Authors: DENG Hailian (邓海莲), LIU Yujing (刘宇靖)[1], GE Yixuan (葛一漩), SU Jinshu (苏金树)[1] (College of Computer Science and Technology, National University of Defense Technology, Changsha, Hunan 410005, China; College of Liberal Arts and Sciences, National University of Defense Technology, Changsha, Hunan 410005, China)
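Affiliations: [1] College of Computer Science and Technology, National University of Defense Technology, Changsha, Hunan 410005, China; [2] College of Liberal Arts and Sciences, National University of Defense Technology, Changsha, Hunan 410005, China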
Source: Netinfo Security (《信息网络安全》), 2019, No. 11, pp. 63-70 (8 pages)
Funding: National Natural Science Foundation of China [61602503]
Abstract: Owing to flaws in the design of the BGP protocol, the Internet's inter-domain routing system faces serious security problems such as prefix hijacking, path tampering and route leaks. Existing routing anomaly detection systems typically detect anomalies from abnormal characteristics of routing messages and data traffic. However, because the network environment changes from moment to moment and routing attacks take many forms, locating anomalous events efficiently and accurately is difficult. By analyzing a large volume of real inter-domain routing data, this paper finds that routing changes follow a power law: routes between the vast majority of source-destination pairs are stable, while routes between a very small fraction of source-destination pairs change frequently. Based on this observation, the paper proposes a method that detects anomalous routing behavior by measuring the deviation of routing behavior from a normal model, and validates it on a real Internet incident in which Google accidentally hijacked Japanese network prefixes. The method provides strong support for detecting and analyzing routing anomalies and is significant for improving rapid response to such events.
Classification code: TP309 [Automation and Computer Technology: Computer Systems Architecture]