BGPfuse: using visual feature fusion for the detection and attribution of BGP anomalies

  • Authors: Stavros Papadopoulos; Georgios Theodoridis; Dimitrios Tzovaras

  • Affiliations: Imperial College London; Information Technologies Institute, Centre for Research and Technology Hellas; Information Technologies Institute, Centre for Research and Technology Hellas

  • Venue: Proceedings of the Tenth Workshop on Visualization for Cyber Security
  • Year: 2013

Abstract

This paper presents BGPfuse, a scheme for visualizing and exploring BGP (Border Gateway Protocol) path change anomalies. BGPfuse uses a set of BGP features that are capable of quantifying the degree of anomaly of each path change event. Moreover, visual methods are introduced for performing the efficient fusion of these multiple features. Exploiting human perception makes it possible to overcome the static nature of the existing weight-based fusion approaches. A Parallel Coordinates approach is used to visualize these features, which is further enhanced with filtering capabilities, so as to discriminate between normal and abnormal events. BGPfuse uses multiple linked graph views to represent in depth the relationships among the involved Autonomous Systems (ASes), as well as a combined graph view to highlight structural similarities between all the individual feature graphs. The structural similarities, as well as the filtering capabilities provided by BGPfuse, enable the analyst to perform visual fusion of the BGP features, so as to detect any suspicious behavior and focus only on the most interesting cases. Experimental demonstration of BGPfuse shows the analytical potential of the proposed approach by decisively capturing malicious BGP hijacking events.