DOI: 10.1145/3359992.3366640
research-article

Comparing Machine Learning Algorithms for BGP Anomaly Detection using Graph Features

Published: 09 December 2019

Abstract

The Border Gateway Protocol (BGP) coordinates connectivity and reachability among Autonomous Systems, providing efficient operation of the global Internet. Historically, BGP anomalies have disrupted network connections on a global scale, so detecting them is of great importance. Today, Machine Learning (ML) methods have improved BGP anomaly detection using volume and path features of BGP's update messages, which are often noisy and bursty. In this work, we identify different graph features to detect BGP anomalies, which are arguably more robust than traditional features. We evaluate these features through an extensive comparison of different ML algorithms, namely Naive Bayes classifier (NB), Decision Trees (DT), Random Forests (RF), Support Vector Machines (SVM), and Multi-Layer Perceptron (MLP), specifically to detect BGP path leaks. We show that SVM offers a good trade-off between precision and recall. Finally, we provide insights into the graph features' characteristics during the anomalous and non-anomalous intervals and provide an interpretation of the ML classifier results.

      Published In

      Big-DAMA '19: Proceedings of the 3rd ACM CoNEXT Workshop on Big DAta, Machine Learning and Artificial Intelligence for Data Communication Networks
      December 2019
      53 pages
      ISBN:9781450369992
      DOI:10.1145/3359992
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. BGP
      2. anomaly detection
      3. graph features
      4. machine learning

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      CoNEXT '19
      Acceptance Rates

      Big-DAMA '19 Paper Acceptance Rate 7 of 11 submissions, 64%;
      Overall Acceptance Rate 7 of 11 submissions, 64%

      Cited By

      • (2024) A Survey of Advanced Border Gateway Protocol Attack Detection Techniques. Sensors 24:19 (6414). DOI: 10.3390/s24196414. Online publication date: 3-Oct-2024
      • (2024) Border Gateway Protocol Route Leak Detection Technique Based on Graph Features and Machine Learning. Electronics 13:20 (4072). DOI: 10.3390/electronics13204072. Online publication date: 16-Oct-2024
      • (2024) A CNN Approach to Detect The Anomalies In BGP Traffic. 2024 15th International Conference on Computing Communication and Networking Technologies (ICCCNT) (1-6). DOI: 10.1109/ICCCNT61001.2024.10725729. Online publication date: 24-Jun-2024
      • (2024) Matrix Profile data mining for BGP anomaly detection. Computer Networks: The International Journal of Computer and Telecommunications Networking 242:C. DOI: 10.1016/j.comnet.2024.110257. Online publication date: 1-Apr-2024
      • (2024) A Deep Learning Approach for BGP Security Improvement. Data Science and Applications (85-96). DOI: 10.1007/978-981-99-7862-5_7. Online publication date: 16-Feb-2024
      • (2024) Detecting BGP Routing Anomalies Using Machine Learning: A Review. Forthcoming Networks and Sustainability in the AIoT Era (145-164). DOI: 10.1007/978-3-031-62871-9_13. Online publication date: 26-Jun-2024
      • (2023) Detecting BGP Anomalies based on Spatio-Temporal Feature Representation Model for Autonomous Systems. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (404-411). DOI: 10.1109/TrustCom60117.2023.00071. Online publication date: 1-Nov-2023
      • (2023) ELM based Ensemble of Classifiers for BGP Security against Network Anomalies. 2023 11th International Symposium on Electronic Systems Devices and Computing (ESDC) (1-6). DOI: 10.1109/ESDC56251.2023.10149854. Online publication date: 4-May-2023
      • (2023) Toward the mutual routing security in wide area networks. Computer Networks: The International Journal of Computer and Telecommunications Networking 230:C. DOI: 10.1016/j.comnet.2023.109778. Online publication date: 1-Jul-2023
      • (2023) An Efficient BGP Anomaly Detection Scheme with Hybrid Graph Features. Emerging Networking Architecture and Technologies (494-506). DOI: 10.1007/978-981-19-9697-9_40. Online publication date: 1-Feb-2023
