[liberationtech] Paper being read at this week's Stanford info-sec seminar series
Yosem Companys
ycompanys at gmail.com
Tue Apr 28 07:38:06 CEST 2020
Profiling BGP Serial Hijackers: Capturing Persistent Misbehavior in the Global Routing Table
BGP hijacks remain an acute problem in today's Internet, with widespread
consequences. While hijack detection systems are readily available, they
typically rely on a priori prefix-ownership information and are reactive in
nature. In this work, we take on a new perspective on BGP hijacking activity: we
introduce and track the long-term routing behavior of serial hijackers, networks
that repeatedly hijack address blocks for malicious purposes, often over the
course of many months or even years. Based on a ground truth dataset that we
construct by extracting information from network operator mailing lists, we
illuminate the dominant routing characteristics of serial hijackers, and how
they differ from legitimate networks. We then distill features that can capture
these behavioral differences and train a machine learning model to automatically
identify Autonomous Systems (ASes) that exhibit characteristics similar to
serial hijackers. Our classifier identifies ≈ 900 ASes with similar behavior in
the global IPv4 routing table. We analyze and categorize these networks, finding
a wide range of indicators of malicious activity, misconfiguration, as well as
benign hijacking activity. Our work presents a solid first step towards
identifying and understanding this important category of networks, which can aid
network operators in taking proactive measures to defend themselves against
prefix hijacking and serve as input for current and future detection systems.
https://dl.acm.org/doi/10.1145/3355369.3355581
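The abstract above describes deriving per-AS features from long-term origination behaviour and classifying ASes whose behaviour resembles that of serial hijackers. The following Python is an added illustration of that idea, not code from the paper or the list post: it takes a few constructed daily snapshots of (prefix, origin AS) pairs and computes simple longitudinal features per AS (number of prefixes originated, fraction that were short-lived, fraction that conflict with the prefix's dominant origin, and fraction of days present). The feature definitions and thresholds are assumptions chosen for the example and are not the paper's feature set; the sample data uses documentation prefixes and private ASNs.

```python
"""Toy per-AS origination features from daily routing snapshots.

Added illustration of the "long-term routing behaviour" idea; the features and
thresholds below are assumptions for this example, not the paper's method.
"""
from collections import defaultdict

# Constructed sample: day -> list of (prefix, origin ASN). Not real routing data.
# AS 64510 announces, for one day each, two prefixes normally originated by
# other ASes plus one unrelated block; the other ASes are stable.
SNAPSHOTS = {
    1: [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501), ("203.0.113.0/24", 64502)],
    2: [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501), ("203.0.113.0/24", 64502),
        ("198.51.100.0/24", 64510)],
    3: [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501), ("203.0.113.0/24", 64502),
        ("10.9.0.0/16", 64510)],
    4: [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501), ("203.0.113.0/24", 64502),
        ("203.0.113.0/24", 64510)],
    5: [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501), ("203.0.113.0/24", 64502)],
}


def origination_history(snapshots):
    """Map each (prefix, asn) pair to the set of days on which it was originated."""
    hist = defaultdict(set)
    for day, entries in snapshots.items():
        for prefix, asn in entries:
            hist[(prefix, asn)].add(day)
    return hist


def per_as_features(snapshots, short_days=1):
    """Compute hypothetical longitudinal features for every origin AS."""
    hist = origination_history(snapshots)
    days_total = len(snapshots)

    # Dominant origin of a prefix: the AS that originated it on the most days.
    prefix_days = defaultdict(lambda: defaultdict(int))
    for (prefix, asn), days in hist.items():
        prefix_days[prefix][asn] = len(days)
    dominant = {p: max(d, key=d.get) for p, d in prefix_days.items()}

    feats = defaultdict(lambda: {"prefixes": 0, "short_lived": 0, "conflicting": 0})
    days_present = defaultdict(set)
    for (prefix, asn), days in hist.items():
        f = feats[asn]
        f["prefixes"] += 1
        if len(days) <= short_days:          # announced only briefly
            f["short_lived"] += 1
        if dominant[prefix] != asn:           # someone else is the usual origin
            f["conflicting"] += 1
        days_present[asn] |= days

    for asn, f in feats.items():
        f["presence"] = len(days_present[asn]) / days_total
        f["short_lived_frac"] = f["short_lived"] / f["prefixes"]
        f["conflicting_frac"] = f["conflicting"] / f["prefixes"]
    return dict(feats)


def flag_volatile_origins(features, short_frac=0.5, conflict_frac=0.5):
    """Return ASNs whose originations are mostly short-lived and mostly conflicting.

    Thresholds are assumed values for the example; a real classifier would be
    trained on labelled data rather than hand-set cut-offs.
    """
    return sorted(asn for asn, f in features.items()
                  if f["short_lived_frac"] >= short_frac
                  and f["conflicting_frac"] >= conflict_frac)


if __name__ == "__main__":
    feats = per_as_features(SNAPSHOTS)
    for asn, f in sorted(feats.items()):
        print(asn, f)
    print("flagged:", flag_volatile_origins(feats))
```

On the constructed snapshots only AS 64510 is flagged: all three of its originations last a single day and two of the three conflict with a prefix's long-standing origin, while the stable ASes have no short-lived or conflicting originations. Features of this kind, computed over months rather than five days, are the sort of input the abstract says a classifier can be trained on.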