Learning-Based Anomaly Detection in BGP Updates

Abstract

We propose an instance-learning-based framework for detecting BGP routing anomalies. By using a vector of quantified features to represent BGP updates, our framework can capture more complex features of BGP updates than previous methods that use simple aggregation. The feature vector is based on BGP-update dynamics and is constructed using wavelet transformations. The transformations provide a systematic, multi-scale analysis of the dynamics and thus avoid using "magic numbers" that are hard to determine. We experiment with a preliminary implementation of our framework, investigating daily BGP update behaviors over six months. Focusing on each prefix in isolation, we show that, for most prefixes, update dynamics are similar from day to day. Furthermore, on a single day, most prefixes also display similar dynamics. Only a few prefixes exhibit behaviors that are quite different from the majority. This small set of prefixes or daily behaviors can be further examined for anomaly detection. In particular, we observe that most prefixes whose update dynamics deviate from the majority are unstable prefixes with frequent routing changes.

Document Details

Document Type
Technical Report
Publication Date
Apr 01, 2005
Accession Number
ADA458902

Entities

People

  • Jennifer Rexford
  • Jian Zhang
  • Joan Feigenbaum

Organizations

  • Yale University

Tags

Communities of Interest

  • C4I

DTIC Thesaurus Topics

  • Anomaly Detection
  • Change Detection
  • Clustering
  • Computer Science
  • Computers
  • Detection
  • Detectors
  • Dynamics
  • Efficiency
  • Factor Analysis
  • Frequency
  • Intrusion Detection
  • Learning
  • Peak Values
  • Signal Processing
  • Statistics
  • Vector Spaces

Fields of Study

  • Computer science

Readers

  • Astronomy/Astrophysics
  • Computational Fluid Dynamics (CFD)
  • Neural Network Machine Learning