Israeli Networking Day 2021 - A Deep Learning Approach to Detecting IP Hijack Attacks
A Deep Learning Approach to Detecting IP Hijack Attacks: go to minute 19:24.
Presented at the Israeli Networking Day 2021.
The Internet consists of thousands of Autonomous Systems (ASes); each AS advertises one or more IP address prefixes (APs) using the Border Gateway Protocol (BGP). In recent years, there have been many reports of BGP prefix hijacking against nations and large companies, and more than 40% of the network operators reported that their organization had been a victim of a hijack in the past. In this work, we harness Deep Learning to detect IP hijack attacks and gain additional insight into the Internet structure. First, we build on the excellent results achieved for NLP tasks and create a dense vector representation of AS numbers (ASNs), called BGP2Vec. In place of the sentences used in NLP, we use AS-level routes, such as the ones used in BGP announcements. Our results show that such an embedding indeed reveals latent characteristics of the ASNs. Next, we use the difference between the coordinate vectors representing neighboring ASNs in a route to indicate their type of relationship (ToR). This allows us to solve the long-studied problem of ToR identification. We found that similar ToRs are embedded in the same vicinity; therefore, we can use the neighbors of a new ToR to classify it. This result allows us to use valley-free routing rules to detect hijack attacks. Furthermore, we also train a model on complete routes to identify hijacked routes. This allows the system to also learn small deviations from valley-free routing that are due to complex ToRs.
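The valley-free rule the abstract relies on, as an added example that is not the authors' code: a route may climb customer-to-provider links, cross at most one peer link, then only descend. The ToR table here is constructed by hand (in the work the labels are inferred from BGP2Vec embeddings), and the ASNs are from the documentation range.

```python
# Added example: valley-free validation of an AS-level route.
# Assumption: ToR labels are already known per link; this table is constructed.
C2P, P2P, P2C = "c2p", "p2p", "p2c"  # customer->provider, peer-peer, provider->customer

_DIRECTED = {
    (64496, 64500): C2P,
    (64496, 64501): C2P,  # 64496 is multihomed to two providers
    (64497, 64500): C2P,
    (64498, 64501): C2P,
    (64499, 64501): C2P,
    (64500, 64501): P2P,
}
_INVERSE = {C2P: P2C, P2C: C2P, P2P: P2P}
TOR = dict(_DIRECTED)
TOR.update({(b, a): _INVERSE[t] for (a, b), t in _DIRECTED.items()})


def check_valley_free(path, tor=TOR):
    """Return (verdict, link) for an AS path.

    verdict is "valley-free", "violation" or "unknown-link"; link is the
    offending (from_asn, to_asn) pair, or None. The property is symmetric,
    so the path may be read origin-first or receiver-first.
    """
    # Collapse AS-path prepending (the same ASN repeated back to back).
    hops = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
    descending = False  # set once a peer or provider->customer link is crossed
    for a, b in zip(hops, hops[1:]):
        rel = tor.get((a, b))
        if rel is None:
            return ("unknown-link", (a, b))  # no ToR label for this adjacency
        if descending and rel != P2C:
            return ("violation", (a, b))  # climbed or peered after the peak
        if rel in (P2P, P2C):
            descending = True
    return ("valley-free", None)


if __name__ == "__main__":
    for route in ([64496, 64500, 64501, 64498],          # up, peer, down
                  [64497, 64500, 64496, 64501, 64499],   # customer used as transit
                  [64496, 64500, 64510]):                # adjacency never seen
        print(route, check_valley_free(route))
```

A "violation" verdict is an indicator to investigate, since the abstract notes that complex ToRs produce small legitimate deviations from valley-free routing.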