A Deep Learning Approach for Detecting IP Hijack Attacks
2. July 2024, 14:00 bis 15:00
In recent years, there have been many reports of BGP Prefix hijacking of nations and large companies, as more than 40% of the network operators reported that their organization had been a victim of a hijack in the past. BGP hijack attacks deflect traffic between endpoints through the attacker network, leading to man-in-the-middle attacks.
In this talk, we will discuss a deep learning approach for detecting IP hijack attacks on the internet. To detect these attacks, we propose a system that harnesses deep learning techniques. First, we create a dense vector representation of Autonomous Systems (ASes) using BGP routing update messages, called BGP2Vec. This representation allows us to identify the type of relationship between ASes, known as ToR, and detect hijack attacks using valley-free routing rules. Additionally, we train a model using complete routes to identify hijacked routes, taking into account small deviations from valley-free routing. To improve the system’s ability to identify the cause of a flagged route, we also propose a Source-Aware Self- Attention (SASA) layer. Lastly, we introduce a novel approach, called AP2Vec, that detects functional changes in ASes during a hijack attack by comparing the embedding of a new route to the embedding of old routes. We demonstrate that our approach strikes the best balance between a high detection rate and a low number of flagged events.