An expert-aware Markovian system for end-user proactive troubleshooting in the Network and Security Operations Center

Bibliographic Details
Authors: León, Alejandro; Perdices Burrero, Daniel; García Dorado, José Luis; Ramos de Santiago, Francisco Javier; Aracil Rico, Javier
Resource type: article
Publication date: 2025
Country: Spain
Institution: Universidad Autónoma de Madrid
Repository: Biblos-e Archivo. Repositorio Institucional de la UAM
Language: English
OAI Identifier: oai:repositorio.uam.es:10486/730021
Online access: https://hdl.handle.net/10486/730021
https://dx.doi.org/10.1016/j.eswa.2025.127072
Access level: open access
Keywords: Network monitoring
End-user traffic
End-user anomalies
Network Operations Center
Proactive troubleshooting
Telecommunications
Description
Summary: Companies’ Network Operations Centers continuously monitor network health to keep business activity fully operational in today’s scenario of decentralized digital workplaces. For this task, network managers have a diverse set of tools to proactively troubleshoot network changes that could potentially lead to network outages. Unfortunately, these tools primarily focus on servers and high-volume services, while changes in end-users’ traffic can also be a symptom of relevant issues such as the misuse and misconfiguration of resources, service slowdowns, and cybersecurity breaches. End-user behavior, in particular, tends to be more erratic and chaotic than server traffic, especially when different users may share the same IP address over time (e.g., DHCP and Wi-Fi environments). To address these challenges, we propose modeling end-user behavior as an unordered collection of activities (i.e., pieces of regular behavior) rather than as time series. These activities, such as downloading a file or browsing the Internet, yield an identifiable sequence of measurements in terms of network metrics over time (e.g., throughput or number of connections). Deviations from typical sequences of measurements are flagged as irregular behaviors, with higher priority assigned to increasingly uncommon patterns. This methodology leverages Markov chains to represent activities as sequences of expert-aware discrete states of network metrics. When applied to a multi-year dataset from a global enterprise, our proposal has been able to cope with the chaotic and challenging environment of end-user behavioral modeling, identifying critical issues such as DNS misconfigurations, compromised printers, and cybersecurity threats.