A Machine Learning Classifier Can Spot Serial Hijackers Before They Strike

11 Oct 2019
How would you respond if, whenever you had to send very sensitive information somewhere, you relied on a chain of people playing the telephone game to get that information where it needs to go? Sounds like a terrible idea, right? Well, too bad, because that is how the Internet works.
 
Data is routed through the Internet's many metaphorical tubes using what's called the Border Gateway Protocol (BGP). Any data moving over the Internet needs a physical path of networks and routers to make it from A to B. BGP is the protocol that moves information along those paths - though the downside, just as with a person in a game of telephone, is that each junction in the path only knows what it has been told by its immediate neighbor.
 
Since a particular junction in a route knows only where the data it's forwarding just came from and where it's headed next, it's relatively simple for someone to step in and divert the data. At these junctions, autonomous systems establish BGP connections with one another. Like a party pooper intentionally ruining a game of telephone by whispering a totally different phrase than the one that was told to them, a hacker can insert their own autonomous system to reroute information. The worst offenders are serial hijackers, who repeatedly divert data to skim information or enable distributed denial-of-service (DDoS) attacks. In 1998, several hackers testified to the U.S. Congress that the Internet could be taken down by a dedicated hacker in 30 minutes using BGP hacking.
 
Over the years, serial hijackers have been difficult to stop. One recent example was Bitcanal, a Portuguese web hosting firm that spent years helping serial hijackers with their attacks. It took years of coordinated effort from legitimate service providers to shut down Bitcanal, and meanwhile many other serial hijackers still roam the Web. What's worse, serial hijackers have to, as the name suggests, launch several attacks before it becomes clear that they're a bad-faith actor.
 
“BGP [hacking] is one way to sniff at traffic, or steal traffic,” says Cecilia Testart, a graduate student at MIT's Computer Science and Artificial Intelligence Lab (CSAIL). “Given that the Internet is becoming more and more critical, we should try and prevent these attacks.”
 
Testart is the lead author of a paper posted today [PDF] by researchers at CSAIL and the Center for Applied Internet Data Analysis (CAIDA). They suggest that machine learning can be used to proactively stop serial hijackers from their hijinks. Serial hijackers, the researchers argue, show characteristic traits that make them stand out from ordinary network providers. They show that machine learning could dig out serial hijackers much faster than the standard method of identifying them only after multiple attacks.
 
The joint team used a machine learning technique called an extremely-randomized trees (extra-trees) classifier. In a test, the classifier flagged 934 out of the 19,103 autonomous systems it examined as potential serial hijackers. You can think of an extra-trees classifier as growing a forest of trees, where each tree casts a vote of confidence - for instance, on whether someone is a serial hijacker - based on a randomized subset of the available information.
 
The resulting forest represents a consensus. If most trees have arrived at the conclusion that someone is a serial hijacker using the limited information available to them, then you probably have one on your hands. Testart says extra-trees classifiers and other forest classifiers do not have the same bias toward a particular set of training data that a machine learning technique such as deep learning may have. Because the available data on known serial hijackers is so small, deep learning techniques might have skewed toward uncovering only those most similar to known attackers and missed ones that differ more.
 
Of course, for individual trees to cast a vote, they have to know what they are looking for. The research group identified several ways in which serial hijackers differ from the legitimate network providers that usually route Internet traffic. For example, legitimate providers tend to be online more consistently, as they are providing Internet service to genuine customers. Serial hijackers, on the contrary, tend to be online only while they are skimming data.
 
Serial hijackers also usually have more scattered Internet Protocol (IP) blocks - essentially the street addresses of the Internet. Testart explains that an institution like MIT normally has a block of consecutive IP addresses that it uses. Hijackers, however, tend to pick up small ranges of IP addresses as other users abandon them. A single user with a bizarre assortment of IP blocks is therefore more likely to be a serial hijacker.
 
These rules aren't set in stone. Testart notes there are times when a recognized network provider could go offline - for example, during an earthquake or blackout. Fat-finger errors can also lead to typos and misconfigurations that make a legitimate provider look suspicious at first glance. Testart says there is still plenty to be done with the work the research team has published so far. She suggests that an extra-trees classifier like the one the group developed could give network operators a sort of reputation score, so that serial hijackers would see their reputations drop quickly as they went about their nefarious business.
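To make the preceding paragraphs concrete, here is a small added example (not code from the paper or from the CAIDA/CSAIL team) that derives the two kinds of features described above from a constructed set of daily BGP announcements, trains a pure-Python extremely-randomized trees classifier on a handful of labelled autonomous systems, and turns the forest's vote into the kind of reputation score Testart describes. Every AS number, prefix, label and the ten-day window are made up for illustration; the real study used years of routing data and many more features, so treat this as a sketch of the mechanism, not a reproduction of their results.

```python
import random
from collections import defaultdict

DAYS = 10  # length of the constructed observation window, in days


def build_observations():
    """Constructed daily BGP announcements as (asn, day, prefix) tuples.

    Not real routing data: AS64500-64502 stand in for stable providers that
    announce contiguous /16 blocks every day, while AS64510-64512 stand in
    for intermittent actors announcing small, scattered prefixes."""
    obs = []
    for asn, first_octet in ((64500, "10"), (64501, "11"), (64502, "12")):
        for day in range(DAYS):
            for i in range(4):
                obs.append((asn, day, f"{first_octet}.{i}.0.0/16"))
    scattered = ["1.2.3.0/24", "45.67.0.0/22", "98.76.54.0/24", "150.1.2.0/24",
                 "200.200.200.0/24", "77.8.9.0/24", "33.44.55.0/24", "120.5.6.0/24"]
    for k, asn in enumerate((64510, 64511, 64512)):
        for day in range(DAYS):
            if day % 3 == k:  # online on only a third of the days
                for prefix in scattered[2 * k:2 * k + 5]:
                    obs.append((asn, day, prefix))
    return obs


def features(observations, days=DAYS):
    """Per-AS feature vector: [fraction of days online, address-space scatter,
    mean prefix length]. Scatter = distinct first octets / distinct prefixes,
    so a contiguous block scores low and a grab-bag of unrelated blocks high."""
    per_as = defaultdict(lambda: {"days": set(), "prefixes": set()})
    for asn, day, prefix in observations:
        per_as[asn]["days"].add(day)
        per_as[asn]["prefixes"].add(prefix)
    out = {}
    for asn, d in per_as.items():
        prefixes = d["prefixes"]
        first_octets = {p.split(".")[0] for p in prefixes}
        lengths = [int(p.split("/")[1]) for p in prefixes]
        out[asn] = [len(d["days"]) / days,
                    len(first_octets) / len(prefixes),
                    sum(lengths) / len(lengths)]
    return out


def _grow_tree(X, y, rng, depth=0, max_depth=4):
    # Leaf when pure, too small or too deep; leaf value = fraction of positives.
    if len(set(y)) == 1 or len(y) < 2 or depth >= max_depth:
        return ("leaf", sum(y) / len(y))
    for _ in range(10):  # extra-trees: random feature, random cut in its range
        f = rng.randrange(len(X[0]))
        lo, hi = min(r[f] for r in X), max(r[f] for r in X)
        if lo == hi:
            continue
        t = rng.uniform(lo, hi)
        left = [i for i in range(len(X)) if X[i][f] <= t]
        right = [i for i in range(len(X)) if X[i][f] > t]
        if left and right:
            return ("node", f, t,
                    _grow_tree([X[i] for i in left], [y[i] for i in left], rng, depth + 1, max_depth),
                    _grow_tree([X[i] for i in right], [y[i] for i in right], rng, depth + 1, max_depth))
    return ("leaf", sum(y) / len(y))


def _predict_tree(tree, x):
    while tree[0] == "node":
        _, f, t, left, right = tree
        tree = left if x[f] <= t else right
    return tree[1]


class ExtraTrees:
    """Minimal extremely-randomized trees ensemble (no bootstrap, as in extra-trees)."""

    def __init__(self, n_trees=50, seed=0):
        self.n_trees, self.rng, self.trees = n_trees, random.Random(seed), []

    def fit(self, X, y):
        self.trees = [_grow_tree(X, y, self.rng) for _ in range(self.n_trees)]
        return self

    def score(self, x):
        # Fraction of trees voting "serial hijacker": the reputation-style score.
        return sum(_predict_tree(t, x) for t in self.trees) / self.n_trees


def classify_demo():
    """Train on four labelled ASes and score the two unlabelled ones."""
    feats = features(build_observations())
    labels = {64500: 0, 64501: 0, 64510: 1, 64511: 1}  # constructed ground truth
    X = [feats[a] for a in labels]
    y = [labels[a] for a in labels]
    model = ExtraTrees().fit(X, y)
    return {asn: round(model.score(feats[asn]), 2) for asn in (64502, 64512)}


if __name__ == "__main__":
    print(classify_demo())  # {64502: 0.0, 64512: 1.0}
```

Because each tree here picks a random feature and a random threshold rather than the best split, an individual tree is a weak, noisy voter; the forest's average is what gives a usable score. Note how the caveats in the text map onto the features: a provider knocked offline by a blackout would see its first feature drop toward the hijacker range, which is why a score should be tracked over time rather than read from a single snapshot.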
 
The other alternative is to update BGP and turn the game of telephone into something more secure. But Testart doesn't think that's likely. “The Internet is a huge network,” she says. “It's running on infrastructure set up many years ago. If you update a major protocol, you need to update all that infrastructure.” Think about the headaches of trying to get every network provider in the world to agree to change a protocol - it is far easier just to build a tool that can sniff out serial hijackers.
 