Abstract: A processing system may obtain time series associated with a plurality of network functions of a communication network, each time series including a sequence of values over a plurality of time intervals, each value indicating a percentage of events generated by a respective network function indicating a procedure failure within a respective time interval out of a total number of events generated by the respective network function within the respective time interval, identify, via a time series anomaly detection algorithm implemented by the processing system, an anomaly detection result comprising at least one time interval in which at least one time series exhibits at least one anomaly, apply a query to a generative model requesting an interpretation of the anomaly detection result, where an output comprising the interpretation is generated via the generative model in response to the query, and present the output to at least one endpoint device.

Abstract: A processing system may obtain time series associated with a plurality of network functions of a communication network, each time series including a sequence of values over a plurality of time intervals, each value indicating a percentage of events generated by a respective network function indicating a procedure failure within a respective time interval out of a total number of events generated by the respective network function within the respective time interval, identify, via a time series anomaly detection algorithm implemented by the processing system, an anomaly detection result comprising at least one time interval in which at least one time series exhibits at least one anomaly, apply a query to a generative model requesting an interpretation of the anomaly detection result, where an output comprising the interpretation is generated via the generative model in response to the query, and present the output to at least one endpoint device.

Abstract: A processing system may obtain a plurality of sequences of network function transaction events, each sequence comprising a plurality of network function transaction events in a communication network. The processing system may next apply the plurality of sequences as inputs to a sequential rule mining module implemented by the processing system to obtain a first rule set comprising at least a first rule, where the first rule indicates that a consequent network function transaction event follows an antecedent comprising one or more prior network function transaction events, and may apply the plurality of sequences as inputs to a generative model to obtain a second rule set. The processing system may then identify that the first rule is contained in the first and second rule sets, and may add the first rule to a set of active rules for generating alerts in the communication network, in response.

Abstract: Concepts and technologies disclosed herein are directed to a notification traffic anomaly detector. The notification traffic anomaly detector can receive, from a notification system, notification traffic data associated with at least one of notification requests or notifications processed by the notification system. The notification traffic anomaly detector can determine, using at least one machine learning model, whether the notification traffic data indicates an anomaly associated with the notification requests and/or the notifications processed by the notification system. In response to determining that the notification traffic data indicates an anomaly associated with the notification requests and/or the notifications processed by the notification system, the notification traffic anomaly detector can generate an anomaly notification and provide the anomaly notification to the notification system while at least one of notification requests or the notifications is being processed by the notification system.

Abstract: The described technology is generally directed towards methods for data latency evaluation. The techniques disclosed herein can provide useful information about when a data consumer can expect to receive data. Methods can create and compare data latency cumulative probability distributions comprising probabilities associated with different latency values, at various different levels of completeness.

Abstract: The described technology is generally directed towards methods for data latency evaluation. The techniques disclosed herein can provide useful information about when a data consumer can expect to receive data. Methods can create and compare data latency cumulative probability distributions comprising probabilities associated with different latency values, at various different levels of completeness.

Abstract: The described technology is generally directed towards methods for data latency evaluation. The techniques disclosed herein can provide useful information about when a data consumer can expect to receive data. Methods can create and compare data latency cumulative probability distributions comprising probabilities associated with different latency values, at various different levels of completeness.

Abstract: A system for detecting a remotely controlled e-mail spam host. The system includes an E-mail spammer detection unit and a host traffic profiling unit. The E-mail spammer detection unit identifies E-mail Spammers based on SMTP traffic characteristics. The host profiling unit extracts traffic components from the plurality of Internet traffic associated with an E-mail Spammer; interprets the extracted traffic components and determines whether the E-mail Spammer is a compromised host. The system may also include a botnet controller detection unit that analyzes traffic associated with compromised E-mail Spammers and identifies the botnet Controller remotely controlling the compromised E-mail Spammer.

Abstract: Methods for providing alerts in a network are disclosed. Some methods include collecting network traffic data corresponding to multiple subsets of network addresses during a predefined time interval. A suspect subset of the subsets of network addresses that corresponds to anomalous network activity may be identified based on the network traffic data and using at least one of multiple anomaly detection metrics. A source network address within the suspect subset of network addresses that corresponds to the anomalous network activity is identified. An alert corresponding to the source network address may be generated.

Abstract: A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controllers spammers.

Abstract: Methods for providing alerts in a network are disclosed. Some methods include collecting network traffic data corresponding to multiple subsets of network addresses during a predefined time interval. A suspect subset of the subsets of network addresses that corresponds to anomalous network activity may be identified based on the network traffic data and using at least one of multiple anomaly detection metrics. A source network address within the suspect subset of network addresses that corresponds to the anomalous network activity is identified. An alert corresponding to the source network address may be generated.

Abstract: A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controllers spammers.

Abstract: A system and method for detecting Email spammers from unknown SMTP Clients using the unknown SMTP Client's SMTP traffic information e.g. byte size and variability data. The system and method includes a byte size and variability traffic flow model and a classification system. The traffic flow model may be based upon a standard deviation of byte size and variability of traffic flows for a plurality of legitimate SMTP Clients and for a plurality of Spammer SMTP Clients. The classification system then classifies an Unknown SMTP Client as an Email Spammer based on a comparison between the byte size and the variability of the Unknown SMTP Client's traffic flows with the byte size and variability traffic flow model.

Abstract: A system for detecting a remotely controlled e-mail spam host. The system includes an E-mail spammer detection unit and a host traffic profiling unit. The E-mail spammer detection unit identifies E-mail Spammers based on SMTP traffic characteristics. The host profiling unit extracts traffic components from the plurality of Internet traffic associated with an E-mail Spammer; interprets the extracted traffic components and determines whether the E-mail Spammer is a compromised host. The system may also include a botnet controller detection unit that analyzes traffic associated with compromised E-mail Spammers and identifies the botnet Controller remotely controlling the compromised E-mail Spammer.