Opening the Black Box – Applying Explainable AI to Enhance Prefix Hijacking Detection
Abstract
The BGP protocol lacks native security mechanisms, allowing malicious actors to hijack prefixes. Recent studies use machine learning to detect these hijacks, but the models are black boxes, making it difficult to determine whether they rely on the most suitable features. This work applies eXplainable Artificial Intelligence (XAI) techniques to evaluate and improve a recently proposed model for prefix-hijack detection. Through extensive analysis of the original model with 28 features, we developed two models with 11 and 5 features that yield results with no statistically significant difference from the complete model, while reducing processing time by over 30% and storage space by over 59%.
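The abstract describes the workflow in general terms: train a detector, use an explainability technique to rank the features it actually relies on, and retrain on a smaller feature set while checking that accuracy does not degrade. The following is an added, self-contained illustration of that workflow and is not the paper's code, model or data. It assumes a constructed synthetic dataset (eight numeric features, of which only three drive the label), a plain logistic-regression classifier as a stand-in for the paper's model, and permutation importance as the explainability method; the paper's 28 real BGP features and its particular XAI technique are not given on this page.

```python
import math
import random

# Constructed synthetic data (illustration only): features 0, 1 and 2 drive the
# label with the weights below; features 3..7 are pure noise. Real prefix-hijack
# features (AS-path, origin, RPKI/IRR state, ...) are NOT modelled here.
INFORMATIVE = {0: 2.0, 1: -1.5, 2: 1.0}
N_FEATURES = 8


def make_dataset(n=800, seed=7):
    """Return (X, y) with n rows; label is 1 when the weighted informative
    features plus a little Gaussian noise are positive."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        row = [rng.uniform(-1, 1) for _ in range(N_FEATURES)]
        score = sum(w * row[j] for j, w in INFORMATIVE.items()) + rng.gauss(0, 0.2)
        X.append(row)
        y.append(1 if score > 0 else 0)
    return X, y


def train_logreg(X, y, epochs=300, lr=0.5):
    """Batch gradient descent on the logistic loss; returns (weights, bias)."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for row, label in zip(X, y):
            z = sum(wi * xi for wi, xi in zip(w, row)) + b
            err = 1.0 / (1.0 + math.exp(-z)) - label
            for j in range(d):
                gw[j] += err * row[j]
            gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def accuracy(model, X, y):
    w, b = model
    hits = 0
    for row, label in zip(X, y):
        z = sum(wi * xi for wi, xi in zip(w, row)) + b
        hits += int((z > 0) == (label == 1))
    return hits / len(y)


def permutation_importance(model, X, y, seed=11):
    """Model-agnostic explanation: shuffle one feature column at a time on
    held-out data and record how much accuracy drops. A feature the model
    ignores yields a drop near zero."""
    rng = random.Random(seed)
    base = accuracy(model, X, y)
    importance = []
    for j in range(len(X[0])):
        col = [row[j] for row in X]
        rng.shuffle(col)
        Xp = [row[:j] + [c] + row[j + 1:] for row, c in zip(X, col)]
        importance.append(base - accuracy(model, Xp, y))
    return importance


def select_features(importance, k):
    """Indices of the k most important features, highest first."""
    return sorted(range(len(importance)), key=lambda j: importance[j], reverse=True)[:k]


def project(X, cols):
    return [[row[j] for j in cols] for row in X]


def compare_full_vs_reduced(k=3):
    """Train on all features, explain, keep the top-k, retrain, and report
    both held-out accuracies so the reduction can be judged."""
    X, y = make_dataset()
    split = int(0.7 * len(X))
    Xtr, ytr, Xte, yte = X[:split], y[:split], X[split:], y[split:]
    full = train_logreg(Xtr, ytr)
    imp = permutation_importance(full, Xte, yte)
    keep = select_features(imp, k)
    reduced = train_logreg(project(Xtr, keep), ytr)
    return {
        "kept": sorted(keep),
        "importance": imp,
        "full_acc": accuracy(full, Xte, yte),
        "reduced_acc": accuracy(reduced, project(Xte, keep), yte),
    }


if __name__ == "__main__":
    result = compare_full_vs_reduced()
    print("kept features:", result["kept"])
    print("full-model accuracy: %.3f" % result["full_acc"])
    print("reduced-model accuracy: %.3f" % result["reduced_acc"])
```

The importance scores are computed on held-out data, not on the training split, because a model can appear to depend on a feature it merely memorised. In the real setting the comparison step would be a statistical test across several runs rather than a single accuracy difference, which is what the abstract's "no statistically significant difference" refers to.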
