BGP Anomaly Detection Engine
BGP routing incidents — from prefix hijacks to route leaks — can silently redirect traffic through malicious or misconfigured paths before anyone notices. RoutePulse’s anomaly detection engine monitors over 51 distinct anomaly types across BGP routing, traffic patterns, ML-driven behavioral analysis, and network management, giving your NOC team complete visibility into threats that traditional monitoring tools miss entirely. With 99.8% false positive reduction through intelligent scope filtering, your operators focus on genuine incidents rather than drowning in noise. Smart severity classification ensures CRITICAL alerts fire only when your own AS202032 or locally originated prefixes are involved, while DFZ-generic events are downgraded to WARNING level.
The engine covers 18 BGP-specific detection types including MOAS (Multi-Origin AS) conflicts, subprefix hijacks, AS-PATH loops, route leaks, bogon announcements, private ASN leaks, ASPA-invalid paths, IXP LAN leaks, ROA changes, mass withdrawals, peer flaps, and fat-finger typo detection that catches single-digit ASN transcription errors (such as AS29596 versus AS2959). Traffic anomaly detection spans 16 types covering spikes, drops, capacity thresholds, and visibility drops. On the behavioral side, 42 configurable ML flow rules cover 8 MITRE-mapped categories: scanning, brute-force, DDoS, exfiltration, C2 communication, lateral movement, protocol abuse, and reconnaissance. Confidence scoring from 0-100 incorporates evidence factors including RPKI status, local-ASN involvement, fat-finger patterns, CAIDA relationship validation, and ASPA data. Per-type cooldowns ranging from 5 minutes for loops and MOAS to 60 minutes for looped ASN events prevent alert fatigue, while a 5-minute peer reconnection grace period suppresses restart false positives. A closed-loop ML learning cycle feeds anomalies into Claude for analysis, auto-generates tuning rules, and routes them through operator approval.
Key Capabilities
- 51+ anomaly detection types across BGP routing (18), traffic (16), ML behavioral (8 categories), and network management
- BGP-specific detections: MOAS, subprefix hijack, AS-PATH loop, route leak, bogon announcement, private ASN leak, ASPA invalid, IXP LAN leak, and more
- Fat-finger typo detection catches single-digit ASN transcription errors (e.g., AS29596 vs AS2959)
- 42 configurable ML flow rules covering scanning, brute-force, DDoS, exfiltration, C2, lateral movement, protocol abuse, and reconnaissance
- Smart severity classification: CRITICAL only when local AS202032 or own prefixes are involved, WARNING for DFZ-generic events
- Confidence scoring from 0-100 incorporating RPKI status, local-ASN involvement, fat-finger patterns, CAIDA validation, and ASPA
- 99.8% false positive reduction via intelligent scope filtering (local vs. all mode)
- Per-type cooldowns from 5 minutes (loop/MOAS) to 60 minutes (looped ASN) to prevent alert fatigue
- 5-minute peer reconnection grace period suppresses restart false positives
- MOAS whitelist for legitimate multi-origin scenarios such as Cloudflare anycast and multi-homing CDN
- Real-time processing from BMP/BGP streams with 5-minute grace after initial RIB dump
- Closed-loop ML learning: anomalies trigger Claude analysis, auto-generate tuning rules, and route through operator approval
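To make the detection logic described above concrete, here is an added Python sketch (not RoutePulse's own code) that implements four of the listed checks over a handful of constructed BGP updates: MOAS conflicts (same prefix, different origin ASNs), subprefix hijack of a locally originated prefix, AS-path loops, and fat-finger origins that differ from the documented origin by a single inserted or deleted digit (AS29596 vs AS2959). It applies the severity rule from the page (CRITICAL only when AS202032 or an own prefix is involved, WARNING otherwise) and a per-type cooldown. The own-prefix list, the expected-origin table, the timestamps and the 5-minute cooldown for the subprefix and fat-finger types are assumptions made for the example; only the loop/MOAS and looped-ASN cooldown values come from the page.

```python
"""Added example: minimal BGP anomaly checks with severity scoping and per-type cooldowns."""
from dataclasses import dataclass
import ipaddress

LOCAL_ASN = 202032  # the local AS named on the page
# Constructed: prefixes assumed to be originated by the local AS (RFC 5737 / RFC 3849 ranges)
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
# Cooldowns in seconds: 5 min for loop/MOAS and 60 min for looped ASN are from the page;
# the values for SUBPREFIX_HIJACK and FAT_FINGER are assumptions for this example.
COOLDOWN_SECONDS = {"MOAS": 300, "AS_PATH_LOOP": 300, "LOOPED_ASN": 3600,
                    "SUBPREFIX_HIJACK": 300, "FAT_FINGER": 300}


@dataclass
class Alert:
    kind: str
    prefix: str
    severity: str
    detail: str


def single_digit_typo(seen: int, expected: int) -> bool:
    """True if inserting or deleting one decimal digit turns `expected` into `seen`."""
    a, b = str(seen), str(expected)
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def path_has_loop(as_path) -> bool:
    """An ASN reappears after a different ASN intervened; plain prepending is not a loop."""
    seen = []
    for asn in as_path:
        if seen and asn == seen[-1]:
            continue  # consecutive repeat = prepending
        if asn in seen:
            return True
        seen.append(asn)
    return False


class Detector:
    def __init__(self, expected_origins):
        # expected_origins: {"prefix/len": origin_asn}, the documented origin per prefix
        self.expected = {ipaddress.ip_network(p): o for p, o in expected_origins.items()}
        self.origins = {}      # prefix -> set of origin ASNs observed so far
        self.last_alert = {}   # (kind, prefix) -> timestamp of last emitted alert
        self.suppressed = 0    # alerts dropped because of a cooldown

    def severity(self, net, as_path):
        in_own = any(net.subnet_of(o) for o in OWN_PREFIXES if net.version == o.version)
        return "CRITICAL" if (LOCAL_ASN in as_path or in_own) else "WARNING"

    def emit(self, alerts, kind, net, as_path, detail, now):
        key = (kind, str(net))
        last = self.last_alert.get(key)
        if last is not None and now - last < COOLDOWN_SECONDS[kind]:
            self.suppressed += 1
            return
        self.last_alert[key] = now
        alerts.append(Alert(kind, str(net), self.severity(net, as_path), detail))

    def process(self, prefix, as_path, now):
        """Evaluate one announcement; returns the alerts it raised (after cooldown)."""
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        alerts = []
        known = self.origins.setdefault(net, set())
        if known and origin not in known:
            self.emit(alerts, "MOAS", net, as_path, f"origins {sorted(known | {origin})}", now)
        known.add(origin)
        expected = self.expected.get(net)
        if expected is not None and origin != expected and single_digit_typo(origin, expected):
            self.emit(alerts, "FAT_FINGER", net, as_path, f"AS{origin} looks like a typo of AS{expected}", now)
        for own in OWN_PREFIXES:
            if net.version == own.version and net != own and net.subnet_of(own) and origin != LOCAL_ASN:
                self.emit(alerts, "SUBPREFIX_HIJACK", net, as_path, f"more-specific of {own} from AS{origin}", now)
        if path_has_loop(as_path):
            self.emit(alerts, "AS_PATH_LOOP", net, as_path, f"path {as_path}", now)
        return alerts


def run_demo():
    """Constructed update stream; returns (alerts, number of cooldown-suppressed alerts)."""
    det = Detector({"198.51.100.0/24": 2959})  # constructed: AS2959 is the documented origin
    updates = [
        ("192.0.2.0/24", [64496, 202032], 0),                    # own prefix from local AS: clean
        ("192.0.2.128/25", [64496, 64511], 10),                  # more-specific of own prefix, foreign origin
        ("198.51.100.0/24", [64496, 2959], 20),                  # documented origin: clean
        ("198.51.100.0/24", [64496, 29596], 30),                 # MOAS plus fat-finger origin
        ("198.51.100.0/24", [64496, 29596], 60),                 # repeat inside cooldown: suppressed
        ("203.0.113.0/24", [64496, 64497, 64496, 64498], 90),    # AS-path loop
    ]
    alerts = []
    for prefix, path, ts in updates:
        alerts.extend(det.process(prefix, path, ts))
    return alerts, det.suppressed


if __name__ == "__main__":
    found, dropped = run_demo()
    for a in found:
        print(f"{a.severity:8} {a.kind:17} {a.prefix:18} {a.detail}")
    print(f"{dropped} alert(s) suppressed by cooldown")
```

Only the more-specific announcement inside 192.0.2.0/24 reaches CRITICAL; the MOAS, fat-finger and loop events concern prefixes that are neither local nor contain AS202032 in the path and so stay at WARNING, which is the scoping rule the page credits with its false-positive reduction.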
Engineered and operated by the GOLINE SOC & Network Engineering team.