, it means that the BGP update message is normal; when the route anomaly detection result is 1, it means that the BGP update message is abnormal. Of course, the routing abnormality detection result can also be represented by other numbers, letters, or character strings, which is not limited in the embodiment of the present application.
本申请实施例中,网络设备在接收到BGP路由信息后,确定BGP路由信息对应的BGP路由特征,并向分析设备发送BGP路由特征和/或路由异常检测结果,由于BGP路由特征以及路由异常检测结果与BGP更新消息相比,数据量较小,因此减少了网络设备与分析设备之间的数据传输量,从而降低了网络开销。另外,在网络设备侧对BGP更新消息进行特征提取和/或路由异常检测,减少了分析设备的计算量,节约了分析设备的计算资源。In the embodiment of the present application, after receiving the BGP routing information, the network device determines the BGP routing feature corresponding to the BGP routing information, and sends the BGP routing feature and/or the routing anomaly detection result to the analysis device, due to the BGP routing feature and routing anomaly detection As a result, compared with the BGP update message, the amount of data is smaller, so the amount of data transmission between the network device and the analysis device is reduced, thereby reducing the network overhead. In addition, performing feature extraction and/or routing abnormality detection on the BGP update message on the network device side reduces the calculation amount of the analysis device and saves the calculation resources of the analysis device.
可选地,当BGP更新消息异常时,路由异常检测结果还用于指示该BGP更新消息的路由异常类型,该路由异常类型包括路由泄露、路由劫持和路由伪造中的一个或多个,该路由异常类型还可以是其它异常类型,本申请实施例对此不作限定。示例地,当路由异常检测结果为1时,表示BGP更新消息异常,且路由异常类型为路由泄露;当路由异常检测结果为2时,表示BGP更新消息异常,且路由异常类型为路由劫持;当路由异常检测结果为3时,表示BGP更新消息异常,且路由异常类型为路由伪造;当路由异常检测结果为4时,表示BGP更新消息异常,且路由异常类型为路由泄露以及路由劫持;等等。Optionally, when the BGP update message is abnormal, the route anomaly detection result is also used to indicate the route anomaly type of the BGP update message. The route anomaly type includes one or more of route leakage, route hijacking, and route forgery. The abnormality type may also be other abnormality types, which are not limited in the embodiment of the present application. For example, when the route anomaly detection result is 1, it means the BGP update message is abnormal, and the route anomaly type is route leakage; when the route anomaly detection result is 2, it means the BGP update message is abnormal, and the route anomaly type is route hijacking; When the routing anomaly detection result is 3, it means the BGP update message is abnormal, and the routing anomaly type is route forgery; when the routing anomaly detection result is 4, it means the BGP update message is abnormal, and the routing anomaly type is route leakage and route hijacking; etc. .
可选地,当网络设备向分析设备发送的目标路由信息中包括路由异常检测结果时,网络设备在确定BGP更新消息对应的BGP路由特征之后,需要先根据该BGP路由特征确定路由异常检测结果。网络设备可以根据目标AS路径与历史AS路径的路径相似度、目标AS路径与历史AS路径的霸权相似度、目标AS路径上的AS的罕见度和/或目标AS路径的罕见度,确定BGP更新消息是否发生路由泄露;网络设备还可以根据历史AS路径上不同于目标源AS的源AS的数量、目标源AS的出现概率值和/或目标源AS的稳定性,确定BGP更新消息是否发生路由劫持。示例地,当目标AS路径与历史AS路径的路径相似度小于路径相似度阈值、目标AS路径与历史AS路径的霸权相似度小于霸权相似度阈值、目标AS路径上存在AS的罕见度低于AS罕见度阈值和/或目标AS路径的罕见度低于AS路径罕见度阈值时,网络设备确定该BGP更新消息异常,且该BGP更新消息的路由异常类型为路由泄露。当历史AS路径上不同于目标源AS的源AS的数量大于目标数值、目标源AS的出现概率值小于概率阈值和/或目标源AS的稳定性低于稳定性阈值时,网络设备确定该BGP更新消息异常,且该BGP更新消息的路由异常类型为路由劫持。Optionally, when the target routing information sent by the network device to the analysis device includes the route anomaly detection result, after determining the BGP routing feature corresponding to the BGP update message, the network device needs to first determine the routing anomaly detection result according to the BGP routing feature. The network device can determine the BGP update based on the path similarity between the target AS path and the historical AS path, the hegemonic similarity between the target AS path and the historical AS path, the rarity of the AS on the target AS path, and/or the rarity of the target AS path Whether the message has route leakage; the network device can also determine whether the BGP update message is routed according to the number of source ASs that are different from the target source AS on the historical AS path, the occurrence probability of the target source AS, and/or the stability of the target source AS hijack. 
For example, when the path similarity between the target AS path and the historical AS path is less than the path similarity threshold, the hegemonic similarity between the target AS path and the historical AS path is less than the hegemonic similarity threshold, and the rare degree of AS on the target AS path is lower than the AS When the rarity threshold and/or the rarity of the target AS path is lower than the AS path rarity threshold, the network device determines that the BGP update message is abnormal, and the route abnormality type of the BGP update message is route leakage. When the number of source ASs on the historical AS path that are different from the target source AS is greater than the target value, the occurrence probability of the target source AS is less than the probability threshold, and/or the stability of the target source AS is lower than the stability threshold, the network device determines the BGP The update message is abnormal, and the abnormal route type of the BGP update message is route hijacking.
Optionally, the network device uses a decision tree algorithm, a GBDT algorithm, and/or an XGBoost algorithm to determine the routing anomaly detection result from the BGP routing features described above.
Optionally, when the network device has received a routing anomaly detection model sent by the analysis device, the process by which the network device generates the routing anomaly detection result from the BGP routing features includes: the network device inputs the BGP routing features into the routing anomaly detection model and obtains the routing anomaly detection result that the model outputs.
In the embodiments of this application, having the network device generate the routing anomaly detection result from the BGP routing features and then send that result to the analysis device further reduces the computation load on the analysis device.
Optionally, the routing anomaly detection result also includes the IP prefix carried in the BGP update message.
Step 205: The analysis device performs anomaly analysis on the BGP update message according to the target routing information.
Optionally, when the target routing information includes the BGP routing features, step 205 is implemented as follows: the analysis device determines the routing anomaly detection result from the BGP routing features, and then performs anomaly analysis on the BGP update message according to that result. For how the analysis device determines the routing anomaly detection result from the BGP routing features, refer to how the network device does so in step 204; the details are not repeated here.
For example, when the routing anomaly detection result indicates that the BGP update message is abnormal and the routing anomaly type is route hijacking, the analysis device determines, based on the BGP database, whether the target source AS has normally advertised the target routing prefix before. If the target source AS has normally advertised the target routing prefix, the analysis device determines that the BGP update message is normal; if it has not, the analysis device determines that the BGP update message is abnormal and that the routing anomaly type is route hijacking.
Optionally, the BGP database of the analysis device includes one or more of: the AS centrality list, the AS identification list, and previously received historical target routing information.
In the embodiments of this application, when the routing anomaly detection result indicates that the BGP update message is abnormal, the analysis device can also use the BGP database and the target routing information to perform fault localization and similar tasks.
Step 206: When the analysis device determines that the BGP update message is abnormal, the analysis device outputs the routing anomaly type of the BGP update message.
Optionally, when the analysis device determines that the BGP update message is abnormal, it outputs the routing anomaly type of the BGP update message to an operations support system (OSS) or to another terminal device connected to the analysis device, for the OSS or terminal device to display. If the analysis device has its own display function, it can also show the routing anomaly type of the BGP update message directly on its own display interface.
In the embodiments of this application, the analysis device outputs the routing anomaly type of the BGP update message for operation and maintenance personnel to view, so that they can quickly identify routing anomaly events in the communication network and carry out maintenance, which ensures the operational security and reliability of the communication network.
The order of the steps of the fault root cause locating method provided in the embodiments of this application can be adjusted appropriately, and steps can be added or removed as the situation requires; for example, step 201 may be skipped. Any variation that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application, and is therefore not described further.
In summary, in the routing anomaly detection method provided by the embodiments of this application, after receiving the BGP routing information, the network device determines the BGP routing features corresponding to that information and sends the BGP routing features and/or the routing anomaly detection result to the analysis device. Because the BGP routing features and the routing anomaly detection result are smaller than the BGP update message, less data is transmitted between the network device and the analysis device, which lowers network overhead. In addition, performing feature extraction and/or routing anomaly detection on the BGP update message at the network device reduces the computation load on the analysis device and saves its computing resources. Having the network device generate the routing anomaly detection result from the BGP routing features and then send that result to the analysis device further reduces the computation load on the analysis device. Finally, the analysis device outputs the routing anomaly type of the BGP update message for operation and maintenance personnel to view, so that they can quickly identify routing anomaly events in the communication network and carry out maintenance, which ensures the operational security and reliability of the communication network.
FIG. 4 is a schematic structural diagram of a routing anomaly detection apparatus provided by an embodiment of this application. The apparatus can be applied to the network device 102 in the routing anomaly detection system shown in FIG. 1. As shown in FIG. 4, the apparatus 40 includes:
A receiving module 401, configured to receive a BGP update message.
A processing module 402, configured to determine the BGP routing features corresponding to the BGP update message.
A sending module 403, configured to send target routing information to the analysis device. The target routing information includes the BGP routing features and/or a routing anomaly detection result; the routing anomaly detection result is obtained from the BGP routing features and indicates whether the BGP update message is normal or abnormal.
In summary, in the routing anomaly detection apparatus provided by the embodiments of this application, after receiving the BGP routing information through the receiving module, the network device determines the corresponding BGP routing features through the processing module and sends the BGP routing features and/or the routing anomaly detection result to the analysis device through the sending module. Because the BGP routing features and the routing anomaly detection result are smaller than the BGP update message, less data is transmitted between the network device and the analysis device, which lowers network overhead. In addition, performing feature extraction and/or routing anomaly detection on the BGP update message at the network device reduces the computation load on the analysis device and saves its computing resources.
Optionally, the processing module is configured to:
Obtain, from the BGP update message, the target routing prefix and the target AS path, where the target routing prefix is the Internet Protocol (IP) prefix announced by the target source AS that advertised the BGP update message, and the target AS path is the AS path from the target source AS to the AS where the network device is located. Obtain historical BGP update messages that carry the target routing prefix. Obtain the historical AS path from the historical BGP update messages. Determine the BGP routing features from the target AS path and the historical AS path.
Optionally, the BGP routing features include one or more of the following:
The path similarity between the target AS path and the historical AS path; the hegemonic similarity between the target AS path and the historical AS path, which is determined from the centrality of each AS on the target AS path and the centrality of each AS on the historical AS path; the rarity of an AS on the target AS path, where the rarity of an AS equals the ratio of the number of times the AS appears in the historical AS paths to the number of historical AS paths; the rarity of the target AS path, which equals the rarity of the target AS, the target AS being the AS with the lowest rarity on the target AS path; the number of source ASs on the historical AS path that differ from the target source AS; the occurrence probability of the target source AS, which equals the ratio of the number of times the target source AS appears in the historical AS paths to the number of historical AS paths; and the stability of the target source AS, which is negatively correlated with the number of source ASs on the historical AS path that differ from the target source AS, and negatively correlated with the number of neighbor ASs of the network device's AS on the historical AS path that differ from the neighbor AS of the network device's AS on the target AS path.
Optionally, the BGP routing features include the hegemonic similarity between the target AS path and the historical AS path, and the processing module is configured to: obtain a first centrality vector corresponding to the target AS path, the first centrality vector containing the centrality of each AS on the target AS path; obtain a second centrality vector corresponding to the historical AS path, the second centrality vector containing the centrality of each AS on the historical AS path; and take the similarity between the first centrality vector and the second centrality vector as the hegemonic similarity.
Optionally, the receiving module is further configured to receive an AS centrality list sent by the analysis device, the list containing the centrality of each AS in the network; the processing module is further configured to look up, by the identifier of each AS on the target AS path, the centrality of each of those ASs in the AS centrality list and generate the first centrality vector; and the processing module is further configured to look up, by the identifier of each AS on the historical AS path, the centrality of each of those ASs in the AS centrality list and generate the second centrality vector.
Optionally, the BGP routing features include the rarity of the ASs on the target AS path; the receiving module is further configured to receive an AS identification list sent by the analysis device, the list containing the identifiers of operator ASs; and the processing module is further configured to determine the rarity of the ASs on the target AS path other than the operator ASs, where the rarity of an AS on the target AS path equals the ratio of the number of times the AS appears in the historical AS paths to the number of historical AS paths.
Optionally, the target routing information includes the routing anomaly detection result; the processing module is further configured to determine the routing anomaly detection result from the BGP routing features.
Optionally, the receiving module is further configured to receive a routing anomaly detection model sent by the analysis device; the processing module is further configured to input the BGP routing features into the routing anomaly detection model and obtain the routing anomaly detection result that the model outputs.
Optionally, when the BGP update message is abnormal, the routing anomaly detection result also indicates the routing anomaly type of the BGP update message.
Optionally, the routing anomaly type includes one or more of route leak, route hijacking, or route forgery.
In summary, in the routing anomaly detection apparatus provided by the embodiments of this application, after receiving the BGP routing information through the receiving module, the network device determines the corresponding BGP routing features through the processing module and sends the BGP routing features and/or the routing anomaly detection result to the analysis device through the sending module. Because the BGP routing features and the routing anomaly detection result are smaller than the BGP update message, less data is transmitted between the network device and the analysis device, which lowers network overhead. In addition, performing feature extraction and/or routing anomaly detection on the BGP update message at the network device reduces the computation load on the analysis device and saves its computing resources. Having the network device generate the routing anomaly detection result from the BGP routing features and then send that result to the analysis device further reduces the computation load on the analysis device.
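The feature definitions given for the processing module and the route leak / route hijack threshold rule from the method embodiment, as an added Python example that is not part of the patent text. The page fixes no similarity metric and no threshold values, so the difflib ratio, the zero-padded cosine, the thresholds, the hijack-before-leak precedence and all AS numbers are assumptions; stability is left out because the page states only its correlations, not a formula.

```python
from difflib import SequenceMatcher
from math import sqrt

# Paths are lists in AS_PATH order: leftmost = neighbor AS, rightmost = source AS.
# All ASNs, centralities and thresholds below are constructed sample values.
HISTORY = [
    [64500, 64501, 64510],
    [64500, 64501, 64510],
    [64500, 64502, 64510],
    [64500, 64501, 64510],
]
CENTRALITY = {64500: 0.9, 64501: 0.6, 64502: 0.5, 64505: 0.02, 64510: 0.05, 64511: 0.01}
OPERATOR_ASES = {64500}  # AS identification list: operator ASs are not scored for rarity
THRESHOLDS = {"path_similarity": 0.9, "hegemonic_similarity": 0.95,
              "path_rarity": 0.1, "other_origins": 0, "origin_probability": 0.5}


def collapse_prepends(path):
    """Drop consecutive duplicates so AS-path prepending does not skew the features."""
    return [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]


def path_similarity(target, history):
    """Assumed metric: best difflib sequence ratio against any historical path."""
    return max(SequenceMatcher(None, target, h, autojunk=False).ratio() for h in history)


def cosine(u, v):
    """Cosine similarity; the shorter vector is zero-padded (assumption)."""
    n = max(len(u), len(v))
    u, v = u + [0.0] * (n - len(u)), v + [0.0] * (n - len(v))
    norm = sqrt(sum(a * a for a in u)) * sqrt(sum(b * b for b in v))
    return sum(a * b for a, b in zip(u, v)) / norm if norm else 0.0


def hegemonic_similarity(target, history, centrality):
    """First centrality vector (target path) against each second vector (historical path)."""
    first = [centrality.get(a, 0.0) for a in target]
    return max(cosine(first, [centrality.get(a, 0.0) for a in h]) for h in history)


def as_rarity(asn, history):
    """Historical paths containing the AS divided by the number of historical paths."""
    return sum(asn in h for h in history) / len(history)


def path_rarity(target, history, operator_ases):
    """Rarity of the least-seen non-operator AS on the target path."""
    scores = [as_rarity(a, history) for a in target if a not in operator_ases]
    return min(scores) if scores else 1.0


def extract_features(target, history, centrality=CENTRALITY, operator_ases=OPERATOR_ASES):
    target = collapse_prepends(target)
    history = [collapse_prepends(h) for h in history if h]
    origin, hist_origins = target[-1], [h[-1] for h in history]
    return {
        "path_similarity": path_similarity(target, history),
        "hegemonic_similarity": hegemonic_similarity(target, history, centrality),
        "path_rarity": path_rarity(target, history, operator_ases),
        # Distinct historical source ASs other than the target source AS.
        "other_origins": len(set(hist_origins) - {origin}),
        # Share of historical paths originated by the target source AS.
        "origin_probability": hist_origins.count(origin) / len(history),
    }


def detect(target, history, centrality=CENTRALITY, operator_ases=OPERATOR_ASES, th=THRESHOLDS):
    """Return 'normal', 'route_leak', 'route_hijack', or 'no_history'."""
    if not target:
        raise ValueError("empty AS path")
    if not any(history):
        return "no_history"  # a prefix never seen before has no baseline to compare with
    f = extract_features(target, history, centrality, operator_ases)
    hijack = (f["other_origins"] > th["other_origins"]
              or f["origin_probability"] < th["origin_probability"])
    leak = (f["path_similarity"] < th["path_similarity"]
            or f["hegemonic_similarity"] < th["hegemonic_similarity"]
            or f["path_rarity"] < th["path_rarity"])
    # Source-AS checks take precedence: a changed source AS also lowers the path features.
    return "route_hijack" if hijack else "route_leak" if leak else "normal"


if __name__ == "__main__":
    for name, path in [("baseline", [64500, 64501, 64510]),
                       ("unseen transit AS", [64500, 64505, 64501, 64510]),
                       ("unseen source AS", [64500, 64501, 64511])]:
        print(name, detect(path, HISTORY), extract_features(path, HISTORY))
```

The same feature dictionary is what the page describes as the input to a decision tree, GBDT or XGBoost model; the fixed thresholds here stand in for such a model.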
FIG. 5 is a schematic structural diagram of a routing anomaly detection apparatus provided by another embodiment of this application. The apparatus can be applied to the analysis device 101 in the routing anomaly detection system shown in FIG. 1. As shown in FIG. 5, the apparatus 50 includes:
A receiving module 501, configured to receive target routing information sent by a network device. The target routing information includes the BGP routing features corresponding to a BGP update message received by the network device and/or a routing anomaly detection result; the routing anomaly detection result is obtained from the BGP routing features and indicates whether the BGP update message is normal or abnormal.
A processing module 502, configured to perform anomaly analysis on the BGP update message according to the target routing information.
In summary, in the routing anomaly detection apparatus provided by the embodiments of this application, after receiving the target routing information sent by the network device through the receiving module, the analysis device performs anomaly analysis on the BGP update message according to the target routing information through the processing module. Because the BGP routing features and/or the routing anomaly detection result in the target routing information are smaller than the BGP update message, less data is transmitted between the network device and the analysis device, which lowers network overhead. In addition, performing feature extraction and/or routing anomaly detection on the BGP update message at the network device reduces the computation load on the analysis device and saves its computing resources.
Optionally, the processing module is further configured to: determine the routing anomaly detection result from the BGP routing features; and perform anomaly analysis on the BGP update message according to the routing anomaly detection result.
Optionally, as shown in FIG. 6, the apparatus 50 further includes:
An output module 503, configured to output the routing anomaly type of the BGP update message when the analysis device determines that the BGP update message is abnormal.
Optionally, the routing anomaly type includes one or more of route leak, route hijacking, or route forgery.
Optionally, as shown in FIG. 7, the apparatus 50 further includes:
A sending module 504, configured to send one or more of network-level BGP information, a routing anomaly detection model, and message analysis configuration parameters to the network device. The network-level BGP information includes an AS centrality list and/or an AS identification list; the AS centrality list contains the centrality of each AS in the network; the AS identification list contains the identifiers of operator ASs; the routing anomaly detection model outputs a routing anomaly detection result based on the BGP routing features it is given as input; and the message analysis configuration parameters include the size of the BGP update message analysis window.
In summary, in the routing anomaly detection apparatus provided by the embodiments of this application, after receiving the target routing information sent by the network device through the receiving module, the analysis device performs anomaly analysis on the BGP update message according to the target routing information through the processing module. Because the BGP routing features and/or the routing anomaly detection result in the target routing information are smaller than the BGP update message, less data is transmitted between the network device and the analysis device, which lowers network overhead. In addition, performing feature extraction and/or routing anomaly detection on the BGP update message at the network device reduces the computation load on the analysis device and saves its computing resources. Finally, the analysis device outputs the routing anomaly type of the BGP update message for operation and maintenance personnel to view, so that they can quickly identify routing anomaly events in the communication network and carry out maintenance, which ensures the operational security and reliability of the communication network.
For the apparatus in the foregoing embodiments, the specific way in which each module performs its operations has been described in detail in the method embodiments and is not elaborated here.
The embodiments of this application also provide a routing anomaly detection system, which includes a network device and an analysis device. The network device includes the routing anomaly detection apparatus shown in FIG. 4, and the analysis device includes the routing anomaly detection apparatus shown in any one of FIG. 5 to FIG. 7.
The embodiments of this application provide a network device, including a processor and a memory;
the memory is configured to store a computer program, the computer program including program instructions;
the processor is configured to call the computer program to implement the steps performed by the network device in the foregoing method embodiments.
The embodiments of this application provide an analysis device, including a processor and a memory;
the memory is configured to store a computer program, the computer program including program instructions;
the processor is configured to call the computer program to implement the steps performed by the analysis device in the foregoing method embodiments.
For example, FIG. 8 is a block diagram of a routing anomaly detection apparatus provided by an embodiment of this application. The routing anomaly detection apparatus may be a network device or an analysis device. As shown in FIG. 8, the apparatus 80 includes a processor 801 and a memory 802.
The memory 802 is configured to store a computer program, the computer program including program instructions;
the processor 801 is configured to call the computer program to implement the steps performed by the network device or the steps performed by the analysis device in the foregoing method embodiments.
Optionally, the apparatus 80 further includes a communication bus 803 and a communication interface 804.
The processor 801 includes one or more processing cores, and performs various functional applications and data processing by running the computer program.
The memory 802 can be used to store the computer program. Optionally, the memory can store an operating system and the application program unit required by at least one function. The operating system may be a real-time operating system (Real Time eXecutive, RTX), LINUX, UNIX, WINDOWS, OS X, or a similar operating system.
There may be multiple communication interfaces 804, which are used to communicate with other storage devices or network devices. For example, in the embodiments of this application, the communication interface 804 of the network device can be used to communicate with the analysis device. Optionally, the communication network may be a software-defined network (SDN), a virtual extensible local area network (VXLAN), or the like. The network device may be a switch, a router, or the like. The analysis device may be a server, a cloud service, or the like.
The memory 802 and the communication interface 804 are each connected to the processor 801 through the communication bus 803.
The embodiments of this application also provide a computer storage medium on which instructions are stored. When the instructions are executed by the processor of a network device, the steps performed by the network device in the foregoing method embodiments are implemented; when the instructions are executed by the processor of an analysis device, the steps performed by the analysis device in the foregoing method embodiments are implemented.
A person of ordinary skill in the art will understand that all or some of the steps of the foregoing embodiments can be carried out by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc, or the like.
In the embodiments of this application, the terms "first", "second" and "third" are used for description only and are not to be understood as indicating or implying relative importance.
The term "and/or" in this application merely describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean: A alone, both A and B, or B alone. In addition, the character "/" in this document generally indicates an "or" relationship between the objects before and after it.
The above are only optional embodiments of this application and are not intended to limit it. Any modification, equivalent replacement, or improvement made within the concept and principles of this application shall fall within the protection scope of this application.

Claims (34)

  1. A routing anomaly detection method, characterized in that the method comprises:
    a network device receiving a Border Gateway Protocol (BGP) update message;
    the network device determining the BGP routing features corresponding to the BGP update message;
    the network device sending target routing information to an analysis device, the target routing information including the BGP routing features and/or a routing anomaly detection result, the routing anomaly detection result being obtained from the BGP routing features and being used to indicate whether the BGP update message is normal or abnormal.
  2. The method according to claim 1, characterized in that the network device determining the BGP routing features corresponding to the BGP update message comprises:
    the network device obtaining, from the BGP update message, a target routing prefix and a target autonomous system (AS) path, the target routing prefix being the Internet Protocol (IP) prefix announced by the target source AS that advertised the BGP update message, and the target AS path being the AS path from the target source AS to the AS where the network device is located;
    the network device obtaining historical BGP update messages carrying the target routing prefix;
    the network device obtaining a historical AS path from the historical BGP update messages;
    the network device determining the BGP routing features from the target AS path and the historical AS path.
  3. The method according to claim 2, characterized in that the BGP routing features include one or more of the following:
    the path similarity between the target AS path and the historical AS path;
    the hegemonic similarity between the target AS path and the historical AS path, the hegemonic similarity being determined from the centrality of each AS on the target AS path and the centrality of each AS on the historical AS path;
    the rarity of an AS on the target AS path, the rarity of the AS being equal to the ratio of the number of times the AS appears in the historical AS paths to the number of historical AS paths;
    the rarity of the target AS path, the rarity of the target AS path being equal to the rarity of a target AS, the target AS being the AS with the lowest rarity on the target AS path;
    the number of source ASs on the historical AS path that differ from the target source AS;
    the occurrence probability of the target source AS, the occurrence probability being equal to the ratio of the number of times the target source AS appears in the historical AS paths to the number of historical AS paths;
    and the stability of the target source AS, the stability being negatively correlated with the number of source ASs on the historical AS path that differ from the target source AS, and negatively correlated with the number of neighbor ASs of the network device's AS on the historical AS path that differ from the neighbor AS of the network device's AS on the target AS path.
  4. The method according to claim 2 or 3, wherein the BGP routing feature includes the hegemony similarity between the target AS path and the historical AS path, and the network device determining the BGP routing feature according to the target AS path and the historical AS path comprises:
    the network device obtains a first centrality vector corresponding to the target AS path, the first centrality vector including the centrality of each AS on the target AS path;
    the network device obtains a second centrality vector corresponding to the historical AS path, the second centrality vector including the centrality of each AS on the historical AS path;
    the network device uses the similarity between the first centrality vector and the second centrality vector as the hegemony similarity.
  5. The method according to claim 4, wherein before the network device determines the BGP routing feature according to the target AS path and the historical AS path, the method further comprises:
    the network device receives an AS centrality list sent by the analysis device, the AS centrality list including the centrality of each AS in the network;
    the network device obtaining the first centrality vector corresponding to the target AS path comprises:
    the network device obtains, according to the identifier of each AS on the target AS path, the centrality of each AS on the target AS path from the AS centrality list, and generates the first centrality vector;
    the network device obtaining the second centrality vector corresponding to the historical AS path comprises:
    the network device obtains, according to the identifier of each AS on the historical AS path, the centrality of each AS on the historical AS path from the AS centrality list, and generates the second centrality vector.
  6. The method according to any one of claims 2 to 5, wherein the BGP routing feature includes the rarity of an AS on the target AS path, and before the network device determines the BGP routing feature according to the target AS path and the historical AS path, the method further comprises:
    the network device receives an AS identification list sent by the analysis device, the AS identification list including identifiers of operator ASs;
    the network device determining the BGP routing feature according to the target AS path and the historical AS path comprises:
    the network device determines the rarity of the ASs on the target AS path other than the operator ASs, the rarity of an AS on the target AS path being equal to the ratio of the number of occurrences of the AS in the historical AS paths to the number of historical AS paths.
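The per-prefix features of claims 3 to 6, worked through on constructed data. This is an added example, not code from the patent: cosine similarity with zero-padding, scoring against the closest historical path, counting the source AS only in the origin position, and every ASN and centrality value below are assumptions.

```python
"""Added illustration: per-prefix BGP routing features named in claims 3 to 6.

AS paths are lists in BGP AS_PATH order (neighbor of the local AS first,
origin AS last). All ASNs and centrality values are constructed samples.
"""
from math import sqrt


def as_rarity(asn, history):
    """Claimed ratio: historical paths containing asn / number of historical paths.

    A lower value means a rarer AS. Assumption: prepending counts once per path.
    """
    if not history:
        return 0.0
    return sum(1 for path in history if asn in path) / len(history)


def path_rarity(target, history, operator_ases=frozenset()):
    """Return (asn, rarity) of the least-seen AS on the target path.

    ASes in operator_ases (the AS identification list of claim 6) are skipped.
    """
    scored = {a: as_rarity(a, history) for a in target if a not in operator_ases}
    if not scored:
        return None, None
    rarest = min(scored, key=scored.get)
    return rarest, scored[rarest]


def origin_features(target, history):
    """Return (count of other origin ASes in history, share of history with this origin)."""
    origin = target[-1]
    seen = [path[-1] for path in history]
    others = {o for o in seen if o != origin}
    probability = seen.count(origin) / len(seen) if seen else 0.0
    return len(others), probability


def centrality_vector(path, centrality):
    """Look up each AS in the centrality list; origin first, unknown ASes score 0."""
    return [centrality.get(asn, 0.0) for asn in reversed(path)]


def cosine(u, v):
    """Cosine similarity; the shorter vector is zero-padded (assumption)."""
    n = max(len(u), len(v))
    u = u + [0.0] * (n - len(u))
    v = v + [0.0] * (n - len(v))
    dot = sum(a * b for a, b in zip(u, v))
    norm = sqrt(sum(a * a for a in u)) * sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def hegemony_similarity(target, history, centrality):
    """Similarity of the target centrality vector to the closest historical one."""
    t = centrality_vector(target, centrality)
    return max((cosine(t, centrality_vector(p, centrality)) for p in history),
               default=0.0)


def extract_features(target, history, centrality, operator_ases=frozenset()):
    """Bundle the features a device would report for one BGP update."""
    rarest, rarity = path_rarity(target, history, operator_ases)
    others, probability = origin_features(target, history)
    return {
        "rarest_as": rarest,
        "path_rarity": rarity,
        "other_origin_count": others,
        "origin_probability": probability,
        "hegemony_similarity": hegemony_similarity(target, history, centrality),
    }


# Constructed sample: history for one prefix (documentation ASNs, RFC 5398).
HISTORY = [
    [64500, 64501, 64510],
    [64500, 64501, 64510],
    [64500, 64502, 64510],
    [64500, 64501, 64510],
]
CENTRALITY = {64500: 0.9, 64501: 0.4, 64502: 0.3, 64505: 0.05,
              64510: 0.01, 64511: 0.02}
OPERATOR_ASES = frozenset({64500})   # large transit AS, excluded from rarity
NORMAL = [64500, 64501, 64510]       # matches the usual path
SUSPECT = [64500, 64505, 64511]      # unseen transit AS and unseen origin

if __name__ == "__main__":
    for name, path in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, extract_features(path, HISTORY, CENTRALITY, OPERATOR_ASES))
```

The suspect update scores zero on both path rarity and origin probability while its hegemony similarity stays high, which shows why the claims feed several features to the detection model rather than thresholding one.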
  7. The method according to any one of claims 1 to 6, wherein the target routing information includes the routing anomaly detection result, and after the network device determines the BGP routing feature corresponding to the BGP update message, the method further comprises:
    the network device determines the routing anomaly detection result according to the BGP routing feature.
  8. The method according to claim 7, wherein the method further comprises:
    the network device receives a routing anomaly detection model sent by the analysis device;
    the network device generating the routing anomaly detection result according to the BGP routing feature comprises:
    the network device inputs the BGP routing feature into the routing anomaly detection model to obtain the routing anomaly detection result output by the routing anomaly detection model.
  9. The method according to any one of claims 1 to 8, wherein when the BGP update message is abnormal, the routing anomaly detection result is further used to indicate the routing anomaly type of the BGP update message.
  10. The method according to claim 9, wherein the routing anomaly type includes one or more of route leak, route hijacking, or route forgery.
  11. A routing anomaly detection method, wherein the method comprises:
    an analysis device receives target routing information sent by a network device, wherein the target routing information includes a BGP routing feature and/or a routing anomaly detection result corresponding to a Border Gateway Protocol (BGP) update message received by the network device, the routing anomaly detection result is obtained based on the BGP routing feature, and the routing anomaly detection result is used to indicate that the BGP update message is normal or abnormal;
    the analysis device performs anomaly analysis on the BGP update message according to the target routing information.
  12. The method according to claim 11, wherein the target routing information includes the BGP routing feature, and the analysis device performing anomaly analysis on the BGP update message according to the target routing information comprises:
    the analysis device determines a routing anomaly detection result according to the BGP routing feature;
    the analysis device performs anomaly analysis on the BGP update message according to the routing anomaly detection result.
  13. The method according to claim 11 or 12, wherein after the analysis device performs anomaly analysis on the BGP update message according to the target routing information, the method further comprises:
    when the analysis device determines that the BGP update message is abnormal, the analysis device outputs the routing anomaly type of the BGP update message.
  14. The method according to any one of claims 11 to 13, wherein the routing anomaly type includes one or more of route leak, route hijacking, or route forgery.
  15. The method according to any one of claims 11 to 14, wherein the method further comprises:
    the analysis device sends one or more of network-level BGP information, a routing anomaly detection model, and message analysis configuration parameters to the network device, wherein the network-level BGP information includes an autonomous system (AS) centrality list and/or an AS identification list, the AS centrality list includes the centrality of each AS in the network, the AS identification list includes identifiers of operator ASs, the routing anomaly detection model is used to output a routing anomaly detection result based on an input BGP routing feature, and the message analysis configuration parameters include the size of the BGP update message analysis window.
  16. A routing anomaly detection apparatus, for use in a network device, wherein the apparatus comprises:
    a receiving module, configured to receive a Border Gateway Protocol (BGP) update message;
    a processing module, configured to determine the BGP routing feature corresponding to the BGP update message;
    a sending module, configured to send target routing information to an analysis device, wherein the target routing information includes the BGP routing feature and/or a routing anomaly detection result, the routing anomaly detection result is obtained based on the BGP routing feature, and the routing anomaly detection result is used to indicate that the BGP update message is normal or abnormal.
  17. The apparatus according to claim 16, wherein the processing module is configured to:
    obtain a target routing prefix and a target autonomous system (AS) path according to the BGP update message, wherein the target routing prefix is the Internet Protocol (IP) prefix announced by the target source AS that advertises the BGP update message, and the target AS path is the AS path from the target source AS to the AS where the network device is located;
    obtain historical BGP update messages carrying the target routing prefix;
    obtain a historical AS path according to the historical BGP update messages;
    determine the BGP routing feature according to the target AS path and the historical AS path.
  18. The apparatus according to claim 17, wherein the BGP routing feature includes one or more of the following:
    the path similarity between the target AS path and the historical AS path;
    the hegemony similarity between the target AS path and the historical AS path, the hegemony similarity being determined based on the centrality of each AS on the target AS path and the centrality of each AS on the historical AS path;
    the rarity of an AS on the target AS path, the rarity of the AS being equal to the ratio of the number of occurrences of the AS in the historical AS paths to the number of historical AS paths;
    the rarity of the target AS path, the rarity of the target AS path being equal to the rarity of a target AS, the target AS being the AS with the lowest rarity on the target AS path;
    the number of source ASs on the historical AS paths that differ from the target source AS;
    the occurrence probability value of the target source AS, the occurrence probability value being equal to the ratio of the number of occurrences of the target source AS in the historical AS paths to the number of historical AS paths;
    and the stability of the target source AS, the stability being negatively correlated with the number of source ASs on the historical AS paths that differ from the target source AS, and negatively correlated with the number of neighbor ASs of the AS where the network device is located on the historical AS paths that differ from the neighbor AS of the AS where the network device is located on the target AS path.
  19. The apparatus according to claim 17 or 18, wherein the BGP routing feature includes the hegemony similarity between the target AS path and the historical AS path, and the processing module is configured to:
    obtain a first centrality vector corresponding to the target AS path, the first centrality vector including the centrality of each AS on the target AS path;
    obtain a second centrality vector corresponding to the historical AS path, the second centrality vector including the centrality of each AS on the historical AS path;
    use the similarity between the first centrality vector and the second centrality vector as the hegemony similarity.
  20. The apparatus according to claim 19, wherein:
    the receiving module is further configured to receive an AS centrality list sent by the analysis device, the AS centrality list including the centrality of each AS in the network;
    the processing module is further configured to obtain, according to the identifier of each AS on the target AS path, the centrality of each AS on the target AS path from the AS centrality list, and generate the first centrality vector;
    the processing module is further configured to obtain, according to the identifier of each AS on the historical AS path, the centrality of each AS on the historical AS path from the AS centrality list, and generate the second centrality vector.
  21. The apparatus according to any one of claims 17 to 20, wherein the BGP routing feature includes the rarity of an AS on the target AS path;
    the receiving module is further configured to receive an AS identification list sent by the analysis device, the AS identification list including identifiers of operator ASs;
    the processing module is further configured to determine the rarity of the ASs on the target AS path other than the operator ASs, the rarity of an AS on the target AS path being equal to the ratio of the number of occurrences of the AS in the historical AS paths to the number of historical AS paths.
  22. The apparatus according to any one of claims 16 to 21, wherein the target routing information includes the routing anomaly detection result;
    the processing module is further configured to determine the routing anomaly detection result according to the BGP routing feature.
  23. The apparatus according to claim 22, wherein:
    the receiving module is further configured to receive a routing anomaly detection model sent by the analysis device;
    the processing module is further configured to input the BGP routing feature into the routing anomaly detection model to obtain the routing anomaly detection result output by the routing anomaly detection model.
  24. The apparatus according to any one of claims 16 to 23, wherein when the BGP update message is abnormal, the routing anomaly detection result is further used to indicate the routing anomaly type of the BGP update message.
  25. The apparatus according to claim 24, wherein the routing anomaly type includes one or more of route leak, route hijacking, or route forgery.
  26. A routing anomaly detection apparatus, for use in an analysis device, wherein the apparatus comprises:
    a receiving module, configured to receive target routing information sent by a network device, wherein the target routing information includes a BGP routing feature and/or a routing anomaly detection result corresponding to a Border Gateway Protocol (BGP) update message received by the network device, the routing anomaly detection result is obtained based on the BGP routing feature, and the routing anomaly detection result is used to indicate that the BGP update message is normal or abnormal;
    a processing module, configured to perform anomaly analysis on the BGP update message according to the target routing information.
  27. The apparatus according to claim 26, wherein the target routing information includes the BGP routing feature, and the processing module is further configured to:
    determine a routing anomaly detection result according to the BGP routing feature;
    perform anomaly analysis on the BGP update message according to the routing anomaly detection result.
  28. The apparatus according to claim 26 or 27, wherein the apparatus further comprises:
    an output module, configured to output the routing anomaly type of the BGP update message when the analysis device determines that the BGP update message is abnormal.
  29. The apparatus according to any one of claims 26 to 28, wherein the routing anomaly type includes one or more of route leak, route hijacking, or route forgery.
  30. The apparatus according to any one of claims 26 to 29, wherein the apparatus further comprises:
    a sending module, configured to send one or more of network-level BGP information, a routing anomaly detection model, and message analysis configuration parameters to the network device, wherein the network-level BGP information includes an autonomous system (AS) centrality list and/or an AS identification list, the AS centrality list includes the centrality of each AS in the network, the AS identification list includes identifiers of operator ASs, the routing anomaly detection model is used to output a routing anomaly detection result based on an input BGP routing feature, and the message analysis configuration parameters include the size of the BGP update message analysis window.
  31. A routing anomaly detection system, comprising: a network device and an analysis device;
    the network device includes the routing anomaly detection apparatus according to any one of claims 16 to 25, and the analysis device includes the routing anomaly detection apparatus according to any one of claims 26 to 30.
  32. A network device, comprising: a processor and a memory;
    the memory is configured to store a computer program, the computer program including program instructions;
    the processor is configured to invoke the computer program to implement the routing anomaly detection method according to any one of claims 1 to 10.
  33. An analysis device, comprising: a processor and a memory;
    the memory is configured to store a computer program, the computer program including program instructions;
    the processor is configured to invoke the computer program to implement the routing anomaly detection method according to any one of claims 11 to 15.
  34. A computer storage medium, wherein instructions are stored on the computer storage medium; when the instructions are executed by a processor of a network device, the routing anomaly detection method according to any one of claims 1 to 10 is implemented; when the instructions are executed by a processor of an analysis device, the routing anomaly detection method according to any one of claims 11 to 15 is implemented.
PCT/CN2020/112147 2020-01-21 2020-08-28 Routing abnormity detection method, apparatus and system, and computer storage medium WO2021147320A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010069782.X 2020-01-21
CN202010069782.XA CN113225194B (en) 2020-01-21 2020-01-21 Routing abnormity detection method, device and system and computer storage medium

Publications (1)

Publication Number Publication Date
WO2021147320A1 true WO2021147320A1 (en) 2021-07-29

Family

ID=76992847

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/112147 WO2021147320A1 (en) 2020-01-21 2020-08-28 Routing abnormity detection method, apparatus and system, and computer storage medium

Country Status (2)

Country Link
CN (1) CN113225194B (en)
WO (1) WO2021147320A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110262937A (en) * 2019-05-06 2019-09-20 阿里巴巴集团控股有限公司 A kind of recognition methods of Indexes Abnormality reason and device

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143085B (en) * 2021-11-30 2023-08-01 中国人民解放军国防科技大学 BGP community attribute anomaly detection method and system based on self-encoder
CN114528946B (en) * 2021-12-16 2022-10-04 浙江省新型互联网交换中心有限责任公司 Autonomous domain system sibling relationship identification method
CN115396337B (en) * 2022-08-10 2023-06-06 广州天懋信息系统股份有限公司 Routing anomaly detection method, system, storage medium and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101471824A (en) * 2007-12-29 2009-07-01 中国科学院计算技术研究所 System and method for monitoring abnormity of BGP network
CN102202004A (en) * 2011-07-08 2011-09-28 福建星网锐捷网络有限公司 Routing error processing method and device and routing equipment
CN102594714A (en) * 2012-03-29 2012-07-18 杭州华三通信技术有限公司 BGP (Border Gateway Protocol) routing processing method and BGP routing equipment
CN108886521A (en) * 2016-02-22 2018-11-23 动态网络服务股份有限公司 Method and apparatus for finding Global routing abduction
US20190349396A1 (en) * 2018-05-08 2019-11-14 Charter Communications Operating, Llc Reducing The Impact Of Border Gateway Protocol (BGP) Hijacks
CN110661714A (en) * 2018-06-30 2020-01-07 华为技术有限公司 Method for sending BGP message, method for receiving BGP message and equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005500A (en) * 2006-12-31 2007-07-25 中国科学院计算技术研究所 Method for verifying houndary gateway protocol route strategy based on autonomous system recation
JP5170778B2 (en) * 2009-09-03 2013-03-27 Kddi株式会社 BGP fault location estimation method and apparatus
CN104601466B (en) * 2014-12-31 2018-01-05 华为技术有限公司 A kind of route control method, border router
CN105763468B (en) * 2016-03-31 2019-04-09 新华三技术有限公司 A kind of transmission method and device of bgp update message

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110262937A (en) * 2019-05-06 2019-09-20 阿里巴巴集团控股有限公司 A kind of recognition methods of Indexes Abnormality reason and device
CN110262937B (en) * 2019-05-06 2023-07-18 创新先进技术有限公司 Identification method and device for index abnormality reasons

Also Published As

Publication number Publication date
CN113225194B (en) 2022-09-09
CN113225194A (en) 2021-08-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20915697

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20915697

Country of ref document: EP

Kind code of ref document: A1