A Multi-View Framework for BGP Anomaly Detection via Graph Attention Network

TL;DR

This paper introduces a multi-view framework combining STL and GAT to improve BGP anomaly detection, capturing feature relationships and time correlations for more accurate real-time monitoring.

Contribution

It proposes a novel multi-view model integrating STL and GAT to enhance BGP anomaly detection by capturing feature relationships and temporal dependencies.

Findings

Achieved up to 96.3% F1 score on balanced datasets.

Outperformed state-of-the-art methods in anomaly detection.

Model can classify multiple anomalies and detect unknown events.

Abstract

As the default protocol for exchanging routing reachability information on the Internet, the abnormal behavior in traffic of Border Gateway Protocols (BGP) is closely related to Internet anomaly events. The BGP anomalous detection model ensures stable routing services on the Internet through its real-time monitoring and alerting capabilities. Previous studies either focused on the feature selection problem or the memory characteristic in data, while ignoring the relationship between features and the precise time correlation in feature (whether it's long or short term dependence). In this paper, we propose a multi-view model for capturing anomalous behaviors from BGP update traffic, in which Seasonal and Trend decomposition using Loess (STL) method is used to reduce the noise in the original time-series data, and Graph Attention Network (GAT) is used to discover feature relationships and time correlations in feature, respectively. Our results outperform the state-of-the-art methods at the anomaly detection task, with the average F1 score up to 96.3% and 93.2% on the balanced and imbalanced datasets respectively. Meanwhile, our model can be extended to classify multiple anomalous and to detect unknown events.