原始互联网拓扑下的BGP异常检测

IF 4.6 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2025-10-08 DOI:10.1016/j.comnet.2025.111753

Hamid Latif-Martínez, Jordi Paillissé, Pere Barlet-Ros, Albert Cabellos-Aparicio

{"title":"原始互联网拓扑下的BGP异常检测","authors":"Hamid Latif-Martínez, Jordi Paillissé, Pere Barlet-Ros, Albert Cabellos-Aparicio","doi":"10.1016/j.comnet.2025.111753","DOIUrl":null,"url":null,"abstract":"<div><div>The Border Gateway Protocol (BGP) is central to the global connectivity of the Internet, enabling fast and efficient dissemination of routing information. Hence, detecting any anomaly concerning BGP announcements is of critical importance to ensure the continuous operation of Internet services. Typically, BGP anomaly detection algorithms have relied on features of the BGP messages, such as the average length of the AS_PATH attribute, the volume of messages, or the type of message (announcement or withdrawal). Even though these algorithms provide good performance, they do not take into account the Internet topology, that is, the graph of Autonomous Systems (AS) created by the BGP announcements. In addition, some of the existing algorithms can detect only specific types of anomalies, while others require retraining them to support new scenarios.</div><div>In this paper we propose detecting BGP anomalies by leveraging the raw BGP topology graph, instead of manually curated features of the BGP messages. We implement a Machine Learning algorithm to process the entire BGP topology and evaluate it with real-world data from 4 well-known incidents. We compare our proposal against two state-of-the-art solutions and a classical method that use BGP features and features of the BGP topology, not the topology itself. Our results show that our solution obtains remarkable performance identifying the incidents. Finally, we test our model with regular data (non-anomalous) to prove that it can be used in a production scenario, with samples processed on the fly and guaranteeing a low false alarm rate.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"273 ","pages":"Article 111753"},"PeriodicalIF":4.6000,"publicationDate":"2025-10-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"BGP anomaly detection using the raw internet topology\",\"authors\":\"Hamid Latif-Martínez, Jordi Paillissé, Pere Barlet-Ros, Albert Cabellos-Aparicio\",\"doi\":\"10.1016/j.comnet.2025.111753\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>The Border Gateway Protocol (BGP) is central to the global connectivity of the Internet, enabling fast and efficient dissemination of routing information. Hence, detecting any anomaly concerning BGP announcements is of critical importance to ensure the continuous operation of Internet services. Typically, BGP anomaly detection algorithms have relied on features of the BGP messages, such as the average length of the AS_PATH attribute, the volume of messages, or the type of message (announcement or withdrawal). Even though these algorithms provide good performance, they do not take into account the Internet topology, that is, the graph of Autonomous Systems (AS) created by the BGP announcements. In addition, some of the existing algorithms can detect only specific types of anomalies, while others require retraining them to support new scenarios.</div><div>In this paper we propose detecting BGP anomalies by leveraging the raw BGP topology graph, instead of manually curated features of the BGP messages. We implement a Machine Learning algorithm to process the entire BGP topology and evaluate it with real-world data from 4 well-known incidents. We compare our proposal against two state-of-the-art solutions and a classical method that use BGP features and features of the BGP topology, not the topology itself. Our results show that our solution obtains remarkable performance identifying the incidents. Finally, we test our model with regular data (non-anomalous) to prove that it can be used in a production scenario, with samples processed on the fly and guaranteeing a low false alarm rate.</div></div>\",\"PeriodicalId\":50637,\"journal\":{\"name\":\"Computer Networks\",\"volume\":\"273 \",\"pages\":\"Article 111753\"},\"PeriodicalIF\":4.6000,\"publicationDate\":\"2025-10-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computer Networks\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S1389128625007194\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128625007194","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

摘要

边界网关协议BGP （Border Gateway Protocol）是实现互联网全球互联互通的核心协议，能够实现路由信息的快速高效传播。因此，检测BGP通告异常对于保证Internet业务的持续运行至关重要。通常情况下，BGP异常检测算法依赖于BGP消息的特征，如AS_PATH属性的平均长度、消息量、消息类型（公告或撤回）等。尽管这些算法提供了良好的性能，但它们没有考虑到Internet拓扑，即BGP公告创建的自治系统（AS）图。此外，现有的一些算法只能检测特定类型的异常，而其他算法则需要重新训练以支持新的场景。在本文中，我们提出利用原始BGP拓扑图来检测BGP异常，而不是手动管理BGP消息的特征。我们实现了一种机器学习算法来处理整个BGP拓扑，并使用来自4个众所周知事件的真实数据对其进行评估。我们将我们的建议与两种最先进的解决方案和一种使用BGP特征和BGP拓扑特征（而不是拓扑本身）的经典方法进行比较。结果表明，该方案在事件识别方面取得了显著的效果。最后，我们用常规数据（非异常数据）测试我们的模型，以证明它可以在生产场景中使用，在运行中处理样本并保证低误报率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

BGP anomaly detection using the raw internet topology

The Border Gateway Protocol (BGP) is central to the global connectivity of the Internet, enabling fast and efficient dissemination of routing information. Hence, detecting any anomaly concerning BGP announcements is of critical importance to ensure the continuous operation of Internet services. Typically, BGP anomaly detection algorithms have relied on features of the BGP messages, such as the average length of the AS_PATH attribute, the volume of messages, or the type of message (announcement or withdrawal). Even though these algorithms provide good performance, they do not take into account the Internet topology, that is, the graph of Autonomous Systems (AS) created by the BGP announcements. In addition, some of the existing algorithms can detect only specific types of anomalies, while others require retraining them to support new scenarios.

In this paper we propose detecting BGP anomalies by leveraging the raw BGP topology graph, instead of manually curated features of the BGP messages. We implement a Machine Learning algorithm to process the entire BGP topology and evaluate it with real-world data from 4 well-known incidents. We compare our proposal against two state-of-the-art solutions and a classical method that use BGP features and features of the BGP topology, not the topology itself. Our results show that our solution obtains remarkable performance identifying the incidents. Finally, we test our model with regular data (non-anomalous) to prove that it can be used in a production scenario, with samples processed on the fly and guaranteeing a low false alarm rate.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.