SHAP-BASED EVALUATION OF FEATURE IMPORTANCE IN BGP ANOMALY DETECTION MODELS

2025; : 34-43
1 Lviv Polytechnic National University
2 Lviv Polytechnic National University
3 Lviv branch of JSC "Ukrtelecom"

The classification of Border Gateway Protocol (BGP) anomalies is essential for maintaining Internet stability and security, as such anomalies can impair network functionality and reliability. Previous studies have examined the impact of key features on anomaly detection; however, current methodologies frequently demonstrate high computational costs, complexity, and usage challenges. The article presents a novel approach for evaluating feature importance based on SHAP (SHapley Additive Explanations), which provides a simplified, interpretable and efficient alternative specifically designed for LSTM-based classification models. A dedicated tool was developed to effectively evaluate feature impact, combining statistical analysis with visualizations to improve comprehension. This tool enables the assessment of global feature influence across datasets, emphasizing features that consistently increase classification performance. Furthermore, it offers insights into the impact of features on a per-class basis, demonstrating the varying contributions of individual features to the detection of different types of anomalies. Various datasets representing distinct anomaly types, such as direct, indirect, and outage anomalies, were utilized to validate the approach's applicability across a range of scenarios. This level of detail enables researchers to enhance LSTM models for particular anomaly categories while preserving overall efficacy. We suggested a structured algorithm to facilitate these developments, showing how feature impact evaluation can directly improve model optimization and detection tactics. Stability tests performed on various datasets demonstrate the reliability of feature rankings, thereby reinforcing the validity of the proposed methodology. The SHAP-based framework described in this paper makes complex analyses easier to understand while also providing useful insights.
This approach enhances the efficiency of anomaly detection systems by allowing researchers to identify critical features, integrate new metrics, and refine existing LSTM models. The advancements enhance the security and resilience of infocommunication networks, effectively addressing emerging challenges in network security through a scalable and interpretable solution.
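
The per-class and global feature rankings described above can be illustrated with exact Shapley values, the quantity SHAP estimates. This is an added example, not code from the paper or its tool: a toy softmax classifier stands in for the trained LSTM, and the feature names, classes, weights, baseline and sample windows are all constructed assumptions.

```python
from itertools import combinations
from math import exp, factorial

# Constructed feature names, classes and weights (assumptions, not the paper's).
FEATURES = ["announcements", "withdrawals", "avg_as_path_len"]
CLASSES = ["normal", "direct", "outage"]
WEIGHTS = [[-1.0, -1.0, -0.5], [2.0, 0.2, 1.0], [0.1, 2.5, 0.0]]
BASELINE = [0.0, 0.0, 0.0]  # reference input standing for "feature absent"
# Constructed per-window feature vectors: one outage-like, one direct-like.
SAMPLES = [[1.0, 3.0, 0.5], [3.0, 0.5, 1.0]]

def predict(x):
    """Toy softmax classifier standing in for the trained LSTM."""
    z = [sum(w * v for w, v in zip(row, x)) for row in WEIGHTS]
    e = [exp(v - max(z)) for v in z]
    return [v / sum(e) for v in e]

def shapley(x, cls, baseline=BASELINE):
    """Exact Shapley values of predict(x)[cls], enumerating all coalitions."""
    n = len(x)
    def value(present):
        return predict([x[i] if i in present else baseline[i] for i in range(n)])[cls]
    phi = [0.0] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for k in range(n):
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for s in combinations(others, k):
                phi[i] += weight * (value(set(s) | {i}) - value(set(s)))
    return phi

def per_class_importance(samples):
    """Mean |SHAP| of each feature, separately for every class."""
    out = {}
    for c, name in enumerate(CLASSES):
        phis = [shapley(x, c) for x in samples]
        out[name] = [sum(abs(p[i]) for p in phis) / len(phis)
                     for i in range(len(FEATURES))]
    return out

def ranking(scores):
    """Feature names ordered from most to least important."""
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    return [FEATURES[i] for i in order]

if __name__ == "__main__":
    table = per_class_importance(SAMPLES)
    for name, scores in table.items():
        print(name, ranking(scores))
    overall = [sum(table[c][i] for c in CLASSES) for i in range(len(FEATURES))]
    print("global", ranking(overall))
```

Exact enumeration grows exponentially with the number of features, so it is practical only for a handful of them. The same ranking function applied to separate datasets gives orderings that can be compared for stability.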
