Method for detecting regional route withdrawal interrupt event, tracing method and related device

By optimizing the selection of route observation nodes and constructing regional time-series features, and utilizing a long short-term memory network model to detect regional route rollback interruption events, the accuracy and real-time issues of detection and location in existing technologies are solved, achieving fast and accurate event detection and location.

CN122247892APending Publication Date: 2026-06-19BEIJING UNIV OF POSTS & TELECOMM

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING UNIV OF POSTS & TELECOMM
Filing Date
2026-02-26
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing methods for detecting regional route rollback interruption events are difficult to detect and locate quickly and accurately in noisy and complex network environments, leading to loss of network reachability and security threats.

Method used

By calculating the number of route prefixes declared by the route observation nodes, the set of observation nodes is filtered, the set of monitored autonomous system nodes is determined based on the geographical location information of the route prefixes of the autonomous system, a regional-level temporal feature vector is constructed, and anomaly detection is performed using a pre-trained long short-term memory network model to determine the start time of the event.

Benefits of technology

It enables rapid and accurate detection and location of regional route rollback interruption events while reducing noise interference, thereby improving the efficiency of network fault emergency response.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122247892A_ABST
    Figure CN122247892A_ABST
Patent Text Reader

Abstract

This application provides a method, a source tracing method, and related equipment for detecting regional route rollback interruption events. The detection method includes: filtering route observation nodes based on the number of route prefixes to obtain an observation node set; determining a set of monitored autonomous system nodes within the region whose registration location and operation location are consistent; constructing a temporal feature vector of the monitored autonomous system based on the observation node set and the set of monitored autonomous system nodes within the region, according to the behavioral characteristics of route rollback interruption; aggregating the temporal feature vectors of all monitored autonomous systems within the region to obtain regional-level temporal features; inputting the regional-level temporal features into a long short-term memory network model for anomaly detection to determine the regional route rollback interruption event and recording the start time of the event. The method, source tracing method, and related equipment for detecting regional route rollback interruption events provided in this application are simple and convenient, and can quickly and accurately detect regional route rollback interruption events.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of Internet security technology, and in particular to a method for detecting, tracing, and related equipment for regional routing rollback interruption events. Background Technology

[0002] Border Gateway Protocol (BGP) is a standard protocol for interconnection between Autonomous Systems (AS). It controls the forwarding paths of inter-domain traffic and acts as the central nervous system of the Internet, playing a crucial role in the stability and reliability of the entire network. Area route rollback interruption events, as a typical type of inter-domain routing anomaly, can lead to a loss of network reachability in a specific area, affecting normal user access services and even threatening the stable operation of critical infrastructure. Therefore, there is an urgent need for a method that can accurately and quickly detect and locate the source of area route rollback interruption events. Summary of the Invention

[0003] In view of this, the purpose of this application is to propose a method for detecting and tracing regional routing rollback interruption events, as well as related equipment, to solve the above-mentioned technical problems.

[0004] A first aspect of this application provides a method for detecting regional route rollback interruption events, comprising: calculating the number of route prefixes declared by each route observation node; filtering the route observation nodes according to the number of route prefixes to obtain a set of observation nodes; determining a set of monitored autonomous system nodes within a region whose registration location and operation location are consistent based on the geographical location information of the route prefixes of autonomous systems; constructing a temporal feature vector of the monitored autonomous system based on the observation node set and the set of monitored autonomous system nodes within the region, according to the behavioral characteristics of route rollback interruption; aggregating the temporal feature vectors of all monitored autonomous systems within the region to obtain regional-level temporal features; inputting the regional-level temporal features into a pre-trained long short-term memory network model for anomaly detection to determine regional route rollback interruption events and recording the start time of the event.

[0005] Further, the calculation of the number of route prefixes advertised by each route observation node, and the filtering of route observation nodes based on the number of route prefixes to obtain an observation node set; determining the set of monitored autonomous system nodes within the region where the registration location and operation location are consistent based on the geographical location information of the autonomous system's route prefixes, including: initializing the global route prefix advertisement set, the route observation node route prefix data dictionary, the route prefix path dictionary, the autonomous system advertised route prefix dictionary, the route prefix autonomous system affiliation dictionary, and the autonomous system area affiliation dictionary; loading the route snapshot dump file of the route packet collector; reading the packet records in the route snapshot dump file, extracting the route prefixes and inserting them into the global route prefix advertisement set, extracting the route prefixes observed by each observation node and inserting them into the route observation node route prefix data dictionary, extracting the route prefix, the observation point autonomous system number, and the autonomous system path, and inserting them into the route prefix path dictionary; extracting the route prefix and the route prefix advertised autonomous system number, and inserting them into the autonomous system advertised route prefix dictionary; extracting the route prefix, The routing prefix announces the Autonomous System Number (AS Number) and inserts it into the AS Number Attribution Dictionary. The number of global routing prefixes in the global routing prefix announcement set is calculated. Based on the routing prefix data dictionary of the routing observation nodes, the number of routing prefixes observed by each observation node is calculated. Observation nodes whose observed number of routing prefixes is greater than or equal to a preset proportion of the global routing prefix number are selected to form an observation node set. The original allocation data of the AS Number is extracted from the public Internet Number Allocation Database and inserted into the AS Number Attribution Dictionary. The AS Number Attribution Dictionary is traversed to extract the Autonomous Region Number. When the AS Number Attribution Dictionary contains the AS Number, all AS Numbers are traversed. For each routing prefix, an Internet Protocol address is randomly selected, and its geographical location information is determined to construct an operational area distribution set corresponding to each routing prefix. When the operational area distribution set points to a unique operational location and is consistent with the registration location, the set of monitored AS nodes within the region is determined based on the routing prefix.

[0006] Further, based on the set of observation nodes and the set of monitored autonomous system nodes within the region, the step of constructing a time-series feature vector for the monitored autonomous system according to the behavioral characteristics of route rollback interruption, and aggregating the time-series feature vectors of all monitored autonomous systems within the region to obtain regional-level time-series features, includes: initializing the autonomous system routing feature dictionary and the regional routing feature dictionary; loading the routing update dump file after the routing snapshot dump file, the routing update dump file including rollback messages and announcement messages, the rollback messages corresponding to the set of observation nodes, and the announcement messages corresponding to the set of monitored autonomous system nodes within the region; reading the message records in the routing update dump file to obtain the route rollback interruption... The behavior features are timestamps; when the message is a rollback message, the observation node autonomous system number and routing prefix are extracted from the message record, and the routing prefix path dictionary and the autonomous system routing feature dictionary are updated; when the message is an announcement message, the observation node autonomous system number, routing prefix and autonomous system path are extracted from the message record, and the autonomous system announcement routing prefix dictionary, the routing prefix autonomous system affiliation dictionary and the autonomous system routing feature dictionary are updated; when the timestamp changes, the autonomous systems in the autonomous system routing feature dictionary are traversed, the temporal feature vector of each autonomous system within the timestamp interval is determined, and all temporal feature vectors in the region are synchronously accumulated to obtain the regional-level temporal feature.

[0007] Further, the step of inputting the regional-level temporal features into a pre-trained long short-term memory network model for anomaly detection to determine regional route rollback interruption events and recording the start time of the event includes: extracting historical temporal features of the target region during the stable operation period of the network to construct a benchmark dataset; using the benchmark dataset to train the long short-term memory network model; inputting the regional-level temporal features into the trained long short-term memory network model to obtain statistical deviation; when the statistical deviation is greater than or equal to a preset deviation, it is determined that a route rollback interruption event has occurred in the region, and the start time is recorded.

[0008] A second aspect of this application provides a method for tracing the source of a regional route rollback interruption event, comprising: determining a regional route rollback interruption event using the detection method for regional route rollback interruption events as described in the first aspect above and recording the start time point of the event; calculating the proportion of abnormal routing packets of autonomous systems within the region at the start time point, and filtering according to the proportion to obtain a set of affected autonomous systems; extracting path change information based on the set of autonomous systems, and determining the source of the fault based on the path change information.

[0009] Further, the percentage of abnormal routing packets of autonomous systems within the calculation area at the starting time point is used to filter and obtain a set of affected autonomous systems, including: extracting the time-series feature vectors of all monitored autonomous systems within the area at the starting time point according to the autonomous system area affiliation dictionary, calculating the ratio of the time-series feature vectors to the area-level time-series features to obtain the percentage of abnormal routing packets; and aggregating autonomous systems with a percentage of abnormal routing packets greater than a preset percentage to form an autonomous system set.

[0010] Further, the step of extracting path change information based on the set of autonomous systems and determining the fault source based on the path change information includes: traversing the autonomous systems in the set of autonomous systems and extracting path change information of the prefix when an anomaly occurs; decomposing the autonomous system path into internal edge topology components and inter-edge topology components based on the path change information, and generating a candidate root source set, wherein the candidate root source set is the union of the old path and the new path; calculating the occurrence frequency of each topology component in all the candidate root source sets, and extracting the topology components with occurrence frequencies greater than a preset frequency to form a suspect list; performing an intersection operation on the suspect lists of multiple autonomous systems in the set of autonomous systems to determine the common topology component, and determining the topology component as the fault source.

[0011] A third aspect of this application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements either the method for detecting a regional routing rollback interruption event as described in the first aspect above or the method for tracing the source of a regional routing rollback interruption event as described in the second aspect above.

[0012] A fourth aspect of this application provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to execute the method for detecting regional route rollback interruption events as described in the first aspect above or the method for tracing regional route rollback interruption events as described in the second aspect above.

[0013] A fifth aspect of this application provides a computer program product, including computer program instructions, characterized in that, when the computer program instructions are executed on a computer, the computer causes the computer to perform the method for detecting regional route rollback interruption events as described in the first aspect above or the method for tracing regional route rollback interruption events as described in the second aspect above.

[0014] As described above, this application provides a method for detecting, tracing, and related equipment for regional route rollback interruption events. The detection method includes: calculating the number of route prefixes declared by each route observation node; filtering route observation nodes based on the number of route prefixes to obtain a set of observation nodes; determining a set of monitored autonomous system nodes within the region whose registration and operation locations are consistent based on the geographical location information of the route prefixes of autonomous systems; constructing a temporal feature vector of the monitored autonomous system based on the behavioral characteristics of route rollback interruption based on the set of observation nodes and the set of monitored autonomous system nodes within the region; aggregating the temporal feature vectors of all monitored autonomous systems within the region to obtain regional-level temporal features; inputting the regional-level temporal features into a pre-trained long short-term memory network model for anomaly detection to determine regional route rollback interruption events and recording the start time of the event. By optimizing the selection of route observation nodes and regional monitored autonomous systems, noise interference within the detection range is reduced from the source; by constructing regional-level temporal features for anomaly detection, the judgment of route rollback interruption events and the determination of the start time are realized. Testing shows that this method can quickly and accurately detect regional route rollback interruption events, effectively improving detection accuracy. The detection method, tracing method, and related equipment for regional route rollback interruption events are simple and convenient, and can quickly and accurately detect regional route rollback interruption events. Attached Figure Description

[0015] To more clearly illustrate the technical solutions in this application or related technologies, the drawings used in the description of the embodiments or related technologies will be briefly introduced below. Obviously, the drawings described below are only embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0016] Figure 1 This is a flowchart illustrating a method for detecting regional routing rollback interruption events in an embodiment of this application.

[0017] Figure 2 This is a schematic diagram illustrating the logical relationship of the method for tracing the source of regional routing rollback interruption events in the embodiments of this application.

[0018] Figure 3 This is a schematic diagram illustrating the logical relationship of the method for detecting regional routing rollback interruption events in the embodiments of this application.

[0019] Figure 4 This is a schematic diagram of the structure of the long short-term memory network model in the embodiments of this application.

[0020] Figure 5 This is a schematic diagram of the time-normalization curve for feature aggregation at the collector level in related technologies.

[0021] Figure 6 This is a schematic diagram of the time-normalization curve for feature aggregation at the autonomous system level in an embodiment of this application.

[0022] Figure 7 This is a schematic diagram of the structure of an electronic device according to an embodiment of this application. Detailed Implementation

[0023] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with specific embodiments and the accompanying drawings.

[0024] It should be noted that, unless otherwise defined, the technical or scientific terms used in the embodiments of this application should have the ordinary meaning understood by one of ordinary skill in the art to which this application pertains. Terms such as "comprising" or "including" mean that the element or object preceding the word encompasses the elements or objects listed following the word and their equivalents, without excluding other elements or objects. Terms such as "connected" or "linked" are not limited to physical or mechanical connections, but can include electrical connections, whether direct or indirect.

[0025] The Internet consists of thousands of independent and autonomous systems. Each Autonomous System (AS) is a collection of Internet Protocol (IP) routing prefixes connected under the control of one or more organizations representing a single administrative entity or domain that provides a common, well-defined routing policy. Each AS is assigned a globally unique Autonomous System Number (ASN) and logically corresponds to a specific governing body and administrative region. Given the diversity of cross-border business and network deployments, situations exist in which the ASN registration location and the network operation location are inconsistent. This application defines such a phenomenon as "inconsistency between the Autonomous System registration location and the operation location."

[0026] Border Gateway Protocol (BGP) is a standard inter-domain routing protocol used for exchanging routing information between Autonomous Systems. This protocol employs a path vector mechanism, guiding the transmission paths of data packets in the Internet by exchanging route reachability information among edge routers. Each Autonomous System (AS) in the Internet can advertise one or more IP routing prefixes via BGP. During the BGP advertisement of IP routing prefixes, the update message contains the specific prefix and the corresponding AS path (AS_PATH) attribute. An AS path refers to the sequence of Autonomous Systems that routing information traverses during inter-domain propagation, consisting of a series of ASNs arranged on demand. Whenever routing information crosses an AS, the current AS adds its own ASN to the path sequence, thus forming a complete topological trajectory from the originating route to the receiving end. The AS path is not only the core basis for BGP's loop prevention mechanism and optimal path selection, but also provides crucial routing evolution information for tracing the source of route rollback time; the last ASN in the sequence represents the original advertiser of the routing prefix.

[0027] In BGP, neighbor relationships are called communication peers or peers. The operation of the BGP protocol relies on the exchange of BGP messages between peers. The main BGP message types include Open messages (initiating a BGP session), Update messages (transmitting network routing information), Keepalive messages (maintaining the BGP session's activity), Notification messages (notifying the other party of problems or errors), and Route refresh messages (requesting the other party to resend its routing information). Update messages are used by BGP peers to exchange IP prefix reachability updates. A single Update message can advertise one feasible route or withdraw multiple infeasible routes.

[0028] The core of the BGP routing information management and processing system is the database that stores routes. This database is collectively called the Routing Information Base (RIB), which consists of three independent parts: Adj-RIB-In (routing information table / database for neighbor inbound directions), Loc-RIB (containing routes that have been selected by local BGP), and Adj-RIB-Out (routing information table / database for neighbor outbound directions).

[0029] Adj-RIB-In is responsible for storing Network Layer Reachability Information (NLRI) received from specific neighbors without any attribute modification or policy filtering. When the BGP process receives an Update message containing route advertisements or rollbacks, it will update its route entries in real time to ensure that it can reflect the topology status advertised by the neighbors.

[0030] The Loc-RIB stores the globally optimal path selected from each Adj-RIB-In according to the input routing policy and BGP routing criteria. Whenever an Adj-RIB-In changes, the Loc-RIB triggers a re-decision logic to dynamically update and replace the optimal route.

[0031] Adj-RIB-Out stores routing information intended for distribution to a specific neighbor. Typically, BGP routes are not directly advertised to peers. BGP creates RIB-exported routes by modifying the path attributes of routes in the Loc-RIB, thus achieving path export. For each neighbor, the BGP process needs to maintain an Adj-RIB-Out to record the NLRI information sent to that neighbor.

[0032] When a BGP router receives an Update message, it dynamically updates the Adj-RIB-In based on the message content. The Withdrawn Routes in the message will cause the corresponding entry to be removed, while NLRI will trigger the replacement, update, or addition of the corresponding prefix entry. Once the Adj-RIB-In is synchronized, the system triggers a core decision-making process to select the unique best route from all candidate paths provided by neighbors according to preset routing criteria. This decision-making process proceeds in the following priority order: first, the path with the highest Local Preference attribute value is selected; if priorities are the same, the path with the shortest AS path (AS_PATH) length is preferred; if path lengths are the same, the origin attribute, multi-egress discriminator, peer type, and Interior Gateway Protocol (IGP) metric value reaching the BGP next hop are compared in sequence. If a distinction still cannot be made, the path with the smallest unique identifier, such as the originating router's Router ID and the peer's IP address, is selected as the optimal path.

[0033] The optimal route determined by the decision-making process will be installed in Loc-RIB, and after applying the export policy and modifying the path attributes, it will be stored in Adj-RIB-Out and distributed to each peer. BGP's routing decision-making process ensures that data flows in the network to the optimal path. Through meticulous path selection and strict routing criteria, BGP can adapt to complex network environments and topology changes. Each BGP path selection undergoes careful filtering and calculation to ensure the reliability and efficiency of the route.

[0034] BGP route withdrawal events refer to abnormal routing events caused by factors such as network infrastructure failures, malicious attacks, configuration errors, or administrative controls, resulting in the withdrawal of BGP prefixes and subsequent unreachability of upper-layer application services. Based on the triggering mechanism and protocol state of route withdrawal, this invention classifies inter-domain route withdrawal interruptions into two types: proactive withdrawal and session interruption.

[0035] Active rollback interruptions refer to outages caused by the originating router actively sending rollback packets while the BGP session remains connected. These outages typically stem from network traffic engineering adjustments, automated maintenance operations, or changes to route aggregation policies. They can also include legitimate prefix rollbacks caused by unexpected misconfigurations. While active rollback outages do not involve broken neighbor relationships, they propagate rapidly throughout the network, leading to loss of reachability to the target area.

[0036] Session failure refers to a chain reaction of route rollbacks caused by the interruption of communication links between BGP peers or physical failures (such as fiber optic cable cut-offs, power outages, or equipment failures). In session failure mode, routers at both ends of the session immediately delete all routes known from that neighbor from their routing databases. If a router cannot find an alternative path to the same prefix through path discovery, it sends rollback messages to its remaining neighbors. This process propagates throughout the network via BGP update messages, causing previously reachable IP prefixes to become unreachable. Without alternative paths or policy filtering mechanisms, packets will be dropped during forwarding, leading to regional or even global communication outages. Especially in multi-homed networks, a route rollback in a single AS can trigger a chain reaction, causing routing oscillations.

[0037] In summary, inter-domain route rollback interruptions are not merely local fluctuations in network topology, but also significant threats to cybersecurity. Whether it's a proactive rollback or a session interruption, both can lead to large-scale network reachability losses, causing widespread network outages.

[0038] BGP messages contain rich path and routing state information, which is a crucial foundation for constructing the global internet routing topology, monitoring routing state changes, and detecting and analyzing routing anomalies. Currently, the mainstream method for collecting BGP routing messages is primarily passive collection, i.e., acquiring BGP routing data from the actual operating network by deploying routing message collectors.

[0039] Passive routing packet collection methods typically involve constructing a simulated router (e.g., based on routing protocol simulation software like Quagga) and establishing peering connections with one or more actual running BGP routers, known as Vantage Points (VPs). Each collector can simultaneously establish BGP peering sessions with multiple VPs, thereby receiving routing advertisement information from different network locations and performing unified parsing and archiving. The BGP route update process is essentially a path adjustment process triggered by the protocol's operation, through which the collector can obtain path information to globally reachable prefixes via each VP.

[0040] During the data collection process, the collector maintains the session state and routing data structure for each VPN, and dumps the collected information in the form of periodic snapshots (Bviews) and incremental updates (Updates). Route snapshot dumps record the complete BGP routing table state at each point in time, typically stored at a granularity of 2 to 8 hours, used to analyze the phased changes in the overall network routing state. Route update dumps record BGP update interactions between the VPN and the collector at a higher frequency (e.g., every 5 minutes), including prefix announcements and withdrawal information, thus providing a continuous observation view of dynamic routing changes.

[0041] Each record in a route snapshot dump typically contains the following fields: protocol type, timestamp, entry type, peer IP address, peer AS number (i.e., the VP's AS number), destination route prefix, AS path, message origin type, and next-hop information. The AS path represents the sequence of AS numbers traversed from the VP to the destination prefix. The message origin field is generally IGP or EGP, indicating whether the advertisement originated from within or outside the AS, respectively.

[0042] The update dump file consists of message records, which are of two types: route rollback messages, with a record format of <protocol type, timestamp, entry type, peer IP address, VP AS number, route prefix>, and route advertisement messages, with a record format of <protocol type, timestamp, entry type, peer IP address, VP AS number, route prefix, AS path, message origin, and next hop>. The VP AS number is the AS number of the VP observation point, the prefix is ​​the target route prefix, and the AS path is a list of ASs traversed from the VP observation point AS to the target prefix. These messages collectively constitute the dynamic behavioral data of the BGP routing system during operation, supporting near real-time network status monitoring, anomaly detection, and topology change analysis, among other application scenarios.

[0043] With the continuous expansion of the Internet, the detection and prevention of BGP route rollback interruptions has become a crucial issue in network security. Current methods for route rollback interruption detection mainly fall into two categories: rule-based detection methods and machine learning-based detection methods. Rule-based methods identify anomalies by monitoring fluctuations in the visibility of route prefixes. While possessing high computational efficiency, they often rely on manually set fixed thresholds, making them difficult to adapt to dynamically changing network environments, resulting in a high risk of false positives and false negatives. In contrast, machine learning-based methods utilize nonlinear models to mine deep patterns in BGP data, exhibiting stronger adaptability and accuracy in complex network environments. However, these methods heavily rely on large-scale labeled data, and their model generalization ability in cross-domain network scenarios still faces significant bottlenecks.

[0044] In the field of root cause analysis (RDA) system localization, research focuses on accurately tracing the source of a fault from massive amounts of update messages. Current approaches are divided into heuristic algorithms and topology-based methods. Heuristic tracing methods emphasize logical deduction of BGP path attributes, locating the fault source by tracking path changes. However, they are prone to getting trapped in local optima when dealing with large-scale network oscillations. Topology-based methods introduce graph theory or machine learning techniques, inferring the root cause by analyzing the connectivity and dependencies of the global or local topology. While these methods can utilize the coverage of path changes for identification, they generally suffer from topology centrality bias, easily misidentifying highly connected core nodes as the root cause, thus affecting the robustness of the localization.

[0045] In summary, existing detection methods and localization technologies still have limitations. On the one hand, the massive BGP oscillation noise generated by the Global Autonomous System (GAS) significantly interferes with the purity of feature extraction, leading to biased detection results. On the other hand, due to the inherent pathfinding phenomenon of the BGP protocol, the route convergence process is complex and lengthy. This not only causes severe detection delays, making real-time monitoring difficult, but also obscures the true path of fault propagation, resulting in decreased localization accuracy. Therefore, effectively avoiding the impact of pathfinding on convergence analysis while filtering noise interference is a key breakthrough for improving accuracy and real-time performance.

[0046] The following describes specific embodiments in conjunction with... Figures 1 to 7 The technical solution of this application will be described in detail below.

[0047] Some embodiments of this application provide a method for detecting area routing rollback interruption events, such as... Figure 1 As shown, it includes the following steps:

[0048] S1. Calculate the number of route prefixes advertised by each route observation node, and filter the route observation nodes according to the number of route prefixes to obtain the observation node set; determine the set of monitored autonomous system nodes in the area where the registration location and the operation location are consistent based on the geographical location information of the route prefixes of the autonomous system.

[0049] The selection of route observation nodes and the set of monitored Autonomous Systems (AS) within the region is optimized. The number of route prefixes advertised by each route observation node is calculated from the route packet collector, and the set of observation nodes is optimized based on this number. To address the issue of inconsistencies between the registered location and the operational location of an AS within the region, ASs with inconsistent registered and operational locations are eliminated based on the geographical location information of their route prefixes, resulting in the final set of monitored Autonomous System nodes within the region. This can reduce latency in subsequent detection. For example... Figure 5 As shown, this represents feature aggregation at the collector level, such as... Figure 6 As shown, this embodiment shows the feature aggregation at the AS level, where the yellow area is the interrupted area. It can be seen that the aggregation at the collector level is about 20 minutes slower than the aggregation at the AS level.

[0050] S2. Based on the set of observation nodes and the set of monitored autonomous system nodes in the region, construct the time-series feature vector of the monitored autonomous system according to the behavior characteristics of route rollback interruption, and aggregate the time-series feature vectors of all monitored autonomous systems in the region to obtain regional-level time-series features.

[0051] Based on the set of observation nodes and the set of monitored autonomous system nodes within the region selected in step S1, and according to the behavioral characteristics of route rollback interruption (data fields of two types of messages), a time-series feature vector of the monitored autonomous system is constructed. Then, the time-series feature vectors within the region are aggregated to construct regional-level time-series features, thus avoiding getting trapped in local optima.

[0052] S3. Input the regional time-series features into a pre-trained Long Short-Term Memory (LSTM) network model to perform anomaly detection, determine the regional routing rollback interruption event, and record the start time of the event.

[0053] Based on regional time-series characteristics, anomaly detection using a traditional long short-term memory network model can identify route rollback interruption events and determine the starting time of their occurrence.

[0054] This method reduces data noise in the monitoring range by optimizing the selection of route observation nodes and eliminating ambiguous ASs within the region. Then, it constructs regional-level temporal features of regional routing packets for detection, which can determine whether a regional route rollback interruption event has occurred. It can accurately and quickly detect and locate regional route interruption events, which has an important impact on ensuring network space security and improving the efficiency of network fault emergency response.

[0055] In some embodiments, such as Figure 2 As shown, step S1 includes: S101. Initialize the global route prefix declaration set, route observation node route prefix data dictionary, route prefix path dictionary, autonomous system declared route prefix dictionary, route prefix autonomous system affiliation dictionary, and autonomous system area affiliation dictionary.

[0056] The route observation node route prefix data dictionary is a one-dimensional data dictionary, where the key is the route observation node and the key value is the set of unique route prefixes observed by the route observation node; the route prefix path dictionary is a two-dimensional data dictionary, where the first dimension key is the route prefix, the second dimension key is the route observation node, and the key value is the route path to that prefix; the autonomous system declared route prefix dictionary is a one-dimensional data dictionary, where the key is the autonomous system number and the key value is the list of route prefixes declared by that autonomous system; the route prefix autonomous system affiliation dictionary is a one-dimensional data dictionary, where the key is the route prefix and the key value is the autonomous system number that declared that route prefix; and the autonomous system area affiliation dictionary is a one-dimensional dictionary, where the key is the autonomous system number and the key value is the registered area to which the autonomous system belongs.

[0057] S102, Load the route snapshot dump file from the route packet collector.

[0058] Load the route packet collector in Route snapshot dump file at any time This file consists of message records, denoted as Each message record The data fields include <protocol type, timestamp, entry type, peer IP (Internet Protocol) address, VP AS number, routing prefix, AS path, message origin, and next hop>. The VP AS number is the AS number of the routing observation point, the prefix is ​​the routing prefix, and the AS path is a list of ASs traversed from the VP observation point AS to the target prefix. From left to right, the first AS number in the AS path is the routing observation point AS number, and the last AS number is the routing prefix advertising AS number.

[0059] S103. Read the packet records in the route snapshot dump file, extract the route prefix and insert it into the global route prefix declaration set, extract the route prefix observed by each observation node and insert it into the route observation node route prefix data dictionary, extract the route prefix, observation point autonomous system number and autonomous system path, and insert them into the route prefix path dictionary; extract the route prefix and route prefix declaration autonomous system number, and insert them into the autonomous system declaration route prefix dictionary; extract the route prefix and route prefix declaration autonomous system number, and insert them into the route prefix autonomous system affiliation dictionary.

[0060] Read each packet record in the route snapshot dump file one by one. The process involves extracting route prefixes and inserting them into the global route prefix declaration set; extracting the route prefixes observed by each VP and inserting them into the route prefix data dictionary of the route observation node; extracting the route prefix, VP AS number, and AS path and inserting them into the route prefix path dictionary; extracting the route prefix and route prefix declared AS number and inserting them into the autonomous system declared route prefix dictionary; and extracting the route prefix and route prefix declared AS number and inserting them into the route prefix autonomous system affiliation dictionary. After traversal, the global route prefix declaration set contains globally declared route prefixes, the route prefix data dictionary of the route observation node contains the set of route prefixes that each observation point can observe, the route prefix path dictionary contains the AS path from each VP to the global route prefix, the autonomous system declared route prefix dictionary contains the set of route prefixes declared by each AS, and the route prefix autonomous system affiliation dictionary contains each route prefix and the AS that declared it.

[0061] S104. Calculate the number of global route prefixes in the global route prefix declaration set, calculate the number of route prefixes observed by each observation node based on the route observation node route prefix data dictionary, and select observation nodes whose observed number of route prefixes is greater than or equal to a preset proportion of the number of global route prefixes to form an observation node set.

[0062] Initialize the set of route observation nodes, and calculate the number of global route prefixes in the global route prefix declaration set, denoted as . Based on the routing prefix data dictionary of the routing observation nodes, calculate the routing prefix data for each observation node. The number of observable route prefixes, denoted as ; Traverse each of the route prefix data dictionaries in the route observation nodes ,if satisfy achieve If 90% (preset ratio) of the nodes are selected, they are inserted into the observation node set. After the traversal is complete, the observation node set of the full routing table is obtained.

[0063] S105. Extract the original allocation data of the Autonomous System Number from the public Internet Number Allocation Database, insert it into the Autonomous System Area Attribution Dictionary, and traverse the Autonomous System Area Attribution Dictionary to extract the Autonomous Region Number; when the Autonomous System announces the Autonomous Region Number in the routing prefix dictionary, traverse all routing prefixes announced by the Autonomous System; randomly select an Internet Protocol address for each routing prefix and determine its geographical location information to construct an operational area distribution set corresponding to each routing prefix; when the operational area distribution set points to a unique operational location and is consistent with the registration location, determine the set of monitored Autonomous System nodes in the area based on the routing prefix.

[0064] Initialize the set of monitored Autonomous System nodes within the region; extract the original allocation data of Autonomous System numbers from the public Internet Number Allocation Database and insert it into the Autonomous System Area Attribution Dictionary; traverse the Autonomous System Area Attribution Dictionary keys to extract AS numbers. Query the autonomous system's declared route prefix dictionary; if it exists... Iterate through all the route prefixes advertised by the AS, and for each route prefix... Randomly select an IP address, query the IP geographic information database, and obtain the IP address location. Construct the set of operational regions corresponding to the route prefixes. Only when the distribution set is unique and points to a target region (operation location) that matches the registration location assigned by the AS, is it inserted into the set of monitored autonomous system nodes within that region. After traversal, the set of monitored autonomous system nodes within the region is obtained.

[0065] In some embodiments, such as Figure 2 As shown, step S2 includes: S201. Initialize the autonomous system routing feature dictionary and the area routing feature dictionary.

[0066] Initialize the Autonomous System (AS) routing feature dictionary and the area routing feature dictionary. The AS routing feature dictionary is a three-dimensional dictionary: the first key is the AS number, the second key is the timestamp, and the third key is the AS routing feature. The third key value is the AS routing feature value, which includes the number of all prefix advertisement messages, the number of rollback messages, the number of implicit rollback messages, the number of messages that lengthen the AS path, and the number of messages that shorten the AS path. The area routing feature dictionary is also a three-dimensional dictionary: the first key is the area name, the second key is the timestamp, and the third key is the area routing feature. The third key value is the area routing feature value, which includes the number of all prefix advertisement messages, the number of rollback messages, the number of implicit rollback messages, the number of messages that lengthen the AS path, and the number of messages that shorten the AS path. Set the fixed interval to T.

[0067] S202. Load the route update dump file after the route snapshot dump file. The route update dump file includes a rollback message and an announcement message. The rollback message corresponds to the set of observation nodes, and the announcement message corresponds to the set of monitored autonomous system nodes in the region.

[0068] Load route snapshot dump file Subsequent route update dump file A route update dump file consists of route update message records, denoted as The message record format includes rollback messages. , Announcement Message There are two formats. The data fields of the withdrawal message are <BGP protocol, timestamp, peer IP address, VP AS number (corresponding to the observation node), routing prefix>. The data fields of the announcement message are <BGP protocol, timestamp, A, peer IP address, VP AS number, routing prefix, AS path (corresponding to the monitored AS), message origin, and next hop, etc. fields>. Set the fixed interval as T.

[0069] S203. Read the message records in the routing update dump file to obtain the timestamp of the behavioral characteristics of the routing withdrawal interruption.

[0070] Read sequentially message records, obtain the timestamp in the message records, and the current routing feature timestamp , where is the timestamp of the initial routing feature, is the timestamp in the message record, that is, bucketed in units of time T.

[0071] S204. When the current message is a withdrawal message, extract the observed node autonomous system number and routing prefix in the message record, and update the routing prefix path dictionary and the autonomous system routing feature dictionary.

[0072] Extract the VP AS number and routing prefix in the record, search for the routing prefix path dictionary according to the routing prefix and VP AS number, delete the VP AS number key and the corresponding value, and update the routing prefix path dictionary; search for the routing prefix AS ownership dictionary according to the routing prefix, obtain the source AS of this routing prefix, and update the autonomous system routing feature dictionary. If the dictionary does not exist for this AS, insert this AS into the dictionary, the timestamp is t, the announcement message quantity count is 0, the withdrawal message quantity is 1, the implicit withdrawal message quantity is 0, the quantity of messages that make the AS path longer is 0, and the quantity of messages that make the AS path shorter is 0; if the dictionary exists for this AS, increment the withdrawal message quantity by 1.

[0073] S205. When the current message is an announcement message, extract the observed node autonomous system number, routing prefix, and autonomous system path in the message record, and update the autonomous system announcement routing prefix dictionary, the routing prefix autonomous system ownership dictionary, and the autonomous system routing feature dictionary.

[0074] Extract the VP AS number, routing prefix, and AS path in the record, search for the routing prefix path dictionary according to the routing prefix and VP AS number, and record the old value corresponding to the VP AS number key If it does not exist, leave it empty and update the value corresponding to the VP AS number key to the new AS path. ; obtain The last AS in the list updates the Autonomous System's advertised route prefix dictionary, adding the route prefix to the AS's prefix set; updates the Autonomous System home dictionary for the route prefix, indicating that this AS is the source AS of the route prefix; updates the Autonomous System route feature dictionary, inserting the AS into the dictionary if it does not exist, with timestamp t, an advertisement message count of 1, and a rollback message count of 0. If empty, the number of implicit rollback messages is 0, the number of messages that lengthen the AS path is 0, and the number of messages that shorten the AS path is 0. The number of implicit rollback messages is 1, the number of messages that lengthen the AS path is 1, and the number of messages that shorten the AS path is 0. The number of implicit rollback messages is 1, the number of messages that lengthen the AS path is 0, and the number of messages that shorten the AS path is 0. The implicit rollback message count is 1, the message count that lengthens the AS path is 0, and the message count that shortens the AS path is 1; if the AS exists in the dictionary, the announcement message count is incremented by 1. If not empty, the implicit rollback message count is incremented by 1. This increases the number of packets with longer AS paths by 1. This increases the number of messages with shorter AS paths by 1.

[0075] S206. When the timestamp changes, traverse the autonomous systems in the autonomous system routing feature dictionary, determine the time-series feature vector of each autonomous system within the timestamp interval, and synchronously accumulate all time-series feature vectors in the region to obtain the region-level time-series feature.

[0076] Construct regional-level temporal features. When the routing feature timestamp t changes, traverse the autonomous system's routing feature dictionary. ,according to Find the temporal eigenvectors of the autonomous system within time interval t. Then, based on the AS region affiliation dictionary, it was found The corresponding area For each region, if the key does not exist in the region routing feature dictionary... Then insert into the dictionary. The timestamp is t, the number of announcement messages is 0, the number of rollback messages is 0, the number of implicit rollback messages is 0, the number of messages that lengthen the AS path is 0, and the number of messages that shorten the AS path is 0. Based on this, the time-series feature vectors of all ASs in this region are... Synchronous accumulation is performed to aggregate AS behavior into regional time-series features. .

[0077] In some embodiments, such as Figure 2 As shown, step S3 includes: S301. Extract historical temporal features of the target region during the stable operation period of the network to construct a benchmark dataset, and use the benchmark dataset to train the long short-term memory network model.

[0078] like Figure 4 The diagram shows the structure of a Long Short-Term Memory (LSTM) network model, which extracts historical multidimensional regional temporal features of the target region (i.e., the region to be detected) during the network's stable operation period. Build a benchmark dataset The model was trained using this dataset to fit the normal pattern probability distribution of macroscopic routing behavior in the target area in the time domain.

[0079] S302. Input the regional temporal features into the trained long short-term memory network model to obtain the statistical deviation.

[0080] The regional multidimensional time-series features collected and aggregated in real time Define the anomaly scoring function in the input of the trained model. This represents the statistical deviation between the current feature vector and the model prediction baseline.

[0081] S303. When the statistical deviation is greater than or equal to the preset deviation, it is determined that a route rollback interruption event has occurred in the area, and the start time point is recorded.

[0082] Set the preset deviation as an adaptive threshold (Can be set according to a fixed ratio), when When this occurs, the system determines that a route rollback interruption event has occurred in the area and records the start and end times of this abnormal event. .

[0083] By employing an unsupervised learning method based on Long Short-Term Memory (LSTM) networks, regional-level route rollback anomalies can be accurately identified and detected without relying on labeled data. The construction of multi-dimensional temporal features comprehensively reflects network dynamics, and combined with regional-level features for anomaly analysis, effectively improving the accuracy of anomaly detection.

[0084] In some embodiments of this application, a method for tracing the source of a regional routing rollback interruption event is provided, such as... Figure 3 As shown, it includes: S4. Use the method for detecting regional route rollback interruption events as described in any of the above embodiments to determine the regional route rollback interruption event and record the start time of the event; calculate the proportion of abnormal routing packets of autonomous systems in the region at the start time, and filter according to the proportion to obtain the set of affected autonomous systems.

[0085] The percentage of abnormal routing packets in an AS within the calculation area at an abnormal time point (starting time point) is used to identify the set of affected ASs.

[0086] S5. Extract path change information from the set of autonomous systems, and determine the source of the fault based on the path change information.

[0087] Based on the set of affected Autonomous Systems (AS), this method collects path change information from the route observation node to the affected AS before and after the route rollback interruption, thereby identifying the fault source of the route rollback interruption event. This method comprehensively analyzes the changes in route propagation paths before and after the occurrence of the route rollback event, achieving precise localization of the autonomous system at the source of the interruption event. Furthermore, by processing route update data in real time, it provides rapid response capabilities, ensuring timely location and countermeasures when network outage events occur.

[0088] In some embodiments, step S4 includes: S401. Extract the time-series feature vectors of all monitored autonomous systems in the region at the starting time point according to the autonomous system region affiliation dictionary, and calculate the ratio of the time-series feature vectors to the regional time-series features to obtain the proportion of routing abnormal packets.

[0089] Calculation of the contribution of routing anomalies at the autonomous system level. (Targeting...) Based on the autonomous system region affiliation dictionary, extract the multidimensional original temporal feature vectors of all monitored ASs within the region during the specified time period. The contribution ratio of the fluctuation of micro-characteristics of each autonomous system to the total deviation of macro-regional characteristics (i.e., the time-series feature vector) is calculated. (The proportion of regional time-series characteristics) quantifies the proportion of routing anomaly packets in each autonomous system at abnormal times.

[0090] S402. The autonomous systems with a routing error message ratio greater than a preset ratio are aggregated to form an autonomous system set.

[0091] The selection and output of the affected autonomous systems set involves sorting the autonomous systems within the region in descending order based on the proportion of routing anomaly packets. Then, a proportional selection threshold (i.e., a preset proportion) is set, and autonomous systems with higher weight scores are extracted and included in the affected autonomous system set. .

[0092] In some embodiments, step S5 includes: S501. Traverse the autonomous systems in the set of autonomous systems and extract the path change information of the prefix when an anomaly occurs.

[0093] Initialize context and extract path changes. Traverse. Each of them And extract the path change information of its prefix within the abnormal time window. For Each affected prefix declared Identify its steady-state path before the anomaly. Towards the transition state or new stable path after the anomaly The evolutionary process. Extracting this path pairs , which serve as input samples for subsequent topology localization.

[0094] S502. Based on the path change information, the autonomous system path is decomposed into internal edge topology components and inter-edge topology components, and a candidate root source set is generated, wherein the candidate root source set is the union of the old path and the new path.

[0095] A candidate root source set with a single prefix is ​​generated based on heuristic rules. The AS path is decomposed into two basic topological components: AS internal edges. and AS For each prefix where a route change occurs Its candidate root set Defined as the union of all node components and link components in the old path and the new path: ,in .

[0096] S503. Calculate the occurrence frequency of each topology component in all candidate root source sets, and extract the topology components with occurrence frequencies greater than a preset frequency to form a suspect list.

[0097] Cross-prefix association and suspect list generation. For all affected prefix sets under the affected AS, perform association analysis based on the common cause assumption to calculate all candidate root source sets related to each topological component (including inter-edges and internal edges) in the corresponding AS. Frequency of occurrence : ,in This is an indicator function. Based on frequency values. All components are sorted in descending order, and components that appear at high frequencies (greater than a preset frequency) are extracted to form an independent suspect list for the affected AS, thereby identifying the most explanatory source of instability from this observation perspective.

[0098] S504. Perform an intersection operation on the suspected lists of multiple autonomous systems in the set of autonomous systems to determine the common topology component, and determine the topology component as the source of the fault.

[0099] Global root cause inference and localization. Integrating independent suspect lists derived from analyses of multiple affected ASs. It then utilizes global spatial consistency constraints to perform set intersection operations across autonomous systems. It identifies topological components that are commonly pointed to in all affected AS suspect sequences and computes the global intersection. Ultimately, the topology components remaining in the intersection are identified as the final source of failure in this large-scale outage, thus locating and identifying the source of instability.

[0100] This method analyzes changes in AS paths based on NOOR (heuristic rules), which can accurately locate the root AS, narrow down the scope of suspects, and reduce false positives.

[0101] It is understood that before using the technical solutions of the various embodiments in this disclosure, users will be informed of the type, scope of use, and usage scenarios of the personal information involved in an appropriate manner, and user authorization will be obtained.

[0102] For example, upon receiving a user's active request, a prompt message is sent to the user to explicitly inform them that the requested operation will require the acquisition and use of the user's personal information. This allows the user to independently choose, based on the prompt message, whether to provide personal information to the software or hardware such as electronic devices, applications, servers, or storage media performing the operations of this disclosed technical solution.

[0103] As an optional but not limited implementation, in response to a user's active request, sending a prompt message to the user can be done via a pop-up window, where the prompt message can be presented in text format. Furthermore, the pop-up window can also include a selection control allowing the user to choose "agree" or "disagree" to provide personal information to the electronic device.

[0104] It is understood that the above notification and user authorization process are merely illustrative and do not constitute a limitation on the implementation of this disclosure. Other methods that comply with relevant laws and regulations may also be applied to the implementation of this disclosure.

[0105] Based on the same inventive concept, corresponding to any of the above embodiments, this application also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the method for detecting regional routing rollback interruption events or the method for tracing the source of regional routing rollback interruption events as described in any of the above embodiments.

[0106] Figure 7This embodiment illustrates a more specific hardware structure of an electronic device, which may include a processor 1010, a memory 1020, an input / output interface 1030, a communication interface 1040, and a bus 1050. The processor 1010, memory 1020, input / output interface 1030, and communication interface 1040 are interconnected internally via the bus 1050.

[0107] The processor 1010 can be implemented using a general-purpose CPU (Central Processing Unit), microprocessor, application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute relevant programs to implement the technical solutions provided in the embodiments of this specification.

[0108] The memory 1020 can be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), static storage device, dynamic storage device, etc. The memory 1020 can store the operating system and other applications. When the technical solutions provided in the embodiments of this specification are implemented by software or firmware, the relevant program code is stored in the memory 1020 and is called and executed by the processor 1010.

[0109] The input / output interface 1030 is used to connect input / output modules to realize information input and output. The input / output modules can be configured as components within the device (not shown in the figure) or externally connected to the device to provide corresponding functions. The input devices can include keyboards, mice, touchscreens, microphones, various sensors, etc., and the output devices can include displays, speakers, vibrators, indicator lights, etc.

[0110] The communication interface 1040 is used to connect a communication module (not shown in the figure) to enable communication between this device and other devices. The communication module can communicate via wired means (e.g., USB, Ethernet cable, etc.) or wireless means (e.g., mobile network, WIFI, Bluetooth, etc.).

[0111] Bus 1050 includes a pathway for transmitting information between various components of the device, such as processor 1010, memory 1020, input / output interface 1030, and communication interface 1040.

[0112] It should be noted that although the above-described device only shows the processor 1010, memory 1020, input / output interface 1030, communication interface 1040, and bus 1050, in specific implementations, the device may also include other components necessary for normal operation. Furthermore, those skilled in the art will understand that the above-described device may only include the components necessary for implementing the embodiments of this specification, and not necessarily all the components shown in the figures.

[0113] The electronic devices described above are used to implement the detection method or the source tracing method for the corresponding area route rollback interruption event in any of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which will not be repeated here.

[0114] Based on the same inventive concept, corresponding to the methods of any of the above embodiments, this application also provides a non-transitory computer-readable storage medium storing computer instructions, which are used to cause the computer to execute the method for detecting regional route rollback interruption events or the method for tracing regional route rollback interruption events as described in any of the above embodiments.

[0115] The non-transitory computer-readable medium of this embodiment includes both permanent and non-permanent, removable and non-removable media, and information storage can be implemented by any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transfer medium that can be used to store information accessible by a computing device.

[0116] The computer instructions stored in the storage medium of the above embodiments are used to cause the computer to execute the method for detecting regional route rollback interruption events or the method for tracing regional route rollback interruption events as described in any of the above embodiments, and have the beneficial effects of the corresponding method embodiments, which will not be repeated here.

[0117] Based on the same concept, corresponding to the methods of any of the above embodiments, this application also provides a computer program product, including computer program instructions. When the computer program instructions are run on a computer, the computer causes the computer to execute the method for detecting regional route rollback interruption events or the method for tracing regional route rollback interruption events as described in any of the above embodiments, which has the beneficial effects of the corresponding method embodiments, and will not be repeated here.

[0118] Those skilled in the art should understand that the discussion of any of the above embodiments is merely exemplary and is not intended to imply that the scope of this application (including the claims) is limited to these examples; within the framework of this application, the technical features of the above embodiments or different embodiments can also be combined, the steps can be implemented in any order, and there are many other variations of different aspects of the embodiments of this application as described above, which are not provided in the details for the sake of brevity.

[0119] Furthermore, to simplify the description and discussion, and to avoid obscuring the embodiments of this application, the apparatus may be shown in block diagram form. This is to prevent the embodiments of this application from being difficult to understand, and it also takes into account the fact that the details of the implementation of these block diagram apparatuses are highly dependent on the platform on which the embodiments of this application will be implemented (i.e., these details should be fully within the understanding of those skilled in the art). In setting forth specific details to describe exemplary embodiments of this application, it will be apparent to those skilled in the art that the embodiments of this application may be implemented without these specific details or with variations thereof. Therefore, these descriptions should be considered illustrative rather than restrictive.

[0120] Although this application has been described in conjunction with specific embodiments thereof, many substitutions, modifications and variations of these embodiments will be apparent to those skilled in the art from the foregoing description.

[0121] The embodiments of this application are intended to cover all such substitutions, modifications, and variations that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the embodiments of this application should be included within the protection scope of this application.

Claims

1. A method for detecting regional routing rollback interruption events, characterized in that, include: Calculate the number of route prefixes advertised by each route observation node, and filter the route observation nodes according to the number of route prefixes to obtain the observation node set; Based on the geographical location information of the routing prefix of the autonomous system, determine the set of monitored autonomous system nodes within the area where the registration location and the operation location are consistent; Based on the set of observation nodes and the set of monitored autonomous system nodes within the region, a time-series feature vector of the monitored autonomous system is constructed according to the behavioral characteristics of route rollback interruption. The time-series feature vectors of all monitored autonomous systems within the region are aggregated to obtain regional-level time-series features. The regional time-series features are input into a pre-trained long short-term memory network model for anomaly detection to identify regional routing rollback interruption events and record the start time of the event.

2. The method for detecting regional routing rollback interruption events according to claim 1, characterized in that, The calculation of the number of route prefixes advertised by each route observation node, followed by filtering the route observation nodes based on the number of route prefixes to obtain an observation node set; and the determination of the set of monitored autonomous system nodes within the region where the registration location and operation location are consistent, based on the geographical location information of the autonomous system's route prefixes, including: Initialize the global route prefix declaration set, the route observation node route prefix data dictionary, the route prefix path dictionary, the autonomous system declared route prefix dictionary, the route prefix autonomous system affiliation dictionary, and the autonomous system area affiliation dictionary; Load the route snapshot dump file from the route packet collector; Read the packet records from the route snapshot dump file, extract the route prefix and insert it into the global route prefix declaration set, extract the route prefix observed by each observation node and insert it into the route observation node route prefix data dictionary, extract the route prefix, observation point autonomous system number and autonomous system path, and insert them into the route prefix path dictionary; extract the route prefix and route prefix declaration autonomous system number, and insert them into the autonomous system declaration route prefix dictionary; extract the route prefix and route prefix declaration autonomous system number, and insert them into the route prefix autonomous system affiliation dictionary; Calculate the number of global route prefixes in the global route prefix declaration set, calculate the number of route prefixes observed by each observation node based on the route prefix data dictionary of the route observation node, and filter the observation nodes whose observed number of route prefixes is greater than or equal to a preset proportion of the number of global route prefixes to form an observation node set. The original allocation data of the Autonomous System (AS) number is extracted from the public Internet Number Allocation Database and inserted into the AS region affiliation dictionary. The AS region affiliation dictionary is traversed to extract the AS region number. When the AS region number exists in the AS announcement routing prefix dictionary, all AS announcement routing prefixes are traversed. For each routing prefix, an Internet Protocol address is randomly selected, and its geographical location information is determined to construct an operational area distribution set corresponding to each routing prefix. When the operational area distribution set points to a unique operational location and is consistent with the registration location, the set of monitored AS nodes in the region is determined based on the routing prefix.

3. The method for detecting regional routing rollback interruption events according to claim 2, characterized in that, Based on the set of observation nodes and the set of monitored autonomous system nodes within the region, a time-series feature vector of the monitored autonomous system is constructed according to the behavioral characteristics of route rollback interruption. The time-series feature vectors of all monitored autonomous systems within the region are aggregated to obtain regional-level time-series features, including: Initialize the autonomous system routing feature dictionary and the area routing feature dictionary; The route update dump file is loaded after the route snapshot dump file. The route update dump file includes a rollback message and an announcement message. The rollback message corresponds to the set of observation nodes, and the announcement message corresponds to the set of monitored autonomous system nodes in the region. Read the message records in the route update dump file to obtain the timestamp of the behavior characteristics of the route rollback interruption; When the message is a rollback message, extract the observation node autonomous system number and routing prefix from the message record, and update the routing prefix path dictionary and the autonomous system routing feature dictionary; When the message is an announcement message, extract the observation node autonomous system number, routing prefix and autonomous system path from the message record, and update the autonomous system announcement routing prefix dictionary, the routing prefix autonomous system attribution dictionary and the autonomous system routing feature dictionary; When the timestamp changes, the autonomous systems in the autonomous system routing feature dictionary are traversed, the temporal feature vector of each autonomous system within the timestamp interval is determined, and all temporal feature vectors in the region are synchronously accumulated to obtain the regional-level temporal feature.

4. The method for detecting regional routing rollback interruption events according to claim 3, characterized in that, The step of inputting the regional-level temporal features into a pre-trained long short-term memory network model for anomaly detection to determine regional route rollback interruption events and recording the start time of the event includes: Historical temporal features of the target region during the stable operation period of the network are extracted to construct a benchmark dataset, and the long short-term memory network model is trained using the benchmark dataset; The regional temporal features are input into the trained long short-term memory network model to obtain the statistical deviation. When the statistical deviation is greater than or equal to the preset deviation, it is determined that a route rollback interruption event has occurred in the area, and the start time point is recorded.

5. A method for tracing the source of a regional routing rollback interruption event, characterized in that, include: The area route rollback interruption event is determined using the detection method for area route rollback interruption events as described in any one of claims 1-4, and the start time of the event is recorded. The percentage of abnormal routing packets of autonomous systems within the region at the starting time point is calculated, and the set of affected autonomous systems is obtained by filtering based on the percentage. Path change information is extracted from the set of autonomous systems, and the source of the fault is determined based on the path change information.

6. The method for tracing the source of regional routing rollback interruption events according to claim 5, characterized in that, The percentage of abnormal routing packets of autonomous systems within the computing area at the starting time point is used to filter and obtain the set of affected autonomous systems, including: Based on the autonomous system region affiliation dictionary, extract the time-series feature vectors of all monitored autonomous systems in the region at the starting time point, and calculate the ratio of the time-series feature vectors to the regional time-series features to obtain the proportion of routing anomaly packets; Autonomous systems whose proportion of routing error messages is greater than a preset proportion are aggregated to form an autonomous system set.

7. The method for tracing the source of regional routing rollback interruption events according to claim 6, characterized in that, The step of extracting path change information based on the set of autonomous systems and determining the fault source based on the path change information includes: Traverse the autonomous systems in the set of autonomous systems and extract the path change information of the prefix when an anomaly occurs; Based on the path change information, the autonomous system path is decomposed into internal edge topology components and inter-edge topology components, and a candidate root source set is generated, which is the union of the old path and the new path. Calculate the occurrence frequency of each topology component in all candidate root source sets, and extract the topology components with occurrence frequencies greater than a preset frequency to form a suspect list; The intersection operation is performed on the suspected lists of multiple autonomous systems in the set of autonomous systems to determine the common topology component, and the topology component is determined to be the source of the fault.

8. An electronic device, characterized in that, It includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the method for detecting area route rollback interruption events as described in any one of claims 1-4 or the method for tracing the source of area route rollback interruption events as described in any one of claims 5-7.

9. A non-transitory computer-readable storage medium, characterized in that, The non-transitory computer-readable storage medium stores computer instructions for causing the computer to execute the method for detecting regional route rollback interruption events as described in any one of claims 1-4 or the method for tracing regional route rollback interruption events as described in any one of claims 5-7.

10. A computer program product comprising computer program instructions, characterized in that, When the computer program instructions are executed on the computer, the computer performs the method for detecting area route rollback interruption events as described in any one of claims 1-4 or the method for tracing the source of area route rollback interruption events as described in any one of claims 5-7.