Learning with Semantics: Towards a Semantics-Aware Routing Anomaly Detection System

Yihao Chen, Qilei Yin, Qi Li, Zhuotao Liu, Ke Xu, Yi Xu, Mingwei Xu, Ziqian Liu, Jianping Wu

TL;DR

The paper tackles BGP routing anomalies by addressing the shortcomings of manual analysis and label-heavy ML methods. It introduces BEAM, a semantics-aware network embedding that encodes each AS's routing role through proximity and hierarchy derived from CAIDA AS relationships, so that anomaly detection reduces to unsupervised detection of routing-role churn in newly observed announcements. Evaluation across 18 RouteViews datasets (over 11 billion announcements) plus a one-month deployment at a large ISP shows detection of every previously confirmed anomaly with few false alarms (at most five per 180 million announcements offline, 1.65 per day in deployment) at real-time throughput. The work contributes a practical, interpretable framework that complements existing BGP security measures such as RPKI and BGPsec, advancing secure inter-domain routing through semantics-aware representations.

Abstract

BGP is the de facto inter-domain routing protocol to ensure global connectivity of the Internet. However, various reasons, such as deliberate attacks or misconfigurations, could cause BGP routing anomalies. Traditional methods for BGP routing anomaly detection require significant manual investigation of routes by network operators. Although machine learning has been applied to automate the process, prior art typically imposes significant training overhead (such as large-scale data labeling and feature crafting), and only produces uninterpretable results. To address these limitations, this paper presents a routing anomaly detection system centering around a novel network representation learning model named BEAM. The core design of BEAM is to accurately learn the unique properties (defined as the "routing role") of each Autonomous System (AS) in the Internet by incorporating BGP semantics. As a result, routing anomaly detection, given BEAM, is reduced to a matter of discovering unexpected routing role churns upon observing new route announcements. We implement a prototype of our routing anomaly detection system and extensively evaluate its performance. The experimental results, based on 18 real-world RouteViews datasets containing over 11 billion route announcement records, demonstrate that our system can detect all previously-confirmed routing anomalies, while only introducing at most five false alarms every 180 million route announcements. We also deploy our system at a large ISP to perform real-world detection for one month. During the course of deployment, our system detects 497 true anomalies in the wild with an average of only 1.65 false alarms per day.

Paper Structure (30 sections, 1 theorem, 12 equations, 11 figures, 6 tables, 1 algorithm)

Key Result

Theorem 1

The distance function defined in the paper (the equation labelled eq:distance there) preserves the second-order proximity.

Figures (11)

  • Figure 1: Illustrations of BGP anomalies. In BGP hijacking, the adversary can either (I) falsely claim the ownership of a prefix, or (II) announce a fake yet more preferable route. In BGP route leak, routes are propagated to unintended ASes.
  • Figure 2: Learning AS routing roles via BEAM. BEAM takes AS relationships as the input and outputs the embedding vectors that represent AS routing roles. (II.1) BEAM characterizes the proximity between ASes by $p\_score$. If two ASes are directly connected and have the same business relationships with many common neighbors, their proximity tends to be high, i.e., a lower $p\_score$. (II.2) BEAM characterizes the hierarchy among ASes by $h\_score$. If an AS must traverse multiple consecutive P2C links to reach another AS, their hierarchy difference should be large, i.e., a higher $h\_score$. (II.3) BEAM utilizes one joint objective to optimize both $p\_score$ and $h\_score$; negative sampling is also applied. (II.4) The function $D_{\bm{l},\bm{r}}$ measures the routing-role difference between two ASes. A higher $D_{\bm{l},\bm{r}}$ value means a higher difference.
  • Figure 3: Embedding results. (A) All embedding vectors visualized in a 3-D space. The Z-axis represents the hierarchy level and the XY-plane reflects the proximity. (B) The terrain plot of the embedding vectors. The estimated spatial distribution shows the overall characteristics of AS routing roles. (C) The YZ-plane projection of the embedding vectors. The X-axis and the Y-axis of the projection plane indicate the proximity and the hierarchy, respectively. The areas with different colors illustrate the distribution of typical ASes (i.e., vertices with different colors), and the dashed lines show their average hierarchy levels. (D) The XY-plane projection of the embedding vectors. (E) The routing role difference regarding the sampled subsets $S_0$, $H_0$ and $N_0$. (F) The routing role difference regarding the sampled subsets $N_1$ to $N_5$. (G) The routing role difference regarding $S_1$ and $H_1$ to $H_6$.
  • Figure 4: The workflow of our routing anomaly detection system built upon BEAM.
  • Figure 5: Statistical comparisons of path difference scores between anomalous and legitimate route changes.
  • ...and 6 more figures

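The Figure 2 caption describes the two signals BEAM learns from CAIDA AS relationships: proximity (a lower $p\_score$ when two ASes are directly connected and share many neighbors under the same business relationship) and hierarchy (a higher $h\_score$ when one AS sits several consecutive P2C links below the other), combined into a routing-role difference that the detector then applies to route changes. The Python below is an added illustration, not the paper's code and not BEAM's learned embedding: it replaces the trained embedding with hand-crafted proxies (a relationship-typed Jaccard overlap for proximity, a shortest provider-chain depth for hierarchy, and their sum as the role difference) and scores a route change by how role-alien the newly introduced ASes are relative to the old path. The CAIDA as-rel line format (`as1|as2|rel`, with -1 meaning as1 is a provider of as2 and 0 meaning peer-to-peer) is real; the topology, the scoring functions and the alert threshold of 1.5 are constructed for the example.

```python
"""Toy, non-learned stand-in for BEAM's p_score / h_score and a path-difference
score for a route change. Added illustration; p_score and h_score here are
hand-crafted proxies for the values BEAM learns as an embedding."""
from collections import defaultdict, deque

# Constructed toy topology in CAIDA as-rel line format "<as1>|<as2>|<rel>":
# rel -1 means as1 is a provider of as2 (P2C), rel 0 means peer-to-peer.
SAMPLE_AS_REL = """\
# toy data, not real CAIDA output
1|2|0
1|10|-1
1|20|-1
2|300|-1
10|20|0
10|100|-1
10|200|-1
20|200|-1
100|200|0
"""


def parse_as_rel(text):
    """Return {asn: set of (neighbor, role)}, where role is the neighbor's role
    as seen from asn: 'provider', 'customer' or 'peer'."""
    typed = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        a, b, rel = (int(x) for x in line.split("|")[:3])
        if rel == -1:
            typed[a].add((b, "customer"))
            typed[b].add((a, "provider"))
        elif rel == 0:
            typed[a].add((b, "peer"))
            typed[b].add((a, "peer"))
        else:
            raise ValueError(f"unknown relationship code {rel!r}: {line}")
    return dict(typed)


def hierarchy_ranks(typed):
    """Rank 0 = ASes with no provider; rank k = k consecutive P2C links below
    such an AS along the shortest chain. ASes not reachable downward from any
    provider-free AS get one more than the largest rank found."""
    providers = {a: {n for n, r in nb if r == "provider"} for a, nb in typed.items()}
    customers = defaultdict(set)
    for a, nb in typed.items():
        for n, r in nb:
            if r == "customer":
                customers[a].add(n)
    rank = {a: 0 for a in typed if not providers[a]}
    queue = deque(rank)
    while queue:  # BFS downward over P2C links
        a = queue.popleft()
        for c in customers[a]:
            if c not in rank:
                rank[c] = rank[a] + 1
                queue.append(c)
    fallback = max(rank.values(), default=0) + 1
    return {a: rank.get(a, fallback) for a in typed}


def p_score(typed, x, y):
    """Proximity proxy, lower = closer: 0 if x and y are directly connected
    else 1, plus one minus the Jaccard overlap of their (neighbor, role) pairs."""
    nbx, nby = typed.get(x, set()), typed.get(y, set())
    connected = any(n == y for n, _ in nbx)
    union = nbx | nby
    jaccard = len(nbx & nby) / len(union) if union else 0.0
    return (0.0 if connected else 1.0) + (1.0 - jaccard)


def h_score(ranks, x, y):
    """Hierarchy proxy: difference in P2C depth (unknown ASes sit below all)."""
    unknown = max(ranks.values(), default=0) + 1
    return abs(ranks.get(x, unknown) - ranks.get(y, unknown))


def role_difference(typed, ranks, x, y):
    """Joint routing-role difference; here simply p_score + h_score."""
    return p_score(typed, x, y) + h_score(ranks, x, y)


def path_difference(typed, ranks, old_path, new_path):
    """Sum, over ASes the change newly introduces, of the distance to the most
    role-similar AS on the old path. 0 when the new path adds no AS."""
    old = list(dict.fromkeys(old_path))  # dedupe prepends, keep order
    new_ases = [a for a in dict.fromkeys(new_path) if a not in old]
    return sum(min(role_difference(typed, ranks, a, o) for o in old) for a in new_ases)


def classify_change(old_path, new_path, as_rel_text=SAMPLE_AS_REL, threshold=1.5):
    """Return (score, flagged). threshold is arbitrary for this toy graph."""
    typed = parse_as_rel(as_rel_text)
    ranks = hierarchy_ranks(typed)
    score = path_difference(typed, ranks, old_path, new_path)
    return score, score > threshold


if __name__ == "__main__":
    # Failover between two similar providers of origin AS 200: little churn.
    print(classify_change([1, 10, 200], [1, 20, 200]))
    # Prefix suddenly originated by unrelated stub AS 300 via AS 2: high churn.
    print(classify_change([1, 10, 200], [1, 2, 300]))
```

In the toy graph the failover scores 0.6 (AS 20 shares a provider and a customer with AS 10 and peers with it) while the foreign-origin change scores 3.0, because neither AS 2 nor AS 300 shares any typed neighbor with the old path. The real system gets this separation from learned vectors rather than neighbor overlap, and its threshold is tuned against the statistical comparison shown in Figure 5; the point of the proxy is only to make the churn idea concrete.
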
Theorems & Definitions (11)

  • Definition 1: AS Graph
  • Definition 2: First-Order AS Proximity
  • Definition 3: Second-Order AS Proximity
  • Definition 4: AS Hierarchy
  • Definition 5: AS Embedding
  • Definition 6: BGP Semantics Aware Network Embedding
  • Theorem 1
  • Proof of Theorem 1
  • Definition 7: Anomalous Prefix Event
  • Definition 8: Responsible AS
  • ...and 1 more