Title: GraphBGP: BGP Anomaly Detection Based on Dynamic Graph Learning
Authors: Zheng Wu; Yanbiao Li; Xin Wang; Zulong Diao; Weibei Fan; Fu Xiao; Gaogang Xie
DOI: 10.1109/TIFS.2025.3607239
Journal: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 9864-9877 (JCR Q1, Computer Science, Theory & Methods)
Published: 2025-09-08 (Journal Article, not open access)
URL: https://ieeexplore.ieee.org/document/11153508/
GraphBGP: BGP Anomaly Detection Based on Dynamic Graph Learning
Detecting anomalous BGP (Border Gateway Protocol) messages is critical for securing inter-domain routing across autonomous system (AS)-level networks. The dynamic nature of routing policies, the massive scale of the global routing table, and incomplete visibility into the global topology make BGP anomalies exceptionally hard to identify, let alone trace back to the malicious or misconfigured AS responsible. To overcome these barriers, this paper proposes GraphBGP, a BGP anomaly detection method that dynamically constructs real-time AS-level topologies, performs anomaly detection and classification, and traces the malicious or misconfigured ASes behind an anomaly. Specifically, to capture the evolving BGP routing state, GraphBGP builds an attributed AS-level graph that integrates node and edge attributes and refreshes it efficiently by tracking incoming BGP updates. On top of this up-to-date representation, GraphBGP applies detection and tracing models based on graph convolutional networks (GCNs), enabling precise anomaly identification and source tracing. Experiments on real-world and synthetic datasets show that GraphBGP achieves state-of-the-art detection accuracy while significantly reducing inference time, even under partial visibility of the BGP network. Furthermore, GraphBGP traces malicious or misconfigured ASes within 7 milliseconds of detecting an anomaly, enabling rapid mitigation.
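The abstract describes the core mechanism (an attributed AS-level graph that is refreshed from the BGP update stream and then fed to a graph model) without showing what that looks like in practice. The example below is an added illustration written for this page; it is not GraphBGP's code and does not reproduce the paper's GCN models. It consumes a constructed stream of simplified update lines (a made-up "ts|A|prefix|AS_PATH" / "ts|W|prefix" text format standing in for MRT or BMP data), maintains node attributes (announcement count, prefixes originated) and edge attributes (hit count, first-seen time) incrementally, computes one parameter-free GCN-style neighbour aggregation over the node features, and raises two classic rule-based alerts after a baseline period: an AS adjacency never seen before and a prefix whose origin AS changes, naming the new origin as the AS to trace first. The ASNs and prefixes are documentation values and the baseline cut-off is an assumption.

```python
"""Incremental attributed AS-level graph from a BGP UPDATE stream.

Added example, not GraphBGP's code. Update lines use a constructed text format
("<ts>|A|<prefix>|<AS_PATH>" or "<ts>|W|<prefix>") standing in for MRT/BMP data.
"""
from collections import defaultdict


def parse_update(line):
    """Parse one constructed update line into (ts, kind, prefix, as_path).

    AS-path prepending (repeated consecutive ASNs) is collapsed so that each
    consecutive pair in the returned path is a real AS adjacency.
    """
    parts = line.strip().split("|")
    ts, kind, prefix = int(parts[0]), parts[1], parts[2]
    if kind == "W":
        return ts, "W", prefix, ()
    raw = [int(a) for a in parts[3].split()]
    path = tuple(a for i, a in enumerate(raw) if i == 0 or a != raw[i - 1])
    return ts, "A", prefix, path


class ASGraph:
    """Attributed AS-level graph that is refreshed update by update."""

    def __init__(self, baseline_until):
        self.baseline_until = baseline_until  # assumed: no alerts before this ts
        self.nodes = defaultdict(lambda: {"announces": 0, "origin_of": set()})
        self.edges = defaultdict(lambda: {"count": 0, "first_seen": None})
        self.origins = defaultdict(set)       # prefix -> ASNs ever seen as origin
        self.rib = {}                         # prefix -> current AS_PATH

    @staticmethod
    def edge_key(a, b):
        return (a, b) if a < b else (b, a)    # undirected adjacency

    def apply(self, ts, kind, prefix, path):
        """Apply one update; return the alerts it triggers (none during baseline)."""
        alerts = []
        if kind == "W":
            self.rib.pop(prefix, None)
            return alerts
        learning = ts < self.baseline_until
        origin = path[-1]
        for asn in path:
            self.nodes[asn]["announces"] += 1
        self.nodes[origin]["origin_of"].add(prefix)
        for a, b in zip(path, path[1:]):
            key = self.edge_key(a, b)
            e = self.edges[key]
            if e["first_seen"] is None:
                e["first_seen"] = ts
                if not learning:
                    alerts.append(("new_edge", prefix, key))
            e["count"] += 1
        seen = self.origins[prefix]
        if seen and origin not in seen and not learning:
            # Prefix is now originated by an AS that never originated it before:
            # the new origin is the first AS to investigate.
            alerts.append(("origin_change", prefix, origin, tuple(sorted(seen))))
        seen.add(origin)
        self.rib[prefix] = path
        return alerts

    def neighbors(self, asn):
        return [b if a == asn else a for (a, b) in self.edges if asn in (a, b)]

    def features(self, asn):
        """Node feature vector: [announcements, prefixes originated, degree]."""
        n = self.nodes[asn]
        return [float(n["announces"]), float(len(n["origin_of"])),
                float(len(self.neighbors(asn)))]

    def aggregate(self):
        """One parameter-free GCN-style layer: mean over self plus neighbours."""
        out = {}
        for asn in list(self.nodes):
            group = [asn] + self.neighbors(asn)
            vecs = [self.features(v) for v in group]
            out[asn] = [sum(col) / len(group) for col in zip(*vecs)]
        return out


SAMPLE_UPDATES = [  # constructed stream from a single hypothetical collector
    "100|A|203.0.113.0/24|64496 64497 64498",
    "101|A|198.51.100.0/24|64496 64497 64499",
    "102|A|192.0.2.0/24|64496 64500 64498",
    "103|A|203.0.113.0/24|64496 64497 64497 64498",  # prepended, same origin
    "200|A|203.0.113.0/24|64496 64501 64502",        # unseen origin over unseen links
    "201|W|198.51.100.0/24",
]


def run(lines, baseline_until=150):
    """Replay a stream and return (graph, alerts)."""
    g = ASGraph(baseline_until)
    alerts = []
    for line in lines:
        alerts.extend(g.apply(*parse_update(line)))
    return g, alerts


if __name__ == "__main__":
    graph, found = run(SAMPLE_UPDATES)
    for alert in found:
        print(alert)
    print("AS64496 aggregated features:", graph.aggregate()[64496])
```

On the sample stream the announcement at ts=200 produces two new_edge alerts (64496-64501 and 64501-64502) and one origin_change alert for 203.0.113.0/24 naming AS64502 as the new origin, while the prepended re-announcement at ts=103 is correctly treated as the same adjacency. The aggregate() step is only the fixed neighbourhood-mean part of a GCN layer; a real model would multiply these aggregated vectors by learned weights and train on labelled anomalies, which is what the paper's detection and tracing models do.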
Journal description:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance, and systems applications that incorporate these features.