How MIT researchers use machine learning to detect IP hijackings before they occur

This smacks of Minority Report pre-crime. I like it…:

[…] To zero in on serial IP hijackings, the team grabbed information from network operator mailing lists and from historical BGP data taken every five minutes from the global routing table. By analyzing that information, they were able to detect specific traits of hijackers and then train their system to automatically identify those traits.

Specifically, the machine learning system tagged networks with three key traits in terms of the blocks of IP addresses they use:

  1. Volatile changes in activity. The blocks of addresses used by hijackers appear to vanish faster than do those used by legitimate networks. On average, addresses used by hijackers disappeared after 50 days, compared with two years for legitimate addresses.
  2. Multiple address blocks. Serial IP hijackers often advertise more blocks of IP addresses, or network prefixes. The median number was 41 compared with 23 for legitimate networks.
  3. IP addresses in multiple countries. Most networks don’t have foreign IP addresses, while serial hijackers are more likely to register addresses in other countries and continents.

One challenge is that some IP hijackings can be the result of human error rather than a malicious attack. As a result, the team had to manually identify false positives, which accounted for around 20% of the results from the system. To cut down on the manual work, the team said it hopes that future versions of the system will be able to take on this type of activity without as much human intervention.

[…]
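To make the three traits concrete, here is an added toy example (mine, not code from the MIT team or the quoted article) that derives them from routing-table snapshots. It assumes a constructed list of (snapshot time, origin AS, prefix, registration country) observations, uses private-range ASNs 64500 and 64501 and documentation prefixes as sample data, samples daily rather than every five minutes to keep the data small, and applies hand-picked thresholds in place of the trained classifier. Anything it flags is a candidate for analyst review, in line with the article's note that roughly a fifth of the system's hits turned out to be benign.

```python
"""Toy feature extraction for spotting serial-hijacker-like origin ASes.

Added illustration, not the MIT team's code. It mirrors the three traits the
article lists (prefix volatility, number of prefixes, number of countries)
over a constructed set of routing-table snapshots. Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

START = datetime(2024, 1, 1)
DAY = timedelta(days=1)


def sample_observations():
    """Constructed snapshots: (snapshot_time, origin_asn, prefix, country).

    A real pipeline would read these from archived global routing-table dumps
    taken every five minutes; here one snapshot per day keeps the sample small.
    """
    obs = []
    # AS 64500 (constructed, private ASN range): legitimate-looking.
    # Two stable prefixes in one country, announced every day for 400 days.
    for d in range(400):
        t = START + d * DAY
        obs.append((t, 64500, "192.0.2.0/24", "US"))
        obs.append((t, 64500, "198.51.100.0/24", "US"))
    # AS 64501 (constructed): serial-hijacker-like.
    # Six short-lived prefixes, each visible for ~20 days, registered in
    # several different countries.
    countries = ["BR", "RU", "NL", "SG", "ZA"]
    for i in range(6):
        first = i * 30
        for d in range(first, first + 20):
            t = START + d * DAY
            obs.append((t, 64501, f"203.0.113.{i * 32}/27", countries[i % len(countries)]))
    return obs


def extract_features(observations):
    """Per origin AS: mean prefix lifetime (days), distinct prefixes, distinct countries."""
    first_seen, last_seen = {}, {}
    countries = defaultdict(set)
    for t, asn, prefix, country in observations:
        key = (asn, prefix)
        if key not in first_seen or t < first_seen[key]:
            first_seen[key] = t
        if key not in last_seen or t > last_seen[key]:
            last_seen[key] = t
        countries[asn].add(country)
    lifetimes = defaultdict(list)
    for (asn, prefix), start in first_seen.items():
        # +1 so a prefix seen in a single snapshot counts as one day, not zero.
        lifetimes[asn].append((last_seen[(asn, prefix)] - start).days + 1)
    return {
        asn: {
            "mean_lifetime_days": mean(lt),
            "prefix_count": len(lt),
            "country_count": len(countries[asn]),
        }
        for asn, lt in lifetimes.items()
    }


# Assumed rule-of-thumb thresholds for this toy scorer. The article's figures
# (50-day vs two-year lifetimes, 41 vs 23 prefixes) are medians over the real
# data set; the prefix threshold here is scaled down to fit the tiny sample.
MAX_LIFETIME_DAYS = 90
MIN_PREFIXES = 5
MIN_COUNTRIES = 2


def score(features):
    """Number of the three traits (0..3) an AS exhibits."""
    hits = 0
    if features["mean_lifetime_days"] < MAX_LIFETIME_DAYS:
        hits += 1
    if features["prefix_count"] >= MIN_PREFIXES:
        hits += 1
    if features["country_count"] >= MIN_COUNTRIES:
        hits += 1
    return hits


def flag_candidates(observations, min_hits=2):
    """ASNs matching at least min_hits traits, queued for human review
    (the article notes ~20% of the system's hits were benign, e.g. operator error)."""
    feats = extract_features(observations)
    return sorted(asn for asn, f in feats.items() if score(f) >= min_hits)


if __name__ == "__main__":
    for asn, f in extract_features(sample_observations()).items():
        print(asn, f, "traits matched:", score(f))
    print("candidates for review:", flag_candidates(sample_observations()))
```

The scorer is deliberately a transparent trait count rather than a learned model: with only a handful of labelled cases, a reviewer can see exactly which trait fired for each flagged AS, which is what makes the manual false-positive pass the article describes tractable.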

Read the original article here