The Border Gateway Protocol (BGP) serves as the foundational routing protocol for the tens of thousands of Autonomous Systems (ASes) that constitute the backbone of the Internet. However, BGP is subject to a range of routing anomalies, including route hijacking, where ASes may falsely announce ownership of a prefix or present a more favorable path to it. The adoption of existing solutions has been limited, primarily due to high implementation costs and the intricate nature of the Internet’s infrastructure. To address these challenges, we propose an approach leveraging the Deep Anomaly Detection on Attributed Networks (DOMINANT) model, which utilizes Graph Convolutional Networks (GCNs) and attributed networks to detect anomalous nodes within graph structures. Our dataset, comprising over 18,000 BGP updates related to Twitter’s AS and obtained via the RIPEstat Data API, spans from 2015 to 2022 and provides a robust foundation for anomaly detection. Given that DOMINANT generates anomaly scores at the node level, we refined this scoring methodology by aggregating scores across connections and pathways to yield comprehensive path-level anomaly metrics, facilitating efficient anomaly detection. This methodology accurately identified all known anomalous updates associated with the RT-Comm Twitter hijack in March 2022, as well as an additional, unexpected hijack in the dataset by a Colombian provider in 2019, confirmed to be an actual anomaly. Importantly, no false positives were detected, ensuring the precision of the approach. This approach is efficient, accessible, and cost-effective, providing a scalable solution that can be easily adapted for continuous anomaly detection across networks and expanded to address broader cybersecurity challenges.
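The abstract describes turning DOMINANT's node-level (per-AS) anomaly scores into path-level metrics by aggregating over connections (AS adjacencies) and pathways (announced AS paths), then flagging updates. The block below is an added illustration of that refinement step and is not the paper's code: the BGP update records, the private-range AS numbers and the per-AS scores are constructed, the scores merely stand in for DOMINANT's output, and the edge rule (mean of endpoints), the path rule (average link blended with the worst link) and the median-plus-MAD threshold are assumptions chosen for this example.

```python
"""Path-level BGP anomaly scoring built on node-level scores.

Added illustration, not the paper's code. Update records, AS numbers and
node scores are constructed; the node scores stand in for DOMINANT's per-AS
output. Edge/path aggregation rules and the threshold are assumptions.
"""
from statistics import mean, median

# Constructed BGP updates: (prefix, AS path with the origin AS last).
UPDATES = [
    ("198.51.100.0/24", [64500, 64501, 64502, 64510]),
    ("198.51.100.0/24", [64503, 64501, 64502, 64510]),
    ("203.0.113.0/24",  [64500, 64504, 64511]),
    ("203.0.113.0/24",  [64505, 64504, 64511]),
    ("198.51.100.0/24", [64506, 64501, 64502, 64510]),
    ("192.0.2.0/24",    [64500, 64501, 64512]),
    # Constructed anomaly: an unrelated AS originates 198.51.100.0/24
    # through a transit AS that never carried that prefix before.
    ("198.51.100.0/24", [64500, 64507, 64599]),
]

# Constructed stand-in for DOMINANT node-level anomaly scores (0 = normal).
NODE_SCORES = {
    64500: 0.10, 64501: 0.20, 64502: 0.15, 64503: 0.12, 64504: 0.18,
    64505: 0.11, 64506: 0.14, 64510: 0.20, 64511: 0.16, 64512: 0.20,
    64507: 0.60, 64599: 0.95,
}


def edge_score(a, b, node_scores=NODE_SCORES):
    """Connection-level score: mean of the two endpoint scores (assumed rule)."""
    return (node_scores[a] + node_scores[b]) / 2


def path_score(path, node_scores=NODE_SCORES):
    """Path-level score: average link score blended with the worst link, so a
    single bad hop is not diluted by a long, otherwise normal path."""
    if len(path) < 2:                      # single-AS path: no links to aggregate
        return node_scores[path[0]]
    edges = [edge_score(a, b, node_scores) for a, b in zip(path, path[1:])]
    return 0.5 * mean(edges) + 0.5 * max(edges)


def worst_link(path, node_scores=NODE_SCORES):
    """The AS adjacency contributing most to the path score, for triage."""
    if len(path) < 2:
        return (path[0], path[0])
    return max(zip(path, path[1:]),
               key=lambda e: edge_score(e[0], e[1], node_scores))


def robust_threshold(scores, k=3.0):
    """median + k * MAD: insensitive to the few outliers we want to find."""
    med = median(scores)
    mad = median(abs(s - med) for s in scores)
    return med + k * mad


def flag_updates(updates=UPDATES, node_scores=NODE_SCORES, k=3.0):
    """Return (prefix, path, score, worst_link) for updates above threshold."""
    scored = [(pfx, path, path_score(path, node_scores)) for pfx, path in updates]
    thr = robust_threshold([s for _, _, s in scored], k)
    return [(pfx, path, s, worst_link(path, node_scores))
            for pfx, path, s in scored if s > thr]


if __name__ == "__main__":
    for prefix, path, score, link in flag_updates():
        print(f"{prefix} via {path}: score={score:.3f}, worst link={link}")
```

On the constructed data only the last update crosses the threshold, and `worst_link` points at the adjacency between the unfamiliar transit and the unexpected origin, which is the part of the path an operator would want to examine first. Blending the mean with the maximum is what keeps a single anomalous hop visible inside a long path; using a pure mean would let normal upstream hops mask it.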
*** Title, author list and abstract as submitted during Camera-Ready version delivery. Small changes that may have occurred during processing by Springer may not appear in this window.