Hakimi, Rifqy and Reed, Martin J (2026) Detection of BGP Routing Leaks Using Historical Baseline Profiling. In: 2025 Computing, Communications and IoT Applications (ComComAp), 2025-12-14 - 2025-12-17, Madrid, Spain.
Abstract
Border Gateway Protocol (BGP) prefix hijacking and route leaks (RFC 7908 Type 5 incidents) pose critical threats to inter-domain routing stability. Despite expanding RPKI deployment reaching 56% IPv4 coverage by July 2025 and minimal BGPsec/Autonomous System Provider Authorization (ASPA) adoption, such large-scale events continue to bypass existing cryptographic protections.

We present a dual-signal detection framework addressing complementary manifestations of Type 5 incidents. Our approach builds stable baselines from Routing Information Base (RIB) snapshots to generate Baseline-Deviation (BD) signals that identify incidents through origin AS deviations on known prefixes, and New-Prefix (NP) signals that identify incidents through previously unseen address space. These signals are aggregated across multiple vantage points using MAX aggregation, scored with Z-score thresholds, and fused via logical disjunction.

Cross-incident validation on six diverse real-world Type 5 incidents achieved F1-scores ranging from 0.48 to 0.88 (mean 0.69) on entirely unseen incidents, demonstrating that effective detection requires both signal types to capture the full spectrum of manifestation patterns. The lightweight approach requires no machine learning, enabling rapid deployment in resource-constrained NOC environments and improving interpretability for incident response.
| Item Type: | Conference or Workshop Item (Paper) |
|---|---|
| Uncontrolled Keywords: | BGP anomaly detection; prefix hijacking; route leak detection; multi-vantage analysis; baseline profiling |
| Subjects: | Z Bibliography. Library Science. Information Resources > ZR Rights Retention |
| Divisions: | Faculty of Science and Health; Faculty of Science and Health > Computer Science and Electronic Engineering, School of |
| SWORD Depositor: | Unnamed user with email elements@essex.ac.uk |
| Depositing User: | Unnamed user with email elements@essex.ac.uk |
| Date Deposited: | 02 Apr 2026 16:06 |
| Last Modified: | 02 Apr 2026 16:06 |
| URI: | http://repository.essex.ac.uk/id/eprint/43069 |
Available files
Filename: Rifqy_ComComAp2025-published-author-copy.pdf
Licence: Creative Commons: Attribution 4.0