Cybercriminals, through Border Gateway Protocol (BGP) hijacking, may temporarily steal blocks of Internet Protocol addresses (IP addresses) associated with trusted Autonomous Systems (AS) to perform other malicious activities, such as spamming, phishing, malware hosting and the like. Since the IP address is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication, the theft of an IP address represents a form of identity theft, whereby the tracks of the criminal cannot be retraced. These individual IP addresses may be grouped together into prefixes, which may be originated or owned by an AS (such as Sprint, Verizon, AT&T, and the like). Each AS may include one or more routers having routing tables that are maintained using BGP as the standard routing protocol for exchanging IP routing information between ASes. Accordingly, by launching attacks from hijacked networks, cybercriminals can hinder traceability and circumvent security systems based on prior IP reputation, which is typically used as a first layer of defense for networks.
Although BGP hijack monitors facilitate the detection of hijacked network IP prefixes, existing hijack detection technologies suffer in four major areas. First, traditional hijacking detection systems assume a labeled set containing examples of both positive and negative samples, where a positive sample represents a malicious BGP announcement (routing data) and a negative sample represents a benign one. Yet, in real-world implementations, positive samples can only be identified by security experts who can confidently recognize a BGP hijacking event, while negative samples (benign BGP announcements) are too diverse to be labeled. Further, current hijack monitors suffer from many false positives due to the challenging task of invalidating detected hijacks.
Second, some current hijack monitors merely help network operators to monitor their own networks, in which case the network operator manually provides the validation or invalidation of detected hijacking events. Third, some of these detection mechanisms only look for anomalies in the Internet routing infrastructure to detect hijacks of network IP prefixes, without correlating them with any kind of malicious network traffic to see whether the hijacked prefixes might be used to launch other types of attacks. Fourth, some systems only consider a few scenarios of network IP prefix hijacking, which may not necessarily be the ones used by cybercriminals.
Finally, a lot of effort has been made to implement security mechanisms into the routing infrastructure, usually using cryptography, to prevent network IP prefix hijacking attacks (e.g., RPKI, BGPsec, etc.). However, these proposed solutions usually require major changes to the software and hardware of the network devices, which currently prevent these solutions from being widely deployed. It is within this context that the embodiments arise.
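As an added illustration (not part of this specification or of the embodiments described), the following Python sketch shows the two ideas from the passages above: route-origin validation of a BGP announcement against RPKI-style ROAs (valid, invalid, or unknown), and the correlation of invalid announcements with a malicious-traffic feed to see which hijacked prefixes are actually being used for abuse. The ROA table, the announcements, and the spam-source IPs are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed ROA-style table: covering prefix -> (authorized origin AS, maxLength).
ROAS = {
    ipaddress.ip_network("198.51.100.0/22"): (64500, 24),
    ipaddress.ip_network("203.0.113.0/24"): (64501, 24),
}

# Constructed BGP announcements observed by a monitor: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("198.51.100.0/22", 64500),  # legitimate origin
    ("198.51.100.0/24", 64500),  # legitimate more-specific within maxLength
    ("198.51.101.0/24", 64666),  # sub-prefix announced by an unauthorized origin
    ("203.0.113.0/25", 64501),   # right origin, but more specific than maxLength
    ("192.0.2.0/24", 64502),     # no covering ROA at all
]

# Constructed source IPs taken from a spam/phishing traffic feed.
MALICIOUS_IPS = ["198.51.101.7", "198.51.101.9", "203.0.113.5", "192.0.2.200"]


def validate(prefix_str, origin_as, roas=ROAS):
    """Route-origin validation: 'valid' if some covering ROA has the same origin
    AS and the prefix is no longer than its maxLength; 'invalid' if the prefix is
    covered by ROAs but none matches; 'unknown' if no ROA covers the prefix."""
    prefix = ipaddress.ip_network(prefix_str)
    covered = False
    for roa_prefix, (asn, max_len) in roas.items():
        if prefix.version != roa_prefix.version:
            continue
        if prefix.subnet_of(roa_prefix):
            covered = True
            if asn == origin_as and prefix.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "unknown"


def correlate(announcements, malicious_ips, roas=ROAS):
    """Map each invalid (suspected hijacked) prefix to the malicious-traffic
    source IPs that fall inside it; prefixes with no such traffic are dropped."""
    invalid = [ipaddress.ip_network(p) for p, asn in announcements
               if validate(p, asn, roas) == "invalid"]
    hits = defaultdict(list)
    for ip_str in malicious_ips:
        ip = ipaddress.ip_address(ip_str)
        for net in invalid:
            if ip in net:
                hits[str(net)].append(ip_str)
    return dict(hits)
```

Announcements classified as unknown (no covering ROA) are deliberately left out of the correlation, which is where a reputation-based defence would still have to fall back on other signals.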