Abstract: The present disclosure describes a method for detecting and mitigating network attacks. The method includes collecting network data packets transmitted by a plurality of computing devices across a communications network; presenting a user interface on a user device, the user interface comprising a threshold calculation button and one or more fields each corresponding to a threshold for a different network characteristic of the communications network; receiving a selection of the threshold calculation button from the user device; determining a threshold for each of the one or more fields based on the collected network data packets; responsive to receiving the selection of the threshold calculation button, automatically populating each of the one or more fields with the threshold determined for the field; and detecting an attack on the communications network using a first threshold that was automatically populated into a first field of the one or more fields.

Abstract: A system and method for analyzing error codes includes detecting a failure condition on a network, identifying a subset of subscribers impacted by the failure condition, determining for each subscriber in the subset of subscribers a first set of error codes associated with the failure condition, creating a Bayesian network comprising one or more error codes from the first set of error codes of each the subset of subscribers, computing a Conditional Probability Distribution (CPD) for each of the one or more error codes of the Bayesian network, and determining a second set of error codes based on the CPD, the second set of error codes indicative of a cause of the failure condition.

Abstract: Systems and methods for service response analysis via out-of-band signaling is provided. A system may obtain, via a first network channel, a network data packet from a network service provider. The system may determine the network data packet comprises a response code indicating a status of the request. The system may extract the response code from the network data packet. The system may generate an out-of-band response message comprising the response code. The system may send, to an external device via a second network channel, the out-of-band response message comprising the response code.

Abstract: A system is disclosed. The system can include a network monitoring device connected to a communications network. The network monitoring device to store a probabilistic data structure indicating one or more domain names; receive a response data packet from the DNS server, the response data packet comprising a first domain name transmitted in a query to the DNS server and an affirmative response code; update the probabilistic data structure with the first domain name identified from the response data packet; responsive to detecting an attack on the network, retrieve a query message, the query message containing a second domain name; query the updated probabilistic data structure with the second domain name; and restrict transmission of the query message or communication by the computing device with the DNS server.

Abstract: Systems and methods for transparent service response analysis is provided. A system may obtain a network data packet from a network service provider. The system may determine the network data packet includes a response code indicating a status of the request. The system may extract the response code from the network data packet. The system may modify an IP header of the network data packet based on the response code. The system may encapsulate the network data packet based on the response code. The system may send the network data packet with the modified IP header. The system may send the encapsulated network data packet.

Abstract: A method is disclosed. In the method, a data generation process can continuously generate data in real time. The data generation process can store the data into discrete data blocks. An analyzer process can run analytical queries on the data from the data blocks. After the analytics is complete for different data blocks, data can be removed from the respective data blocks. The empty data blocks can be returned back to the generation process for reuse. The data blocks can be shared resources between the generation and the analyzer processes. The data can be stored in a directly queryable format. Though at any given time a given analytical query can run on a single data block, the analyzer process can preserve certain important records from that data block to be used while analyzing subsequent data blocks at a later time.

Abstract: Methods and systems for temporal context monitoring and enforcement for telecommunications networks are disclosed. A first and a second set of metrics associated with a network are collected. The first set of metrics are associated with a first time and indicate a first state of the network. The second set of metrics are associated with a second time and indicate a second state of the network. An indication of an anomaly on the network is determined responsive to comparing the second set of metrics with the first set of metrics. A network policy is applied to revert the network from the second state to the first state.

Abstract: Decrypting synthetic transactions with beacon packets is provided. A probe receives, from a client device, a start beacon packet that identifies a test of a service provided by one or more servers. The probe establishes, responsive to receipt of the start beacon packet, a log for the test. The probe stores, in the log established responsive to the start beacon packet, data packets transmitted between the client device and the one or more servers subsequent to the start beacon packet and encrypted with a key using a security protocol. The probe receives, from the client device, key information used to decrypt the data packets of the test encrypted with the key using the security protocol. The probe provides at least one of the data packets for evaluation or decryption using the key information to determine a performance of the service.

Abstract: A method for detecting the sources of distributed denial of service attacks is disclosed. Control plane signaling data and user plane data is collected using network monitoring equipment connected to a communications network. The control plane signaling data and user plane data is correlated. Amounts of traffic are calculated for individual computing devices based on the correlated data. One or more computing devices are determined based on the amounts of traffic associated with the one or more computing devices satisfying a device anomaly criterion. A record including a list of the one or more computing devices is generated.

Abstract: Systems and methods for remote synthetic transactions is provided. A system may create a tunnel between the system and a device to perform remote synthetic transactions. The system may be at a location other than a location of the device and remotely transfer data packets to the device to be sent to a service of a service provider via a network. The data packets may appear to originate from the device and be handled accordingly by the service. The system may receive a response to the synthetic transactions from the device and provide an indication of performance of the synthetic transaction based on the response.

Abstract: A system and method for hierarchical network monitoring functions are disclosed. An order of execution for layer functions of a network architecture is determined. The layer functions may be distributed across multiple layers. The layers may include a sensor layer, a federated application layer, and a data lake layer. A machine learning model may be executed at a first layer. The first layer may be the sensor layer.

Abstract: A cluster load balancer can be coupled to a network for monitoring network traffic. The cluster load balancer can include one or more computing devices. The one or more computing devices can be configured to receive a data packet, the data packet comprising a device identifier of a first device connected to a network for a communication session, wherein the data packet is a user plane data packet or a control plane data packet; generate a probe identification based on the device identifier of the first device in the data packet; add the probe identification to the data packet; and transmit the data packet with the probe identification to a second device in communication with a plurality of network probes. The second device can be configured to forward the data packet to a network probe of the plurality of network probes based on the probe identification in the data packet.

Abstract: Decrypting synthetic transactions with beacon packets is provided. A probe receives, from a client device, a start beacon packet that identifies a test of a service provided by one or more servers. The probe establishes, responsive to receipt of the start beacon packet, a log for the test. The probe stores, in the log established responsive to the start beacon packet, data packets transmitted between the client device and the one or more servers subsequent to the start beacon packet and encrypted with a key using a security protocol. The probe receives, from the client device, key information used to decrypt the data packets of the test encrypted with the key using the security protocol. The probe provides at least one of the data packets for evaluation or decryption using the key information to determine a performance of the service.

Abstract: A method for detecting cell positioning anomalies is disclosed. Control plane signaling data packets are collected associated with multiple cells of a communications network. Distance and azimuth values for individual communication sessions are calculated for each cell. A machine learning model is executed using various communication parameters as input to generate a classification for each cell. A list identifying which cells are experiencing anomalies is generated.

Abstract: A method is disclosed. A first data packet is received. Data is extracted from the first data packet. A first synthetic data packet is generated from data of the first data packet. A second data packet is received. Data is extracted from the second data packet. A key performance indicator is generated from data of the first and second synthetic data packets.

Abstract: A method is disclosed. In the method, a data generation process can continuously generate data in real time. The data generation process can store the data into discrete data blocks. An analyzer process can run analytical queries on the data from the data blocks. After the analytics is complete for different data blocks, data can be removed from the respective data blocks. The empty data blocks can be returned back to the generation process for reuse. The data blocks can be shared resources between the generation and the analyzer processes. The data can be stored in a directly queryable format. Though at any given time a given analytical query can run on a single data block, the analyzer process can preserve certain important records from that data block to be used while analyzing subsequent data blocks at a later time.

Abstract: Decrypting synthetic transactions with beacon packets is provided. A probe receives, from a client device, a start beacon packet that identifies a test of a service provided by one or more servers. The probe establishes, responsive to receipt of the start beacon packet, a log for the test. The probe stores, in the log established responsive to the start beacon packet, data packets transmitted between the client device and the one or more servers subsequent to the start beacon packet and encrypted with a key using a security protocol. The probe receives, from the client device, key information used to decrypt the data packets of the test encrypted with the key using the security protocol. The probe provides at least one of the data packets for evaluation or decryption using the key information to determine a performance of the service.

Abstract: A method for machine learning model selection for time series data is disclosed. Sets of time series data is obtained. The time series data is clustered using a clustering algorithm. A similarity value of the clusters is evaluated and a quantity of clusters is selected. Machine learning models are evaluated using a center of each cluster of time series data. A machine learning model is selected for each cluster. Selection may be updated.

Abstract: In some embodiments, a non-transitory computer readable medium is disclosed. In some embodiments, the medium includes instructions for providing a mobile user monitoring solution that, when executed by a processor, cause the processor to capture a first message transmitted over an N11 interface, extract at least one type of session ID and a first Next Generation Application Protocol (NGAP) tunnel endpoint identifier (TEID) from the first message, store the at least one type of session ID and the first NGAP TEID in a first N11 protocol data unit (PDU) session record, capture a second message transmitted over an N3 interface, extract a general packet radio service (GPRS) tunneling protocol (GTP)-user plane (U) TEID from the second message, wherein the GTP-U TEID matches the first NGAP TIED, and retrieve information associated with session details record using the GTP-U TEID.

Abstract: A computer-implemented method for repurposing one or more software configurable layer 2 switches in an IP (Internet Protocal) computer network to function as a layer 1 switch. Ternary Content-Addressable Memory (TCAM) is reconfigured in each of the one or more layer 2 switches and one or more pipeline engines are routed to emulate layer 1 switching functionality in each of the one or more layer 2 switches.