As the primary protocol used to exchange routing information between network domains, the Border Gateway Protocol (BGP) plays a central role in the functioning of the Internet. BGP is a standardized routing protocol used to establish and maintain sessions between the network domains, or autonomous systems, that make up the Internet. The protocol can exhibit anomalous behavior caused by improper provisioning, malicious attacks, traffic or equipment failure, and network operator error. At large Internet service providers, many BGP issues are not immediately seen or explicitly monitored by network operations centers. This possible blind spot is due to the enormous number of BGP sessions maintained throughout the network, along with the fact that many such sessions run over sub-interfaces associated with a single physical connection. We present machine learning methods for anomaly detection using unsupervised learning techniques and create a data pipeline to quickly collect BGP data and trigger alerts when anomalies occur. Clustering techniques including k-means and DBSCAN were successfully implemented and were able to detect known anomalies in historical events. This approach could yield soft savings by providing early warning of anomalous BGP events, but human intervention may still be required to address possible false positives.
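The following is an added illustration of the approach the abstract describes, not code from Edwards, Cheng and Kadam. It aggregates BGP UPDATE records into fixed time windows, derives a small feature vector per window (announcement count, withdrawal count, distinct prefixes), standardizes the features, and runs DBSCAN; windows that DBSCAN labels as noise are the anomaly candidates a pipeline would alert on. The update records, the 60-second window, the feature set and the DBSCAN parameters (eps=1.5, min_samples=3) are all constructed assumptions chosen so that a single burst of withdrawals stands out; a real deployment would tune them against historical collector data. The code uses only the Python standard library, so the clustering is written out rather than taken from scikit-learn.

```python
"""Toy BGP anomaly detector: DBSCAN over per-window UPDATE features.

Added example, not the paper's code.  Sample records are constructed;
window size, features and DBSCAN parameters are illustrative assumptions.
"""
from __future__ import annotations

import math
from collections import defaultdict


def build_sample_updates() -> list[tuple[int, str, str]]:
    """Constructed BGP UPDATE records as (timestamp_s, 'A'|'W', prefix).

    Eight one-minute windows of mild churn (3-5 announcements, 1-2
    withdrawals each); window 5 additionally receives a constructed burst
    of 40 withdrawals for distinct prefixes, mimicking a large-scale flap.
    """
    updates: list[tuple[int, str, str]] = []
    for w in range(8):
        base = w * 60
        for i in range(3 + w % 3):  # announcements
            updates.append((base + i, "A", f"203.0.113.{i}/32"))
        for i in range(1 + w % 2):  # routine withdrawals
            updates.append((base + 30 + i, "W", f"203.0.113.{100 + i}/32"))
    for i in range(40):  # constructed withdrawal burst inside window 5
        updates.append((340 + i % 10, "W", f"198.51.100.{i}/32"))
    return updates


def window_features(updates, window_s: int = 60):
    """Bucket updates by time window; return (window_ids, feature_rows).

    Feature row per window: [announcements, withdrawals, distinct prefixes].
    """
    buckets = defaultdict(lambda: {"A": 0, "W": 0, "prefixes": set()})
    for ts, kind, prefix in updates:
        bucket = buckets[ts // window_s]
        bucket[kind] += 1
        bucket["prefixes"].add(prefix)
    windows = sorted(buckets)
    rows = [[buckets[w]["A"], buckets[w]["W"], len(buckets[w]["prefixes"])]
            for w in windows]
    return windows, rows


def zscore(rows):
    """Column-wise z-score; a zero-variance column is left unscaled."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]


def dbscan(points, eps: float, min_samples: int) -> list[int]:
    """Plain DBSCAN. Returns a cluster id per point, -1 for noise.

    A point is a core point when at least min_samples points (itself
    included) lie within eps; clusters grow from core points only.
    """
    n = len(points)
    labels: list[int | None] = [None] * n

    def neighbors(i: int) -> list[int]:
        return [j for j in range(n) if math.dist(points[i], points[j]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        nb = neighbors(i)
        if len(nb) < min_samples:
            labels[i] = -1  # provisional noise; may become a border point
            continue
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point: joins, does not expand
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb_j = neighbors(j)
            if len(nb_j) >= min_samples:
                queue.extend(k for k in nb_j if labels[k] is None)
        cluster += 1
    return labels  # type: ignore[return-value]


def detect_anomalous_windows(updates=None, eps: float = 1.5,
                             min_samples: int = 3) -> list[int]:
    """Return the window ids DBSCAN marks as noise (the alert candidates)."""
    updates = build_sample_updates() if updates is None else updates
    windows, rows = window_features(updates)
    labels = dbscan(zscore(rows), eps, min_samples)
    return [w for w, lab in zip(windows, labels) if lab == -1]


if __name__ == "__main__":
    print("anomalous windows:", detect_anomalous_windows())
```

DBSCAN is used here rather than k-means because it has a built-in notion of noise; with k-means the same alerting would need an extra distance-to-centroid threshold. Note that standardizing with the outlier present compresses the normal windows, which is why a fixed eps still separates them; on a live stream the scaling statistics should come from a trailing baseline rather than the window being scored.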
Edwards, Philip; Cheng, Lu; and Kadam, Girish, "Border Gateway Protocol Anomaly Detection Using Machine Learning Techniques," SMU Data Science Review: Vol. 2, No. 1, Article 5.
Available at: https://scholar.smu.edu/datasciencereview/vol2/iss1/5
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial 4.0 License