Host Intelligence & Unified Threat Scoring

RoutePulse automatically discovers over 870,000 hosts from flow data and enriches each with comprehensive threat intelligence through a 5-pillar unified threat scoring system. The scoring framework spans a 183-point raw maximum across five pillars: Cyber Events (48 points), Behavioral Analysis (40 points), ML Ensemble (30 points), External Intelligence (40 points from AbuseIPDB, Shodan, SIEM, and Nmap), and FeedIntel (25 points), normalized to 0–100 via Bayesian sigmoid. Fourteen behavioral scoring components — volume, connections, ports, flow patterns, directionality, beaconing, temporal patterns, port scanning, persistence, infrastructure targeting, burst intensity, reconnaissance profile, subnet correlation, and extended port scan — are computed via 9 parallel ClickHouse queries with adaptive P90/P95/P99 thresholds from live traffic.

Each host follows a lifecycle state machine progressing from safe to observation to active to malicious, with a hysteresis deadzone (promote at 35, demote at 25) that prevents status flapping. ML Host Roles auto-categorize infrastructure IPs such as firewalls, DNS servers, and monitoring systems from 7 discovery sources across 70+ role categories, applying scoring reductions of 30-70% to known-good infrastructure. Three enrichment services run continuously with real-time rate indicators: AbuseIPDB (with 429 rate limit detection and CAPPED indicator showing API reset time), Shodan (InternetDB pre-filter), and Nmap (parallel scanning, configurable 1–10 concurrent scans). Smart score gates for safe hosts prevent wasting resources on clean IPs: safeAbuseMinScore (15), safeShodanMinScore (15), safeNmapMinScore (25) — saving 99% of API calls and CPU. A 7-level priority system governs role assignment: operator, FortiGate, BGP, BMP, Well-Known, IP patterns, and database.

Key Capabilities

• 870K+ auto-discovered hosts from flow data with continuous AbuseIPDB, Shodan, and Nmap enrichment
• 5-pillar unified threat scoring (183-point raw max, Bayesian sigmoid 0–100) across Cyber Events (48), Behavioral (56), ML Ensemble (15), External Intel (40), and Threat Feeds (15)
• 14 behavioral scoring components with adaptive P90/P95/P99 thresholds computed via 9 parallel ClickHouse queries
• Real-time enrichment bars with rate/min, queue size, blinking activity indicators, and AbuseIPDB CAPPED detection (429 → red indicator with API reset countdown)
• Smart score gates for safe hosts: safeAbuseMinScore (15), safeShodanMinScore (15), safeNmapMinScore (25) — 99% API/CPU savings vs blind scanning
• Nmap parallel scanning (configurable 1–10 concurrent, default 3, periodic backfill every 30min)
• Host lifecycle state machine with hysteresis deadzone (promote at 35, demote at 25) to prevent status flapping
• ML Host Roles auto-categorization from 7 sources with 70+ role categories and 30–70% scoring reduction for infrastructure IPs
• AbuseIPDB integration with confidence scoring, auto-reporting (900/day limit), configurable daily API cap (Settings > Integrations)
• Shodan InternetDB enrichment providing open ports, CVE lists, OS detection, and cloud provider identification
• 36 settings pages fully audited (v4.7.43): 35 dead fields removed, all remaining settings verified functional
• Infrastructure auto-discovery from 7 pipelines: FortiGate SSH, SNMP, BMP, BGP-4, Flow, Role Loading, and External enrichment

Engineered and operated by the GOLINE SOC & Network Engineering team.

Explore all RoutePulse features →