TLC base stations and network components acquire real-time and statistical measurements, typically called Key Performance Indicators (KPIs), used for troubleshooting analysis.
Hundreds of thousands of base stations collect hourly data (e.g., the number of dropped calls). Moreover, TLC experts define their own KPIs and aggregated views.
The physical network is continuously changing in terms of hardware, and network usage depends on user habits in time and space (e.g., weekends and holidays).
The available indicators (KPIs) are very complex processes exposing many high-dimensional relations with user behavior, seasonality, and cross-correlations related to the TLC network structure (e.g., handover).
In a pay-per-use business model, malfunctions and denials of service typically imply a direct loss of money; anomalies must be detected early or predicted.
EVoKE is an adaptive anomaly detection system.
Operator feedback (e.g., marking an event as a false positive) is exploited to improve result quality.
Detection is based on predefined configurations defined by domain experts and weighted with respect to the dynamic knowledge base.
Domain experts evaluate the results and provide a correctness mark based on their experience.
This feedback is traced and exploited through Learning-By-Example (LBE) techniques, in which wrong detections are over-weighted with respect to correct ones, as sketched below.
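As a minimal illustration of this idea (the type, field, and parameter names are assumptions for this sketch, not the actual EVoKE API), operator feedback could be turned into per-sample training weights in which wrongly detected anomalies count more than correct ones:

```csharp
// Hypothetical sketch: turning operator feedback into training weights so that
// wrongly detected anomalies (false positives) are over-weighted with respect
// to correct ones, pushing the next iteration to suppress them.
using System;
using System.Collections.Generic;
using System.Linq;

public record Feedback(string AnomalyId, double CorrectnessPct); // 0..100 from the operator

public static class LbeWeighting
{
    // Assumed over-weighting factor; not specified in the paper.
    const double FalsePositiveBoost = 3.0;

    public static Dictionary<string, double> ToSampleWeights(IEnumerable<Feedback> feedback)
    {
        return feedback.ToDictionary(
            f => f.AnomalyId,
            f =>
            {
                double error = 1.0 - f.CorrectnessPct / 100.0;   // 1 = completely wrong detection
                return 1.0 + FalsePositiveBoost * error;         // wrong detections weigh more
            });
    }
}
```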
The logical flow is designed to be efficient and simple.
The main challenges concern big-data I/O, implementation of the map-reduce pattern, false-positive minimization, self-maintenance, and rule adaptability.
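As a rough sketch of the map-reduce pattern over hourly KPI files (the CSV layout, field positions, and PLINQ-based parallelism are illustrative assumptions, not the EVoKE implementation):

```csharp
// Minimal map-reduce sketch over hourly KPI files using PLINQ.
// File layout and field names (CellId, DroppedCalls) are illustrative assumptions.
using System;
using System.IO;
using System.Linq;

public static class KpiMapReduce
{
    public static void Run(string folder)
    {
        var droppedCallsPerCell = Directory.EnumerateFiles(folder, "*.csv")
            .AsParallel()                                    // map: process files in parallel
            .SelectMany(File.ReadLines)
            .Select(line => line.Split(','))
            .Select(f => (CellId: f[0], DroppedCalls: int.Parse(f[2])))
            .GroupBy(r => r.CellId)                          // shuffle by key
            .ToDictionary(g => g.Key,
                          g => g.Sum(r => r.DroppedCalls));  // reduce: total per cell

        foreach (var (cell, total) in droppedCallsPerCell.OrderByDescending(kv => kv.Value).Take(10))
            Console.WriteLine($"{cell}: {total} dropped calls");
    }
}
```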
In the first part of the processing, EVoKE evaluates the analysis requirements and optimizes the configuration of the data adapters in order to minimize read operations.
At the first processing stage (detection), EVoKE parses the input RAW data (either real data with physical meaning or abstract KPIs) in order to find "data events", i.e., generic points or ranges of interest: a spike, a value out of a fixed range, or a complex pattern in the frequency domain. The objective is to extract higher-level information (events) and evaluate it in the next stage.
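A minimal sketch of the "data event" notion, paired with the simplest detector (a value outside a fixed range); the record and method names are assumptions for illustration only:

```csharp
// Illustrative sketch of a "data event" as a generic point/range of interest,
// plus a fixed-range detector. Type and field names are not the actual EVoKE API.
using System;
using System.Collections.Generic;

public record DataEvent(string KpiName, DateTime Start, DateTime End, string Kind, double Score);

public static class RangeDetector
{
    public static IEnumerable<DataEvent> OutOfRange(
        string kpi, IReadOnlyList<(DateTime Ts, double Value)> series, double min, double max)
    {
        foreach (var (ts, value) in series)
            if (value < min || value > max)
                yield return new DataEvent(kpi, ts, ts, "out-of-range",
                                           Math.Max(min - value, value - max)); // distance from range
    }
}
```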
The second stage processes the data events (output of the first stage) in order to find anomalies (the final output). The core layer of EVoKE is based on classification, aggregation, filtering, and ranking.
Anomalies are reported to network operators and domain experts, who may provide feedback (e.g., a 0-100% correctness mark). EVoKE exploits this information for further analysis and ranks the most reliable operators.
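One possible way to rank operator reliability from past feedback, assuming hypothetical field names and a simple agreement measure between operator marks and later confirmed outcomes:

```csharp
// Sketch: operators whose 0-100% marks agree with later confirmed outcomes
// receive a higher reliability score. The agreement measure is an assumption.
using System;
using System.Collections.Generic;
using System.Linq;

public record FeedbackRecord(string Operator, double MarkPct, bool ConfirmedAnomaly);

public static class OperatorReliability
{
    public static Dictionary<string, double> Score(IEnumerable<FeedbackRecord> history)
    {
        return history
            .GroupBy(r => r.Operator)
            .ToDictionary(
                g => g.Key,
                g => g.Average(r =>
                    1.0 - Math.Abs((r.ConfirmedAnomaly ? 100.0 : 0.0) - r.MarkPct) / 100.0));
    }
}
```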
This stage evaluates the RAW data to detect low-level events.
The major challenge is to recognize events with low-complexity algorithms and methodologies.
Implementations are optimized for speed in order to parse Gigabytes of data in seconds.
First- and second-order statistics are standard metrics, and the corresponding algorithms can typically be optimized for speed. EVoKE comes with configurable detectors based on static, dynamic, and adaptive thresholds.
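A sketch of an adaptive threshold built on rolling first- and second-order statistics; the window size and the deviation factor k are assumed tuning parameters:

```csharp
// Sketch of an adaptive threshold: a sample is flagged when it deviates more
// than k standard deviations from the rolling mean of the previous window.
using System;
using System.Collections.Generic;
using System.Linq;

public static class AdaptiveThreshold
{
    public static IEnumerable<int> Detect(double[] x, int window = 24, double k = 3.0)
    {
        for (int i = window; i < x.Length; i++)
        {
            var slice = x.Skip(i - window).Take(window).ToArray();
            double mean = slice.Average();
            double std = Math.Sqrt(slice.Select(v => (v - mean) * (v - mean)).Average());
            if (std > 0 && Math.Abs(x[i] - mean) > k * std)
                yield return i;  // index of the anomalous sample
        }
    }
}
```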
In time series, trends are typically relevant for long-term analysis and for data normalization. Auto-correlation and cross-correlation are used for validation and inference analysis.
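For reference, a textbook sample auto-correlation at a given lag, which can confirm daily or weekly seasonality on hourly data before normalization (this is a standard formulation, not the EVoKE code):

```csharp
// Sample auto-correlation at a given lag (standard formulation).
using System;
using System.Linq;

public static class Correlation
{
    public static double AutoCorrelation(double[] x, int lag)
    {
        double mean = x.Average();
        double variance = x.Sum(v => (v - mean) * (v - mean));
        if (variance == 0) return 0;

        double cov = 0;
        for (int i = 0; i + lag < x.Length; i++)
            cov += (x[i] - mean) * (x[i + lag] - mean);

        return cov / variance;   // close to 1 at lag 24 for a strong daily pattern on hourly data
    }
}
```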
EVoKE comes with a set of discrete-transform presets, such as the FFT and wavelets. In particular, the Haar wavelet is exploited in various ways, such as noise reduction, trend evaluation, and ramp/step pattern detection.
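A minimal one-level Haar decomposition (textbook formulation, not the EVoKE implementation): the approximation half smooths noise and exposes the trend, while large detail coefficients mark steps and ramps:

```csharp
// One-level Haar wavelet decomposition (assumes an even-length input).
using System;

public static class Haar
{
    public static (double[] Approx, double[] Detail) Decompose(double[] x)
    {
        int half = x.Length / 2;
        var approx = new double[half];
        var detail = new double[half];
        for (int i = 0; i < half; i++)
        {
            approx[i] = (x[2 * i] + x[2 * i + 1]) / Math.Sqrt(2.0);  // local average (trend)
            detail[i] = (x[2 * i] - x[2 * i + 1]) / Math.Sqrt(2.0);  // local difference (edges, steps)
        }
        return (approx, detail);
    }
}
```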
This second stage evaluates the detected events to find anomalies.
Aggregation rules are used to link related events and provide operators with a multi-scale ("zoomable") view of the anomalies. Standard dimensions include time, geo-spatial location, network clustering, and technology.
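An illustrative aggregation rule grouping events by day and network cluster (the event fields and the clustering function are assumptions used only for this sketch):

```csharp
// Sketch of a time/space aggregation rule: events are grouped into coarser
// buckets (hour -> day, cell -> cluster) so operators can zoom out and back in.
using System;
using System.Collections.Generic;
using System.Linq;

public static class EventAggregation
{
    // Each event: (timestamp, cellId, score); the cluster mapping is an assumed input.
    public static IEnumerable<(DateTime Day, string Cluster, int Count, double MaxScore)>
        ByDayAndCluster(IEnumerable<(DateTime Ts, string CellId, double Score)> events,
                        Func<string, string> clusterOf)
    {
        return events
            .GroupBy(e => (Day: e.Ts.Date, Cluster: clusterOf(e.CellId)))
            .Select(g => (g.Key.Day, g.Key.Cluster, g.Count(), g.Max(e => e.Score)));
    }
}
```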
Classification plays a crucial role in EVoKE, and several methodologies are used. The flow is hierarchical and can be recursive, so classifiers can exploit information extracted in previous iterations.
EVoKE supports multiple ranking metrics, which are aggregated into a global ranking index expressed as both a numerical and a literal value. This information is crucial, as anomalies are evaluated by operators in order of priority.
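A possible way to combine several normalized metrics into a global numerical index and a literal priority label; the metric names, weights, and label thresholds are illustrative assumptions:

```csharp
// Sketch: weighted aggregation of normalized ranking metrics (each in [0,1])
// into a global score plus a literal priority label.
using System;
using System.Collections.Generic;
using System.Linq;

public static class GlobalRanking
{
    static readonly Dictionary<string, double> Weights = new()
    {
        ["severity"] = 0.5, ["extent"] = 0.3, ["operatorReliability"] = 0.2
    };

    public static (double Score, string Label) Rank(IReadOnlyDictionary<string, double> metrics)
    {
        double totalWeight = Weights.Where(w => metrics.ContainsKey(w.Key)).Sum(w => w.Value);
        if (totalWeight == 0) return (0, "MINOR");

        double score = Weights.Where(w => metrics.ContainsKey(w.Key))
                              .Sum(w => w.Value * metrics[w.Key]) / totalWeight;

        string label = score >= 0.8 ? "CRITICAL" : score >= 0.5 ? "MAJOR" : "MINOR";
        return (score, label);
    }
}
```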
An EVoKE analysis is defined by a hierarchical schema that specifies all aspects of the flow.
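A hypothetical sketch of what such a hierarchical analysis definition could look like (class and property names are assumptions, not EVoKE's actual schema):

```csharp
// Illustrative hierarchical analysis definition: data source, stage-1 detectors,
// stage-2 aggregation dimensions, and ranking weights.
using System.Collections.Generic;

public class AnalysisDefinition
{
    public string Name { get; set; } = "";
    public DataSourceConfig Source { get; set; } = new();            // data adapters / input KPIs
    public List<DetectorConfig> Detectors { get; set; } = new();     // stage 1: event detection
    public List<string> AggregationDimensions { get; set; } = new(); // stage 2: time, geo, cluster...
    public Dictionary<string, double> RankingWeights { get; set; } = new();
}

public class DataSourceConfig
{
    public string Adapter { get; set; } = "";
    public List<string> Kpis { get; set; } = new();
}

public class DetectorConfig
{
    public string Type { get; set; } = "";      // e.g. "adaptive-threshold", "haar-step"
    public Dictionary<string, double> Parameters { get; set; } = new();
}
```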
The EVoKE Daemon tool can launch template jobs according to particular time patterns. This working mode is useful for periodic long-term analyses.
Most components and algorithms of the EVoKE suite are designed and optimized to work online. Their typical bottleneck is access to the RAW (or KPI) data, which depends on the infrastructure.
This is a two-step analysis: the first step is performed in real time and designed to be efficient; the second step, which refines the previous results, is executed as soon as infrastructure resources are available.
This is the typical on-demand mode: it is used to design and test new analyses and to evaluate particular time periods and network clusters.
The following key features make EVoKE effective and easy to install, use, and maintain.
The EVoKE architecture has been implemented as a flexible and extensible framework, written in C# with an optimized API and lambda support.
EVoKE can analyze dozens of thousands of BTSs in a few seconds.
EVoKE embeds static domain rules as well as machine learning techniques for exploiting operator feedback.
EVoKE cooperates with third-party software in order to integrate its control and outputs into the operators' existing tools.
EVoKE is currently installed at the VODAFONE OMNITEL N.V. data warehouse.