Please use this identifier to cite or link to this item: https://tede.ufam.edu.br/handle/tede/7700
Full metadata record
| DC Field | Value | Language |
|---|---|---|
| dc.creator | Fonseca, Paulo César da Rocha | - |
| dc.creator.Lattes | http://lattes.cnpq.br/3639575844521754 | por |
| dc.contributor.advisor1 | Mota, Edjard Souza | - |
| dc.contributor.advisor1Lattes | http://lattes.cnpq.br/0757666181169076 | por |
| dc.contributor.referee1 | Feitosa, Eduardo Luzeiro | - |
| dc.contributor.referee1Lattes | http://lattes.cnpq.br/5939944067207881 | por |
| dc.contributor.referee2 | Carvalho, André Luiz da Costa | - |
| dc.contributor.referee2Lattes | http://lattes.cnpq.br/4863447798119856 | por |
| dc.contributor.referee3 | Souza, Jose Neuman de | - |
| dc.contributor.referee3Lattes | http://lattes.cnpq.br/3614256141054800 | por |
| dc.contributor.referee4 | Cunha, Italo Fernando Scotá | - |
| dc.contributor.referee4Lattes | http://lattes.cnpq.br/7973706384467274 | por |
| dc.date.issued | 2019-11-18 | - |
| dc.identifier.citation | FONSECA, Paulo César da Rocha. A deep learning framework for BGP anomaly detection and classification. 2019. 117 f. Tese (Doutorado em Informática) - Universidade Federal do Amazonas, Manaus, 2019. | por |
| dc.identifier.uri | https://tede.ufam.edu.br/handle/tede/7700 | - |
| dc.description.abstract | The Border Gateway Protocol (BGP) is the default Internet routing protocol that manages connectivity among Autonomous Systems (ASes). Although BGP disruptions are rare, when they occur the consequences can be very damaging. Consequently, there has been a considerable effort aimed at understanding what is normal and abnormal BGP traffic and, in so doing, enabling potentially disruptive anomalous traffic to be identified quickly. Even though there is extensive research on anomaly detection, there are two major gaps in the current literature: the scarcity of public datasets for all types of events and the lack of a BGP anomaly classification framework that differentiates anomaly classes. Since there are no public datasets of labeled BGP anomalous events, each model was validated using different datasets, which had to be individually generated for each approach. The absence of a common groundwork dataset increases the difficulty in comparing different approaches. The lack of a classification framework hinders the deployment of specific mitigation measures for each anomaly class in an automated fashion. In the current work, we address both problems: 1) We provide a BGP dataset generation tool and publicly available datasets for different anomaly classes. These datasets contain the features most used by previous research efforts and additional novel features; 2) We address the BGP anomaly classification problem by developing a framework that uses deep learning as the core engine of an anomaly detection and classification mechanism. We built a model that exploits the advantages of different neural network architectures. Both the novel features and the BGP anomaly detector and classifier were evaluated, and it was demonstrated that they can be used to react to anomalies in real time and leverage the deployment of different mitigation and coordination strategies for different anomaly classes in an autonomous fashion. | eng |
| dc.description.sponsorship | Fundação de Amparo à Pesquisa do Estado do Amazonas - FAPEAM | por |
| dc.format | application/pdf | * |
| dc.thumbnail.url | https://tede.ufam.edu.br//retrieve/37633/Tese_PauloC%c3%a9sardaRocha_PPGI.pdf.jpg | * |
| dc.language | eng | por |
| dc.publisher | Universidade Federal do Amazonas | por |
| dc.publisher.department | Instituto de Computação | por |
| dc.publisher.country | Brazil | por |
| dc.publisher.initials | UFAM | por |
| dc.publisher.program | Programa de Pós-graduação em Informática | por |
| dc.rights | Open Access | por |
| dc.rights.uri | http://creativecommons.org/licenses/by/4.0/ | - |
| dc.subject | Border Gateway Protocol | eng |
| dc.subject | Machine Learning | eng |
| dc.subject | Dataset generation | eng |
| dc.subject | Autonomous Systems | eng |
| dc.subject | BGP anomalies | por |
| dc.subject.cnpq | EXACT AND EARTH SCIENCES: COMPUTER SCIENCE | por |
| dc.title | A deep learning framework for BGP anomaly detection and classification | por |
| dc.type | Thesis | por |
| dc.creator.orcid | https://orcid.org/0000-0003-4641-6098 | por |
| dc.subject.user | Border Gateway Protocol | eng |
| dc.subject.user | Anomaly detection | eng |
| dc.subject.user | Machine Learning | eng |
| dc.subject.user | Dataset generation | eng |
| dc.subject.user | Anomaly detection | por |
Appears in Collections: Doutorado em Informática

Files in This Item:
| File | Description | Size | Format |
|---|---|---|---|
| Tese_PauloCésardaRocha_PPGI.pdf | Tese_PauloCésardaRocha_PPGI | 5 MB | Adobe PDF |

This item is licensed under a Creative Commons License.