BGP Anomalies Classification using Features based on AS Relationship Graphs

Ensuring the correct behavior of the Border Gateway Protocol (BGP) is essential for maintaining good quality of service on the Internet. When anomalous behavior is detected, operators of border gateways need to classify it correctly as a direct (intended or unintended) anomaly, an indirect anomaly, or a link failure. This classification helps them understand its cause and act upon it. Recently, several techniques for classifying BGP anomalies with machine learning models have been proposed. However, we notice some limitations of these classification models that make it unclear whether they can be used in the real world to classify new anomalies. This paper presents a new model that performs well when classifying BGP events not seen during its training. Our model is based on Long Short-Term Memory (LSTM) networks and uses new features based on inferred relationships between Autonomous Systems (ASes) to classify sets of BGP update messages. On samples from new events, the model achieves 91% accuracy and F1 scores of 1.00, 0.93, and 0.80 for direct anomalies, indirect anomalies, and link failures, respectively.
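To make the feature idea concrete, the following is an added example, not the paper's own code (the abstract does not give its feature definitions): it derives one feature vector per time window from the AS_PATH of each BGP update, using a constructed AS relationship table in the CAIDA-style provider/peer encoding. The feature names, the window layout, and the use of valley-free violations as a feature are assumptions made for this illustration.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed AS relationship table (CAIDA-style triples, an assumed format):
# (a, b, -1): a is a provider of b;  (a, b, 0): a and b are settlement-free peers.
REL_TABLE: List[Tuple[int, int, int]] = [
    (100, 200, -1), (100, 300, -1), (200, 400, -1), (300, 400, -1), (200, 300, 0),
]

def build_graph(table: List[Tuple[int, int, int]]) -> Dict[Tuple[int, int], str]:
    """Label each directed hop (a -> b) with how a route crosses it when announced from a to b."""
    rel: Dict[Tuple[int, int], str] = {}
    for a, b, kind in table:
        if kind == -1:
            rel[(a, b)] = "p2c"   # downhill: provider announces the route to its customer
            rel[(b, a)] = "c2p"   # uphill: customer announces the route to its provider
        else:
            rel[(a, b)] = rel[(b, a)] = "p2p"
    return rel

def hop_types(as_path: List[int], rel: Dict[Tuple[int, int], str]) -> List[str]:
    """AS_PATH lists the nearest AS first and the origin last; reverse it to follow propagation."""
    prop = list(reversed(as_path))
    return [rel.get((a, b), "unknown") for a, b in zip(prop, prop[1:])]

def is_valley_free(types: List[str]) -> bool:
    """Gao's valley-free rule: any c2p hops, then at most one p2p hop, then any p2c hops."""
    descending = False
    for t in types:
        if t == "c2p" and descending:
            return False
        if t == "p2p":
            if descending:
                return False
            descending = True
        elif t == "p2c":
            descending = True
        elif t == "unknown":
            return False  # a hop with no inferred relationship cannot be validated
    return True

def window_features(updates: List[List[int]], rel: Dict[Tuple[int, int], str]) -> Dict[str, float]:
    """Aggregate one window of update AS_PATHs into a feature vector (one LSTM time step)."""
    f: Counter = Counter()
    for path in updates:
        types = hop_types(path, rel)
        f.update(types)                                   # counts of p2c / c2p / p2p / unknown hops
        f["updates"] += 1
        f["valley_violations"] += int(not is_valley_free(types))
        f["path_len_sum"] += len(path)
    f["mean_path_len"] = f["path_len_sum"] / f["updates"] if f["updates"] else 0.0
    return dict(f)

# Constructed window: two ordinary announcements plus one route that AS200 learned from
# its provider AS100 and re-announced to its peer AS300, the classic route-leak shape.
WINDOW = [[100, 200, 400], [300, 400], [300, 200, 100]]
```

The violation count is a defender-side signal: a sudden rise in valley-violating paths across windows is what distinguishes a leak-shaped event from ordinary churn.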