Skip to main content
Goline Logo
Goline It Services Logo

Home

About Us

Services

Solutions

Systems Architecture

Support

FAQ

News

  • GOLINE SA Announces Strategic Partnership with NetApp November 7th, 2025
    GOLINE SA is excited to announce a new partnership with NetApp, a global leader in cloud data services and storage solutions. This collaboration aims to help organizations modernize their IT infrastructure, streamline data management, and enhance performance across cloud and hybrid environments. Modern Data Solutions for Businesses Through this partnership, GOLINE integrates advanced data management solutions, enabling businesses to securely store, manage, and access critical information across cloud, on-premises, or hybrid setups. Clients can benefit from: Flexible and scalable storage solutions to meet growing data needs Simplified management of cloud and on-premises environments Enterprise-grade security for sensitive and mission-critical data...
  • GOLINE SA Announces Partnership with Omnissa November 7th, 2025
    GOLINE SA is proud to announce a new strategic partnership with Omnissa, a global leader in digital workspace platforms and Horizon Cloud Service solutions. This collaboration marks a significant step forward in helping organizations embrace secure, flexible, and high-performance work environments. Why Choose Omnissa for Your Business? The platform enables virtual desktops, applications, and unified endpoint management. Organizations can deploy scalable workspaces across cloud, hybrid, or on-premises setups. Key benefits include: Easy access to desktops and apps on any device Centralized management for Windows, macOS, iOS, Android, and ChromeOS Strong security with access controls and multi-factor authentication Automated scaling to...
  • GOLINE SA partners with Cloudflare November 6th, 2025
    Goline is proud to announce a strategic partnership with Cloudflare, the world leader in web performance and security solutions. This collaboration aims to provide goline.ch customers with state-of-the-art protection against cyber threats while delivering lightning-fast website performance. Through this partnership, Goline integrates Cloudflare’s advanced services, including DDoS protection, CDN caching, DNS security, and edge computing, allowing businesses to secure and optimize their websites effortlessly. Users will benefit from improved page load speed, enhanced reliability, and robust defense against malicious attacks. This partnership with Cloudflare enables goline to offer unmatched security and performance solutions to clients. By leveraging Cloudflare’s cutting-edge technology,...

RoutePulse — CAD Compositional Anomaly Detector (90% noise reduction)

  1. RoutePulse — BGP Analytics & Security Intelligence

Back to RoutePulse Overview

RoutePulse — Compositional Anomaly Detector with 90% noise reduction

Compositional Anomaly Detector (CAD) — Multi-Modal Host Anomaly Detection

Aggregate z-score on per-host traffic is structurally broken for multi-modal hosts. A FortiGate with 11 interfaces (outside / inside / DMZ × 4 / IPSec / HA-Sync / mgmt) has 11 different normal behaviors — collapsing them into one mean produces close to 100% false positives when any single mode shifts. CAD decomposes the aggregate by peer class, builds per-(host, peer-class, hour-bucket) baselines, and detects via KL-divergence plus per-suspect-class spikes. Result: 90% noise reduction on multi-modal hosts since v4.32.55.

The detector lives alongside the legacy cyber_host_baseline_shift on the /anomalies page and now drives all paging decisions for multi-interface devices: firewalls, hypervisor clusters, jump boxes, replication endpoints. Without CAD, every operator-relevant host quietly produced a noisy critical incident every hour. With CAD, only the genuinely-anomalous compositional shifts trigger.

90%
Noise Reduction
10
Peer Classes
16
Service-Role Profiles
39
Catalog Roles

10-class peer classifier · per-interface decomposition

Every host’s traffic is decomposed into N (host, peer-class) streams via the classifier in peer-classifier.ts: transit_isp, ixp_peer, ixp_route_server, internal_lan, dmz, ipsec_tunnel, ha_sync, mgmt, monitoring, unknown. Each (host, peer-class, hour-bucket) carries its own EWMA baseline in host_class_baseline — so the same FortiGate has 11 separate, independent baselines, one per interface, not one collapsed mean across all 11.

16 service-role profiles for security-zone-aware detection

PROFILE_OUTSIDE_WAN, PROFILE_INSIDE_LAN, PROFILE_HA_HEARTBEAT, PROFILE_DMZ_WEB, PROFILE_DMZ_DB and 11 more. Each profile encodes which peer classes are expected and which are suspect for that interface’s security zone. Outside spike on internal_lan = exfiltration; inside spike on transit_isp = compromised host; HA-sync spike on anything = fabric abuse. Same FortiGate, three completely different anomaly classifications.

Triple-gate severity (v4.32.56)

CRITICAL severity now requires all three gates: (1) semantic gate — dominant-shifted peer-class must be in suspect-list for this role’s profile; (2) volume floor — critical requires ≥1 MB observed bytes; (3) direction guardobs/baseline < 0.2 is collapse not attack, downgrade. Together these gates eliminated 90% of pre-v4.32.56 critical incidents on multi-modal hosts.

SNMP ifAlias role inference

For each unknown interface, RoutePulse queries SNMP IF-MIB::ifAlias and runs 16 regex patterns against the operator-maintained alias strings (“Cogent Zurich”, “outside-Telecom”, “vMotion”, “HA-Sync”) to suggest a role with top-5 confidence-ranked candidates. Operator confirms or overrides in the Pending Review tab; coverage is 95%+ for SNMP-managed devices, 0% for pure clients (where manual catalog or PTR pattern takes over).

Key Capabilities

  • 10-class peer classifier (peer-classifier.ts): transit_isp, ixp_peer, ixp_route_server, internal_lan, dmz, ipsec_tunnel, ha_sync, mgmt, monitoring, unknown
  • 16 PROFILE_* semantic constants encoding expected vs suspect peer-class composition for each service-role / security zone
  • Per-(host, peer-class, hour-bucket) EWMA baselines in host_class_baseline Postgres table — no aggregation across interfaces
  • KL-divergence detection + per-suspect-class spike for mathematical rigour beyond simple z-score
  • Triple-gate critical-severity decision: semantic + volume-floor + direction-guard (90% noise reduction vs pre-v4.32.56)
  • SNMP ifAlias role inference: 16 regex patterns, top-5 confidence-ranked suggestions, one-click apply in Pending Review tab
  • 39 catalog roles with operator-curated trust hierarchy: manual catalog > SNMP ifAlias > PTR pattern > Shodan/nmap > traffic composition heuristic
  • Role-tag sync: hosts.ml_role (legacy pipe-string) + hosts.role_tags (text[] + GIN index) kept in sync for filter compatibility
  • Catalog-driven ML primitives via Role Catalog (v4.28+) — replaces the hand-coded role decisions of v4.20
  • Live on production /anomalies page since v4.32.55 (2026-05-22)
Related standards & references: KL-divergence on multi-modal distributions · RFC 2863 — IF-MIB · EWMA Baselines

Engineered and operated by the GOLINE SOC & Network Engineering team.

Explore all RoutePulse features →