TLC Base Stations and network components acquire real-time and statistical measurements for troubleshooting analysis, typically called Key Performance Indicators (KPIs).
Hundreds of thousands of Base Stations collect hourly data (e.g., number of dropped calls)
The physical network changes continuously and depends on users' habits
Available KPIs are complex to process due to multiple factors, including users' behavior, seasonality, and network structure
Malfunctions and denials of service cause direct financial losses in pay-per-use business models, requiring early detection of anomalies
EVoKE is an adaptive anomaly detection system.
Operator feedback (i.e., marking an event as a false positive) is exploited to improve result quality
Based on predefined configurations defined by domain experts, and weighted with respect to the dynamic knowledge base
Domain experts evaluate results and provide a correctness mark with respect to their experience
Feedback is traced and exploited through AI & Learning-By-Example (LBE) techniques
The logical flow is designed to be efficient and simple.
Main challenges concern big-data I/O, implementation of the map-reduce pattern, false-positive minimization, self-maintenance and rules adaptability
In the first part of the processing EVoKE evaluates the analysis requirements and it optimizes the configuration of data adapters in order to minimize read operations
Keywords: big-data, SQL, MapReduce
At the first processing stage (detection), EVoKE parses input RAW data (which might be real data with physical meaning or abstract KPIs) in order to find "data events", i.e., a generic point or range of interest: it can be a spike, a value out of a fixed range, or a complex pattern in the frequency domain. The objective is to extract higher-level information (as events) and evaluate it in the next stage
Keywords: RAW data, algorithm complexity, detection
The second stage processes data events (the output of the first stage) in order to find anomalies (the final output). The core layer of EVoKE is based on classification, aggregation, filtering, and ranking
Keywords: classification, aggregation, false-positive reduction
Anomalies are reported to network operators and domain experts, who might provide feedback (i.e., 0-100% correct). EVoKE exploits this information for further analysis and ranks the more reliable operators
Keywords: machine learning, domain expert, AI, LBE
This stage evaluates RAW data for detecting low-level events.
The major challenge is to recognize events with low-complexity algorithms and methodologies.
Implementations are optimized for speed in order to parse Gigabytes of data in seconds
First- and second-order statistics are standard metrics, and the algorithms can typically be optimized for speed. EVoKE comes with configurable detectors with static, dynamic, and adaptive thresholds
In time-series, trends are typically relevant for long-term analysis and for data normalization. Auto-Correlation and Cross-Correlation are used for validation and inference analysis
EVoKE comes with a set of discrete transforms presets, such as FFT and Wavelets. In particular, Haar wavelet is typically exploited in various ways such as noise reduction, trend evaluation, ramp and step patterns detection
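As an added illustration (not EVoKE's own code, which the page says is written in C#), the sketch below shows how a Haar detail coefficient combined with an adaptive threshold can flag a step in an hourly KPI. The function names, the `scale` and `k` parameters, and the dropped-call series are assumptions constructed for this example.

```python
from statistics import median

def haar_details(series, scale):
    """Undecimated Haar detail at one scale: for each position t, the mean of
    the next `scale` samples minus the mean of the previous `scale` samples."""
    details = {}
    for t in range(scale, len(series) - scale + 1):
        left = sum(series[t - scale:t]) / scale
        right = sum(series[t:t + scale]) / scale
        details[t] = right - left
    return details

def detect_steps(series, scale=4, k=6.0):
    """Return [(index, jump)] for step-like events in one KPI series.

    The threshold adapts to each series: the noise level is estimated from
    the detail coefficients as median(|d|) / 0.6745 (the usual robust
    estimate for wavelet coefficients), so a noisy cell needs a larger jump
    than a quiet one before an event is raised."""
    d = haar_details(series, scale)
    if not d:
        return []  # series too short for this scale
    sigma = median(abs(v) for v in d.values()) / 0.6745 or 1e-9
    events = []
    for t, v in d.items():
        if abs(v) <= k * sigma:
            continue
        # A step smears over 2*scale-1 positions; keep only the local peak.
        near = [abs(d[u]) for u in range(t - scale, t + scale + 1) if u in d]
        if abs(v) == max(near):
            events.append((t, round(v, 2)))
    return events

# Constructed sample: 48 hourly dropped-call counts for one base station,
# with the level rising by 15 calls/hour from hour 30 onwards.
BASE = [5, 6, 4, 5, 6, 5, 4, 6]
KPI = [BASE[i % 8] + (15 if i >= 30 else 0) for i in range(48)]
QUIET = [BASE[i % 8] for i in range(48)]  # same station, no malfunction

if __name__ == "__main__":
    print("step events:", detect_steps(KPI))
    print("quiet series:", detect_steps(QUIET))
```
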
This second stage evaluates detected events for finding anomalies
Aggregation rules are used to link related events and provide a multi-scale view of the anomalies to operators. Some standard dimensions are time, geo-spatial, network clustering, technology
Classification has a crucial role in EVoKE, and several methodologies are used. The flow is hierarchical and can be recursive, so a classifier can even exploit information extracted by previous iterations
EVoKE supports multiple ranking metrics, which are aggregated into a global ranking index expressed as a numerical and a literal value. This information is crucial, as anomalies are evaluated by operators in order of priority
EVoKE analysis is defined by a hierarchical schema defining all aspects of the flow
EVoKE Daemon tool can launch template jobs on particular time patterns. This work-mode is useful for periodic long-time analysis
Most components and algorithms of the EVoKE suite are designed and optimized to work online
It's a two-step analysis: the first one is done in real-time and designed to be efficient; the second analysis, designed to refine previous results, is executed as soon as infrastructure resources are available
This is the typical on-demand mode. It is used to design and test new analyses, and to evaluate a particular time period and network cluster
EVoKE is effective, easy to install, use, and maintain
EVoKE architecture has been implemented as a flexible and extendible framework, written in C# with optimized API and lambda support
EVoKE can analyze dozens of thousands of BTS in a few seconds
EVoKE embeds static domain rules as well as machine learning techniques for exploiting operator feedback
EVoKE cooperates with 3rd-party software in order to integrate control and outputs in the same operators' software
EVoKE is installed at the VODAFONE OMNITEL N.V. data-warehouse