A PERTURBATION-BASED XAI APPROACH FOR CLASS-SPECIFIC FEATURE SENSITIVITY ANALYSIS IN BGP ANOMALY CLASSIFICATION

Abstract

Interdomain routing plays a central role in maintaining global Internet connectivity, yet abnormal BGP behavior remains difficult to classify reliably in operational settings. Although machine learning models often report strong overall accuracy, their performance is frequently uneven across anomaly types. Certain classes demonstrate persistently low recall or systematic confusion with neighboring categories, while aggregate metrics conceal these weaknesses. From a practical perspective, such class-dependent instability limits the usefulness of automated classifiers.

This paper proposes a sensitivity-driven refinement approach to improve degraded anomaly classes without modifying the model architecture. The method is based on controlled occlusion of individual routing features within temporal input sequences. By measuring changes in predicted and true class probabilities after feature removal, the approach identifies inputs that negatively influence recognition of a specific class. Unlike global importance rankings, the analysis is restricted to misclassified segments of the weakest-performing category, enabling targeted diagnosis of classification errors.

The approach was evaluated using an LSTM-based classifier and two different feature sets derived from historical BGP events. An event-based split ensured evaluation on previously unseen anomalies. In the first configuration, occlusion analysis revealed a feature that strongly suppressed outage recognition; its removal increased recall from near-zero values to 0.64 and raised the F1-score to 0.78, without degrading other classes. In the second configuration, refinement led to a moderate but consistent reduction of confusion between outage and indirect anomalies.

The results show that perturbation-based sensitivity analysis can serve not only as an explanatory mechanism but also as a practical tool for class-oriented improvement of multi-class BGP anomaly classification systems.