Saved in:
Bibliographic Details
Main Author: Adebayo, Samuel Oluwafemi
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2506.17821
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908416107085824
author Adebayo, Samuel Oluwafemi
author_facet Adebayo, Samuel Oluwafemi
contents Deep learning has significant potential to make the Internet's Border Gateway Protocol (BGP) secure by detecting anomalous routing activity. However, all but a few of these approaches rely on the implicit assumption that anomalies manifest as noisy, high-complexity outliers from some normal baseline. This work challenges this assumption by investigating if a best-in-class detection model built on this assumption can effectively deal with real-world security events' diverse signatures. We employ an LSTM-based autoencoder, a classical example of a reconstruction-based anomaly detector, as our test vehicle. We then contrast this model with a representative sampling of historical BGP anomalies, including the Slammer worm and the Moscow blackout, and with a simulated 'BGP storm' designed as a positive control. Our experience unveils a blind spot of our model: the model easily identifies the synthetic anomaly of high complexity but invariably fails to identify real-world events that manifest in the form of a "signal loss" (e.g., Slammer, Moscow Blackout) or "low-deviation" (e.g., WannaCry) signature. We demonstrate that the model mistakenly recognizes the abrupt cut-off of BGP updates during catastrophic failures as a signal of extreme stability, leading to reconstruction errors of virtually zero and total failure to detect. We conclude that the characterization of BGP anomalies as high-reconstruction-error events alone is a weak and dangerous oversimplification. Our research provides the data-driven case for why hybrid, multi-modal detection systems capable of identifying both high-complexity and signal-loss signatures are required to enable end-to-end BGP security.
format Preprint
id arxiv_https___arxiv_org_abs_2506_17821
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle The Blind Spot of BGP Anomaly Detection: Why LSTM Autoencoders Fail on Real-World Outages
Adebayo, Samuel Oluwafemi
Networking and Internet Architecture
Deep learning has significant potential to make the Internet's Border Gateway Protocol (BGP) secure by detecting anomalous routing activity. However, all but a few of these approaches rely on the implicit assumption that anomalies manifest as noisy, high-complexity outliers from some normal baseline. This work challenges this assumption by investigating if a best-in-class detection model built on this assumption can effectively deal with real-world security events' diverse signatures. We employ an LSTM-based autoencoder, a classical example of a reconstruction-based anomaly detector, as our test vehicle. We then contrast this model with a representative sampling of historical BGP anomalies, including the Slammer worm and the Moscow blackout, and with a simulated 'BGP storm' designed as a positive control. Our experience unveils a blind spot of our model: the model easily identifies the synthetic anomaly of high complexity but invariably fails to identify real-world events that manifest in the form of a "signal loss" (e.g., Slammer, Moscow Blackout) or "low-deviation" (e.g., WannaCry) signature. We demonstrate that the model mistakenly recognizes the abrupt cut-off of BGP updates during catastrophic failures as a signal of extreme stability, leading to reconstruction errors of virtually zero and total failure to detect. We conclude that the characterization of BGP anomalies as high-reconstruction-error events alone is a weak and dangerous oversimplification. Our research provides the data-driven case for why hybrid, multi-modal detection systems capable of identifying both high-complexity and signal-loss signatures are required to enable end-to-end BGP security.
title The Blind Spot of BGP Anomaly Detection: Why LSTM Autoencoders Fail on Real-World Outages
topic Networking and Internet Architecture
url https://arxiv.org/abs/2506.17821