GAMPAL: an anomaly detection mechanism for Internet backbone traffic by flow size prediction with LSTM-RNN
Annals of Telecommunications (IF 1.9), Pub Date: 2021-08-28, DOI: 10.1007/s12243-021-00874-8
Taku Wakui, Takao Kondo, Fumio Teraoka

This paper proposes a general-purpose anomaly detection mechanism for Internet backbone traffic named GAMPAL (General-purpose Anomaly detection Mechanism using Prefix Aggregate without Labeled data). GAMPAL does not require labeled data to achieve general-purpose anomaly detection. For scalability to the number of entries in the BGP RIB (Border Gateway Protocol Routing Information Base), GAMPAL introduces the prefix aggregate. The BGP RIB entries are classified into prefix aggregates, each of which is identified by the first three AS (Autonomous System) numbers in the AS_PATH attribute. GAMPAL establishes a prediction model for traffic sizes based on past traffic sizes. It adopts an LSTM-RNN (Long Short-Term Memory Recurrent Neural Network) model that focuses on the periodicity of Internet traffic patterns at a weekly scale. The validity of GAMPAL is evaluated using real traffic information and BGP RIBs exported from the WIDE backbone network (AS2500), a nationwide backbone network for research and educational organizations in Japan, and the dataset of an ISP (Internet Service Provider) in Spain. As a result, GAMPAL successfully detects anomalies such as increased traffic due to an event, DDoS (Distributed Denial of Service) attacks targeted at a stub organization, a connection failure, an SSH (Secure Shell) scan attack, and anomaly spam.
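The two mechanisms the abstract describes, grouping RIB entries into prefix aggregates keyed by the first three ASNs of AS_PATH and flagging aggregates whose observed flow size departs from a weekly-periodic prediction, are illustrated below. This is an added example, not the paper's code: the LSTM-RNN predictor is replaced by a simple weekly seasonal baseline (mean of the same slot in earlier weeks), the RIB entries use ASNs from the 64496-64511 documentation range and prefixes from the documentation blocks, the flow records are constructed with one injected traffic spike, and the 50% deviation threshold is an assumption.

```python
"""Prefix-aggregate anomaly detection in the style of GAMPAL (added example).

Not the paper's code. The LSTM-RNN predictor is replaced by a weekly seasonal
baseline (mean of the same slot in earlier weeks). Prefix-aggregate keying
follows the abstract: the first three ASNs of AS_PATH. All RIB entries, flow
records and the threshold below are constructed for illustration.
"""
from collections import defaultdict

PERIOD = 7        # one slot per day, so the periodicity is one week
WEEKS = 4         # three weeks of history plus one week under inspection
THRESHOLD = 0.5   # flag when |observed - predicted| exceeds 50% of predicted (assumed)

# Constructed RIB: prefix -> AS_PATH (documentation ASNs, not real routes)
RIB = {
    "192.0.2.0/24":    [64496, 64497, 64498, 64499],
    "192.0.2.0/25":    [64496, 64497, 64498, 64500],  # same first three ASNs -> same aggregate
    "198.51.100.0/24": [64496, 64501, 64502],
    "203.0.113.0/24":  [64503, 64504],                # path shorter than three ASNs
}

# Constructed weekly traffic pattern per prefix (size units per day): weekdays busy, weekend quiet
WEEKLY_PATTERN = [100, 110, 105, 115, 100, 40, 35]


def prefix_aggregate_key(as_path):
    """Aggregate identifier per the abstract: the first three ASNs of AS_PATH.
    Paths shorter than three hops keep their full path (assumption)."""
    return tuple(as_path[:3])


def build_aggregates(rib):
    """Map each prefix aggregate to the set of RIB prefixes it covers."""
    aggregates = defaultdict(set)
    for prefix, as_path in rib.items():
        aggregates[prefix_aggregate_key(as_path)].add(prefix)
    return dict(aggregates)


def constructed_flows():
    """Constructed flow records (prefix, slot, size) following WEEKLY_PATTERN,
    plus one injected spike on 192.0.2.0/24 in the last week (slot 24)."""
    flows = []
    for prefix in RIB:
        for slot in range(PERIOD * WEEKS):
            flows.append((prefix, slot, WEEKLY_PATTERN[slot % PERIOD]))
    flows.append(("192.0.2.0/24", 24, 500))
    return flows


def aggregate_traffic(rib, flows, n_slots):
    """Sum per-prefix flow sizes into one time series per prefix aggregate."""
    series = defaultdict(lambda: [0] * n_slots)
    for prefix, slot, size in flows:
        key = prefix_aggregate_key(rib[prefix])  # exact-prefix route lookup assumed
        series[key][slot] += size
    return dict(series)


def seasonal_predict(series, slot, period=PERIOD):
    """Stand-in for the LSTM-RNN: mean of the same weekly slot in all earlier weeks."""
    history = [series[s] for s in range(slot % period, slot, period)]
    return sum(history) / len(history)


def detect_anomalies(series, period=PERIOD, threshold=THRESHOLD):
    """Return (slot, observed, predicted) for slots whose relative deviation
    from the prediction exceeds the threshold; the first week has no history."""
    flagged = []
    for slot in range(period, len(series)):
        predicted = seasonal_predict(series, slot, period)
        observed = series[slot]
        if predicted == 0:
            deviation = float(observed > 0)  # any traffic where none was predicted
        else:
            deviation = abs(observed - predicted) / predicted
        if deviation > threshold:
            flagged.append((slot, observed, predicted))
    return flagged


def run_detection():
    """Run the whole pipeline on the constructed data: aggregate -> predict -> flag."""
    series = aggregate_traffic(RIB, constructed_flows(), PERIOD * WEEKS)
    return {key: detect_anomalies(s) for key, s in series.items()}


if __name__ == "__main__":
    for key, anomalies in run_detection().items():
        print(key, anomalies)
```

Only the aggregate (64496, 64497, 64498) is flagged, at slot 24, because the injected spike on one of its two prefixes lifts the aggregate far above the 230 units predicted from the same weekday in the three preceding weeks; the other aggregates track their weekly pattern exactly and produce no alerts.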




Updated: 2021-08-29