Methodology
Detecting and Attributing Submarine-Cable Latency Anomalies with Two-Signal Cross-Validation
Evgeny Korolev — GeoCables · Technical note, June 2026 · v1.1
1. Data foundation
| Asset | Scale |
|---|---|
| Submarine cables (with landing-point geometry) | 703 |
| Landing points (geo-coded) | 1,932 |
| Backbone / cable segments | 26,053 |
| Own probes (Minsk, Almaty, Tbilisi, Jerusalem) + RIPE Atlas | 12 + RIPE |
| Completed health checks (since 2026-03-01) | 168,699 |
| Cables under active measurement | 691 |
The method runs on a curated topology graph and a continuously accumulating measurement archive. Raw per-measurement RTT is preserved append-only, so any future detector can be re-run over the full history — a property that cannot be reconstructed retroactively from public cable maps alone.
2. Detection (baseline + haversine attribution)
Each check pings (and traceroutes) a target near a cable landing point. A measurement is a candidate anomaly when its RTT rises materially above that route's adaptive baseline. Candidates pass through a staged funnel before any alert is raised — the first layer of false-positive suppression:
| Stage | Meaning | Count |
|---|---|---|
spike | raw measurement above baseline | 624 |
anomaly_confirmed | spike that persists / is corroborated | 189 |
alert | promoted to a tracked incident | 114 |
Only ~18% of raw spikes (114 / 624) become alerts. Cable attribution is geometric: the latency jump is associated with the nearest cable segment by haversine distance between the suspected hop and the candidate cables' landing points.
3. Two-signal cross-validation
3.1 Signal A — AS-path reroute
When a submarine cable degrades, traffic frequently reroutes, changing the autonomous-system path. For each alert we compare the AS-path before the event (the modal path on that probe→target) with the path at the event.
| Verdict | Meaning | Count |
|---|---|---|
route_change_break | AS-path changed, with a large further latency rise on the new path | 4 |
route_change | AS-path changed | 5 |
same_path | RTT rose, path unchanged (congestion-class) | 57 |
no routing history | insufficient routing history | 48 |
Of the 66 alerts with sufficient routing history, 9 (13.6%) were independently corroborated by a measured AS-path change. A naive fingerprint over the raw IP-path is far too noisy (ECMP load-balancing and intermittent timeouts produce ~18 distinct IP-paths per probe→target pair); the signal only becomes stable on the AS-set fingerprint (~1.5 distinct per pair), which is what we use.
3.2 Signal B — segment-aware multi-probe consensus
If only the detecting probe sees a degradation, the question is whether the other probes are silent witnesses or simply not on the affected cable. A probe routing around the cable is not a witness — its silence is no alibi. We therefore count a probe as an eligible witness only when its actual AS-path geo-traverses the same cable corridor the alerting probe's path used. This geo-corridor test demoted 30% of the naive same-cable "witnesses" as off-corridor.
| Verdict | Meaning | Count |
|---|---|---|
widespread | majority of corridor witnesses also degraded — real cable event | 1 |
mixed | some corridor witnesses degraded | 4 |
routing_event_non_cable | alerting probe rerouted, corridor witnesses healthy → BGP/peering, not a cut | 7 |
probe_specific_likely_fp | corridor witnesses healthy, no reroute → local artifact | 44 |
narrow_path_event_possible | single-probe cable — cannot rule out a narrow event | 1 |
insufficient_witness_context | no concurrent corridor witness — unknown | 57 |
3.3 Confidence ladder
The two signals are largely independent: an AS-path change reflects a topology event, while multi-probe consensus reflects the geographic breadth of degradation — distinct physical processes that need not co-occur. Very few alerts satisfy both. Combining them:
| Tier | Definition | Count (of 114) |
|---|---|---|
| Dual-confirmed | AS-path change and multi-probe corroboration | 0 |
| Single-signal | corroborated by exactly one signal | 14 |
| Defensible false positive | corridor witnesses healthy and no reroute | 44 |
| Unclassified (coverage) | no witness present on the corridor — a probe-coverage limit, not method uncertainty | 56 |
The dual-confirmed count is zero, and that is the correct result: the 2026-03–06 window contained no large-scale submarine-cable break. A genuine major cut would light both signals simultaneously; the value of the method is that it discriminates — confidently labelling 44 alerts (38%) as defensible false positives and isolating 7 events as routing changes that are not cable faults — rather than producing a dramatic body count on a quiet month.
4. False-positive analysis (honest)
- The funnel already discards 82% of raw spikes before alerting (624 → 114).
- Of alerts, 44/114 (38%) are defensible false positives — both independent signals are negative. These are now suppressed from user notifications while remaining visible in the dashboard.
- A naive "single-probe ⇒ false positive" rule would have over-counted false positives by ~45%: the geo-corridor refinement reclassifies many of them as unknown rather than confirmed-FP, because absence of a witness that never used the cable is not evidence.
- 56/114 alerts remain unclassified because of the structural absence of a witness on the corridor — a probe-coverage limitation, not method uncertainty. The classifier is well-defined for these alerts; the data to evaluate them simply does not yet exist.
5. Limitations
- Probe geography. A small fixed fleet plus RIPE Atlas means many cables have no second vantage on the relevant corridor; for those the consensus signal is structurally unavailable. Expanding the probe fleet directly removes the structural cause of most unclassified cases.
- Geo-resolution. Corridor matching is at country granularity from AS-path geolocation; some networks mis-geolocate, which we treat as unknown rather than mismatch.
- Attribution is geometric. Cable assignment is by haversine proximity; the corridor cross-check confirms it where path data exists (64 of 66 with path data confirmed), but it is a heuristic, not a claim of ground truth.
- Quiet window. The reported period had no major cable break; the method is validated by its discrimination, not by detecting a disaster.
6. Reproducibility & data
Detection uses an adaptive threshold calibrated to each route's baseline distribution rather than a fixed multiplier; the consensus tiers reflect the share of eligible corridor witnesses that corroborate the degradation. The exact parameterisation is intentionally omitted here and is available in a forthcoming complete publication or on request. Raw per-measurement RTT and AS-paths are retained, so the classifier can be re-run end-to-end over the full archive under any revised method. Source signals: RIPE Atlas (ping + traceroute), own probes, and the curated cable/landing-point graph.