TY - JOUR
T1 - AP2Vec
T2 - An Unsupervised Approach for BGP Hijacking Detection
AU - Shapira, Tal
AU - Shavitt, Yuval
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2022/9/1
Y1 - 2022/9/1
N2 - BGP hijack attacks deflect traffic between endpoints through the attacker's network, leading to man-in-the-middle attacks. Thus, their detection is an important security challenge. In this paper, we introduce a novel approach for BGP hijacking detection that is based on the observation that during a hijack attack, the functional roles of the ASNs along the route change. To identify a functional change, we build on previous work that embeds ASNs into vectors based on BGP routing announcements, and embed each IP address prefix (AP) into a vector representing its latent characteristics; we call this AP2Vec. Then, we compare the embedding of a new route with the AP embedding that is based on the old routes to identify large differences. We compare our unsupervised approach to several other new and previous approaches and show that it strikes the best balance between a high detection rate of hijack events and a low number of flagged events. In particular, for a two-hour route collection with 10-90,000 route changes, our algorithm typically flags 1-11 suspected events (0.01-0.05% FP). Our algorithm also detected most of the previously published hijack events.
AB - BGP hijack attacks deflect traffic between endpoints through the attacker's network, leading to man-in-the-middle attacks. Thus, their detection is an important security challenge. In this paper, we introduce a novel approach for BGP hijacking detection that is based on the observation that during a hijack attack, the functional roles of the ASNs along the route change. To identify a functional change, we build on previous work that embeds ASNs into vectors based on BGP routing announcements, and embed each IP address prefix (AP) into a vector representing its latent characteristics; we call this AP2Vec. Then, we compare the embedding of a new route with the AP embedding that is based on the old routes to identify large differences. We compare our unsupervised approach to several other new and previous approaches and show that it strikes the best balance between a high detection rate of hijack events and a low number of flagged events. In particular, for a two-hour route collection with 10-90,000 route changes, our algorithm typically flags 1-11 suspected events (0.01-0.05% FP). Our algorithm also detected most of the previously published hijack events.
KW - AP embedding
KW - BGP
KW - IP hijack detection
KW - Internet security
KW - deep learning
UR - http://www.scopus.com/inward/record.url?scp=85128332787&partnerID=8YFLogxK
U2 - 10.1109/TNSM.2022.3166450
DO - 10.1109/TNSM.2022.3166450
M3 - Article
AN - SCOPUS:85128332787
SN - 1932-4537
VL - 19
SP - 2255
EP - 2268
JO - IEEE Transactions on Network and Service Management
JF - IEEE Transactions on Network and Service Management
IS - 3
ER -