Fusing information from tickets and alerts to improve the incident resolution process
Díaz-Verdejo, Jesús E.
In the context of network incident monitoring, alerts are useful notifications that provide IT management staff with information about incidents. They are usually triggered in an automatic manner by network equipment and monitoring systems, thus containing only technical information available to the systems that are generating them. On the other hand, ticketing systems play a different role in this context. Tickets represent the business point of view of incidents. They are usually generated by human intervention and contain enriched semantic information about ongoing and past incidents. In this article, our main hypothesis is that incorporating tickets information into the alert correlation process will be beneficial to the incident resolution life-cycle in terms of accuracy, timing, and overall incident’s description. We propose a methodology to validate this hypothesis and suggest a solution to the main challenges that appear. The proposed correlation approach is based on the time alignment of the events (alerts and tickets) that affect common elements in the network. For this we use real alert and ticket datasets obtained from a large telecommunications network. The results have shown that using ticket information enhances the incident resolution process, mainly by reducing and aggregating a higher percentage of alerts compared with standard alert correlation systems that only use alerts as the main source of information. Finally, we also show the applicability and usability of this model by applying it to a case study where we analyze the performance of the management staff.
Quality of service , Data analysis , Network management systems , Alert correlation , Ticket-alert correlation
TY - JOUR AU - Salah, Saeed AU - Maciá-Fernández, Gabriel AU - Díaz-Verdejo, Jesús PY - 2018/01/17 SP - T1 - Fusing Information from Tickets and Alerts to Improve the Incident Resolution Process VL - 45 DO - 10.1016/j.inffus.2018.01.011 JO - Information Fusion ER -