Abstract: A method for detecting PCI confusion during cellular network handovers includes identifying a geographic location of a handover failure of a user device from a first cell to a second cell, determining a strength of a signal to be received by the user device from the second cell, identifying, based on the strength of the signal to be received by the user device from the second cell, a hidden neighbor cell of the first cell, determining a strength of a signal to be received by the user device from the hidden neighbor cell, classifying, based on the determined signal strength of the hidden neighbor cell, a cause of the confusion during cellular network handovers, modifying, based on the classified cause of confusion, one or more parameters of the second cell or the hidden neighbor cell to prevent confusion during future cellular network handovers.

Abstract: A system and method for analyzing error codes includes detecting a failure condition on a network, identifying a subset of subscribers impacted by the failure condition, determining for each subscriber in the subset of subscribers a first set of error codes associated with the failure condition, creating a Bayesian network comprising one or more error codes from the first set of error codes of each the subset of subscribers, computing a Conditional Probability Distribution (CPD) for each of the one or more error codes of the Bayesian network, and determining a second set of error codes based on the CPD, the second set of error codes indicative of a cause of the failure condition.

Abstract: Systems and methods for network element clustering include identifying a plurality of network elements, each network element configured to send and receive a plurality of data packets across a communications network, assigning each network element of the plurality of network elements to a cluster of a first plurality of clusters according to a location of each network element, determining a distance between each network element assigned to a cluster and a centroid of the cluster, executing an optimization algorithm using the distances to reassign the plurality of network elements to clusters of a second plurality of clusters that reduces a cost value of the optimization algorithm, generating a matrix indicating an assignment of each network element of the plurality of network elements to a cluster of the second plurality of clusters, and routing one or more data packets received from the plurality of network elements according to the generated matrix.

Abstract: Systems and methods for network traffic monitoring are provided. A system may obtain a data packet of a data packet exchange between the server and a network device, extract a time to live (TTL) value and an internet protocol (IP) address of the network device from the data packet, compare the TTL value with a TTL value range or signature determined based on TTL values observed from data packets transmitted across a communications network, determine that the TTL value violates an authentication policy based on the TTL value being outside of the TTL value range or signature, and apply a tag to the IP address of the network device in a database stored memory.

Abstract: A system includes instructions that cause processors to store a directed acyclic graph including nodes comprising selector nodes, mitigator nodes, and actor nodes, each of the nodes linked to another node, receive a data packet, inspect, using a selector node, a header of the data packet to determine a protection group, tag the data packet with an identification of the protection group based on the inspection, apply, using a mitigator node, criteria of a protection group policy corresponding to the protection group to the data packet based on the identification of the protection group tagged to the data packet, tag the data packet with a mitigation flag corresponding to a mitigation measure selected based on the application of the criteria of the protection group policy to the data packet, and apply, using an actor node, the mitigation measure corresponding to the mitigation tag to the data packet.

Abstract: The present disclosure describes a system including one or more processors to store a plurality of inspection tools in memory; detect a plurality of data packet exchanges between pairs of network devices communicating across a communications network; store metadata generated from the plurality of data packet exchanges in respective records corresponding to the different data packet exchanges; receive a data packet transmitted from a first network device to a second network device across a communications network; extract session information from a header of the data packet; responsive to determining the extracted session information matches stored session information for a communication session, tag the data packet with an indication of an active session; and process the data packet based on the tag of the data packet indicating the active session.

Abstract: A system may include one or more memory devices storing instructions thereon that, when executed by one or more processors, cause the one or more processors to detect a transmission of a first data packet between a computing device and a server, determine a first amount of time elapsed between the transmission of the first data packet and a transmission of a second data packet, store the first amount of time in a data structure in a database, detect a transmission of a third data packet between the computing device and the server, determine a second amount of time elapsed between the transmission of the second data packet and the transmission of the third data packet, and determine that the computing device is utilizing a proxy device to communicate with the server.

Abstract: A method for detecting cell positioning anomalies is disclosed. Control plane signaling data packets are collected associated with multiple cells of a communications network. Distance and azimuth values for individual communication sessions are calculated for each cell. A machine learning model is executed using various communication parameters as input to generate a classification for each cell. A list identifying which cells are experiencing anomalies is generated.

Abstract: Systems and methods for source-based misuse detection are provided. A system may store a managed objects in memory. Each of the managed objects corresponding to one or more computing devices configured to communicate over a communications network and having a configuration including one or more thresholds corresponding to network parameters for detecting an attack on the communications network. The system may monitor network traffic. The system may detect a first network parameter exceeds a threshold of a first misuse type. The system may identify a source internet protocol (IP) address associated with the first network parameter exceeding the threshold. The system may generate a tag for each source IP address indicating misuse of the communications network by the source IP address.

Abstract: Systems and methods for network traffic monitoring are provided. A system may obtain a data packet of a data packet exchange between the server and a network device, extract a time to live (TTL) value and an internet protocol (IP) address of the network device from the data packet, compare the TTL value with a TTL value range or signature determined based on TTL values observed from data packets transmitted across a communications network, determine that the TTL value violates an authentication policy based on the TTL value being outside of the TTL value range or signature, and apply a tag to the IP address of the network device in a database stored memory.

Abstract: A system may detect a plurality of data packet exchanges, the plurality of data packet exchanges representing establishments of communication sessions between a server and a plurality of network devices; extract, from first information associated with the plurality of data packet exchanges, a plurality of time to live (TTL) values that correspond to the plurality of data packet exchanges; and store, responsive to extraction of the plurality of TTL values, second information that represents the plurality of TTL values in a data structure, the data structure configured to store the second information according to a Classless Inter-Domain Routing (CIDR) block that indicates a list of internet protocol (IP) addresses associated with the communications network; and responsive to a determination that a network characteristic of the monitored network traffic satisfies a condition, change operation from an observation mode to an idle mode.

Abstract: A method is disclosed. A first data packet is received. Data is extracted from the first data packet. A first synthetic data packet is generated from data of the first data packet. A second data packet is received. Data is extracted from the second data packet. A key performance indicator is generated from data of the first and second synthetic data packets.

Abstract: A method is disclosed. In the method, a set of data blocks can be stored. A continuous stream of data can be received. First data from the continuous stream of data can be stored in a first subset of data blocks. Second data from the continuous stream of data can be stored in a second subset of data blocks. Responsive to determining each of the set of data blocks is filled with data, data in a third subset of data blocks can be overwritten with data from the continuous stream of data.

Abstract: A system and method for hierarchical network monitoring functions are disclosed. An order of execution for layer functions of a network architecture is determined. The layer functions may be distributed across multiple layers. The layers may include a sensor layer, a federated application layer, and a data lake layer. A machine learning model may be executed at a first layer. The first layer may be the sensor layer.

Abstract: Systems and methods for transparent service response analysis is provided. A system may obtain a network data packet from a network service provider. The system may determine the network data packet includes a response code indicating a status of the request. The system may extract the response code from the network data packet. The system may modify an IP header of the network data packet based on the response code. The system may encapsulate the network data packet based on the response code. The system may send the network data packet with the modified IP header. The system may send the encapsulated network data packet.

Abstract: Systems and methods for USN monitoring via virtual tap is provided. A system may obtain, from a virtual tap, virtual network data packets associated with a first type of wireless communication protocol. The system may extract a first ID from the virtual network data packets. The system may query a first database associated with the first type of wireless communication protocol or a second database using a second type of wireless communication protocol using the first ID. The system may determine a second ID and a security context based on the query. The system may convert the security context from a first type to a second type of security context. The system may store the converted security context into a field based on the second ID.

Abstract: A method for network anomaly detection and policy-based network state restoration includes collecting a first set of metrics associated with a network at a first time indicating a first state of the network and storing the first set of metrics in association with the first state in a memory at the first time. A second set of metrics associated with the network is collected at a second time indicating a second state of the network. An indication of an anomaly on the network is determined based on a comparison of the second set of metrics with the first set of metrics. A network policy is applied to revert the network from the second state to the first state by restoring configuration parameters and operational settings of the network to match the stored first set of metrics exactly as recorded at the first time in response to determining the indication of the anomaly. The network may be monitored in response to applying the network policy and action may be taken based on the monitoring.

Abstract: A network monitoring device is connected to a communications network and monitors traffic transmitted to and from a server. The system stores a device fingerprint of devices identified as involved in attacks across the communications network, generates attack patterns for attacks across the communications network based on data packets transmitted or received by the devices during an attack based on the data packets corresponding to the device fingerprint, monitors data packet exchanges between the server and network devices, determines a set of transmission parameters for each of the data packet exchanges, compares the set of transmission parameters for the plurality of data packet exchanges to the attack patterns, and, responsive to determining a match between a first set of transmission parameters and an attack pattern, applies a tag to a network device communicating with the server via the data packet exchange indicating the network device is involved in an attack.

Abstract: Systems and methods for service response analysis via out-of-band signaling is provided. A system may obtain, via a first network channel, a network data packet from a network service provider. The system may determine the network data packet comprises a response code indicating a status of the request. The system may extract the response code from the network data packet. The system may generate an out-of-band response message comprising the response code. The system may send, to an external device via a second network channel, the out-of-band response message comprising the response code.

Abstract: A system for selective user plane (UP) monitoring includes a service gateway (SGW) having a plurality of units. The system further includes a network packet broker (NPB) configured to receive packets including UP data from tunnels created to enable transmission of the UP packets from UE to the plurality of SGW units. The NPB is also configured to receive packets including control plane (CP) data from channels enabling transmission of the CP packets from a base transceiver station to the SGW. The system also includes a plurality of probes operatively coupled to the NPB. The probes are configured to generate first metrics associated with the received CP packets and to selectively generate second metrics associated with the received UP packets based on one or more identifiers. The NPB is configured to forward UP packets being processed by a particular SGW unit to a particular probe of the plurality of probes.