MAD-MulW: A Multi-Window Anomaly Detection Framework for BGP Security Events
Songtao Peng, Yiping Chen, Xincheng Shu, Wu Shuai, Shenhao Fang, Zhongyuan Ruan, Qi Xuan

TL;DR
This paper introduces MAD-MulW, an unsupervised multi-window anomaly detection framework for BGP security events, improving detection accuracy and stability through adaptive window strategies and innovative modules.
Contribution
The paper presents a novel multi-window serial framework with adaptive weighting and predictive reconstruction modules for enhanced BGP anomaly detection.
Findings
Achieved over 90% average F1 score on multiple BGP anomaly datasets.
Demonstrated improved efficiency and stability of the detection model.
Validated the effectiveness of stage windows and adaptive strategies.
Abstract
In recent years, various international security events have occurred frequently and interacted between real society and cyberspace. Traditional traffic monitoring mainly focuses on the local anomalous status of events due to a large amount of data. BGP-based event monitoring makes it possible to perform differential analysis of international events. For many existing traffic anomaly detection methods, we have observed that the window-based noise reduction strategy effectively improves the success rate of time series anomaly detection. Motivated by this observation, we propose an unsupervised anomaly detection model, MAD-MulW, which incorporates a multi-window serial framework. Firstly, we design the W-GAT module to adaptively update the sample weights within the window and retain the updated information of the trailing sample, which not only reduces the outlier samples' noise but also…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Software System Performance and Reliability
