Authors: Hussain Alshamrani and Bogdan Ghita
Affiliation: Plymouth University, United Kingdom
Keyword(s): RIPE Database, ASNs and IP Prefix Delegators, Information Correlation, False Positives.
Related Ontology Subjects/Areas/Topics: Data Communication Networking; Information and Systems Security; Internet Technologies; Network Protocols; Network Security; Telecommunications; Wireless Network Security
Abstract:
In spite of significant ongoing research, the Border Gateway Protocol (BGP) still carries a conceptual vulnerability: an AS (Autonomous System) can impersonate the owner of an IP prefix by originating it. In this context, a number of research studies have focused on securing BGP through history-based and statistics-based behavioural models. This paper improves the earlier IP prefix hijack detection method presented in (Alshamrani et al. 2015) by identifying false positives that arise when an organisation uses multiple ASNs (Autonomous System Numbers) to advertise its routes. To solve this issue, we link a Verification Database to the previously proposed detection method to improve its accuracy. The method extracts organisation names (unique codes) and their associated ASNs from different ASN delegators and RIRs (Regional Internet Registries), more specifically the RIPE (Réseaux IP Européens) dump database (John Stamatakis 2014), in order to evaluate the method. Since the organisation name is not available in BGP updates, the data are extracted and processed to produce a structured database (Verification DB). The algorithm then excludes false positive IP prefix hijack detection events from the SFL (Suspicious Findings List) introduced in (Alshamrani et al. 2015). Finally, the algorithm is validated using the 2008 YouTube Pakistan hijack event and the Con-Edison hijack (2006); the analysis demonstrates that the improved algorithm qualitatively increases the accuracy of detecting IP prefix hijacks, specifically by reducing the false positives.
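The correlation step the abstract describes, as an added illustration that is not the paper's code: RIPE-style aut-num objects (real RPSL attribute names, but constructed sample objects with placeholder org codes) are turned into a Verification DB mapping organisation code to ASNs, and SFL events whose old and new origin ASNs belong to the same organisation are dropped as false positives. The SFL tuple layout (prefix, expected origin ASN, observed origin ASN) is an assumption.

```python
from collections import defaultdict

# Constructed RIPE-style (RPSL) aut-num objects; org codes are placeholders.
RIPE_DUMP = """\
aut-num:        AS64500
as-name:        EXAMPLE-NET-1
org:            ORG-EXA1-RIPE
source:         RIPE

aut-num:        AS64501
as-name:        EXAMPLE-NET-2
org:            ORG-EXA1-RIPE
source:         RIPE

aut-num:        AS64502
as-name:        OTHER-NET
org:            ORG-OTH1-RIPE
source:         RIPE
"""

# Constructed SFL events: (prefix, expected origin ASN, observed origin ASN).
SFL = [("192.0.2.0/24", 64500, 64501),
       ("198.51.100.0/24", 64500, 64502),
       ("203.0.113.0/24", 64500, 65000)]


def build_verification_db(dump):
    """Parse RPSL objects (blank-line separated) into {org code: {ASN, ...}}."""
    db = defaultdict(set)
    for obj in dump.split("\n\n"):
        attrs = {}
        for line in obj.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if "aut-num" in attrs and "org" in attrs:
            db[attrs["org"]].add(int(attrs["aut-num"][2:]))  # strip "AS"
    return dict(db)


def filter_sfl(sfl, db):
    """Drop SFL events where both ASNs are held by the same organisation;
    keep events whose ASNs differ in org or are absent from the DB."""
    asn_to_org = {asn: org for org, asns in db.items() for asn in asns}
    kept = []
    for prefix, old_asn, new_asn in sfl:
        old_org, new_org = asn_to_org.get(old_asn), asn_to_org.get(new_asn)
        if old_org is not None and old_org == new_org:
            continue  # same organisation originating via another of its ASNs
        kept.append((prefix, old_asn, new_asn))
    return kept
```

An ASN missing from the Verification DB cannot be cleared, so such events stay in the SFL for the behavioural model to judge.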