7 days ago by Mert Erdemir 8 min read

Intern Research: Understanding the Behavior and Categorization of Personal Autonomous Systems

Intern Research: Understanding the Behavior and Categorization of Personal Autonomous Systems

Hello! My name is Mert Erdemir, a PhD student at the School of Cybersecurity and Privacy, Georgia Institute of Technology, in Atlanta, GA, USA. I joined the IPinfo research team this summer as a research intern. It has been a great experience working with the team, and in this blog post, I will summarize some of our findings regarding the project I worked on over the summer. You can also find my other blog post talking about A Day in the Life of an IPinfo Research Intern here if you are curious what a snapshot of my daily work schedule looks like.

The high-level goal of my internship was to better understand the behavior and categorization of personal ASes (or, in a broader sense, ASes that belong to natural persons, not legal entities). Lately, a growing number of these ASes [BGPTools Personal ASes, RIPE NCC - Reflections on Six Months as Chief Registry Officer] do not fit neatly into traditional categories (such as hosting providers, ISPs, educational, governments, or businesses). Instead, they are observed to show mixed signals, and do not have an agreed-upon, clear, systematic definition in the Internet community.

Although there are not many, these ASes also might sometimes cause incorrect mappings in some datasets, like associating IP addresses/networks with companies [IPinfo IP to Company API], as they do not always belong to “a company." In addition, there have been many ongoing discussions about their good/bad impacts on the Internet community and Internet measurement efforts [RIPE NCC - Reflections on Six Months as Chief Registry Officer,RIPE NCC - Personal ASes Open House, RIPE 88 Meeting, DENOG13 Research Networks Talk, Putting the MAU Into meowmeow: On Personal ASNs, and Driving the ASN Truck Without a Licence]. 

Considering the lack of a definition, the classification challenges, and the ongoing community discussions, we think that it is very important to build a better understanding of how to actually identify these kinds of ASes. We also explored what characteristics define personal ASes and whether there are patterns that distinguish them from traditional organizational networks.. 

BGPTools

As of this writing, to the best of our knowledge, the only public resource/dataset that provides a Personal AS label/tag is BGP Tools. BGP Tools defines the personal ASes as follows:

Although the labeling methodology is not publicly available and the bounds of the potential use cases are not very clearly defined, BGP Tools Personal ASNs provides a good list of ASes (currently 1,324 ASes to be exact) for initial exploration to understand what distinctive properties might stand out for Personal ASes labeled by BGP Tools. 

Several resources have reported that since 2019, the registration of natural person ASNs has been steadily increasing [RIPE NCC - Personal ASes Open House]. To understand how this increase reflected in the historical personal ASes data, and to start answering what the increasing number of personal ASes would mean, we briefly looked at some daily snapshots of BGPTools personal ASes list between late May 2025 and late August 2025 (bars: the number of personal ASes on a day; lines: the aggregated unique personal ASNs over time):

Our analysis showed that even though the number of personal ASes looks very stable per day, we observed a steady increase in the total number of unique personal ASes over time, confirming the previously reported observations. However, considering the lack of clarity/transparency in the labeling methodology, any further analysis is very challenging. In the following section, I will talk about what data points we explored, any useful information we found, and why we created a manually labeled “ground-truth” dataset from the common properties we observed.

What Do Personal ASes Look Like?

To better understand the landscape of personal ASes, we analyzed the 1,324 ASes labeled by BGP Tools as of August 2025. Here's what we found:

Geographic Distribution

Personal ASes span 79 countries but show strong regional clustering. The following table shows the 10 most common countries:

Country Code

% in BGP Tools Personal ASes

Raw Count

DE

18.90%

251

US

9.52%

126

GB

8.99%

119

CN

8.23%

109

FR

6.50%

86

NL

4.53%

60

TW

2.79%

37

CH

2.57%

34

PL

2.34%

31

TR

2.27%

30

Germany leads at 19% of all personal ASes, followed by the United States (9.5%) and the United Kingdom (9%). Overall, the distribution shows that personal ASes are spread globally but more common in Europe (or RIPE regions).

Regional Internet Registry Distribution

Nearly 92% of personal ASes originate from RIPE regions (Europe, Middle East, and parts of Central Asia):

WHOIS Dataset

% in BGP Tools Personal ASes

Raw Count

RIPE

91.69%

1,214

ARIN

3.93%

52

APNIC

3.63%

48

JPNIC

0.60%

8

RADB

0.08%

1

LACNIC

0.08%

1

This concentration in RIPE regions aligns with community discussions about policy differences across Regional Internet Registries.

A Younger Generation of Networks

Personal ASes are notably younger than the broader AS ecosystem. Using the created timestamp from WHOIS records, we found:

Metric

Personal ASes

All ASes

Minimum Age (days)

2

1

Maximum Age (days)

20,324

20,324

Average Age (days)

1,427

4,582.85

Standard Deviation

1,560.88

3,482.78

Median (25%)

503

1,990

Median (50%)

957

3,898

Median (75%)

1,935

6,582

On average, personal ASes are approximately 3.9 years old (median: 2.6 years), compared to 12.5 years for all ASes (median: 10.7 years). This confirms observations from the community that personal AS registration has accelerated in recent years, particularly since 2019, making them a relatively new phenomenon compared to other ASes.

IPv6 Enthusiasts

Perhaps the most striking characteristic is IPv6 adoption. We analyzed BGP announcements from the same ASes:


IPv4 Announcements

IPv6 Announcements

BGP Tools Personal ASes

15.75%

82.75%

All ASes (same day snapshot)

80.64%

19.36%

While only 19% of all AS announcements are IPv6, personal ASes flip this ratio dramatically: 83% of their announcements are IPv6. This is the complete opposite of the general trend!

It's worth noting that from an IPv4 perspective, 67.4% of personal ASes don't appear active in IPv4 at all (i.e., no IPv4 announcements). Within the IPv4-active personal ASes, 64.7% announce at /24 level, which makes sense with current resource allocation or address assignment strategies. This IPv6-centric approach may reflect both the technical interests of individual operators and practical considerations around IPv4 address scarcity. Another consideration is that it's challenging to conduct active measurements when networks are heavily IPv6-focused, as IPv6 measurement remains an open research problem.

Classification Challenges

Using IPinfo's standard AS classification, we found that most personal ASes don't fit neatly into traditional categories:

AS Type Label

% in BGP Tools Personal ASes

Raw Count

business

53.3%

705

hosting

33.6%

445

isp

12.5%

166

education

0.6%

8

The majority of personal ASes cannot be classified properly as they lack many distinctive network properties. As a result, tagging them with a "business" label becomes a fallback classification. This mixed categorization underscores why a distinct "personal" or "natural person" category could improve classification accuracy. Roughly half of them appear as hosting, ISP, and education categories.

What Did We Explore for Personal AS Detection?

We started our exploration by looking at many passive data resources such as WHOIS records, web pages, and BGP-related data (e.g., AS paths, connectivity/Hegemony scores, size of the announced networks, etc.). Unfortunately, almost none of these had any properties that could usefully distinguish between a “personal” AS and a “non-personal” one in an automated detection pipeline.

Exploring Name-Based Detection

One pattern that emerged from our analysis involved WHOIS records. We observed that personal ASes often show commonalities in how personal information appears in certain registration fields, particularly when individual names appear in organization and point-of-contact records. This observation led us to investigate whether organization names themselves could serve as indicators.

Rather than relying solely on field matching, we explored whether the organization name itself could indicate a personal AS. We manually labeled a sample dataset of several thousand ASes based on whether the organization name is an individual's name or not, creating a ground-truth dataset. Our labeling revealed that the vast majority of personal ASes belong to organizations with individual names, whereas this is quite rare for non-personal ASes, suggesting that name analysis could be a useful signal.

“Is It a Person’s Name?”

This gave us a cue that, rather than looking at the matches in the passive WHOIS data, we could just check whether the organization name is an individual’s name or not. We went over the aggregated personal ASes, and the non-personal ASes we sampled (~2.6K), and manually labeled them based on whether the organization name is a person’s name or not, creating a ground-truth “is it a person’s name?” dataset.

We found that 84.7% of the personal ASes belong to an organization with an individual’s name, whereas it is only 2.2% for the non-personal ASes. In this name dataset, 97.8% of the ASes that had a name match belong to personal ASes, hinting that identifying an organization name as an individual’s name might be a good indicator of personal ASes!

Classical NLP Approach

Initially, we explored Named Entity Recognition (NER) models due to their ability to categorize entities within texts and their potentially clearer explanatory paths. However, we found that NER models face several challenges for this specific task: they struggle with context when only a short name string is provided, they're sensitive to grammatical variations (capitalization, word order), they tend to favor specific languages (often English) and fail on multilingual inputs, and they're limited by their training corpus, missing names that are spelled differently or use short forms and nicknames.

In practice, while NER models performed reasonably well at detecting name strings, they missed a significant portion of names due to these limitations. For example, they might successfully identify "Mert Erdemir" but fail to recognize "Erdemir Mert", "mert erdemir," or "MERT ERDEMIR." Performance improved somewhat when we standardized capitalization, but the approach still had limitations with non-name strings and required carefully selecting language models per AS, making it less practical for large-scale detection.

LLM Approach

We then explored whether large language models could better handle this task. LLMs showed significantly better performance, with strong accuracy for both identifying actual names and correctly classifying non-name strings. The models demonstrated more flexibility with name formats and capitalization variations compared to NER approaches.

An additional advantage of the LLM approach was the ability to request explanations alongside classifications, which helped us understand edge cases and refine our approach. This also revealed that names can appear in various formats across different cultures and naming conventions. Overall, we found that LLM-based name detection offers a practical and a very accurate method for determining when organizations belong to natural persons, particularly given that the majority of personal ASes are registered in databases that track natural person networks.

Initial exploration has also looked at other (non-name) features, and in the future, we will be diving deeper into the characteristics of such networks to find a more complete systematic definition of personal ASes. Thus, we think that the LLM approach is a very simple and effective way to identify organizations that belong to natural persons (and to some extent, personal ASes), as 95% of the personal ASes are present in the RIPE NCC natural persons database [RIPE NCC - Personal ASes Open House].

Conclusion

Detecting personal ASes remains challenging due to the lack of standardized definitions and the diversity of these networks. However, our research suggests several distinguishing patterns: strong geographic clustering in RIPE regions, significantly younger network age, exceptional IPv6 adoption, and detectable signals in WHOIS registration data.

While network behavior characteristics (like BGP announcements and connectivity patterns) show little distinction from traditional ASes, the combination of registration metadata and demographic patterns may help the community better understand and categorize these networks. Our findings may inform future research directions and contribute to ongoing discussions about how Internet registries and data providers handle natural person networks.

As personal AS registration continues to grow, developing better identification methods will be important for accurate network classification, data quality, and understanding the evolving Internet ecosystem.

Interested in being a research intern in 2026? Reach out to our research team.

About the author

Mert Erdemir

Mert Erdemir

Mert is a 2025 IPinfo Research Intern. He’s also a fourth-year PhD student at the School of Cybersecurity and Privacy at the Georgia Institute of Technology, Atlanta, Georgia.