SASA: Source-Aware Self-Attention for IP Hijack Detection

Abstract

IP hijack attacks deflect traffic between endpoints through the attacker network, leading to man-in-the-middle attacks. Current detection solutions are only based on AS-level path analysis, while attacks that include data-plane manipulations may exhibit only geographic anomalies and preserve the AS-level route, or hide the problematic AS in the path. Thus, there is a need to develop data-plane analysis frameworks that examine the actual route packets traverse. We introduce here a deep learning system that examines the geography of traceroute measurements to detect malicious routes. We use multiple geolocation services, with various levels of confidence; each also suffers from location errors. Moreover, identifying a hijacked route is not sufficient since an operator presented with a hijack alert needs an indication of the cause for flagging out the problematic route. Thus, we introduce a novel deep learning layer, called Source-Aware Self-Attention ( <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">SASA</i> ), which is an extension of the attention mechanism. <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">SASA</i> learns each data source’s confidence and combines this score with the attention of each router in the route to point out the most problematic one. We validate our IP hijacking classification method using two router data types: coordinates and country location, and show that <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">SASA</i> outperforms the regular self-attention layer, using the same neural network architecture, and achieves extremely high accuracy.