AP2Vec: An Unsupervised Approach for BGP Hijacking Detection

Tal Shapira, Yuval Shavitt

Research output: Contribution to journal › Article › peer-review

Abstract

BGP hijack attacks deflect traffic between endpoints through the attacker's network, leading to man-in-the-middle attacks. Thus, their detection is an important security challenge. In this paper, we introduce a novel approach for BGP hijacking detection that is based on the observation that during a hijack attack, the functional roles of ASNs along the route change. To identify a functional change, we build on previous work that embeds ASNs to vectors based on BGP routing announcements and embed each IP address prefix (AP) to a vector representing its latent characteristics; we call it AP2Vec. Then, we compare the embedding of a new route with the AP embedding that is based on the old routes to identify large differences. We compare our unsupervised approach to several other new and previous approaches and show that it strikes the best balance between a high detection rate of hijack events and a low number of flagged events. In particular, for a two-hour route collection with 10-90,000 route changes, our algorithm typically flags 1-11 suspected events (0.01-0.05% FP). Our algorithm also detected most of the previously published hijack events.

Original language: English
Pages (from-to): 2255-2268
Number of pages: 14
Journal: IEEE Transactions on Network and Service Management
Volume: 19
Issue number: 3
State: Published - 1 Sep 2022

Keywords

  • AP embedding
  • BGP
  • IP hijack detection
  • Internet security
  • deep learning

All Science Journal Classification (ASJC) codes

  • Electrical and Electronic Engineering
  • Computer Networks and Communications
