On reverse engineering the management actions from observed BGP data

While most of the research work on BGP has focused on detecting and characterizing large-scale routing anomalies from the perspective of network operations and management, it is important to monitor the management actions taken by the network operators in response to global BGP network failures. A fundamental question to answer is the following: by utilizing only public BGP observation data under today's Internet environment, can we reverse engineer the management actions taken by specific autonomous systems? In this paper, we propose a formal framework to describe and analyze MOAS events and possible management actions. We use BGP data and a two-step learning approach to evaluate each possible action then determine the most likely one. Through this process, we discovered that early actions were taken by multiple ASes before the faulty originator corrected its mistake. Furthermore, the results show that only a handful of ASes took such early corrective action, but the effect is disproportional: a significant portion, more than 90%, of affected prefixes were routed back to their correct routing path.