Article Title: BGP Anomaly Detection Using Graph Embedding and LSTM Autoencoders
Authors: Zhang Shuxiao, Tang Yong, Liu Yujing
Affiliation: College of Computer Science, National University of Defense Technology
Published: 2022, 31(2): 246–252
Abstract
To address the problem of detecting anomalies in BGP data, we propose a new BGP anomaly detection method based on graph embedding features and an LSTM autoencoder. The method is built on publicly available, real-world BGP update message data from the internet and focuses on the network's topological characteristics and how they change over time. First, the AS_PATH attribute of the BGP update messages is used to construct a time-series dataset of dynamic embedding features of the network topology graph. Then an LSTM autoencoder model is run over this dataset to identify anomalies. On data from real anomaly events, the method successfully detected the anomalies and achieved higher accuracy than traditional detection methods.
Featured Images
(1) Graph Embedding Features
Viewed from the autonomous systems (ASes) that make up the internet, each AS is a node, i.e. a vertex of the topology graph, and each interconnection between two ASes is an edge; this gives the basic connectivity relationships. The AS_PATH attribute of a BGP update message lists the ASes a route traverses, so it contains exactly the elements that make up the topology graph and embodies the network's topological characteristics; each AS_PATH can be viewed as a subgraph (a path) within the overall topology graph. Taking the arrival time of the messages into account, the AS_PATHs accumulated over a time window form a relatively complete topology graph, and a change in the state of the whole network is reflected as a change in that graph, which the graph embedding represents as distributed (vector) features.
Graph Embedding Feature Structure
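The following is an added illustration of the dataset construction step, not code from the paper. It parses AS_PATH strings in the textual form produced by common MRT dump tools (with AS prepending and AS_SET braces handled), accumulates the per-path subgraphs into one AS-level topology graph per time window, and derives a per-window feature vector from the change between consecutive windows. The paper does not say which embedding algorithm it uses, so the structural features computed here (degrees, new and removed edges, edge churn) are a simple stand-in for the learned embedding; the sample updates are constructed, and the second window deliberately introduces a new, well-connected AS 64600.

```python
"""Per-window AS topology graphs and change features from BGP AS_PATH attributes.
Added example (not the paper's code). AS_PATH strings follow the bgpdump-style
text form, e.g. "701 3356 {64512,64513}"; sample data is constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Edge = Tuple[int, int]

# Constructed sample updates: (unix timestamp, AS_PATH attribute as text).
# Window 2 (ts >= 1100) carries paths through a new, unusually central AS 64600.
SAMPLE_UPDATES: List[Tuple[int, str]] = [
    (1000, "701 3356 13335"),
    (1010, "701 3356 3356 13335"),      # prepending: adds no new edges
    (1020, "701 174 {64512,64513}"),    # AS_SET: aggregate, expanded to both ASNs
    (1100, "701 64600 13335"),
    (1110, "701 64600 174"),
    (1120, "701 64600 3356"),
    (1130, "174 64600 13335"),
    (1140, "701 3356 13335"),           # one path from window 1 persists
]


def parse_as_path(path: str) -> List[Set[int]]:
    """Turn an AS_PATH string into hops; an AS_SET hop becomes a set of ASNs.
    Consecutive duplicate hops (prepending) are collapsed so they add no edges."""
    hops: List[Set[int]] = []
    for tok in path.split():
        if tok.startswith("{"):
            hop = {int(a) for a in tok.strip("{}").split(",") if a}
        else:
            hop = {int(tok)}
        if not hops or hops[-1] != hop:
            hops.append(hop)
    return hops


def path_edges(path: str) -> Set[Edge]:
    """Undirected AS adjacencies implied by one AS_PATH (a subgraph of the topology).
    Edges are stored as (min, max) so the two directions do not create duplicates."""
    hops = parse_as_path(path)
    edges: Set[Edge] = set()
    for left, right in zip(hops, hops[1:]):
        for a in left:
            for b in right:
                if a != b:
                    edges.add((min(a, b), max(a, b)))
    return edges


def window_graphs(updates: List[Tuple[int, str]], window_s: int) -> Dict[int, Set[Edge]]:
    """Accumulate the subgraph of every AS_PATH into one edge set per time window."""
    graphs: Dict[int, Set[Edge]] = defaultdict(set)
    for ts, path in updates:
        graphs[ts // window_s].update(path_edges(path))
    return dict(sorted(graphs.items()))


def degrees(edges: Set[Edge]) -> Dict[int, int]:
    deg: Dict[int, int] = defaultdict(int)
    for a, b in edges:
        deg[a] += 1
        deg[b] += 1
    return dict(deg)


def window_features(prev: Set[Edge], cur: Set[Edge]) -> Dict[str, float]:
    """Structural feature vector for one window relative to the previous window.
    Stand-in for the learned graph embedding (the paper does not name its algorithm)."""
    deg = degrees(cur)
    new_edges = cur - prev
    gone_edges = prev - cur
    new_nodes = set(deg) - set(degrees(prev))
    return {
        "edges": len(cur),
        "nodes": len(deg),
        "max_degree": max(deg.values(), default=0),
        "new_edges": len(new_edges),
        "removed_edges": len(gone_edges),
        "new_nodes": len(new_nodes),
        # fraction of the union of both graphs that changed between the windows
        "edge_churn": (len(new_edges) + len(gone_edges)) / max(len(cur | prev), 1),
    }


def feature_sequence(updates: List[Tuple[int, str]], window_s: int) -> List[Dict[str, float]]:
    """Time series of per-window feature vectors: the input an LSTM autoencoder consumes."""
    seq, prev = [], set()
    for _, edges in window_graphs(updates, window_s).items():
        seq.append(window_features(prev, edges))
        prev = edges
    return seq


if __name__ == "__main__":
    for i, feats in enumerate(feature_sequence(SAMPLE_UPDATES, window_s=100)):
        print(i, feats)
```

Two details matter in practice: prepended ASNs must be collapsed or a single prepending policy change inflates the edge count, and AS_SET members should be expanded rather than treated as a fake ASN, otherwise the aggregate appears as a new node every time it is re-announced.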
(2) LSTM Autoencoder
An LSTM network is composed of LSTM units. Each unit carries its own cell state forward together with the state produced from previous inputs, and its gates select which information to forget as unimportant and which feature information to retain. LSTM units can therefore be built into an autoencoder, with both the encoder and the decoder made of LSTM units.
LSTM Autoencoder Structure
(3) Experimental Methods and Results
First, the dataset and model described above were used to classify the relevant datasets and validate the effectiveness of the method. The experiments validate not only the detection performance of the model but also the dataset construction method based on network topology graph embedding features proposed in the paper. The specific results are shown in the table below.
LSTM Autoencoder Detection Results (%)
To further evaluate the model's performance, anomaly detection classification tests were run on the Slammer dataset with the classic Support Vector Machine (SVM) model and with the plain autoencoder model mentioned above; the results are shown in the table below.
Different Models Anomaly Detection Results (%)
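The tables above report accuracy-style percentages, which an autoencoder only produces once its reconstruction error is turned into a per-window decision. The following added example (not the paper's code) shows that last step: the threshold is calibrated on an anomaly-free prefix of the feature sequence as mean plus three standard deviations of the reconstruction error, every later window whose error exceeds it is flagged, and accuracy, precision, recall and F1 are computed against ground-truth labels. The LSTM autoencoder itself is not reproduced; as a labelled stand-in, a window is "reconstructed" as the mean of the last three windows kept in history. The feature vectors and labels are constructed. The example also contrasts a naive history that absorbs anomalous windows with one that excludes flagged windows, because the former keeps firing after an event ends.

```python
"""Reconstruction-error thresholding and the metrics reported for BGP anomaly detection.
Added example (not the paper's code). The reconstruction is a trailing-mean stand-in
for the LSTM autoencoder; feature vectors and labels are constructed."""
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence

# Constructed per-window feature vectors (e.g. [edges, new_edges, max_degree] scaled
# to [0, 1]) and ground-truth labels (1 = window lies inside the anomaly event).
FEATURES: List[List[float]] = [
    [0.50, 0.10, 0.30], [0.52, 0.11, 0.31], [0.49, 0.09, 0.30], [0.51, 0.12, 0.32],
    [0.50, 0.10, 0.29], [0.53, 0.11, 0.31], [0.50, 0.10, 0.30], [0.52, 0.12, 0.30],
    [0.90, 0.70, 0.85], [0.95, 0.80, 0.90], [0.88, 0.75, 0.88], [0.60, 0.30, 0.50],
    [0.51, 0.11, 0.31], [0.50, 0.10, 0.30],
]
LABELS: List[int] = [0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0]
N_CALIBRATION = 8  # leading windows known to be anomaly-free (assumption)


def reconstruction_errors(features: Sequence[Sequence[float]], k: int = 3,
                          threshold: Optional[float] = None) -> List[float]:
    """Squared error between each window and the mean of the last k windows in history.
    With a threshold, windows whose error exceeds it are not added to the history, so an
    ongoing anomaly does not become the new 'normal'. The first window has no history."""
    errors, history = [], []
    for x in features:
        reference = history[-k:] or [x]
        recon = [mean(col) for col in zip(*reference)]
        err = sum((a - b) ** 2 for a, b in zip(x, recon))
        errors.append(err)
        if threshold is None or err <= threshold:
            history.append(x)
    return errors


def calibrate_threshold(errors: Sequence[float], sigmas: float = 3.0) -> float:
    """Threshold from anomaly-free calibration errors: mean + sigmas * std."""
    return mean(errors) + sigmas * pstdev(errors)


def detect(errors: Sequence[float], threshold: float) -> List[int]:
    return [1 if e > threshold else 0 for e in errors]


def metrics(pred: Sequence[int], truth: Sequence[int]) -> Dict[str, float]:
    """Accuracy, precision, recall and F1 in percent, anomaly (1) as the positive class."""
    tp = sum(1 for p, t in zip(pred, truth) if p == 1 and t == 1)
    fp = sum(1 for p, t in zip(pred, truth) if p == 1 and t == 0)
    fn = sum(1 for p, t in zip(pred, truth) if p == 0 and t == 1)
    tn = len(truth) - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    return {"accuracy": 100 * (tp + tn) / len(truth), "precision": 100 * precision,
            "recall": 100 * recall, "f1": 100 * f1}


def evaluate(features=FEATURES, labels=LABELS, n_calibration=N_CALIBRATION, k=3):
    """Calibrate on the normal prefix, then score the naive and the gated history."""
    threshold = calibrate_threshold(reconstruction_errors(features[:n_calibration], k))
    naive = metrics(detect(reconstruction_errors(features, k), threshold), labels)
    gated = metrics(detect(reconstruction_errors(features, k, threshold), threshold), labels)
    return threshold, naive, gated


if __name__ == "__main__":
    thr, naive, gated = evaluate()
    print(f"threshold = {thr:.5f}")
    print("naive history:", naive)
    print("gated history:", gated)
```

With the constructed data the naive history flags the two windows after the event as well, because the anomalous windows have pulled the trailing mean away from normal traffic (recall 100%, precision about 67%); excluding flagged windows from the history removes both false positives. The calibration prefix must genuinely be anomaly-free, otherwise the threshold is inflated and the event is missed.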
(4) Conclusion
To address the problem of detecting anomalies in BGP data, this paper proposes a method for detecting BGP anomaly events with an LSTM autoencoder model. To detect such events effectively, we start from real historical data from the internet, apply a graph embedding feature algorithm to capture the change of the network topology over time, and construct a dataset of network topology graph features that gives the model compact and efficient input. The method was validated by selecting three representative BGP security events and collecting data from the related nodes. The experimental results show that this dataset reflects the changes in network features during anomaly events, and that the model achieves higher accuracy than traditional detection methods, detecting BGP anomaly events effectively so that they can be responded to and handled in time. Future work will study detection and response mechanisms for larger-scale BGP time-series data in conjunction with specific application cases.
Contact Us
Phone: 010-62661041
WeChat: csaWeChat
Email: [email protected]
Website: http://www.c-s-a.org.cn