"UBA-Bok-Correa-MC1"


VAST 2012 Challenge

Mini-Challenge 1: Bank of Money Enterprise: Cyber Situation Awareness

 

 

Team Members:

 

Diego Martin Correa, University of Buenos Aires, diegomartincorrea@gmail.com    
Melisa Bok, University of Buenos Aires, melisabok@gmail.com

Student Team:   YES

 

Tool(s):

 

Postgres
To track the evolution of the machines over time we loaded the data into a Postgres database. From it we exported .csv files to analyze and visualize the data.

JMP:
We used this tool to create graphs and to process the raw data in small subsets. It helped us handle and interact with the data.

 

Video:

 

VAST 2012 Challenge

 

 

Answers to Mini-Challenge 1 Questions:

 

MC 1.1  Create a visualization of the health and policy status of the entire Bank of Money enterprise as of 2 pm BMT (BankWorld Mean Time) on February 2. What areas of concern do you observe? 

 

  We discovered two areas of concern. One is offline machines; the other is a non-normal policy status in two large regions.

  There are 79761 offline machines at 2 pm BMT (see figure 1.1.1), that is, machines with no policy status and activity flag information at that time.

 

Figure 1.1.1

 

 

  We discovered that most of those offline machines (62%) belong to datacenter 5; they are highlighted in the scatterplot matrix as blue points (see figure 1.1.2). The rest of the offline machines are workstations whose local time is earlier than 7 am. This is correct behaviour according to the rules, because it is outside business hours. See the bar plot in the same figure.

 

Figure 1.1.2

 

 

  The second area of concern is region 5 and region 10, which have no machine with policy status 1 (healthy) (see figure 1.1.3). Both are large regions, and we show their location on the Bank World map. Region 2 has 40621 machines and region 10 has 41317 machines. Most of them have policy status 2; see the third column in the scatterplot.

 

Figure 1.1.3

 

MC 1.2  Use your visualization tools to look at how the network’s status changes over time. Highlight up to five potential anomalies in the network and provide a visualization of each. When did each anomaly begin and end? What might be an explanation of each anomaly?

 

Figure 1.2.1

 

  Figure 1.2.1 shows how the policy status distribution changes over time. The Y axis gives the machine count per status value (one color per status). You can see that machines with status 1 (healthy) move to higher status values, which means that the network status is getting worse over time.

 

Figure 1.2.2

 

  Figure 1.2.2 is a zoom of the previous figure. It shows in more detail how policy status 5 starts to become significant at midday on February 3. This status, and statuses 3 and 4, keep growing until the end of the reporting period and never go down. This is the most important anomaly that we found.

 

Figure 1.2.3

 

  Figure 1.2.3 displays the machine counts per activity flag over healthtime. This is a peculiar situation: most of the machines report activity flag 1, which means 'Normal'. We expected the activity flags to be correlated with the policy status, but that is not what happens.

 

Figure 1.2.4

 

  Figure 1.2.4 is also a zoom of the previous figure. We can recognize two hills built from the other activity flags, which are not reported in all events. We presume that activity flags of level 3 and above happen only during business hours. We confirm this supposition in the following figure.

 

Figure 1.2.5

 

  In figure 1.2.5 we detected that activity flags 3, 4 and 5 were only reported by machines whose local time is within business hours; there is no activity flag 3, 4 or 5 outside this time interval. We can regard this as another anomaly. We also observe that the machine count per activity flag value stays constant over local time.

 

Figure 1.2.6

 

  Figure 1.2.6. We calculated how many workstations should be offline in each health-time report, using the local time to decide whether a machine should report or not. We also calculated the difference between the total number of machines and the number of machines that reported in each health-time report. Then we visualized both values to compare them. We expected these values to be similar, but they are not. This is an anomaly: the absent count never reaches the number of workstations that should be offline. We can conclude that there are a lot of machines that are never turned off.

 

Figure 1.2.7

 

  Figure 1.2.7 shows another anomaly. Datacenter 5 started without reporting status, meaning that at the beginning datacenter 5 could be considered offline. This was noted in MC 1.1, but here we add its evolution through time. From February 2 at 7:30 pm the situation becomes normal, as in the other 4 datacenters: all of its machines report their status.

 

Figure 1.2.8

 

  Figure 1.2.8 shows how similar the virus infection is across datacenters. We mentioned in figure 1.2.7 that datacenter 5 started offline; this does not affect the increase in policy status 5.

 

Figure 1.2.9

 

  Figure 1.2.9 helps to explain the previous figure. In more detail, it shows when the virus infection (policy status 5) appears for the first time in each datacenter. On February 2 at 12:45 pm the first machine with policy status 5 appears, and it belongs to datacenter 2. The second one appears at 17:15 in datacenter 1. After that the virus infection starts to grow across the network until February 4 at 8 am, when the count of machines with policy status 5 reaches its maximum.
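The three database computations used above (offline machines at a snapshot and whether their silence is expected from local time, MC 1.1; expected-offline workstations versus absent count per health-time report, Figure 1.2.6; first appearance of policy status 5 per datacenter, Figure 1.2.9) are shown together below as an added example. This is not the team's Postgres code or data: the schema (a `machines` inventory with a per-site offset from BMT and a `health` table of reports), the sample rows, and the business-hour window are all constructed here for illustration. Business hours are assumed to start at 7 am local time, as the text states; the 6 pm end is an assumption. SQLite is used in place of Postgres so the queries run stand-alone.

```python
"""Offline-machine and policy-status queries over VAST 2012 MC1-style health reports.

Added example with a constructed schema and constructed sample rows; not the
submission's own database. Queries are plain SQL run through sqlite3.
"""
import sqlite3
from datetime import datetime, timedelta

BUSINESS_START = 7   # page: workstations with local time before 7 am are legitimately off
BUSINESS_END = 18    # assumption: end of the local business day is not stated on the page

# Constructed inventory: (ip, machine class, site, local-time offset from BMT in hours).
MACHINES = [
    ("10.1.0.1", "server", "datacenter-5", 0),
    ("10.1.0.2", "server", "datacenter-5", 0),
    ("10.2.0.1", "server", "datacenter-1", 0),
    ("172.16.0.1", "workstation", "region-10", -8),   # local 6 am at 2 pm BMT
    ("172.16.0.2", "workstation", "region-10", -8),
    ("172.20.0.1", "workstation", "region-2", 2),     # local 4 pm at 2 pm BMT
]

# Constructed health reports: (ip, healthtime in BMT, policystatus, activityflag).
HEALTH = [
    ("10.2.0.1", "2012-02-02 14:00", 1, 1),
    ("172.20.0.1", "2012-02-02 14:00", 5, 3),
    ("10.1.0.1", "2012-02-02 14:15", 1, 1),
    ("10.1.0.2", "2012-02-02 14:15", 5, 1),
    ("10.2.0.1", "2012-02-02 14:15", 1, 1),
    ("172.16.0.1", "2012-02-02 14:15", 1, 1),   # workstation reporting at 6:15 am local
    ("172.20.0.1", "2012-02-02 14:15", 2, 1),
]


def build_db():
    """Load the constructed inventory and reports into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE machines(ip TEXT PRIMARY KEY, class TEXT, site TEXT, tz_offset INTEGER);
        CREATE TABLE health(ip TEXT, healthtime TEXT, policystatus INTEGER, activityflag INTEGER);
    """)
    conn.executemany("INSERT INTO machines VALUES (?,?,?,?)", MACHINES)
    conn.executemany("INSERT INTO health VALUES (?,?,?,?)", HEALTH)
    return conn


def in_business_hours(healthtime_bmt, tz_offset):
    """Convert a BMT healthtime to the machine's local time and test the business-hour window."""
    local = datetime.strptime(healthtime_bmt, "%Y-%m-%d %H:%M") + timedelta(hours=tz_offset)
    return BUSINESS_START <= local.hour < BUSINESS_END


def offline_at(conn, snapshot):
    """Machines with no health row at `snapshot` (MC 1.1), tagged with whether silence is expected.

    A workstation outside local business hours is expected to be off; a silent
    server, or a silent workstation during business hours, is a concern.
    """
    rows = conn.execute("""
        SELECT m.ip, m.class, m.site, m.tz_offset
        FROM machines m
        LEFT JOIN health h ON h.ip = m.ip AND h.healthtime = ?
        WHERE h.ip IS NULL
        ORDER BY m.ip""", (snapshot,)).fetchall()
    return [{"ip": ip, "class": cls, "site": site,
             "expected": cls == "workstation" and not in_business_hours(snapshot, tz)}
            for ip, cls, site, tz in rows]


def expected_vs_absent(conn):
    """Per healthtime: workstations that should be off by local time vs machines actually silent (Figure 1.2.6)."""
    total = conn.execute("SELECT COUNT(*) FROM machines").fetchone()[0]
    times = [t for (t,) in conn.execute("SELECT DISTINCT healthtime FROM health ORDER BY 1")]
    ws_offsets = [tz for (tz,) in conn.execute("SELECT tz_offset FROM machines WHERE class='workstation'")]
    out = []
    for t in times:
        reporting = conn.execute("SELECT COUNT(DISTINCT ip) FROM health WHERE healthtime=?", (t,)).fetchone()[0]
        should_be_off = sum(1 for tz in ws_offsets if not in_business_hours(t, tz))
        out.append((t, should_be_off, total - reporting))   # absent < should_be_off: machines never turned off
    return out


def first_appearance(conn, status):
    """Earliest healthtime at which each site reported the given policy status (Figure 1.2.9)."""
    return conn.execute("""
        SELECT m.site, MIN(h.healthtime)
        FROM health h JOIN machines m ON m.ip = h.ip
        WHERE h.policystatus = ?
        GROUP BY m.site
        ORDER BY 2, 1""", (status,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in offline_at(db, "2012-02-02 14:00"):
        print("offline:", row)
    for t, should_be_off, absent in expected_vs_absent(db):
        print(f"{t}: should be off {should_be_off}, absent {absent}")
    print("first policy status 5 per site:", first_appearance(db, 5))
```

In the constructed data the 14:15 report reproduces the Figure 1.2.6 anomaly on a small scale: two workstations should be off at 6:15 am local time, but only one machine is absent, because the other workstation reports anyway. The `LEFT JOIN ... WHERE h.ip IS NULL` pattern is the same query shape used to count the 79761 offline machines at 2 pm BMT, and `first_appearance` is the per-datacenter minimum behind Figure 1.2.9.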