Comparison of machine learning models for classification of BGP anomalies

Worms such as Slammer, Nimda, and Code Red~I are anomalies that affect performance of the global Internet Border Gateway Protocol (BGP). BGP anomalies also include Internet Protocol (IP) prefix hijacks, miss-configurations, and electrical failures. In this Thesis, we analyzed the feature selection process to choose the most correlated features for an anomaly class. We compare the Fisher, minimum redundancy maximum relevance (mRMR), odds ratio (OR), extended/multi-class/weighted odds ratio (EOR/MOR/WOR), and class discriminating measure (CDM) feature selection algorithms. We extend the odds ratio algorithms to use both continuous and discrete features. We also introduce new classification features and apply Support Vector Machine (SVM) models, Hidden Markov Models (HMMs), and Naive Bayes (NB) models to design anomaly detection algorithms. We apply multi classification models to correctly classify test datasets and identify the correct anomaly types. The proposed models are tested with collected BGP traffic traces from RIPE and BCNET and are employed to successfully classify and detect various BGP anomalies.