- Researchers are working on a machine-learning model that can identify the dominant characteristics of hijackers.
- This is a new approach to help proactively prevent serial hijackers.
- Border Gateway Protocol (BGP) is the routing protocol that autonomous systems use to exchange reachability information: each network announces the IP prefixes it can reach, and the rest of the internet forwards traffic along the paths those announcements produce.
- However, BGP has no built-in authentication of who originates a prefix and no validation of the announced routes, so a network can announce address space it does not own and its neighbours will, by default, accept the announcement. This allows attackers to hijack prefixes and divert traffic.
- In the BGP route tables, each participating network (an internet service provider, content provider, enterprise and so on) is an Autonomous System (AS) identified by a unique AS number (ASN); every route carries the ASN that originated it and the sequence of ASes it passed through.
- Researchers from MIT are working on a system that identifies Autonomous Systems (ASes) whose long-term announcement behaviour resembles that of serial hijackers.
- This system will help network providers to proactively stop serial hijackers.
“We take on a new perspective on illicit BGP activity: instead of looking at individual BGP hijacking events, we study the long-term prefix advertisement dynamics in the global routing table in space and time,” say the researchers in the published paper.
Details of the research
Researchers at MIT’s Computer Science and Artificial Intelligence Lab conducted a detailed study of BGP routing behaviour over the course of five years.
- On the basis of preliminary results, they concluded that the patterns they found could potentially be leveraged in automated applications to reveal hijacking behaviour that would otherwise go undetected.
- In a typical BGP hijack, the attacker's AS announces a prefix it does not own, or a more-specific portion of someone else's prefix, so that other networks route traffic destined for those addresses to the attacker instead of the legitimate origin. Operators rely largely on network operator mailing lists to report and track ongoing hijacks.
- The research team went through five years of hijack reports on these operator mailing lists and noticed that the same ASes were repeatedly responsible for the hijacks.
- Using this data as labelled examples, the team trained a machine-learning model to identify the key characteristics that distinguish such ASes.
- Along the way they faced several challenges, including false positives and a large amount of heterogeneous data.
“In the future, we plan to extend the features we leverage for classification. Potential additional features include more BGP-derived properties, such as AS-path characteristics of hijacked prefixes, as well as sub- and super-MOAS events,” reads the paper.
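To make the approach concrete, here is an added example (not code from the MIT researchers or their paper) of the kind of long-term prefix advertisement features the passages above describe, computed over a constructed sample of prefix-origin observations, together with the MOAS and sub-MOAS conflicts that the closing quote mentions. The feature names, the 30-day short-lived threshold, the heuristic ranking and every prefix and ASN below are assumptions for illustration; the paper's actual feature set and classifier are not reproduced here.

```python
"""Toy profiling of BGP origin behaviour per autonomous system (illustrative only)."""
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed sample of prefix-origin observations over a 365-day window:
# (prefix, origin ASN, first day seen, last day seen). ASNs come from the
# private range and prefixes from documentation/private space; nothing here
# describes a real network.
OBSERVATIONS = [
    # stable network: two prefixes announced all year
    ("192.0.2.0/24",    64500,   0, 365),
    ("198.51.100.0/24", 64500,   0, 365),
    # second stable network
    ("203.0.113.0/24",  64501,   0, 365),
    ("10.10.0.0/16",    64501,   0, 365),
    # suspicious network: brief announcements of other networks' space
    ("192.0.2.0/24",    64666,  40,  43),   # same prefix as 64500: MOAS
    ("203.0.113.0/25",  64666, 100, 102),   # more specific of 64501's /24: sub-MOAS
    ("10.10.5.0/24",    64666, 150, 151),   # more specific of 64501's /16: sub-MOAS
    ("10.20.0.0/24",    64666, 200, 205),
    ("10.30.0.0/24",    64666, 300, 301),
    ("10.40.0.0/24",    64666,   0, 365),   # one stable prefix of its own
]

SHORT_DAYS = 30  # assumed threshold: visible for fewer days than this = short-lived


def origins_by_prefix(observations):
    """Map each prefix to the set of ASNs observed originating it."""
    origins = defaultdict(set)
    for prefix, asn, _first, _last in observations:
        origins[prefix].add(asn)
    return origins


def moas_events(observations):
    """MOAS (Multiple Origin AS): the same prefix originated by more than one AS."""
    return {p: o for p, o in origins_by_prefix(observations).items() if len(o) > 1}


def submoas_events(observations):
    """Sub-MOAS: a more-specific prefix originated by a different AS than a
    covering, less-specific prefix. Viewed from the covering prefix's side the
    same event is a super-MOAS. Returns sorted
    (specific prefix, its origin, covering prefix, covering origin) tuples."""
    pairs = {(prefix, asn) for prefix, asn, _f, _l in observations}
    events = set()
    for spec, spec_asn in pairs:
        spec_net = ip_network(spec)
        for cov, cov_asn in pairs:
            cov_net = ip_network(cov)
            # subnet_of() raises on mixed IPv4/IPv6; equal prefixes are plain MOAS
            if (cov_net.version != spec_net.version or cov_net == spec_net
                    or cov_asn == spec_asn):
                continue
            if spec_net.subnet_of(cov_net):
                events.add((spec, spec_asn, cov, cov_asn))
    return sorted(events)


def per_as_features(observations, short_days=SHORT_DAYS):
    """Long-term advertisement features for each origin AS."""
    durations = defaultdict(dict)  # asn -> {prefix: days visible}
    for prefix, asn, first, last in observations:
        durations[asn][prefix] = max(durations[asn].get(prefix, 0), last - first)
    moas = moas_events(observations)
    features = {}
    for asn, prefixes in durations.items():
        days = list(prefixes.values())
        features[asn] = {
            "prefix_count": len(prefixes),
            "median_duration": median(days),
            "short_fraction": sum(d < short_days for d in days) / len(days),
            "moas_fraction": sum(p in moas for p in prefixes) / len(prefixes),
        }
    return features


def rank_suspicious(observations):
    """Rank ASNs by a transparent heuristic, 'mostly short-lived prefixes that
    conflict with other origins'. A stand-in for a trained classifier."""
    feats = per_as_features(observations)
    key = lambda a: (feats[a]["short_fraction"], feats[a]["moas_fraction"])
    return sorted(feats, key=key, reverse=True)


if __name__ == "__main__":
    for asn, f in sorted(per_as_features(OBSERVATIONS).items()):
        print(asn, f)
    print("MOAS:", moas_events(OBSERVATIONS))
    print("sub-MOAS:", submoas_events(OBSERVATIONS))
    print("ranking:", rank_suspicious(OBSERVATIONS))
```

Two things the toy run makes visible. First, a MOAS conflict on its own does not say who the hijacker is: AS64500 is party to the same conflict as AS64666 because its prefix was the one taken, so a conflict count alone would flag victims as readily as offenders. It is the behaviour over time (many prefixes, each visible only for days) that separates the two in this sample. Second, the sub-MOAS and super-MOAS labels describe one event from the two sides of the prefix hierarchy, which is why the quoted passage lists them together as candidate features.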