The defense will take place on March 02, 2026
Title
Service Provider Network Anomaly Detection: Standards, Architecture, and Algorithms for actual use by Network Operators
Abstract
IP networks are critical infrastructure. Disruptions can impact essential services and cause serious economic and societal harm. Rapid detection is therefore essential for service providers.
This thesis investigates an architecture and approach for detecting service anomalies in real-world service provider networks. While statistical outlier detection has been widely studied for this purpose, such methods often misalign with how engineers monitor and diagnose networks, limiting their actual adoption in production.
This thesis proposes a network-centric anomaly detection approach based on deterministic, rule-based inspections. Instead of outlier detection, expert knowledge is encoded into rules that reflect how engineers interpret network telemetry data. The system processes telemetry data, maps it to customer identifiers, and applies rules to detect deviations from expected behaviors. Because these rules mirror operational data inspections from network engineers, alerts are directly actionable: they identify affected customers and specify the underlying symptoms. We apply this method to the two most revenue-generating connectivity services: BGP/MPLS Layer 3 VPNs and Internet access.
Our work addresses three questions:
(i) what operational requirements must an anomaly detection system meet in service provider networks,
(ii) which telemetry protocols best align with network operations, and
(iii) which detection strategies best reflect engineers’ mental models.
This is the first systematic study of anomaly detection in BGP/MPLS Layer 3 VPNs. For Internet access, we focus on issues within the service provider network, including those invisible to end users but economically relevant. Our system is deployed in Swisscom’s production environment, monitoring over 13,000 VPN customers. It processes 760,000 telemetry messages per second and has detected incidents such as software defects, misconfigured DNS blacklists, and mistakenly decommissioned fiber links. Since its deployment, it has identified over 20 disruptions, enabling operators to quickly acknowledge incidents and postpone maintenance windows. This thesis presents production cases showing how the system reduced detection time and supported operational workflows.
Our findings show that effective anomaly detection in service provider environments must go beyond data-driven approaches. Systems need to reflect how network engineers actually work. Rule-based data inspections, grounded in established operational practices, offer a practical, actionable alternative to statistical models.
Jury
– CONTRERAS MURILLO Luis Miguel, Researcher, Telefonica, Reviewer
– PELSSER Cristel, University Professor, UCLouvain, Reviewer
– IANNONE Luigi, Researcher, Huawei, Examiner
– ROOSE Philippe, University Professor, IUT de Bayonne, Examiner
– FRANCOIS Pierre, Professor, INSA de Lyon, Thesis supervisor
– FRENOT Stéphane, University Professor, INSA de Lyon, Thesis co-supervisor
