{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,19]],"date-time":"2025-12-19T09:15:23Z","timestamp":1766135723300},"reference-count":34,"publisher":"Association for Computing Machinery (ACM)","issue":"5","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGCOMM Comput. Commun. Rev."],"published-print":{"date-parts":[[2005,10,6]]},"abstract":"<jats:p>Abnormal BGP events such as attacks, misconfigurations, electricity failures, can cause anomalous or pathological routing behavior at either global level or prefix level, and thus must be detected in their early stages. Instead of using ad hoc methods to analyze BGP data, in this paper we introduce an Internet Routing Forensics framework to systematically process BGP routing data, discover rules of abnormal BGP events, and apply these rules to detect the occurrences of these events. In particular, we leverage data mining techniques to train the framework to learn rules of abnormal BGP events, and our results from two case studies show that these rules are effective. In one case study, rules of worm events discovered from the BGP data during the outbreaks of the CodeRed and Nimda worms were able to successfully detect worm impact on BGP when an independent worm, the Slammer, subsequently occurred. Similarly, in another case study, rules of electricity blackout events obtained using BGP data from the 2003 East Coast blackout were able to detect the BGP impact from the Florida blackout caused by Hurricane Frances in 2004.<\/jats:p>","DOI":"10.1145\/1096536.1096542","type":"journal-article","created":{"date-parts":[[2005,11,7]],"date-time":"2005-11-07T19:28:32Z","timestamp":1131391712000},"page":"55-66","update-policy":"http:\/\/dx.doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":41,"title":["An internet routing forensics framework for discovering rules of abnormal BGP events"],"prefix":"10.1145","volume":"35","author":[{"given":"Jun","family":"Li","sequence":"first","affiliation":[{"name":"University of Oregon"}]},{"given":"Dejing","family":"Dou","sequence":"additional","affiliation":[{"name":"University of Oregon"}]},{"given":"Zhen","family":"Wu","sequence":"additional","affiliation":[{"name":"University of Oregon"}]},{"given":"Shiwoong","family":"Kim","sequence":"additional","affiliation":[{"name":"University of Oregon"}]},{"given":"Vikash","family":"Agarwal","sequence":"additional","affiliation":[{"name":"University of Oregon"}]}],"member":"320","published-online":{"date-parts":[[2005,10,6]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Hurricane frances chronology. http:\/\/www.fpl.com\/storm\/contents\/hurricane_frances_chronology.shtml.  Hurricane frances chronology. http:\/\/www.fpl.com\/storm\/contents\/hurricane_frances_chronology.shtml."},{"key":"e_1_2_1_2_1","unstructured":"RIPE routing information service raw data. http:\/\/data.ris.ripe.net\/.  RIPE routing information service raw data. http:\/\/data.ris.ripe.net\/."},{"key":"e_1_2_1_3_1","first-page":"487","volume-title":"Proceedings of 1994 VLDB Conference","author":"Agrawal R.","year":"1994"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948133"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/604264.604268"},{"key":"e_1_2_1_6_1","volume-title":"Internet Draft","author":"Convery S.","year":"2003"},{"key":"e_1_2_1_7_1","volume-title":"Renesys","author":"Cowie J.","year":"2003"},{"key":"e_1_2_1_8_1","volume-title":"Renesys","author":"Cowie J.","year":"2001"},{"key":"e_1_2_1_9_1","volume-title":"Proceedings of SPIE International symposium on Convergence of IT and Communication","author":"Cowie J.","year":"2002"},{"key":"e_1_2_1_10_1","unstructured":"J. Fartar. C&W routing instability. http:\/\/www.merit.edu\/mail.archives\/nanog\/2001-04\/msg00209.html.  J. Fartar. C&W routing instability. http:\/\/www.merit.edu\/mail.archives\/nanog\/2001-04\/msg00209.html."},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"Goodell G.","year":"2003"},{"key":"e_1_2_1_12_1","volume-title":"Morgan Kaufmann Publishers","author":"Han J.","year":"2001"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/49.839934"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-45248-5_2"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/90.731185"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-24604-6_7"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/322510.322526"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1137\/1.9781611972733.3"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/312129.312212"},{"key":"e_1_2_1_20_1","volume-title":"Proceedings of IEEE INFOCOM","author":"Li J.","year":"2002"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/633025.633027"},{"key":"e_1_2_1_22_1","unstructured":"S. Misel. Wow AS7007! http:\/\/www.merit.edu\/mail.archives\/nanog\/1997-04\/msg00340.html.  S. Misel. Wow AS7007! http:\/\/www.merit.edu\/mail.archives\/nanog\/1997-04\/msg00340.html."},{"key":"e_1_2_1_23_1","volume-title":"Computer Security Series. Artech House Publishers","author":"Mohay G.","year":"2003"},{"key":"e_1_2_1_24_1","volume-title":"Internet Draft","author":"Murphy S.","year":"2003"},{"key":"e_1_2_1_25_1","volume-title":"Morgan Kaufmann Publishers","author":"Quinlan J.","year":"1993"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/347059.347560"},{"key":"e_1_2_1_27_1","volume-title":"New Riders","author":"Schultz E.","year":"2002"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/383059.383060"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-39671-0_14"},{"key":"e_1_2_1_30_1","unstructured":"University of Oregon Route Views Project. http:\/\/antc.uoregon.edu\/route-views\/.  University of Oregon Route Views Project. http:\/\/antc.uoregon.edu\/route-views\/."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/637201.637231"},{"key":"e_1_2_1_32_1","volume-title":"International Symposium on Integrated Network Management","author":"Wu Z.","year":"2005"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-24693-0_22"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.5555\/647883.760856"}],"container-title":["ACM SIGCOMM Computer Communication Review"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1096536.1096542","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,28]],"date-time":"2022-12-28T16:43:34Z","timestamp":1672245814000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1096536.1096542"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2005,10,6]]},"references-count":34,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2005,10,6]]}},"alternative-id":["10.1145\/1096536.1096542"],"URL":"https:\/\/doi.org\/10.1145\/1096536.1096542","relation":{},"ISSN":["0146-4833"],"issn-type":[{"value":"0146-4833","type":"print"}],"subject":[],"published":{"date-parts":[[2005,10,6]]},"assertion":[{"value":"2005-10-06","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}