![Page 1: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/1.jpg)
10/17/2002 RAID 2002, Zurich 1
ELISHA: A Visual-Based Anomaly Detection System
Soon-Tee Teoh, Kwan-Liu Ma S. Felix Wu
University of California, Davis
Dan Massey, Xiao-Liang Zhao, Allison Mankin
USC/ISI
Dan Pei, Lan Wang, Lixia Zhang
UCLA
Randy Bush
IIJ
![Page 2: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/2.jpg)
Outline
• Visual-based “Anomaly Detection”
• The BGP/MOAS Problem
• ELISHA and demo
• Conclusion/Future Works
![Page 3: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/3.jpg)
A Few Research Objectives
• Limitations on “Anomaly Detection”
– We need to convey the alerts (or their abstraction) to the “human” users or experts
• Not only detecting the problem, but also, via an interactive process, finding more details about it
– Root cause analysis
– Event Correlation
• Human versus Machine Intelligence
![Page 4: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/4.jpg)
Visual-based “Anomaly Detection”
• Utilize human’s cognitive pattern matching capability and techniques from information visualization.
• “Visual” Anomalies
– Something catches your eyes…
![Page 5: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/5.jpg)
An Interactive Process
• Methodology
– Build an interactive interface between network management and operators, so they can visualize the data
– Features help operators quickly perceive anomalies
Pipeline: Data Collection → Filtering → Mapping → Rendering → Viewing
![Page 6: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/6.jpg)
BGP & Autonomous Systems
AS6192 (UCDavis) AS11423 (UC)
AS11537 (CENIC)
169.237/16
![Page 7: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/7.jpg)
6192: UCDavis
11423: UC, the origin ID is CENIC
11537 is admined by University Corporation for Advanced Internet Development, origin ID UCAID-1
513 is admined by CERN - European Organization for Nuclear Research
3356 is admined by Level 3 Communications, LLC, origin ID is L3CL-1
6461 is admined by Abovenet Communications, Inc
13129 is RIPE Network Coordination Centre
209 is admined by Qwest, origin ID is QWEST-4
3320 is RIPE Network Coordination Centre
9177 is admined by NEXTRANET, T-Systems Multilink AG Switzerland.
4637, 1221 and 4608 are admined by APNIC, but I can't find who they are in the APNIC whois database.
3549 is admined by Global Crossing, it is located at Phoenix AZ.
3257 and 3333, 1103 are RIPE Network Coordination Centre
2914 is admined by Verio, Inc
7018 is admined by AT&T
![Page 8: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/8.jpg)
Origin AS in an AS Path
• UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
• AS Path:
– 2194 209 11423 6192
– 12654 513 11537 11423 6192
– 12654 13129 6461 3356 11423 6192
– 12654 9177 3320 209 11423 6192
– 12654 4608 1221 4637 11423 6192
– 12654 777 2497 209 11423 6192
– 12654 3549 3356 11423 6192
– 12654 3257 3356 11423 6192
– 12654 1103 11537 11423 6192
– 12654 3333 3356 11423 6192
– 12654 7018 209 11423 6192
– 12654 2914 209 11423 6192
– 12654 3549 209 11423 6192
• Observation Points in the Internet collecting BGP AS Path Updates
– RIPE: AS-12654
![Page 9: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/9.jpg)
BGP MOAS/OASC Events
• Observable Changes in IP Address Ownership
– OASC: Origin AS Changes
• Example 1:
– Multiple ASes announce the same block of IP addresses.
– MOAS stands for Multiple Origin AS.
• Example 2:
– Punch Holes in the Address Space.
– AS-7777 announced 169.237.6/24
• Maybe legitimate or faulty.
• Many different types of MOAS/OASC events
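As an added illustration of the two event types above (not code from the ELISHA project), the following Python example takes prefix/AS-path pairs as collected at an observation point, extracts the origin AS from each path, and flags both MOAS conflicts (one prefix, several origins) and punched holes (a more specific prefix whose origin shares nothing with the covering prefix's origins). The sample updates are constructed: the 169.237/16 paths follow the slide, AS 65000 is a made-up second origin, and the path ending in AS 7777 is invented to reproduce the hole in 169.237/16.

```python
from collections import defaultdict
import ipaddress

# Constructed sample: (prefix, AS path as seen at the RIPE observation point, AS 12654).
# The 169.237.0.0/16 paths follow the slide; AS 65000 (a private ASN) is a made-up
# second origin, and the path to AS 7777 is invented to reproduce the punched hole.
SAMPLE_UPDATES = [
    ("169.237.0.0/16", "12654 513 11537 11423 6192"),
    ("169.237.0.0/16", "12654 13129 6461 3356 11423 6192"),
    ("169.237.0.0/16", "12654 3549 209 11423 6192"),
    ("169.237.0.0/16", "12654 7018 209 65000"),   # constructed MOAS conflict
    ("169.237.6.0/24", "12654 2914 209 7777"),    # constructed path; origin 7777 as on the slide
]

def origin_as(as_path: str) -> int:
    """The origin AS is the last AS in the path: the one that announced the prefix."""
    return int(as_path.split()[-1])

def origins_by_prefix(updates):
    """Build prefix -> set of origin ASes seen announcing it."""
    table = defaultdict(set)
    for prefix, path in updates:
        table[ipaddress.ip_network(prefix)].add(origin_as(path))
    return table

def find_moas(table):
    """MOAS conflicts: prefixes announced by more than one origin AS."""
    return {str(p): sorted(o) for p, o in table.items() if len(o) > 1}

def find_holes(table):
    """Punched holes: a more specific prefix whose origin set shares nothing
    with the origin set of a covering prefix."""
    holes = []
    for sub, sub_origins in table.items():
        for sup, sup_origins in table.items():
            if sub != sup and sub.subnet_of(sup) and not (sub_origins & sup_origins):
                holes.append((str(sub), sorted(sub_origins), str(sup), sorted(sup_origins)))
    return sorted(holes)

if __name__ == "__main__":
    table = origins_by_prefix(SAMPLE_UPDATES)
    print("MOAS:", find_moas(table))
    print("holes:", find_holes(table))
```

Both checks only produce candidates: as the slide says, a conflict or hole may be legitimate (multihoming, a delegated sub-block) or faulty, and deciding which is the operator's job, which is exactly the gap the visual, interactive approach is meant to fill.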
![Page 10: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/10.jpg)
BGP MOAS/OASC Events
| year | Median number | increase rate | #BGP table entries | increase rate |
|------|---------------|---------------|--------------------|---------------|
| 1998 | 683 | | 52000 | |
| 1999 | 810.5 | 18.7% | 60000 | 15.40% |
| 2000 | 951 | 17.3% | 80000 | 33.30% |
| 2001 | 1294 | 34.8% | 109000 | 36% |

Max: 10226 (9177 from a single AS)
![Page 11: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/11.jpg)
ELISHA/MOAS
• Low level events: BGP Route Updates
• High level events: MOAS/OASC
– Still 1000+ per day and max 10226 per day
• IP address blocks
• Origin AS in BGP Update Messages
• Different Types of MOAS conflicts
![Page 12: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/12.jpg)
Quad-Tree Representation
(Figure: the IP address space drawn as a quad-tree, with cells labelled by the binary prefix they cover: 1101, 1000, 1001; 110001, 110011, 111001, 111011; 110000, 110010, 111000, 111010; 0011, 0110. The remaining axis is labelled AS#.)
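An added example (not the project's own code) of the quad-tree mapping the figure shows: each pair of prefix bits selects one quadrant of the current cell, so a /16 lands at depth 8 and a /24 at depth 12, and a more specific prefix always falls inside the cell of its covering prefix. The bit-order convention (first bit of a pair picks the row, second the column) is an assumption; the slide does not state it. Prefixes are written in full dotted-quad form because Python's ipaddress module requires that.

```python
import ipaddress

def prefix_bits(prefix: str) -> str:
    """Network bits of a prefix as a string, e.g. 169.237.0.0/16 -> 16 bits."""
    net = ipaddress.ip_network(prefix, strict=False)
    return format(int(net.network_address), "032b")[: net.prefixlen]

def quadtree_cell(bits: str):
    """Map a bit string to (depth, x, y) in the quad-tree.
    Each pair of bits picks one quadrant of the current cell; the first bit
    of the pair selects the row (y) and the second the column (x).
    This bit-order convention is an assumption, not stated on the slide."""
    if len(bits) % 2:
        raise ValueError("quad-tree cells need an even number of prefix bits")
    x = y = 0
    for i in range(0, len(bits), 2):
        y = (y << 1) | int(bits[i])
        x = (x << 1) | int(bits[i + 1])
    return len(bits) // 2, x, y

def cell_label(depth: int, x: int, y: int) -> str:
    """Inverse of quadtree_cell: rebuild the bit label of a cell, so a cell the
    operator picks on screen can be traced back to the prefix it stands for."""
    out = []
    for i in range(depth - 1, -1, -1):
        out.append(str((y >> i) & 1))
        out.append(str((x >> i) & 1))
    return "".join(out)

def is_nested(inner: str, outer: str) -> bool:
    """True when the cell for `inner` lies inside the cell for `outer`, which is
    how a punched hole (a more specific prefix) shows up in the plot."""
    return prefix_bits(inner).startswith(prefix_bits(outer))

if __name__ == "__main__":
    for p in ("169.237.0.0/16", "169.237.6.0/24"):
        bits = prefix_bits(p)
        print(p, bits, quadtree_cell(bits))
    print(is_nested("169.237.6.0/24", "169.237.0.0/16"))
```

Odd prefix lengths (a /25, say) do not map to a single cell under this scheme and are rejected rather than silently rounded, so a plot built this way never places an announcement in the wrong cell.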
![Page 13: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/13.jpg)
MOAS Event Types
• Using different colors to represent types of MOAS events
• C type: CSS, CSM, CMS, CMM
• H type: H
• B type: B
• O type: OS, OM
![Page 14: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/14.jpg)
Example: CSM (Change SM)
(Figure: the same quad-tree plot, cells labelled 1101, 1000, 1001; 110001, 110011, 111001, 111011; 110000, 110010, 111000, 111010; 0011, 0110, with one CSM instance drawn between a cell marked “victim” and a cell marked “suspect”.)
![Page 15: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/15.jpg)
AS-7777 Punched a Hole
Which AS against which, and which address blocks?
![Page 16: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/16.jpg)
Interesting ASs to watch
• AS7777
– August 14, 2000: H, OS
• AS15412
– April 6-19, 2001: CSM, CMS
• AS4740
– August 18, 2001: CSM, CMS
– September 27, 2001: CSM, CMS
• AS701
– May 02, 2001: H (63.0/10)
• 00 11 11 11 00 *****
– March 1, 2000, July 11, 200, September 26, 2001...
• AS64518
– September 18, 2001: Nimda H’ed from many ASes.
![Page 17: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/17.jpg)
Demo time!!
![Page 18: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/18.jpg)
08/14/2000 & 04/2001
![Page 19: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/19.jpg)
Remarks
• Preliminary but encouraging results
– Root cause analysis
– Event correlation
• Integration of Information Visualization, Interactive Investigation Process, and Data Mining
• Examining several other problems:
– BGP Route Path Dynamics and Stability
– TCP/IP and HTTP Traffic
• Availability (source code, papers, ppt)
– http://www.cs.ucdavis.edu/~wu/Elisha/
• Sponsored by DARPA and NSF
![Page 20: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/20.jpg)
August 14, 2000 (larger)
![Page 21: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/21.jpg)
2-D versus 3-D on August 14, 2000
![Page 22: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/22.jpg)
![Page 23: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/23.jpg)
BGP AS Path Dynamics (1)
![Page 24: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/24.jpg)
BGP AS Path Dynamics (2)
![Page 25: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/25.jpg)
Address Appearing Frequency
Normal
![Page 26: ELISHA: A Visual-Based Anomaly Detection System](https://reader035.vdocuments.us/reader035/viewer/2022081519/56813e86550346895da8bf8f/html5/thumbnails/26.jpg)
DDoS Attack