
Detecting BGP Anomalies with Wavelet


Abstract

In this paper, we propose a BGP anomaly detection framework called BAlet that delivers both temporal and spatial localization of the potential anomalies. It requires only a simple count of BGP update messages collected over a certain period. We first investigate the self-similarity in BGP update traffic and present a quantitative validation. The strength of wavelet analysis in handling signals with scaling property and earlier success in applying it for network anomaly detection motivate us to apply the same technique on BGP routing traffic. Later, by clustering the anomalies detected at different locations, BAlet is capable of identifying possible network-wide anomalous events. Our method does not rely on any information within the BGP messages, and serves as a complementary tool to reduce the candidate data set for further detailed root cause analysis. We evaluate BAlet on real BGP data sets that are known to contain anomalies. Results show that it is capable of detecting network-wide events such as message volume surges caused by the Slammer worm attack, and separating affected ASes from the rest.
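A sketch of the pipeline the abstract outlines (per-peer update counts, wavelet detail coefficients, then clustering detections across vantage points), added here as an illustration and not taken from the BAlet paper. The abstract does not name a wavelet, scale, threshold or clustering rule, so the Haar wavelet, the scale of 2 bins, the median-based threshold, the time-bin clustering, the peer labels and the sample counts are all assumptions.

```python
import statistics

def haar_detail(counts, scale=2):
    """Undecimated Haar detail coefficient at each bin t: the sum of the
    `scale` bins starting at t minus the sum of the `scale` bins before t."""
    norm = (2 * scale) ** 0.5
    return {t: (sum(counts[t:t + scale]) - sum(counts[t - scale:t])) / norm
            for t in range(scale, len(counts) - scale + 1)}

def anomalous_bins(counts, scale=2, k=4.0):
    """Temporal localization: bins whose coefficient exceeds k * sigma.
    sigma = median(|d|) / 0.6745 is a robust noise estimate, so the
    anomaly itself barely moves the threshold."""
    d = haar_detail(counts, scale)
    sigma = statistics.median(abs(v) for v in d.values()) / 0.6745
    return [t for t, v in d.items() if abs(v) > k * sigma]

def network_events(per_peer, min_peers=3, **kw):
    """Spatial localization: group per-peer detections by time bin and keep
    the bins reported by at least min_peers vantage points."""
    hits = {}
    for peer, counts in per_peer.items():
        for t in anomalous_bins(counts, **kw):
            hits.setdefault(t, []).append(peer)
    return {t: sorted(p) for t, p in sorted(hits.items()) if len(p) >= min_peers}

def constructed_counts(peer_idx, extra, n=32):
    """Constructed sample, not real BGP data: about 100 updates per bin with
    small deterministic jitter, plus `extra` as {bin: added updates}."""
    return [100 + (7 * i + 3 * peer_idx) % 11 + extra.get(i, 0) for i in range(n)]

SURGE = {b: 400 for b in range(20, 24)}        # four-bin surge seen by three peers
PEERS = {                                      # hypothetical peer labels
    "AS-A": constructed_counts(0, SURGE),
    "AS-B": constructed_counts(1, SURGE),
    "AS-C": constructed_counts(2, SURGE),
    "AS-D": constructed_counts(3, {8: 300}),   # one-bin spike local to this peer
}

if __name__ == "__main__":
    for peer, counts in PEERS.items():
        print(peer, "anomalous bins:", anomalous_bins(counts))
    print("network-wide:", network_events(PEERS))
```

The Haar coefficient responds to changes in level, so the surge is flagged around its onset (bin 20) and its end (bin 24) while the flat middle of the plateau is not; the spike at AS-D is detected locally but never reaches the three-peer quorum.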