
WO2025074414A1 - System and method for anomaly detection in a network - Google Patents

Publication number
WO2025074414A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
model
network
dataset
unit
Legal status
Pending
Application number
PCT/IN2024/051974
Other languages
French (fr)
Inventor
Aayush Bhatnagar
Ankit Murarka
Jugal Kishore
Chandra GANVEER
Sanjana Chaudhary
Gourav Gurbani
Yogesh Kumar
Avinash Kushwaha
Dharmendra Kumar Vishwakarma
Sajal Soni
Niharika PATNAM
Shubham Ingle
Harsh Poddar
Sanket KUMTHEKAR
Mohit Bhanwria
Shashank Bhushan
Vinay Gayki
Aniket KHADE
Durgesh KUMAR
Zenith KUMAR
Gaurav Kumar
Manasvi Rajani
Kishan Sahu
Sunil Meena
Supriya Kaushik DE
Kumar Debashish
Mehul Tilala
Satish Narayan
Rahul Kumar
Harshita GARG
Kunal Telgote
Ralph LOBO
Girish DANGE
Current Assignee
Jio Platforms Ltd
Original Assignee
Jio Platforms Ltd
Application filed by Jio Platforms Ltd
Publication of WO2025074414A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0894 Policy-based network configuration management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud

Definitions

  • the present invention relates generally to a wireless communication system, and in particular, to a system and method for anomaly detection in a network.
  • the raw data or analyzed data used for training a Machine Learning (ML) model is typically expected to be devoid of any anomalies. If data containing anomalies is used for training, the model may not generate precise predictions or results. This necessitates the manual configuration of various policies for different parameters to ensure that the model is not trained on data containing anomalies. If parameters associated with data breach certain thresholds (or generate negative values or values that are not associated with a particular parameter), then the data may be considered anomalous, potentially resulting in undesired outcomes. Accordingly, policies must be established for different parameters.
  • One or more embodiments of the present disclosure provides a method and a system for anomaly detection in a network.
  • the method for anomaly detection in a network includes the step of receiving, by one or more processors, data from one or more Network Functions (NFs) of the network, wherein network functions further may be one or more of Virtual Network Functions (VNFs)/Virtual Network Function Components (VNFCs), Container Network Functions (CNFs)/Container Network Function Components (CNFCs).
  • VNFs Virtual Network Functions
  • VNFCs Virtual Network Function Components
  • CNFs Container Network Functions
  • CNFCs Container Network Function Components
  • the method further includes the step of segregating, by the one or more processors, the received data based on one or more features.
  • the method further includes the step of applying, by the one or more processors, one or more policies corresponding to identification of one or more anomalies on the segregated data.
  • the method further includes the step of splitting, by the one or more processors, the segregated data into one of a training dataset and a test dataset.
  • the method further includes the step of training, by the one or more processors, a model utilizing the training dataset to identify trends and patterns within the training dataset.
  • the method further includes the step of evaluating, by the one or more processors, validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset.
  • the method further includes the step of updating, by the one or more processors, the one or more policies based on the evaluation of the validation metrics.
  • the data is one of a raw data and an analyzed data.
  • the one or more features correspond to at least a time of day or a day of week or a day of month.
  • the training dataset is used to train the model
  • the test dataset is used to evaluate the model
  • the model is selected based on a characteristic of the training dataset, desired output, and a task.
  • the validation metrics is at least one of an accuracy and an error of the trained model over the model trained utilizing the test dataset.
  • the method includes the steps of, dynamically detecting, by the one or more processors, the anomaly in an incoming data in real time based on the updated policies. Thereafter, the method includes the step of discarding, by the one or more processors, the data with the anomaly in response to the detection.
  • the method includes the steps of, retraining, by the one or more processors, the model utilizing updated data; wherein the updated data corresponds to the one or more NFs. Thereafter, the method includes the step of updating, by the one or more processors, the one or more policies based on the evaluation of the validation metrics of the trained model and the tested model utilizing the updated dataset.
  • the method includes, monitoring, by the one or more processors, the network performance data to dynamically detect the anomaly within the real time incoming data. Thereafter, forecasting, by the one or more processors, a load in the network based on the network performance data; and managing, by the one or more processors, one or more resources based on the forecasted load in a closed loop action, wherein the closed loop action corresponds to increasing or decreasing the one or more resources based on the forecasted load.
  • the system for anomaly detection in a network includes a receiving unit configured to receive data from the network, where the data pertains to the network performance data from one or more Network Functions (NFs) of the network. Said network functions (NFs) further may be one or more of VNFs/VNFCs, CNFs/CNFCs.
  • the system further includes a segregating unit configured to segregate the received data based on one or more features.
  • the system further includes an application unit configured to apply one or more policies corresponding to identification of one or more anomalies on the segregated data.
  • the system further includes a splitting unit configured to split the segregated data into one of a training dataset and a test dataset.
  • the system further includes a training unit configured to train a model utilizing the training dataset to identify trends and patterns within the training dataset.
  • the system further includes an evaluating unit configured to evaluate validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset.
  • the system further includes an updating unit configured to update the one or more policies based on the evaluation of the validation metrics.
  • a non-transitory computer-readable medium having stored thereon computer-readable instructions that, when executed by a processor.
  • the processor is configured to receive data from one or more Network Functions (NFs) of the network.
  • the processor is further configured to segregate the received data based on one or more features.
  • the processor is further configured to apply one or more policies corresponding to identification of one or more anomalies on the segregated data.
  • the processor is further configured to split the segregated data into one of a training dataset and a test dataset.
  • the processor is further configured to train a model utilizing the training dataset to identify trends and patterns within the training dataset.
  • the processor is further configured to evaluate validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset.
  • the processor is further configured to update the one or more policies based on the evaluation of the validation metrics.
  • FIG. 1 is an exemplary block diagram of an environment for anomaly detection in a network, according to one or more embodiments of the present invention.
  • FIG. 2 is an exemplary block diagram of a system for anomaly detection in the network, according to one or more embodiments of the present invention.
  • FIG. 3 is an exemplary architecture of the system of FIG. 2, according to one or more embodiments of the present invention.
  • FIG. 4 is an exemplary architecture illustrating the flow for anomaly detection in the network, according to one or more embodiments of the present disclosure.
  • FIG. 5 is a flow diagram of a method for anomaly detection in the network, according to one or more embodiments of the present invention.
  • FIG. 6 is a flow chart for anomaly detection in the network, according to one or more embodiments of the present invention.
  • the present invention discloses a system and a method for anomaly detection in a network. More particularly, the system described herein offers a comprehensive approach for identifying anomalies in incoming raw or analysed network data in near real-time. This real-time detection ensures that potential issues are spotted immediately as they occur, allowing for proactive responses and minimizing the impact on network performance.
  • the system is further configured to autonomously adapt anomaly detection policies to continuously learn and adjust detection criteria without requiring manual intervention. This may keep the anomaly detection mechanism up-to-date with changing data patterns, which is crucial in dynamic network environments. Additionally, the system is configured to perform immediate discarding of anomalous data to prevent the training of AI/ML models with potentially noisy or erroneous data, to avoid inaccurate predictions and outcomes.
  • FIG. 1 illustrates an exemplary block diagram of an environment 100 for anomaly detection in a network, according to one or more embodiments of the present invention.
  • the environment 100 includes a User Equipment (UE) 102, a server 104, a network 106, and a system 108.
  • UE User Equipment
  • a user interacts with the system 108 utilizing the UE 102.
  • each of the first UE 102a, the second UE 102b, and the third UE 102c is one of, but not limited to, any electrical, electronic, electromechanical or an equipment and a combination of one or more of the above devices such as smartphones, Virtual Reality (VR) devices, Augmented Reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device.
  • VR Virtual Reality
  • AR Augmented Reality
  • the network 106 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof.
  • PSTN Public-Switched Telephone Network
  • the network 106 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
  • 3G Third Generation
  • 4G Fourth Generation
  • 5G Fifth Generation
  • 6G Sixth Generation
  • NR New Radio
  • NB-IoT Narrow Band Internet of Things
  • O-RAN Open Radio Access Network
  • the network 106 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth.
  • the environment 100 includes the server 104 accessible via the network 106.
  • the server 104 may include by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, a processor executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof.
  • the entity may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise side, a defense facility side, or any other facility that provides service.
  • the environment 100 further includes the system 108 communicably coupled to the server 104, and the UE 102 via the network 106.
  • the system 108 is adapted to be embedded within the server 104 or is embedded as the individual entity.
  • FIG. 2 is an exemplary block diagram of the system 108 for anomaly detection in the network 106, according to one or more embodiments of the present invention.
  • the system 108 for anomaly detection in the network 106 includes one or more processors 202, a memory 204, and an inventory unit 206.
  • the one or more processors 202 hereinafter referred to as the processor 202, may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions.
  • the system 108 may include multiple processors as per the requirement and without deviating from the scope of the present disclosure.
  • the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204 as the memory 204 is communicably connected to the processor 202.
  • the memory 204 is configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed for anomaly detection in the network 106.
  • the memory 204 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
  • the inventory unit 206 is configured to store data associated with the operations performed in the network 106.
  • the inventory unit 206 is one of, but not limited to, the Unified Inventory Management (UIM) unit, a centralized database, a cloud-based database, a commercial database, an open-source database, a distributed database, an end-user database, a graphical database, a No-Structured Query Language (NoSQL) database, an object-oriented database, a personal database, an in-memory database, a document-based database, a time series database, a wide column database, a key value database, a search database, a cache database, and so forth.
  • the foregoing examples of inventory unit 206 types are non-limiting and may not be mutually exclusive, e.g., the database can be both commercial and cloud-based, or both relational and open-source, etc.
  • the inventory unit 206 such as, a Unified Inventory Management (UIM) unit is a standard based telecommunications inventory management application that enables users to model and manage customers, services, and resources.
  • the UIM unit serves as the backbone of the network 106.
  • the inventory unit 206 stores the logical and physical inventory data of every asset, device, node, and application.
  • the inventory unit 206 serves as a central repository for storing customer related information.
  • the customer related information includes at least one of, but not limited to, a name, an address, a location, a mobile number, subscription plans and a number of customers in the network 106.
  • the system 108 includes the processor 202 to detect anomaly in the network 106.
  • the processor 202 includes a receiving unit 208, a segregating unit 210, an application unit 212, a splitting unit 214, a training unit 216, an evaluating unit 218, an updating unit 220, a detecting unit 222, and a retraining unit 224.
  • the processor 202 is communicably coupled to the one or more components of the system 108 such as the memory 204 and the inventory unit 206.
  • operations and functionalities of the receiving unit 208, the segregating unit 210, the application unit 212, the splitting unit 214, the training unit 216, the evaluating unit 218, the updating unit 220, and the detecting unit 222, and the retraining unit 224, and the one or more components of the system 108 are used in combination or interchangeably.
  • the receiving unit 208 of the processor 202 is configured to receive data from the network 106, where the data pertains to the network performance data from one or more network functions (NFs) of the network 106.
  • Said network functions (NFs) further may be one or more of VNFs/VNFCs, CNFs/CNFCs.
  • the data is at least one of raw network data and analyzed network data, where said raw network data and analyzed network data are standardized and pre-processed to ensure consistency, making it easier to analyze and compare. This data serves as foundational input for further analysis or particularly as a training dataset for an artificial intelligence/machine learning model.
  • network data corresponds to at least one of, but is not limited to, network performance data, which is essential for assessing the quality and efficiency of a network.
  • the network performance data encompasses various metrics that provide insights into how well the network is functioning from the perspective of users and applications.
  • the raw network data consists of unprocessed information collected directly from the network functions, which may include metrics such as bandwidth, latency, packet loss, jitter, and error rates.
  • the bandwidth refers to maximum rate at which data can be transmitted over the network. It is a critical measure of network capacity and is often expressed in bits per second (bps). High bandwidth indicates that a network can handle a large amount of data traffic simultaneously, which is essential for applications requiring significant data transfer, such as video streaming or large file downloads.
  • the latency measures the time it takes for data to travel from the source to the destination. It is usually expressed in milliseconds (ms). Low latency is crucial for real-time applications, such as online gaming or video conferencing, where delays can significantly impact user experience.
  • the packet loss indicates the percentage of packets that are lost during transmission. High packet loss can lead to degraded performance and is often a sign of network congestion or hardware issues.
  • the jitter refers to the variability in packet arrival times. It is particularly important for applications that require a steady stream of data, such as VoIP (Voice over Internet Protocol) calls. High jitter can result in choppy audio or video.
  • the error rates track the number of errors that occur during data transmission. High error rates can indicate problems with network hardware or interference in wireless networks.
  • the analyzed network performance data provides insights derived from the raw data, highlighting trends, patterns, and potential issues within the network. This capability is vital for maintaining high levels of service quality and ensuring that any anomalies or performance degradations are promptly addressed.
  • the receiving unit 208 of the processor 202 is configured to receive data from the inventory unit 206.
  • the inventory unit 206 may contain analyzed network data pertaining to the network 106.
  • the data pertaining to the operation of the network 106 is extracted and stored in the inventory unit 206. Thereafter, the receiving unit 208 receives the analyzed data pertaining to the operation of the network 106 from the inventory unit 206.
  • the receiving unit 208 may utilize data aggregation techniques such as packet sniffing techniques to capture data packets as they traverse the network. This allows the unit to analyze traffic from multiple NFs simultaneously, providing insights into network performance and behavior.
  • the receiving unit 208 may utilize flow monitoring techniques to aggregate data that flows from the various NFs. This method helps in understanding traffic patterns and identifying bottlenecks or anomalies in the network.
  • the receiving unit 208 may utilize message queuing protocols like MQTT or AMQP to receive data from the NFs. These protocols allow for asynchronous communication, where messages can be sent and stored until the receiving unit is ready to process them, ensuring that no data is lost during peak loads.
  • the receiving unit 208 may utilize an event-driven architecture where the NFs send notifications or alerts when specific events occur. This technique allows the receiving unit 208 to react promptly to changes in the network, such as security breaches or performance issues.
  • the receiving unit 208 may leverage network telemetry techniques to continuously monitor and collect data from the NFs. This involves using protocols like ICMP for status messages or SNMP for network management, enabling real-time insights into network health and performance.
  • the receiving unit 208 may use Direct API Calls to interact with the NFs through RESTful APIs, allowing for direct data requests and responses. This method is particularly useful for integrating various services and ensuring that the receiving unit can access the latest data as needed.
  • the segregating unit 210 of the processor 202 is configured to receive data based on one or more features that are significant for analysis.
  • the segregating unit 210 of the processor 202 is configured to eliminate the recursive features and retain only the most relevant features for analysis. Further, the segregating unit 210 is configured to ensure the retrieval of significant data by performing statistical testing, feature selection models, data preprocessing, performance metrics, and the like. These features may include at least one of, but not limited to, a time of day, a day of week or a day of month; these are significant because they are the most relevant features for the data.
  • the time of day allows the segregating unit 210 to categorize data based on specific hours, which can be critical for applications that depend on time-sensitive information, such as traffic patterns, user activity, or system performance.
  • the day of week allows the segregating unit 210 to differentiate between weekdays and weekends, which often exhibit different behaviors in various contexts, such as retail sales, website traffic, or service usage.
  • the day of month helps in identifying trends or patterns that occur on specific dates, such as monthly billing cycles, seasonal promotions, or recurring events.
  • the data collected by the segregating unit 210 may undergo a process known as feature engineering. This process involves the extraction of relevant information from raw data.
  • the raw data may include timestamps, user interactions, system logs, or any other relevant information.
  • the raw data received from various sources often contains a wealth of information, but not all of it is useful for analysis.
  • Feature engineering focuses on extracting relevant features that can enhance the model's performance. For instance, from a timestamp, the segregating unit 210 can derive the hour, day of the week, and whether it falls on a holiday.
  • the application unit 212 of the processor 202 is configured to apply one or more policies corresponding to the identification of one or more anomalies within the segregated data. This process begins with the analysis of the segregated data, followed by the application of the relevant policies for identifying these anomalies
  • the application unit 212 of the processor is configured to apply policies to identify and respond to anomalies in transaction data, which includes at least the three steps mentioned below.
  • the segregating unit first analyzes transaction data and segregates it based on features such as transaction amount, frequency, geographical location, and transaction type.
  • the system identifies an anomaly, such as a sudden spike in transactions from a specific account that exceeds typical spending patterns.
  • the application unit applies a predefined policy, such as temporarily freezing the account and flagging the transactions for further investigation.
  • This policy might include notifying the account holder to confirm if the transactions were authorized.
  • the policies refer to predefined rules or guidelines that dictate how the data should be evaluated for anomalies. They may include thresholds for acceptable behavior, patterns of normal operation, or specific indicators that signal potential issues.
  • the data is labeled with a target variable, specifically the identification of anomalies, which is achieved through the application of the one or more policies.
  • the application unit 212 may utilize machine learning models or statistical methods to assess the segregated data against these policies. When the data exhibits characteristics that align with the definitions of anomalies set forth by the policies, it is flagged for further information. Said machine learning models or statistical methods for assessing the segregated data, are crucial for maintaining the integrity and security of the network, as it enables the early detection of potential threats or operational failures. Moreover, the application unit 212 may continuously update and refine these policies based on new data and insights gained from previous anomaly detections. This adaptive approach ensures that the system 108 remains effective in identifying anomalies as network conditions and threats evolve over time. By leveraging the labeled data and applying the appropriate policies, the application unit 212 plays a vital role in enhancing the overall performance and reliability of the network 106.
  • the splitting unit 214 is configured to split the segregated data into one of a training dataset and a test dataset. It is important to note that the splitting unit 214 is designed to take a set of data that is segregated based on one or more features and divide it into two distinct subsets: a training dataset and a test dataset. This division is essential for building robust machine learning models.
  • the training dataset is the portion of the data used to train the machine learning model. This contains examples that the model learns from, adjusting its parameters to minimize error and improve accuracy. Typically, this dataset comprises a larger portion of the overall data, allowing the model to generalize better.
  • the test dataset is used to evaluate the model's performance after training. This dataset is crucial for assessing how well the model can make predictions on unseen data. It acts as a benchmark to measure the model's accuracy, precision, recall, and other performance metrics.
  • the training unit 216 is configured to train a model utilizing the training dataset to identify trends and patterns within that dataset.
  • the training data is essential for training the selected model.
  • the model learns the underlying patterns and relationships between the input features that may include threshold values for different parameters and the target variable such as anomaly detection based on current policy.
  • the training unit 216 is responsible for core function of training the machine learning model, enabling it to learn and adapt by identifying trends and patterns within the data.
  • the model is selected based on a characteristic of the training dataset, desired output, and a task. This process involves several key activities, such as feature extraction and learning relationships.
  • feature extraction: the model identifies important features or attributes in the data that contribute to making predictions.
  • learning relationships: the model learns how different features relate to each other and how they correlate with the output labels. This understanding is crucial for various tasks, such as regression, where the model predicts continuous values, or classification, where it predicts discrete categories.
  • the evaluating unit 218 is configured to evaluate validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset.
  • the validation metrics 218 is at least one of an accuracy and an error of the trained model over the model trained utilizing the test dataset. After training, the model's performance is assessed using the testing dataset. Common evaluation metrics might include accuracy, precision, depending on the specific goals.
  • the updating unit 220 is configured to update one or more policies by analyzing evaluation results of the validation metrics.
  • These metrics are critical indicators of a model’s performance, providing insights into how well the model performs on validation data, which is separate from the training and test datasets.
  • These validation metrics are quantitative measures used to assess effectiveness of the trained model.
  • common validation metrics include:
  • Precision: the ratio of true positive predictions to the total predicted positives, indicating the model's ability to avoid false positives.
  • AUC-ROC: Area Under the Receiver Operating Characteristic Curve, which evaluates the trade-off between true positive rate and false positive rate.
  • the updating unit can determine the effectiveness of the trained model in achieving its intended objectives.
  • the sufficient effectiveness of the trained model is determined when the evaluation findings indicate whether or not established thresholds are fulfilled for validation metrics (e.g., accuracy, precision, recall, F1 score, etc.). These cutoff points are usually established by reference to performance benchmarks or domain requirements.
  • the detecting unit 222 is configured to continuously detect incoming data based on updated policies and dynamically assess them for anomalies. Anomalies are defined as data points that deviate significantly from expected patterns, potentially indicating issues such as fraud, system failures, or unexpected behavior in the data.
  • the detecting unit 222 is designed to detect anomalies in real-time based on updated policies, allowing it to discard any data identified as anomalous upon detection.
  • the term “dynamically detect” implies that the detecting unit 222 operates in real-time, enabling it to analyze data as it arrives. This capability is crucial for timely responses to anomalies, which can help prevent further complications.
  • the detection process involves real-time analysis, where the detecting unit 222 processes each incoming data point immediately, comparing it against established norms or expected patterns defined by the updated policies.
  • the effectiveness of the anomaly detection heavily relies on these updated policies, which govern what constitutes an anomaly.
  • These policies are shaped by ongoing analysis of validation metrics, ensuring that the detection models remain aligned with the latest data trends and operational requirements.
  • a retraining unit 224 is configured to retrain the model using updated data, where the updated data corresponds to the one or more NFs.
  • the retraining unit 224 is designed to enhance the machine learning model by incorporating the updated data, ensuring that the model remains effective and relevant to the current dataset and operational environment.
  • the machine learning process is often iterative: the system continuously collects new data, periodically retrains the model, and refines its predictions over time to adapt to changing network conditions and requirements.
  • the retraining unit 224 may perform steps which include:
  • Model Selection: Depending on the nature of the updated data and the task at hand, the retraining unit may decide to use the same model architecture or explore different algorithms that better suit the updated dataset.
  • Training the Model: The model is then trained on the updated dataset. This involves feeding the data into the model, allowing it to adjust its parameters and learn from the new information. Various techniques, such as cross-validation, may be employed to ensure that the model generalizes well to unseen data.
  • Evaluation: After retraining, the model’s performance is evaluated using validation metrics. This step helps assess whether the model has improved and if it is performing optimally with the updated data.
  • FIG. 3 illustrates an exemplary architecture for the system 108, according to one or more embodiments of the present invention. More specifically, FIG. 3 illustrates the system 108 for anomaly detection in the network 106. It is to be noted that the embodiment with respect to FIG. 3 will be explained with respect to the NFs 302 for the purpose of description and illustration and should nowhere be construed as limited to the scope of the present disclosure.
  • FIG. 3 shows communication between the NFs 302, and the system 108.
  • the NFs 302 use a network protocol connection to communicate with the system 108.
  • the network protocol connection is the establishment and management of communication between the NFs 302, and the system 108 over the network 106 (as shown in FIG. 1) using a specific protocol or set of protocols.
  • the network protocol connection includes, but is not limited to, Session Initiation Protocol (SIP), System Information Block (SIB) protocol, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Network Management Protocol (SNMP), Internet Control Message Protocol (ICMP), Hypertext Transfer Protocol Secure (HTTPS) and Terminal Network (TELNET).
  • the NFs 302 are essential components within the network 106 that perform specific tasks related to data processing, transmission, and management. These NFs 302 are integral to the operation of the networks, providing essential services that enhance performance, security, and resource management.
  • the NFs can be either hardware-based or software-based.
  • the NFs 302 may include hardware components such as routers, switches, firewalls, access points, and servers, as well as software components such as network operating systems, protocols, and network management software. They are responsible for various functionalities, including firewalls, load balancers, intrusion detection systems (IDS), and routers and switches.
  • the firewalls protect the network by monitoring and controlling incoming and outgoing traffic based on predetermined security rules.
  • the load balancers distribute network or application traffic across multiple servers to ensure that no single server becomes overwhelmed, enhancing performance and reliability.
  • the IDS monitor network traffic for suspicious activity and potential threats, alerting administrators to possible security breaches.
  • the routers and switches direct data packets between devices on a network, ensuring efficient data flow and connectivity.
  • the inventory unit 206 is hosted on the server 104.
  • the inventory unit 206 is configured to store all the data received from the NFs 302.
  • the receiving unit 208 is configured to receive data stored in the inventory unit 206.
  • the training dataset is utilized to train the model, and the one or more processors evaluate validation metrics based on a comparison of the trained model with a model trained using the test dataset.
  • the one or more processors update the policies based on the evaluation of the validation metrics.
  • the system 108 includes the processors 202, the memory 204, and the inventory unit 206, for managing operations in the network 106, which are already explained in FIG. 2.
  • For the sake of brevity, a similar description related to the working and operation of the system 108 as illustrated in FIG. 2 has been omitted to avoid repetition.
  • the processor 202 includes the receiving unit 208, the segregating unit 210, the application unit 212, the splitting unit 214, the training unit 216, the evaluating unit 218, and the updating unit 220, which are already explained in FIG. 2.
  • the limited description provided for the system 108 in FIG. 3 should be read with the description provided for the system 108 in the FIG. 2 above, and should not be construed as limiting the scope of the present disclosure.
  • FIG. 4 is an architecture illustrating the flow for anomaly detection in the network, according to one or more embodiments of the present disclosure.
  • the architecture 400 includes NFs 302, a data integration unit 402, a data preprocessing unit 404, a data lake 406, a model training unit 408, a prediction unit 410, an artificial intelligence (AI)/machine learning (ML) model 412, and a user interface 414.
  • the NFs 302, which analyze different types of network performance data, transmit the data to the data integration unit 402.
  • the data integration unit 402 is configured to receive and store the data pertaining to the particular operation in the data lake 406 for future analysis and retrieval.
  • the data preprocessing unit 404 is configured to prepare the data for analysis. This involves several key functions, including combining data from various sources as needed and splitting the data into training and testing sets.
  • the data preprocessing unit 404 is responsible for data definition, which establishes the structure and format of the data, as well as data normalization, which ensures that the data is on a consistent scale.
  • the data preprocessing unit 404 performs data cleaning, which includes removing redundant data and addressing missing values such as NaN values. This process is crucial for enhancing the quality of the dataset, as it helps to identify and correct errors, eliminate inconsistencies, and ensure that the data is suitable for further analysis. By effectively preparing the data, the data preprocessing unit 404 enables more accurate and reliable outcomes in subsequent analytical processes.
  • the data lake 406 is a distributed database used to store the processed data and model outputs in a highly scalable and flexible manner. Unlike traditional databases that often require structured data, the data lake 406 can accommodate both structured and unstructured data, allowing for greater versatility in data storage and management. The ability of the data lake 406 to handle diverse data types, its scalability, and its integration with analytics tools make it an essential resource for organizations looking to leverage data for informed decision-making and strategic initiatives.
  • the model training unit 408 is responsible for training the model using the gathered data to discover patterns and connections between different variables. This process involves utilizing the training data, which is a subset of the data, ensuring that the model is exposed to a diverse range of scenarios and relationships.
  • the selected model utilizes various algorithms to analyze the training data, learning from the information provided through an iterative process. Each iteration involves adjusting the model’s internal parameters to minimize prediction errors and enhance accuracy, thereby allowing the model to identify significant correlations and dependencies among the variables. This capability is essential for the model to generalize well, to make accurate predictions on new, unseen data based on the patterns learned during training.
  • the model training unit 408 continually evaluates its performance using validation techniques, ensuring that the model not only fits the training data but also maintains robustness and effectiveness in real-world applications.
  • the prediction unit 410 is crucial for automated anomaly detection in incoming data streams. Said real-time streaming data is continuously generated data that is processed and analyzed immediately as it arrives, rather than being stored for later processing. Further, the real-time streaming data enables immediate identification of unusual patterns or behaviors that could indicate issues such as fraud, system failures, or security breaches.
  • Said prediction unit 410 is designed to continuously monitor and analyze incoming data in real time, identifying any irregularities or deviations from expected patterns.
  • the prediction unit 410 employs advanced models to detect anomalies automatically, where anomalies are defined as data points that significantly deviate from the established norms or patterns identified during the model training phase. By implementing real-time monitoring, the prediction unit 410 can quickly identify and flag any anomalous data, ensuring that only accurate and reliable information is processed further. Upon detecting anomalies, the prediction unit 410 can automatically discard these data points to maintain the integrity of the dataset, helping to prevent skewed results that could arise from erroneous or outlier data.
  • the prediction unit 410 operates under a "go policy," meaning it continuously evaluates incoming data and makes immediate decisions about which data to keep and which to discard based on its anomaly detection models. Additionally, the prediction unit 410 is not static; it adapts to changing data patterns over time. As new data flows in, the prediction unit 410 assesses the evolving trends and adjusts its detection models and policies accordingly. This dynamic capability ensures that the prediction unit 410 remains effective in identifying anomalies as data patterns shift. Furthermore, in the prediction unit 410, the trained model forecasts results based on the learned patterns.
  • the AI/ML model 412 is configured to execute a variety of models that facilitate predictive tasks, anomaly detection, and the generation of AI-driven outputs using Large Language Models (LLMs).
  • the primary function of the AI/ML model 412 revolves around analyzing both network data and operational data, leveraging sophisticated machine learning techniques for comprehensive and in-depth analysis. This includes the implementation of various models tailored for specific tasks, such as classification, regression, and clustering, thereby enhancing the model’s ability to understand and interpret complex datasets.
  • integration of the user interface 414 allows users to interact with the AI/ML model 412 effectively. This provides a platform for the users to visualize the data, monitor the AI/ML model's outputs, and gain insights from the analyses performed.
  • the user interface 414 facilitates seamless communication between the user and the AI/ML model 412, empowering users to make informed decisions based on data-driven insights.
  • FIG. 5 is a flow diagram of a method 500 for anomaly detection in the network 106, according to one or more embodiments of the present invention.
  • the method 500 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
  • the method 500 includes the step of segregating the received data based on one or more features.
  • the segregating unit 210 organizes the received data based on features that correspond to at least the time of day, day of the week, or day of the month. For example, after receiving data that includes raw metrics such as signal strength, latency, and throughput, the segregating unit 210 categorizes this information into distinct segments. For instance, it may identify that signal strength is consistently low during weekday mornings (e.g., 8 AM to 10 AM) and high during weekends.
  • the method 500 includes the step of applying one or more policies corresponding to identification of one or more anomalies on the segregated data. For example, suppose the segregating unit 210 has categorized network performance data and identified a consistent pattern of unusually high latency during weekday afternoons. Upon detecting this anomaly, the system can apply specific policies designed to address such issues. For instance, one policy might trigger an automatic bandwidth allocation adjustment, reallocating resources to alleviate the congestion causing the latency spike. Another policy may involve sending alerts to network operators to investigate potential underlying causes, such as a malfunctioning router or an unexpected increase in user traffic due to a special event in the area.
  • the method 500 includes the step of training the model utilizing the training dataset to identify trends and patterns within the training dataset.
  • the training dataset consists of network performance metrics, including signal strength, latency, and throughput, collected over several months.
  • the model analyzes this dataset to learn how different factors influence network performance. For instance, it might identify that latency tends to increase during peak usage hours, such as weekday evenings, or that signal strength is often lower in certain geographic areas.
  • the model uses algorithms to process the data, adjusting its parameters to minimize prediction errors based on the observed patterns.
  • the model becomes adept at recognizing these trends, allowing it to predict future network performance under similar conditions. For example, if the model has learned that high traffic on Fridays leads to increased latency, it can forecast potential performance issues for upcoming Fridays, enabling network operators to take proactive measures to mitigate these effects.
  • the Mean Absolute Error is significantly higher (e.g., 12 milliseconds) during these periods compared to off-peak times (e.g., 4 milliseconds).
  • the processor decides to update the existing policies regarding network management such as policy adjustment for traffic management, dynamic resource allocation policy, alerting and investigation policy.
  • alerting and investigation policy: creating an alerting policy that triggers notifications for the network management team.
  • This policy may include real-time alerts when latency predictions exceed a predetermined threshold, prompting immediate investigation and remediation efforts.
  • FIG. 6 is a flow chart 600 for anomaly detection in the network 106, according to one or more embodiments of the present invention.
  • the flow chart 600 includes the steps of the data collection and analysis.
  • the receiving unit 208 receives data from the network 106, where the data pertains to the network performance data from one or more network functions (NFs) of the network 106.
  • the data is at least one of raw network data and analyzed network data, where said raw network data and analyzed network data are standardized and preprocessed to ensure consistency, making it easier to analyse and compare.
  • This data serves as foundational input for further analysis or particularly as a training dataset for an artificial intelligence/machine learning model.
  • the receiving unit 208 collects data from a network data analytics function that is responsible for analyzing network performance metrics.
  • the data may consist of raw data, which includes metrics such as signal strength, latency, and throughput.
  • the data may be analyzed data, which comprises metrics derived from the raw data, such as trends in network usage, identification of potential bottlenecks, or alerts regarding unusual traffic patterns that could indicate a network anomaly.
  • the training dataset is the portion of the data used to train the machine learning model. This contains examples that the model learns from, adjusting its parameters to minimize error and improve accuracy. Typically, this dataset comprises a larger portion of the overall data, allowing the model to generalize better.
  • the test dataset is used to evaluate the model's performance after training. This dataset is crucial for assessing how well the model can make predictions on unseen data. It acts as a benchmark to measure the model's accuracy, precision, recall, and other performance metrics.
  • the data preprocessing step 604 is responsible for data definition, which establishes the structure and format of the data, as well as data normalization, which ensures that the data is on a consistent scale. By effectively preparing the data, the data preprocessing step 604 enables more accurate and reliable outcomes in subsequent analytical processes.
  • the AI/ML model training includes training a model by utilizing the training dataset to identify trends and patterns within the training dataset.
  • the model learns the underlying patterns and relationships between the input features that may include threshold values for different parameters and the target variable such as anomaly detection based on current policy.
  • the training unit 216 is responsible for core function of training the machine learning model, enabling it to learn and adapt by identifying trends and patterns within the data.
  • the model is selected based on a characteristic of the training dataset, desired output, and a task.
  • This process involves several key activities, such as feature extraction and learning relationships. For example, in feature extraction, the model identifies important features or attributes in the data that contribute to making predictions. In learning relationships, the model learns how different features relate to each other and how they correlate with the output labels. This understanding is crucial for various tasks, such as regression, where the model predicts continuous values, or classification, where it predicts discrete categories.
  • the data visualization step allows the users to interact with the AI/ML model effectively, where the user can visualize the network performance results that are generated by the trained model. This provides a platform for the users to visualize the data, monitor the AI/ML model's outputs, and gain insights from the analyses performed.
  • the user interface facilitates seamless communication between the user and the AI/ML model, empowering users to make informed decisions based on data-driven insights.
  • the data presentation in the user interface may take different forms, such as line charts, bar graphs, heat maps, and scatter plots, depending on the nature of the data. For instance, time-series data might be best represented through line charts that show trends over time.
  • the autonomous anomaly detection includes automated anomaly detection in the incoming data, discarding data with anomalies, and changing the policy based on changing data patterns.
  • the detecting unit 222 is configured to continuously detect incoming data based on updated policies and dynamically assess them for anomalies.
  • the detecting unit 222 is designed to detect anomalies in real-time based on updated policies, allowing it to discard any data identified as anomalous upon detection.
  • the term “dynamically detect” implies that the detecting unit 222 operates in real-time, enabling it to analyze data as it arrives. This capability is crucial for timely responses to anomalies, which can help prevent further complications.
  • the retraining unit 224 retrains the model using updated data.
  • the processor changes the policy based on change in data pattern.
  • the policy is not static; it changes as data patterns change over time. For example, as new data flows in, the processor assesses the evolving trends and adjusts its detection models and policies accordingly. This dynamic capability ensures that the model remains effective in identifying anomalies as data patterns shift.
  • the trained model forecasts results based on the learned patterns.
  • the closed loop reporting includes the monitoring step, forecasting step, and managing step.
  • Said monitoring step of the closed loop includes monitoring, by one or more processors, the network performance data to dynamically detect the anomaly within the real-time incoming data.
  • a company implements a real-time network security monitoring system using a machine learning model to detect anomalies that could indicate security threats, such as unauthorized access.
  • the forecasting step includes forecasting, by one or more processors, a load in the network based on the network performance data, which involves analyzing historical network performance data to predict future usage patterns.
  • an enterprise network team wants to forecast network load to ensure optimal performance during peak usage times, such as during business hours or major events.
  • forecasting techniques, such as ARIMA (Auto Regressive Integrated Moving Average) or Exponential Smoothing, are used to model the historical data and predict future loads.
  • the managing step includes managing, by the one or more processors, one or more resources based on the forecasted load in a closed loop action, wherein if there are changes (increasing/decreasing) in one or more resources, a closed-loop reporting action is triggered.
  • This means the system receives feedback about the changes, allowing it to take appropriate actions, such as updating inventory, balancing loads, notifying users, or refreshing the dashboard.
  • a cloud service provider offers a web application that experiences fluctuating traffic levels. To optimize performance and cost, the provider uses a system that forecasts server load and dynamically adjusts resources in a closed-loop manner.
  • the present invention further discloses a non-transitory computer-readable medium having stored thereon computer-readable instructions.
  • the computer-readable instructions are executed by the processor 202.
  • the processor 202 is configured to receive data from the network, where the data pertains to the network performance data from one or more Network Functions (NFs) of the network. Said network functions (NFs) further may be one or more of VNFs/VNFCs, CNFs/CNFCs.
  • the processor 202 is further configured to segregate the received data based on one or more features.
  • the processor 202 is further configured to apply one or more policies corresponding to identification of one or more anomalies on the segregated data.
  • the processor 202 is further configured to split the segregated data into one of a training dataset and a test dataset.
  • the processor 202 is further configured to train a model utilizing the training dataset to identify trends and patterns within the training dataset.
  • the processor 202 is further configured to evaluate validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset.
  • the processor 202 is further configured to update the one or more policies based on the evaluation of the validation metrics.
  • A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIGS. 1-6) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
  • the present disclosure offers a technical advancement by automating anomaly detection and policy adjustments, significantly minimizing manual effort and time needed for maintaining these systems.
  • This automation enhances operational efficiency and enables near real-time identification of anomalies, facilitating prompt corrective actions that reduce impacts on network performance and customer satisfaction.
  • the AI/ML model's ability to autonomously adapt to changing data patterns keeps the system effective without requiring constant manual updates. This not only decreases reliance on human resources for these tasks but also leads to cost savings, allowing staff to focus on more strategic activities. Additionally, the system 108 ensures that the training data for AI/ML models is free from anomalies, resulting in more accurate predictions and insights.
  • the present invention offers multiple advantages over the prior art, and those listed above are a few examples to emphasize some of the advantageous features.
  • the listed advantages are to be read in a non-limiting manner.
  • UE User Equipment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Medical Informatics (AREA)
  • Evolutionary Computation (AREA)
  • Databases & Information Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a system (108) and a method (500) for anomaly detection in a network (106). The method (500) includes the step of receiving data from the network (106). The method (500) further includes the step of segregating the received data based on one or more features. The method (500) further includes the step of applying one or more policies corresponding to an identification of one or more anomalies in the segregated data. The method (500) further includes the step of splitting the segregated data into one of a training dataset and a test dataset. The method (500) further includes the step of training a model utilizing the training dataset to identify trends and patterns within the training dataset. The method (500) further includes the step of evaluating validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset. Thereafter, the method (500) includes the step of updating the one or more policies based on the evaluation of the validation metrics.

Description

SYSTEM AND METHOD FOR ANOMALY DETECTION IN A NETWORK
FIELD OF THE INVENTION
[0001] The present invention relates generally to a wireless communication system, and in particular, to a system and method for anomaly detection in a network.
BACKGROUND OF THE INVENTION
[0002] In traditional telecom systems, the raw data or analyzed data used for training a Machine Learning (ML) model is typically expected to be devoid of any anomalies. If data containing anomalies is used for training, the model may not generate precise predictions or results. This necessitates the manual configuration of various policies for different parameters to ensure that the model is not trained on data containing anomalies. If parameters associated with data breach certain thresholds (or generate negative values or values that are not associated with a particular parameter), then the data may be considered anomalous, potentially resulting in undesired outcomes. Accordingly, policies must be established for different parameters.
[0003] Furthermore, patterns within the input network data continually evolve, necessitating ongoing policy adjustments for effective anomaly detection. As such, data containing anomalies must not be fed to the ML model. This process can be time-consuming and often requires significant human resources.
[0004] Hence, there is a need for effective solutions for automatically detecting anomalies in Machine Learning (ML) training data within a network.
SUMMARY OF THE INVENTION
[0005] One or more embodiments of the present disclosure provides a method and a system for anomaly detection in a network.
[0006] In one aspect of the present invention, the method for anomaly detection in a network is disclosed. The method includes the step of receiving, by one or more processors, data from one or more Network Functions (NFs) of the network, wherein network functions further may be one or more of Virtual Network Functions (VNFs)/Virtual Network Function Components (VNFCs), Container Network Functions (CNFs)/Container Network Function Components (CNFCs). The method further includes the step of segregating, by the one or more processors, the received data based on one or more features. The method further includes the step of applying, by the one or more processors, one or more policies corresponding to identification of one or more anomalies on the segregated data. The method further includes the step of splitting, by the one or more processors, the segregated data into one of a training dataset and a test dataset. The method further includes the step of training, by the one or more processors, a model utilizing the training dataset to identify trends and patterns within the training dataset. The method further includes the step of evaluating, by the one or more processors, validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset. The method further includes the step of updating, by the one or more processors, the one or more policies based on the evaluation of the validation metrics.
[0007] In another embodiment, the data is one of a raw data and an analyzed data.
[0008] In another embodiment, the one or more features correspond to at least a time of day or a day of week or a day of month.
[0009] In another embodiment, the training dataset is used to train the model, and the test dataset is used to evaluate the model.
[0010] In another embodiment, the model is selected based on a characteristic of the training dataset, desired output, and a task.
[0011] In another embodiment, the validation metrics is at least one of an accuracy and an error of the trained model over the model trained utilizing the test dataset.
[0012] In another embodiment, to update the one or more policies, the method includes the steps of, dynamically detecting, by the one or more processors, the anomaly in an incoming data in real time based on the updated policies. Thereafter, the method includes the step of discarding, by the one or more processors, the data with the anomaly in response to the detection.
[0013] In another embodiment, the method includes the steps of, retraining, by the one or more processors, the model utilizing updated data; wherein the updated data corresponds to the one or more NFs. Thereafter, the method includes the step of updating, by the one or more processors, the one or more policies based on the evaluation of the validation metrics of the trained model and the tested model utilizing the updated dataset.
[0014] In another embodiment, the method includes, monitoring, by the one or more processors, the network performance data to dynamically detect the anomaly within the real time incoming data. Thereafter, forecasting, by the one or more processors, a load in the network based on the network performance data; and managing, by the one or more processors, one or more resources based on the forecasted load in a closed loop action, wherein the closed loop action corresponds to increasing or decreasing the one or more resources based on the forecasted load.
[0015] In another aspect of the present invention, the system for anomaly detection in a network is disclosed. The system includes a receiving unit configured to receive data from the network, where the data pertains to the network performance data from one or more Network Functions (NFs) of the network. Said network functions (NFs) further may be one or more of VNFs/VNFCs, CNFs/CNFCs. The system further includes a segregating unit configured to segregate the received data based on one or more features. The system further includes an application unit configured to apply one or more policies corresponding to identification of one or more anomalies on the segregated data. The system further includes a splitting unit configured to split the segregated data into one of a training dataset and a test dataset. The system further includes a training unit configured to train a model utilizing the training dataset to identify trends and patterns within the training dataset. The system further includes an evaluating unit configured to evaluate validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset. The system further includes an updating unit configured to update the one or more policies based on the evaluation of the validation metrics.
[0016] In yet another aspect of the present invention, a non-transitory computer-readable medium having stored thereon computer-readable instructions that, when executed by a processor. The processor is configured to receive data from one or more Network Functions (NFs) of the network. The processor is further configured to segregate the received data based on one or more features. The processor is further configured to apply one or more policies corresponding to identification of one or more anomalies on the segregated data. The processor is further configured to split the segregated data into one of a training dataset and a test dataset. The processor is further configured to train a model utilizing the training dataset to identify trends and patterns within the training dataset. The processor is further configured to evaluate validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset. The processor is further configured to update the one or more policies based on the evaluation of the validation metrics.
[0017] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0018] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0019] FIG. 1 is an exemplary block diagram of an environment for anomaly detection in a network, according to one or more embodiments of the present invention;
[0020] FIG. 2 is an exemplary block diagram of a system for anomaly detection in the network, according to one or more embodiments of the present invention;
[0021] FIG. 3 is an exemplary architecture of the system of FIG. 2, according to one or more embodiments of the present invention;
[0022] FIG. 4 is an exemplary architecture illustrating the flow for anomaly detection in the network, according to one or more embodiments of the present disclosure;
[0023] FIG. 5 is a flow diagram of a method for anomaly detection in the network, according to one or more embodiments of the present invention; and
[0024] FIG. 6 is a flow chart for anomaly detection in the network, according to one or more embodiments of the present invention.
[0025] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0026] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0027] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0028] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0029] The present invention discloses a system and a method for anomaly detection in a network. More particularly, the system described herein offers a comprehensive approach for identifying anomalies in incoming raw or analysed network data in near real-time. This real-time detection ensures that potential issues are spotted immediately as they occur, allowing for proactive responses and minimizing the impact on network performance. The system is further configured to autonomously adapt anomaly detection policies to continuously learn and adjust detection criteria without requiring manual intervention. This may keep the anomaly detection mechanism up-to-date with changing data patterns, which is crucial in dynamic network environments. Additionally, the system is configured to perform immediate discarding of anomalous data to prevent the training of AI/ML models with potentially noisy or erroneous data, to avoid inaccurate predictions and outcomes.
[0030] Referring to FIG. 1, FIG. 1 illustrates an exemplary block diagram of an environment 100 for anomaly detection in a network, according to one or more embodiments of the present invention. The environment 100 includes a User Equipment (UE) 102, a server 104, a network 106, and a system 108. A user interacts with the system 108 utilizing the UE 102.
[0031] In an embodiment, each of the first UE 102a, the second UE 102b, and the third UE 102c is one of, but not limited to, any electrical, electronic, electromechanical or an equipment and a combination of one or more of the above devices such as smartphones, Virtual Reality (VR) devices, Augmented Reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device.
[0032] The network 106 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof. The network 106 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
[0033] The network 106 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth.
[0034] The environment 100 includes the server 104 accessible via the network 106. The server 104 may include by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, a processor executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof. In an embodiment, the entity may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise side, a defense facility side, or any other facility that provides service.
[0035] The environment 100 further includes the system 108 communicably coupled to the server 104, and the UE 102 via the network 106. The system 108 is adapted to be embedded within the server 104 or is embedded as the individual entity.
[0036] Operational and construction features of the system 108 will be explained in detail with respect to the following figures.
[0037] FIG. 2 is an exemplary block diagram of the system 108 for anomaly detection in the network 106, according to one or more embodiments of the present invention.
[0038] As per the illustrated and preferred embodiment, the system 108 for anomaly detection in the network 106, includes one or more processors 202, a memory 204, and an inventory unit 206. The one or more processors 202, hereinafter referred to as the processor 202, may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions. However, it is to be noted that the system 108 may include multiple processors as per the requirement and without deviating from the scope of the present disclosure. Among other capabilities, the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204.
[0039] As per the illustrated embodiment, the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204 as the memory 204 is communicably connected to the processor 202. The memory 204 is configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed for anomaly detection in the network 106. The memory 204 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
[0040] As per the illustrated embodiment, the inventory unit 206 is configured to store data associated with the operations performed in the network 106. The inventory unit 206 is one of, but not limited to, the Unified Inventory Management (UIM) unit, a centralized database, a cloud-based database, a commercial database, an open-source database, a distributed database, an end-user database, a graphical database, a No-Structured Query Language (NoSQL) database, an object-oriented database, a personal database, an in-memory database, a document-based database, a time series database, a wide column database, a key value database, a search database, a cache database, and so forth. The foregoing examples of inventory unit 206 types are non-limiting and may not be mutually exclusive e.g., the database can be both commercial and cloud-based, or both relational and open-source, etc.
[0041] In one embodiment, the inventory unit 206, such as, a Unified Inventory Management (UIM) unit is a standard based telecommunications inventory management application that enables users to model and manage customers, services, and resources. The UIM unit serves as the backbone of the network 106. The inventory unit 206 stores the logical and physical inventory data of every asset, device, node, and application. In particular, the inventory unit 206 serves as a central repository for storing customer related information. The customer related information includes at least one of, but not limited to, a name, an address, a location, a mobile number, subscription plans and a number of customers in the network 106.
[0042] As per the illustrated embodiment, the system 108 includes the processor 202 to detect anomaly in the network 106. The processor 202 includes a receiving unit 208, a segregating unit 210, an application unit 212, a splitting unit 214, a training unit 216, an evaluating unit 218, an updating unit 220, a detecting unit 222, and a retraining unit 224. The processor 202 is communicably coupled to the one or more components of the system 108 such as the memory 204 and the inventory unit 206. In an embodiment, operations and functionalities of the receiving unit 208, the segregating unit 210, the application unit 212, the splitting unit 214, the training unit 216, the evaluating unit 218, the updating unit 220, and the detecting unit 222, and the retraining unit 224, and the one or more components of the system 108 are used in combination or interchangeably.
[0043] In an embodiment, the receiving unit 208 of the processor 202 is configured to receive data from the network 106, where the data pertains to the network performance data from one or more network functions (NFs) of the network 106. Said network functions (NFs) further may be one or more of VNFs/VNFCs, CNFs/CNFCs. In an embodiment, the data is at least one of, raw network data and analyzed network data where said raw network data and analyzed network data are standardized and pre-processed to ensure consistency, making it easier to analyze and compare. This data serves as foundational input for further analysis or particularly as a training dataset for an artificial intelligence/machine learning model.
[0044] In particular, network data corresponds to at least one of, but is not limited to, network performance data, which is essential for assessing the quality and efficiency of a network. The network performance data encompasses various metrics that provide insights into how well the network is functioning from the perspective of users and applications. The raw network data consists of unprocessed information collected directly from the network functions, which may include metrics such as bandwidth, latency, packet loss, jitter, and error rates.
[0045] The bandwidth refers to maximum rate at which data can be transmitted over the network. It is a critical measure of network capacity and is often expressed in bits per second (bps). High bandwidth indicates that a network can handle a large amount of data traffic simultaneously, which is essential for applications requiring significant data transfer, such as video streaming or large file downloads.
[0046] The latency measures the time it takes for data to travel from the source to the destination. It is usually expressed in milliseconds (ms). Low latency is crucial for real-time applications, such as online gaming or video conferencing, where delays can significantly impact user experience.
[0047] The packet loss indicates the percentage of packets that are lost during transmission. High packet loss can lead to degraded performance and is often a sign of network congestion or hardware issues.
[0048] The jitter refers to the variability in packet arrival times. It is particularly important for applications that require a steady stream of data, such as VoIP (Voice over Internet Protocol) calls. High jitter can result in choppy audio or video.
[0049] The error rates track the number of errors that occur during data transmission. High error rates can indicate problems with network hardware or interference in wireless networks.
[0050] The analyzed network performance data provides insights derived from the raw data, highlighting trends, patterns, and potential issues within the network. This capability is vital for maintaining high levels of service quality and ensuring that any anomalies or performance degradations are promptly addressed.
[0051] In an alternate embodiment, the receiving unit 208 of the processor 202 is configured to receive data from the inventory unit 206. For example, the inventory unit 206 may contain analyzed network data pertaining to the network 106. The data pertaining to the operation of the network 106 is extracted and stored in the inventory unit 206. Thereafter, the receiving unit 208 receives the analyzed data pertaining to the operation of the network 106 from the inventory unit 206.
[0052] In one embodiment, the receiving unit 208 may utilize data aggregation techniques such as packet sniffing techniques to capture data packets as they traverse the network. This allows the unit to analyze traffic from multiple NFs simultaneously, providing insights into network performance and behavior.
[0053] In another embodiment, the receiving unit 208 may utilize flow monitoring techniques to aggregate data that flows from the various NFs. This method helps in understanding traffic patterns and identifying bottlenecks or anomalies in the network.
[0054] In another embodiment, the receiving unit 208 may utilize message queuing protocols like MQTT or AMQP to receive data from the NFs. These protocols allow for asynchronous communication, where messages can be sent and stored until the receiving unit is ready to process them, ensuring that no data is lost during peak loads.
[0055] In an alternate embodiment, the receiving unit 208 may utilize an event-driven architecture where the NFs send notifications or alerts when specific events occur. This technique allows the receiving unit 208 to react promptly to changes in the network, such as security breaches or performance issues. In an alternate embodiment, the receiving unit 208 may leverage network telemetry techniques to continuously monitor and collect data from the NFs. This involves using protocols like ICMP for status messages or SNMP for network management, enabling real-time insights into network health and performance. In an alternate embodiment, the receiving unit 208 may use Direct API Calls to interact with the NFs through RESTful APIs, allowing for direct data requests and responses. This method is particularly useful for integrating various services and ensuring that the receiving unit can access the latest data as needed.
[0056] In an embodiment, the segregating unit 210 of the processor 202 is configured to receive data based on one or more features that are significant for analysis. The segregating unit 210 of the processor 202 is configured to eliminate the recursive features and retain only the most relevant features for analysis. Further, the segregating unit 210 is configured to ensure the retrieval of significant data by performing statistical testing, feature selection models, data preprocessing, performance metrics, and the like. These features may include at least one of, but are not limited to, a time of day, a day of week, or a day of month; these are significant because they are the most relevant features for the data.
[0057] The time of day allows the segregating unit 210 to categorize data based on specific hours, which can be critical for applications that depend on time-sensitive information, such as traffic patterns, user activity, or system performance.
[0058] The day of week allows the segregating unit 210 to differentiate between weekdays and weekends, which often exhibit different behaviors in various contexts, such as retail sales, website traffic, or service usage.
[0059] The day of month helps in identifying trends or patterns that occur on specific dates, such as monthly billing cycles, seasonal promotions, or recurring events.
[0060] To create meaningful input features for the model, the data collected by the segregating unit 210 may undergo a process known as feature engineering. This process involves the extraction of relevant information from raw data. The raw data may include timestamps, user interactions, system logs, or any other relevant information. The raw data received from various sources often contains a wealth of information, but not all of it is useful for analysis. Feature engineering focuses on extracting relevant features that can enhance the model's performance. For instance, from a timestamp, the segregating unit 210 can derive the hour, day of the week, and whether it falls on a holiday.
[0061] In an embodiment, the application unit 212 of the processor 202 is configured to apply one or more policies corresponding to the identification of one or more anomalies within the segregated data. This process begins with the analysis of the segregated data, followed by the application of the relevant policies for identifying these anomalies. For example, in the case of a financial transaction processing system, the application unit 212 of the processor is configured to apply policies to identify and respond to anomalies in transaction data, which includes at least the three steps mentioned below. In the first step, the segregating unit first analyzes transaction data and segregates it based on features such as transaction amount, frequency, geographical location, and transaction type. In the second step, the system identifies an anomaly, such as a sudden spike in transactions from a specific account that exceeds typical spending patterns. In the third step, upon detecting this anomaly, the application unit applies a predefined policy, such as temporarily freezing the account and flagging the transactions for further investigation. This policy might include notifying the account holder to confirm if the transactions were authorized. It is important to note that the policies refer to predefined rules or guidelines that dictate how the data should be evaluated for anomalies. They may include thresholds for acceptable behavior, patterns of normal operation, or specific indicators that signal potential issues. The data is labeled with a target variable, specifically the identification of anomalies, which is achieved through the application of the one or more policies.
[0062] In an embodiment, the application unit 212 may utilize machine learning models or statistical methods to assess the segregated data against these policies. When the data exhibits characteristics that align with the definitions of anomalies set forth by the policies, it is flagged for further information. Said machine learning models or statistical methods for assessing the segregated data, are crucial for maintaining the integrity and security of the network, as it enables the early detection of potential threats or operational failures. Moreover, the application unit 212 may continuously update and refine these policies based on new data and insights gained from previous anomaly detections. This adaptive approach ensures that the system 108 remains effective in identifying anomalies as network conditions and threats evolve over time. By leveraging the labeled data and applying the appropriate policies, the application unit 212 plays a vital role in enhancing the overall performance and reliability of the network 106.
[0063] In an embodiment, the splitting unit 214 is configured to split the segregated data into one of a training dataset and a test dataset. It is important to note that the splitting unit 214 is designed to take a set of data that is segregated based on one or more features and divide it into two distinct subsets: a training dataset and a test dataset. This division is essential for building robust machine learning models. The training dataset is the portion of the data used to train the machine learning model. This contains examples that the model learns from, adjusting its parameters to minimize error and improve accuracy. Typically, this dataset comprises a larger portion of the overall data, allowing the model to generalize better. The test dataset is used to evaluate the model's performance after training. This dataset is crucial for assessing how well the model can make predictions on unseen data. It acts as a benchmark to measure the model's accuracy, precision, recall, and other performance metrics.
[0064] In an embodiment, the training unit 216 is configured to train a model utilizing the training dataset to identify trends and patterns within that dataset. The training data is essential for training the selected model. During this training process, the model learns the underlying patterns and relationships between the input features that may include threshold values for different parameters and the target variable such as anomaly detection based on current policy.
[0065] The training unit 216 is responsible for core function of training the machine learning model, enabling it to learn and adapt by identifying trends and patterns within the data. The model is selected based on a characteristic of the training dataset, desired output, and a task. This process involves several key activities, such as feature extraction and learning relationships. In feature extraction, the model identifies important features or attributes in the data that contribute to making predictions. In learning relationships, the model learns how different features relate to each other and how they correlate with the output labels. This understanding is crucial for various tasks, such as regression, where the model predicts continuous values, or classification, where it predicts discrete categories.
[0066] In an embodiment, the evaluating unit 218 is configured to evaluate validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset. The validation metrics 218 is at least one of an accuracy and an error of the trained model over the model trained utilizing the test dataset. After training, the model's performance is assessed using the testing dataset. Common evaluation metrics might include accuracy and precision, depending on the specific goals.
[0067] In an embodiment, the updating unit 220 is configured to update one or more policies by analyzing evaluation results of the validation metrics. These metrics are critical indicators of a model’s performance, providing insights into how well the model performs on validation data, which is separate from the training and test datasets. These validation metrics are quantitative measures used to assess effectiveness of the trained model. In an exemplary embodiment, common validation metrics include:
Accuracy: The proportion of correct predictions made by the model.
Precision: The ratio of true positive predictions to the total predicted positives, indicating the model's ability to avoid false positives.
Recall: The ratio of true positive predictions to the total actual positives, reflecting the model's ability to identify relevant instances.
F1 Score: The harmonic mean of precision and recall, providing a balance between the two.
AUC-ROC: Area Under the Receiver Operating Characteristic Curve, which evaluates the trade-off between true positive rate and false positive rate.
[0068] By evaluating these metrics, the updating unit can determine the effectiveness of the trained model in achieving its intended objectives. The trained model is deemed sufficiently effective when the evaluation findings indicate that the established thresholds for the validation metrics (e.g., accuracy, precision, recall, F1 score, etc.) are fulfilled. These cutoff points are usually established by reference to performance benchmarks or domain requirements.
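An added example (not code from the application) of the threshold check in paragraphs [0067] and [0068]: two models reach the same accuracy on a validation set where anomalies are rare, but only one detects anything, so the gate checks every metric against its minimum. The labels, scores, minimum values and function names are constructed for illustration.

```python
"""Added example: validation metrics and a threshold gate for a binary
anomaly classifier. Labels: 1 = anomaly, 0 = normal."""


def confusion(y_true, y_pred):
    """Return (tp, fp, fn, tn) for binary labels."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)
    tn = sum(1 for t, p in pairs if t == 0 and p == 0)
    return tp, fp, fn, tn


def auc_roc(y_true, scores):
    """AUC as the chance that a random anomaly scores above a random
    normal sample; a tie counts as half a win."""
    pos = [s for t, s in zip(y_true, scores) if t == 1]
    neg = [s for t, s in zip(y_true, scores) if t == 0]
    if not pos or not neg:
        raise ValueError("AUC-ROC needs both classes in the validation data")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0
               for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def validation_metrics(y_true, scores, cutoff=0.5):
    """Compute the five metrics for scores thresholded at `cutoff`."""
    y_pred = [1 if s >= cutoff else 0 for s in scores]
    tp, fp, fn, tn = confusion(y_true, y_pred)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = (2 * precision * recall / (precision + recall)
          if precision + recall else 0.0)
    return {
        "accuracy": (tp + tn) / len(y_true),
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "auc_roc": auc_roc(y_true, scores),
    }


def failed_thresholds(metrics, thresholds):
    """Names of the metrics that fall below their required minimum."""
    return sorted(name for name, minimum in thresholds.items()
                  if metrics[name] < minimum)


# Constructed validation set: 18 normal samples followed by 2 anomalies.
Y_TRUE = [0] * 18 + [1] * 2
# Model A never raises its score, so it never flags anything.
SCORES_A = [0.1] * 20
# Model B flags both anomalies and two normal samples.
SCORES_B = [0.1] * 16 + [0.7, 0.7] + [0.9, 0.6]
# Assumed minimums standing in for the "established thresholds".
THRESHOLDS = {"accuracy": 0.85, "precision": 0.4, "recall": 0.9,
              "f1": 0.6, "auc_roc": 0.9}

if __name__ == "__main__":
    for name, scores in (("A", SCORES_A), ("B", SCORES_B)):
        m = validation_metrics(Y_TRUE, scores)
        print(name, m, "fails:", failed_thresholds(m, THRESHOLDS))
```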
[0069] In an embodiment, the detecting unit 222 is configured to continuously detect incoming data based on updated policies and dynamically assess them for anomalies. Anomalies are defined as data points that deviate significantly from expected patterns, potentially indicating issues such as fraud, system failures, or unexpected behavior in the data. The detecting unit 222 is designed to detect anomalies in real-time based on updated policies, allowing it to discard any data identified as anomalous upon detection. The term "dynamically detect" implies that the detecting unit 222 operates in real-time, enabling it to analyze data as it arrives. This capability is crucial for timely responses to anomalies, which can help prevent further complications.
[0070] The detection process involves real-time analysis, where the detecting unit 222 processes each incoming data point immediately, comparing it against established norms or expected patterns defined by the updated policies. The effectiveness of the anomaly detection heavily relies on these updated policies, which govern what constitutes an anomaly. These policies are shaped by ongoing analysis of validation metrics, ensuring that the detection models remain aligned with the latest data trends and operational requirements.
[0071] In an embodiment, a retraining unit 224 is configured to retrain the model using updated data, where the updated data corresponds to the one or more NFs. The retraining unit 224 is designed to enhance the machine learning model by incorporating the updated data, ensuring that the model remains effective and relevant to the current dataset and operational environment. The machine learning process is often iterative: it continuously collects new data, periodically retrains the model, and refines its predictions over time to adapt to changing network conditions and requirements.
[0072] In an embodiment, the retraining unit 224 may perform steps which include:
Data Preparation: Before retraining, the updated data must be cleaned, preprocessed, and organized. This step involves handling missing values, normalizing data, and selecting relevant features to ensure the model learns effectively.
Model Selection: Depending on the nature of the updated data and the task at hand, the retraining unit may decide to use the same model architecture or explore different algorithms that better suit the updated dataset.
Training the Model: The model is then trained on the updated dataset. This involves feeding the data into the model, allowing it to adjust its parameters and learn from the new information. Various techniques, such as cross-validation, may be employed to ensure that the model generalizes well to unseen data.
Evaluation: After retraining, the model’s performance is evaluated using validation metrics. This step helps assess whether the model has improved and if it is performing optimally with the updated data.
Deployment: Once the retrained model meets performance benchmarks, it can be deployed for operational use, effectively replacing or supplementing the previous model.
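An added example (not the application's implementation) of the detecting unit 222 and the retraining unit 224 working together: each incoming value is judged against the current policy, discarded values are quarantined, and the policy is refit on retained data. The median/MAD policy, the window sizes, the "escalate" verdict for sustained discards and all sample values are assumptions made for illustration.

```python
"""Added example: real-time detection with discard, retraining on retained
data, and escalation when discards become sustained."""
from collections import deque
from statistics import median


class StreamingDetector:
    def __init__(self, baseline, k=5.0, window=10, retrain_every=5,
                 recent=8, max_discard_ratio=0.5, min_mad=1.0):
        self.k = k
        self.min_mad = min_mad                        # floor for a flat baseline
        self.window = deque(baseline, maxlen=window)  # retained, clean data
        self.retrain_every = retrain_every
        self.recent = deque(maxlen=recent)            # True = judged anomalous
        self.max_discard_ratio = max_discard_ratio
        self.quarantine = []                          # discarded points, kept for review
        self.accepted = 0
        self.retrain()

    def retrain(self):
        """Refit the policy (center and limit) on the retained window."""
        values = list(self.window)
        self.center = median(values)
        mad = median(abs(v - self.center) for v in values)
        self.limit = self.k * max(mad, self.min_mad)

    def observe(self, value):
        """Judge one incoming point: 'accept', 'discard' or 'escalate'."""
        anomalous = abs(value - self.center) > self.limit
        self.recent.append(anomalous)
        if anomalous:
            self.quarantine.append(value)
            full = len(self.recent) == self.recent.maxlen
            ratio = sum(self.recent) / len(self.recent)
            # Sustained discards mean the norm itself may have moved. The
            # detector cannot learn that on its own, because it never
            # retains what it discards, so the decision goes to an operator.
            if full and ratio > self.max_discard_ratio:
                return "escalate"
            return "discard"
        self.window.append(value)
        self.accepted += 1
        if self.accepted % self.retrain_every == 0:
            self.retrain()
        return "accept"


def run(baseline, stream):
    """Feed a stream through a fresh detector; return it with the verdicts."""
    detector = StreamingDetector(baseline)
    return detector, [detector.observe(v) for v in stream]


# Constructed latency values in milliseconds: a stable baseline, a slow
# drift, one spike, then a lasting shift to a new level.
BASELINE = [20, 21, 19, 20, 22, 18, 20, 21, 19, 20]
STREAM = [22, 23, 24, 24, 25] + [90] + [60] * 6

if __name__ == "__main__":
    det, verdicts = run(BASELINE, STREAM)
    print(verdicts)
    print("center", det.center, "limit", det.limit, "quarantine", det.quarantine)
```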
[0073] FIG. 3 illustrates an exemplary architecture for the system 108, according to one or more embodiments of the present invention. More specifically, FIG. 3 illustrates the system 108 for anomaly detection in the network 106. It is to be noted that the embodiment with respect to FIG. 3 will be explained with respect to the NFs 302 for the purpose of description and illustration and should nowhere be construed as limited to the scope of the present disclosure.
[0074] FIG. 3 shows communication between the NFs 302 and the system 108. For the purpose of description of the exemplary embodiment as illustrated in FIG. 3, the NFs 302 use a network protocol connection to communicate with the system 108. In an embodiment, the network protocol connection is the establishment and management of communication between the NFs 302 and the system 108 over the network 106 (as shown in FIG. 1) using a specific protocol or set of protocols. The network protocol connection includes, but is not limited to, Session Initiation Protocol (SIP), System Information Block (SIB) protocol, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Network Management Protocol (SNMP), Internet Control Message Protocol (ICMP), Hypertext Transfer Protocol Secure (HTTPS) and Terminal Network (TELNET).
[0075] In an embodiment, the NFs 302 are essential components within the network 106 that perform specific tasks related to data processing, transmission, and management. These NFs 302 are integral to the operation of the networks, providing essential services that enhance performance, security, and resource management. The NFs can be either hardware-based or software-based.
[0076] In an embodiment, the NFs 302 may include hardware components such as routers, switches, firewalls, access points, and servers, as well as software components such as network operating systems, protocols, and network management software. They are responsible for various functionalities, including firewalls, load balancers, intrusion detection systems (IDS), and routers and switches.
[0077] The firewalls protect the network by monitoring and controlling incoming and outgoing traffic based on predetermined security rules. The load balancers distribute network or application traffic across multiple servers to ensure that no single server becomes overwhelmed, enhancing performance and reliability. The IDS monitor network traffic for suspicious activity and potential threats, alerting administrators to possible security breaches. The routers and switches direct data packets between devices on a network, ensuring efficient data flow and connectivity.
[0078] In accordance with the exemplary embodiment, let us assume that the inventory unit 206 is hosted on the server 104. The inventory unit 206 is configured to store all the data received from the NFs 302. Furthermore, the receiving unit 208 is configured to receive data stored in the inventory unit 206. Upon receiving the data, it is segregated, and one or more policies are applied to split the data into a training dataset and a test dataset. Thereafter, the training dataset is utilized to train the model, and the one or more processors evaluate validation metrics based on a comparison of the trained model with a model trained using the test dataset. Finally, the one or more processors update the policies based on the evaluation of the validation metrics.
[0079] As mentioned earlier in FIG. 2, the system 108 includes the processors 202, the memory 204, and the inventory unit 206, for managing operations in the network 106, which are already explained in FIG. 2. For the sake of brevity, a similar description related to the working and operation of the system 108 as illustrated in FIG. 2 has been omitted to avoid repetition.
[0080] Further, as mentioned earlier the processor 202 includes the receiving unit 208, the segregating unit 210, the application unit 212, the splitting unit 214, the training unit 216, the evaluating unit 218, and the updating unit 220, which are already explained in FIG. 2. Hence, for the sake of brevity, a similar description related to the working and operation of the system 108 as illustrated in FIG. 2 has been omitted to avoid repetition. The limited description provided for the system 108 in FIG. 3, should be read with the description provided for the system 108 in the FIG. 2 above, and should not be construed as limiting the scope of the present disclosure.
[0081] FIG. 4 is an architecture illustrating the flow for anomaly detection in the network, according to one or more embodiments of the present disclosure.
[0082] In one embodiment, the architecture 400 includes NFs 302, a data integration unit 402, a data preprocessing unit 404, a data lake 406, a model training unit 408, a prediction unit 410, an artificial intelligence (AI)/machine learning (ML) model 412, and a user interface 414.
[0083] Initially, the NFs 302, which analyze different types of network performance data, transmit the data to the data integration unit 402. Herein, the data integration unit 402 is configured to receive and store the data pertaining to the particular operation in the data lake 406 for future analysis and retrieval.
[0084] The data preprocessing unit 404 is configured to prepare the data for analysis. This involves several key functions, including combining data from various sources as needed and splitting the data into training and testing sets. The data preprocessing unit 404 is responsible for data definition, which establishes the structure and format of the data, as well as data normalization, which ensures that the data is on a consistent scale.
[0085] Additionally, the data preprocessing unit 404 performs data cleaning, which includes removing redundant data and addressing missing values such as NaN values. This process is crucial for enhancing the quality of the dataset, as it helps to identify and correct errors, eliminate inconsistencies, and ensure that the data is suitable for further analysis. By effectively preparing the data, the data preprocessing unit 404 enables more accurate and reliable outcomes in subsequent analytical processes.
[0086] The data lake 406 is a distributed database used to store the processed data and model outputs in a highly scalable and flexible manner. Unlike traditional databases that often require structured data, the data lake 406 can accommodate both structured and unstructured data, allowing for greater versatility in data storage and management. The ability of the data lake 406 to handle diverse data types, together with its scalability and integration with analytics tools, makes it an essential resource for organizations looking to leverage data for informed decision-making and strategic initiatives.
[0087] The model training unit 408 is responsible for training the model using the gathered data to discover patterns and connections between different variables. This process involves utilizing the training data, which is a subset of the data, ensuring that the model is exposed to a diverse range of scenarios and relationships. During the training phase, the selected model utilizes various algorithms to analyze the training data, learning from the information provided through an iterative process. Each iteration involves adjusting the model’s internal parameters to minimize prediction errors and enhance accuracy, thereby allowing the model to identify significant correlations and dependencies among the variables. This capability is essential for the model to generalize well and make accurate predictions on new, unseen data based on the patterns learned during training. Furthermore, the model training unit 408 continually evaluates its performance using validation techniques, ensuring that the model not only fits the training data but also maintains robustness and effectiveness in real-world applications.
[0088] The prediction unit 410 is crucial for automated anomaly detection in incoming data streams. Said real-time streaming data are continuously generated data that are processed and analyzed immediately as they arrive, rather than being stored for later processing. Further, the real-time streaming data helps in the immediate identification of unusual patterns or behaviors that could indicate issues such as fraud, system failures, or security breaches.
[0089] Said prediction unit 410 is designed to continuously monitor and analyze incoming data in real time, identifying any irregularities or deviations from expected patterns. The prediction unit 410 employs advanced models to detect anomalies automatically, where anomalies are defined as data points that significantly deviate from the established norms or patterns identified during the model training phase. By implementing real-time monitoring, the prediction unit 410 can quickly identify and flag any anomalous data, ensuring that only accurate and reliable information is processed further. Upon detecting anomalies, the prediction unit 410 can automatically discard these data points to maintain the integrity of the dataset, helping to prevent skewed results that could arise from erroneous or outlier data. The prediction unit 410 operates under a "go policy," meaning it continuously evaluates incoming data and makes immediate decisions about which data to keep and which to discard based on its anomaly detection models. Additionally, the prediction unit 410 is not static; it adapts to changing data patterns over time. As new data flows in, the prediction unit 410 assesses the evolving trends and adjusts its detection models and policies accordingly. This dynamic capability ensures that the prediction unit 410 remains effective in identifying anomalies as data patterns shift. Furthermore, in the prediction unit 410, the trained model forecasts results based on the learned patterns.
[0090] The AI/ML model 412 is configured to execute a variety of models that facilitate predictive tasks, anomaly detection, and the generation of AI-driven outputs using Large Language Models (LLMs). The primary function of the AI/ML model 412 revolves around analyzing both network data and operational data, leveraging sophisticated machine learning techniques for comprehensive and in-depth analysis. This includes the implementation of various models tailored for specific tasks, such as classification, regression, and clustering, thereby enhancing the model’s ability to understand and interpret complex datasets.
[0091] Furthermore, integration of the user interface 414 allows users to interact with the AI/ML model 412 effectively. This provides a platform for the users to visualize the data, monitor the AI/ML model's outputs, and gain insights from the analyses performed. Through intuitive design and functionality, the user interface 414 facilitates seamless communication between the user and the AI/ML model 412, empowering users to make informed decisions based on data-driven insights.
[0092] FIG. 5 is a flow diagram of a method 500 for anomaly detection in the network 106, according to one or more embodiments of the present invention. For the purpose of description, the method 500 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
[0093] At step 502, the method 500 includes the step of receiving data from the one or more NFs 302 of the network 206. In one embodiment, the receiving unit 208 obtains data pertaining to the operation of the network 106 from the inventory unit 206, which itself receives data from the one or more NFs. For example, the receiving unit 208 collects data from a network data analytics function that is responsible for analyzing network performance metrics. The data may consist of raw data, which includes metrics such as signal strength, latency, and throughput. Alternatively, the data may be analyzed data, which comprises metrics derived from the raw data, such as trends in network usage, identification of potential bottlenecks, or alerts regarding unusual traffic patterns that could indicate a network anomaly.
[0094] At step 504, the method 500 includes the step of segregating the received data based on one or more features. In particular, subsequent to receiving the data from the inventory unit 206, the segregating unit 210 organizes the received data based on features that correspond to at least the time of day, day of the week, or day of the month. For example, after receiving data that includes raw metrics such as signal strength, latency, and throughput, the segregating unit 210 categorizes this information into distinct segments. For instance, it may identify that signal strength is consistently low during weekday mornings (e.g., 8 AM to 10 AM) and high during weekends.
[0095] At step 506, the method 500 includes the step of applying one or more policies corresponding to identification of one or more anomalies on the segregated data. For example, suppose the segregating unit 210 has categorized network performance data and identified a consistent pattern of unusually high latency during weekday afternoons. Upon detecting this anomaly, the system can apply specific policies designed to address such issues. For instance, one policy might trigger an automatic bandwidth allocation adjustment, reallocating resources to alleviate the congestion causing the latency spike. Another policy may involve sending alerts to network operators to investigate potential underlying causes, such as a malfunctioning router or an unexpected increase in user traffic due to a special event in the area.
[0096] At step 508, the method 500 includes the step of splitting the segregated data into one of a training dataset and a test dataset. The training dataset is used to train the model and the test dataset is used to evaluate the model. For example, the segregating unit 210 splits the data, allocating 80% of the data to the training dataset and the remaining 20% to the test dataset. The training dataset is then used to train the model, allowing it to learn patterns and relationships within the data, such as how different factors affect network performance. Meanwhile, the test dataset serves as an independent evaluation tool, enabling network operators to assess the model's accuracy and generalization capabilities by predicting outcomes based on unseen data.
[0097] At step 510, the method 500 includes the step of training the model utilizing the training dataset to identify trends and patterns within the training dataset. For example, consider a scenario where the training dataset consists of network performance metrics, including signal strength, latency, and throughput, collected over several months. During the training phase, the model analyzes this dataset to learn how different factors influence network performance. For instance, it might identify that latency tends to increase during peak usage hours, such as weekday evenings, or that signal strength is often lower in certain geographic areas. The model uses algorithms to process the data, adjusting its parameters to minimize prediction errors based on the observed patterns. As the training progresses, the model becomes adept at recognizing these trends, allowing it to predict future network performance under similar conditions. For example, if the model has learned that high traffic on Fridays leads to increased latency, it can forecast potential performance issues for upcoming Fridays, enabling network operators to take proactive measures to mitigate these effects.
[0098] At step 512, the method 500 includes the step of evaluating validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset. For example, after training the model using the training dataset, the next step is to evaluate its performance using the test dataset. Suppose the trained model is designed to predict network latency based on various input features such as time of day, user load, and geographic location. To evaluate the model, the processor may calculate several validation metrics, such as Mean Absolute Error (MAE), Root Mean Squared Error (RMSE), and R-squared (R²). For instance, after running the model on the test dataset, the processor may find that the MAE is 5 milliseconds, indicating that, on average, the model's predictions deviate from the actual latency values by 5 milliseconds. The RMSE might be calculated as 7 milliseconds, which provides insight into the model's performance by penalizing larger errors more significantly.
[0099] By comparing these validation metrics with those obtained from another model trained on the same test dataset, the processors can assess which model performs better. For example, if the alternative model has a higher MAE of 10 milliseconds, it would be clear that the first model is more effective at predicting network latency.
[00100] Thereafter, at step 514, the method 500 includes the step of updating the one or more policies based on the evaluation of the validation metrics. For example, after evaluating the performance of the trained model using the test dataset, suppose the validation metrics indicate that the model struggles with accurately predicting network latency during peak usage hours. Specifically, the Mean Absolute Error (MAE) is significantly higher (e.g., 12 milliseconds) during these periods compared to off-peak times (e.g., 4 milliseconds). Based on these evaluation results, the processor decides to update the existing policies regarding network management, such as policy adjustment for traffic management, dynamic resource allocation policy, alerting and investigation policy.
[00101] The policy adjustment for traffic management involves setting a policy that allocates a higher bandwidth to essential services, such as video conferencing or online gaming, when the model predicts high latency.
[00102] The dynamic resource allocation policy involves updating the resource allocation policy to allow for dynamic scaling of network resources. For example, during identified peak times, the system 108 may automatically provision additional bandwidth or even activate backup servers to handle increased traffic.
[00103] The alerting and investigation policy involves creating an alerting policy that triggers notifications for the network management team. This policy may include real-time alerts when latency predictions exceed a predetermined threshold, prompting immediate investigation and remediation efforts.
[00104] The user communication policy involves sending alerts or notifications to users during peak times, managing their expectations and potentially advising on alternative connection options.
[00105] By updating these policies based on the insights gained from the validation metrics, network operators can enhance the performance and reliability of the network, ultimately improving the user experience during critical times.
[00106] FIG. 6 is a flow chart 600 for anomaly detection in the network 106, according to one or more embodiments of the present invention.
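Steps 504 to 514 of method 500, run end to end on constructed latency records, as an added example that is not code from the application. The per-segment mean as the model, the 250 ms policy limit, the 8 ms MAE limit, the peak-hour band and the "alert_operator" policy change are assumptions; the test rows are chosen so the peak segment reproduces the 12 ms versus 4 ms MAE contrast from paragraph [00100].

```python
"""Added example: steps 504 to 514 of method 500 on constructed latency data."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import sqrt

PEAK_HOURS = range(18, 22)  # assumption: 18:00-21:59 is the peak band


def segment_key(ts):
    """Step 504 features: day of the week and time of day."""
    day = "weekend" if ts.weekday() >= 5 else "weekday"
    band = "peak" if ts.hour in PEAK_HOURS else "off_peak"
    return (day, band)


def segregate(records):
    """Group (timestamp, latency_ms) records by segment, oldest first."""
    segments = defaultdict(list)
    for ts, latency in sorted(records):
        segments[segment_key(ts)].append((ts, latency))
    return dict(segments)


def apply_policy(rows, policy):
    """Step 506: separate rows that breach the segment's anomaly policy."""
    kept = [r for r in rows if r[1] <= policy["max_latency_ms"]]
    flagged = [r for r in rows if r[1] > policy["max_latency_ms"]]
    return kept, flagged


def split(rows, train_percent=80):
    """Step 508: chronological split, so the test rows are unseen later data."""
    cut = len(rows) * train_percent // 100
    return rows[:cut], rows[cut:]


def train(rows):
    """Step 510: the 'model' here is the segment's mean latency."""
    return sum(latency for _, latency in rows) / len(rows)


def evaluate(prediction, rows):
    """Step 512: MAE and RMSE of the prediction on the test rows."""
    errors = [latency - prediction for _, latency in rows]
    mae = sum(abs(e) for e in errors) / len(errors)
    rmse = sqrt(sum(e * e for e in errors) / len(errors))
    return {"mae": mae, "rmse": rmse}


def run_method_500(records, policies, mae_limit_ms):
    """Run steps 504-514; return (models, report, updated policies, flagged)."""
    models, report, updated, flagged_all = {}, {}, {}, []
    for key, rows in segregate(records).items():
        kept, flagged = apply_policy(rows, policies[key])
        flagged_all.extend(flagged)
        train_rows, test_rows = split(kept)
        models[key] = train(train_rows)
        report[key] = evaluate(models[key], test_rows)
        # Step 514: where the model is inaccurate, stop acting automatically
        # on its output and send breaches to an operator instead.
        untrusted = report[key]["mae"] > mae_limit_ms
        action = "alert_operator" if untrusted else policies[key]["on_breach"]
        updated[key] = dict(policies[key], retrain=untrusted, on_breach=action)
    return models, report, updated, flagged_all


# Constructed data: ten weekdays starting Monday 2024-01-01, one peak sample
# (19:00) and one off-peak sample (03:00) per day, plus one 900 ms outlier.
START = datetime(2024, 1, 1)
PEAK_MS = [40, 60, 50, 50, 45, 55, 30, 70, 68, 44]
OFF_PEAK_MS = [20, 22, 18, 20, 21, 19, 20, 20, 26, 18]


def build_records():
    records = [(START + timedelta(days=2, hours=20), 900)]
    for i, (peak_ms, off_ms) in enumerate(zip(PEAK_MS, OFF_PEAK_MS)):
        day = i + 2 * (i // 5)  # skip the weekend between the two weeks
        records.append((START + timedelta(days=day, hours=19), peak_ms))
        records.append((START + timedelta(days=day, hours=3), off_ms))
    return records


RECORDS = build_records()
POLICIES = {key: {"max_latency_ms": 250, "on_breach": "discard"}
            for key in (("weekday", "peak"), ("weekday", "off_peak"))}

if __name__ == "__main__":
    for part in run_method_500(RECORDS, POLICIES, mae_limit_ms=8):
        print(part)
```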
[00107] At step 602, the flow chart 600 includes the steps of the data collection and analysis. In one embodiment, the receiving unit 208 receives data from the network 106, where the data pertains to the network performance data from one or more network functions (NFs) of the network 106. In an embodiment, the data is at least one of raw network data and analyzed network data, where said raw network data and analyzed network data are standardized and preprocessed to ensure consistency, making it easier to analyze and compare. This data serves as foundational input for further analysis or particularly as a training dataset for an artificial intelligence/machine learning model. For example, the receiving unit 208 collects data from a network data analytics function that is responsible for analyzing network performance metrics. The data may consist of raw data, which includes metrics such as signal strength, latency, and throughput. Alternatively, the data may be analyzed data, which comprises metrics derived from the raw data, such as trends in network usage, identification of potential bottlenecks, or alerts regarding unusual traffic patterns that could indicate a network anomaly.
[00108] At step 604, the flow chart 600 includes the step of the data preprocessing, which includes preparing and cleaning the data for analysis, combining data sources as needed, and splitting data for training and testing. The preparation and cleaning of the data may include identifying and eliminating duplicate records and identifying and fixing inconsistent values, such as NaN values. This process is crucial for enhancing the quality of the dataset, as it helps to identify and correct errors, eliminate inconsistencies, and ensure that the data is suitable for further analysis. The step of combining data from various sources is a crucial step in data pre-processing, especially when the target is to create a comprehensive dataset that can provide more insights for the model. The splitting unit 214 is configured to split the segregated data into one of a training dataset and a test dataset. This splitting process is essential for building robust machine learning models. The training dataset is the portion of the data used to train the machine learning model. This contains examples that the model learns from, adjusting its parameters to minimize error and improve accuracy. Typically, this dataset comprises a larger portion of the overall data, allowing the model to generalize better. The test dataset is used to evaluate the model's performance after training. This dataset is crucial for assessing how well the model can make predictions on unseen data. It acts as a benchmark to measure the model's accuracy, precision, recall, and other performance metrics. The data preprocessing step 604 is responsible for data definition, which establishes the structure and format of the data, as well as data normalization, which ensures that the data is on a consistent scale. By effectively preparing the data, the data preprocessing step 604 enables more accurate and reliable outcomes in subsequent analytical processes.
[00109] At step 606, the AI/ML model training includes training a model by utilizing the training dataset to identify trends and patterns within the training dataset. During this training process, the model learns the underlying patterns and relationships between the input features that may include threshold values for different parameters and the target variable such as anomaly detection based on current policy. In this step 606, the training unit 216 is responsible for the core function of training the machine learning model, enabling it to learn and adapt by identifying trends and patterns within the data. The model is selected based on a characteristic of the training dataset, desired output, and a task. This process involves several key activities, such as feature extraction and learning relationships. For example, in feature extraction, the model identifies important features or attributes in the data that contribute to making predictions. In learning relationships, the model learns how different features relate to each other and how they correlate with the output labels. This understanding is crucial for various tasks, such as regression, where the model predicts continuous values, or classification, where it predicts discrete categories.
[00110] At step 608, the data visualization step allows the users to interact with the AI/ML model effectively, where the user can visualize the network performance results that are generated by the trained model. This provides a platform for the users to visualize the data, monitor the AI/ML model's outputs, and gain insights from the analyses performed. Through intuitive design and functionality, the user interface facilitates seamless communication between the user and the AI/ML model, empowering users to make informed decisions based on data-driven insights. The data presentation in the user interface may take different forms, such as line charts, bar graphs, heat maps, and scatter plots, depending on the nature of the data. For instance, time-series data might be best represented through line charts that show trends over time.
[00111] At step 610, the autonomous anomaly detection includes automated anomaly detection in the incoming data, discarding data with anomalies, and changing the policy based on changing data patterns. In step 610, the detecting unit 222 is configured to continuously detect incoming data based on updated policies and dynamically assess it for anomalies. The detecting unit 222 is designed to detect anomalies in real time based on updated policies, allowing it to discard any data identified as anomalous upon detection. The term "dynamically detect" implies that the detecting unit 222 operates in real time, enabling it to analyze data as it arrives. This capability is crucial for timely responses to anomalies, which can help prevent further complications. After detection of the anomaly, the retraining unit 224 retrains the model using updated data. Said retraining unit 224 enhances the machine learning model by incorporating the updated data, ensuring that the model remains effective and relevant to the current dataset and operational environment. Further, the processor changes the policy based on changes in the data pattern. The policy is not static; it changes as data patterns change over time. For example, as new data flows in, the processor assesses the evolving trends and adjusts its detection models and policies accordingly. This dynamic capability ensures that the model remains effective in identifying anomalies as data patterns shift. Furthermore, the trained model forecasts results based on the learned patterns.
[00112] At step 612, the closed loop reporting includes a monitoring step, a forecasting step, and a managing step. Said monitoring step of the closed loop includes monitoring, by one or more processors, the network performance data to dynamically detect the anomaly within the real-time incoming data. For example, a company implements a real-time network security monitoring system using a machine learning model to detect anomalies that could indicate security threats, such as unauthorized access. The forecasting step includes forecasting, by one or more processors, a load in the network based on the network performance data, which involves analyzing historical network performance data to predict future usage patterns. For example, an enterprise network team wants to forecast network load to ensure optimal performance during peak usage times, such as during business hours or major events. Forecasting techniques, such as ARIMA (Auto Regressive Integrated Moving Average) or Exponential Smoothing, are used to model the historical data and predict future loads. The managing step includes managing, by the one or more processors, one or more resources based on the forecasted load in a closed loop action, wherein if there are changes (increasing/decreasing) in one or more resources, a closed-loop reporting action is triggered. This means the system receives feedback about the changes, allowing it to take appropriate actions, such as updating inventory, balancing loads, notifying users, or refreshing the dashboard. For example, a cloud service provider offers a web application that experiences fluctuating traffic levels. To optimize performance and cost, the provider uses a system that forecasts server load and dynamically adjusts resources in a closed-loop manner.
The present invention further discloses a non-transitory computer-readable medium having stored thereon computer-readable instructions. The computer-readable instructions are executed by the processor 202. The processor 202 is configured to receive data from the network, where the data pertains to the network performance data from one or more Network Functions (NFs) of the network. Said network functions (NFs) further may be one or more of VNFs/VNFCs, CNFs/CNFCs. The processor 202 is further configured to segregate the received data based on one or more features. The processor 202 is further configured to apply one or more policies corresponding to identification of one or more anomalies on the segregated data. The processor 202 is further configured to split the segregated data into one of a training dataset and a test dataset. The processor 202 is further configured to train a model utilizing the training dataset to identify trends and patterns within the training dataset. The processor 202 is further configured to evaluate validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset. The processor 202 is further configured to update the one or more policies based on the evaluation of the validation metrics.
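The pipeline recited above (segregate, apply a policy, split, train, evaluate, update), together with the detect-and-discard of step 610 and the forecast-and-manage loop of step 612, as an added Python example that is not code from the application. The per-hour mean ± k·std band used as the policy, the held-out flag rate used as the validation metric, simple exponential smoothing as the forecaster, and all function names, capacity figures and sample values are assumptions; the data is constructed.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed samples: (hour_of_day, load) for one hypothetical NF.
TRAIN = [(9, 200), (9, 210), (9, 190), (9, 205),
         (10, 300), (10, 310), (10, 290), (10, 295)]
TEST = [(9, 215), (9, 195), (10, 305), (10, 285)]
STREAM = [(9, 204), (9, 950), (10, 298), (10, 302)]

def fit_policy(train, k):
    """Segregate by hour, then set a per-hour band of mean +/- k*std."""
    by_hour = defaultdict(list)
    for hour, load in train:
        by_hour[hour].append(load)
    return {h: (mean(v) - k * pstdev(v), mean(v) + k * pstdev(v))
            for h, v in by_hour.items()}

def is_anomaly(policy, hour, load):
    lo, hi = policy.get(hour, (-math.inf, math.inf))  # unseen hour: no rule
    return not lo <= load <= hi

def tune_policy(train, test, k=1.0, step=0.5, k_max=6.0, max_flag_rate=0.05):
    """Validation metric: share of held-out points flagged. Widen until OK."""
    while True:
        policy = fit_policy(train, k)
        rate = sum(is_anomaly(policy, h, x) for h, x in test) / len(test)
        if rate <= max_flag_rate or k >= k_max:
            return policy, k, rate
        k += step

def detect_and_discard(policy, stream):
    flags = [is_anomaly(policy, h, x) for h, x in stream]
    kept = [s for s, f in zip(stream, flags) if not f]
    return kept, [s for s, f in zip(stream, flags) if f]

def forecast_load(loads, alpha=0.5):
    """Simple exponential smoothing, one-step-ahead forecast."""
    level = loads[0]
    for x in loads[1:]:
        level = alpha * x + (1 - alpha) * level
    return level

def manage_resources(forecast, per_instance=100.0, headroom=1.2):
    """Closed-loop action: instances needed to carry the forecast load."""
    return max(1, math.ceil(forecast * headroom / per_instance))

def closed_loop(train, test, stream):
    policy, k, _ = tune_policy(train, test)
    kept, dropped = detect_and_discard(policy, stream)
    forecast = forecast_load([x for _, x in kept])
    return k, dropped, forecast, manage_resources(forecast)

if __name__ == "__main__":
    print(closed_loop(TRAIN, TEST, STREAM))
```

On the constructed stream the 950 sample is discarded and the loop asks for 4 instances; forecasting over the same stream without the discard step would ask for 5.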
[00113] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIGS. 1-6) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[00114] The present disclosure offers a technical advancement by automating anomaly detection and policy adjustments, significantly minimizing manual effort and time needed for maintaining these systems. This automation enhances operational efficiency and enables near real-time identification of anomalies, facilitating prompt corrective actions that reduce impacts on network performance and customer satisfaction. The AI/ML model's ability to autonomously adapt to changing data patterns keeps the system effective without requiring constant manual updates. This not only decreases reliance on human resources for these tasks but also leads to cost savings, allowing staff to focus on more strategic activities. Additionally, the system 108 ensures that the training data for AI/ML models is free from anomalies, resulting in more accurate predictions and insights.
[00115] The present invention offers multiple advantages over the prior art, and those listed above are a few examples that emphasize some of the advantageous features. The listed advantages are to be read in a non-limiting manner.
REFERENCE NUMERALS
[00116] Environment - 100;
[00117] User Equipment (UE) - 102;
[00118] Server - 104;
[00119] Network - 106;
[00120] System - 108;
[00121] Processor - 202;
[00122] Memory - 204;
[00123] Inventory unit - 206;
[00124] Receiving unit - 208;
[00125] Segregating unit - 210;
[00126] Application unit - 212;
[00127] Splitting unit - 214;
[00128] Training unit - 216;
[00129] Evaluating unit - 218;
[00130] Updating unit - 220;
[00131] Detecting unit - 222;
[00132] Retraining unit - 224;
[00133] Network functions - 302;
[00134] Data integration unit - 402;
[00135] Data preprocessing unit - 404;
[00136] Data lake - 406;
[00137] Model training unit - 408;
[00138] Prediction unit - 410;
[00139] AI/ML model - 412;
[00140] User interface (UI) - 414;

Claims

CLAIMS
We Claim
1. A method (500) of anomaly detection in a network (106), the method (500) comprising the steps of: receiving, by one or more processors (202), data from the network (106); segregating, by the one or more processors (202), the received data based on one or more features; applying, by the one or more processors (202), one or more policies corresponding to identification of one or more anomalies on the segregated data; splitting, by the one or more processors (202), the segregated data into one of a training dataset and a test dataset; training, by the one or more processors (202), a model utilizing the training dataset; evaluating, by the one or more processors (202), validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset; and updating, by the one or more processors (202), the one or more policies based on the evaluation of the validation metrics.
2. The method (500) as claimed in claim 1, wherein the data pertains to network performance data from one or more Network Functions (NFs) of the network (106).
3. The method (500) as claimed in claim 1, wherein the data is one of a raw data and an analysed data.
4. The method (500) as claimed in claim 1, wherein the one or more features correspond to at least a time of day or a day of week or a day of month.
5. The method (500) as claimed in claim 1, wherein the training dataset is used to train the model, and the test dataset is used to evaluate the model.
6. The method (500) as claimed in claim 1, wherein the model is selected based on a characteristic of the training dataset, desired output, and a task.
7. The method (500) as claimed in claim 1, wherein the validation metrics is at least one of an accuracy and an error of the trained model over the model trained utilizing the test dataset.
8. The method (500) as claimed in claim 1, wherein based on updating the one or more policies, the method comprises the steps of: dynamically detecting, by the one or more processors (202), the anomaly in an incoming data in real time based on the updated policies; and discarding, by the one or more processors (202), the data with the anomaly in response to the detection.
9. The method (500) as claimed in claim 1, wherein the method (500) comprises the step of: retraining, by the one or more processors (202), the model utilizing updated data; wherein the updated data corresponds to the one or more NFs; and updating, by the one or more processors (202), the one or more policies based on the evaluation of the validation metrics of the trained model and the tested model utilizing the updated dataset.
10. The method (500) as claimed in claim 7, comprising: monitoring, by the one or more processors, the network performance data to dynamically detect the anomaly within the real time incoming data; forecasting, by the one or more processors, a load in the network based on the network performance data; and managing, by the one or more processors, one or more resources based on the forecasted load in a closed loop action, wherein the closed loop action corresponds to increasing or decreasing the one or more resources based on the forecasted load.
11. A system (108) for anomaly detection in a network, the system comprising: a receiving unit (208) configured to receive, data from the network (106); a segregating unit (210) configured to segregate, the received data based on one or more features; an application unit (212) configured to apply, one or more policies corresponding to identification of one or more anomalies on the segregated data; a splitting unit (214) configured to split, the segregated data into one of a training dataset and a test dataset; a training unit (216) configured to train, a model utilizing the training dataset; an evaluating unit (218) configured to evaluate, validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset; and an updating unit (220) configured to update, the one or more policies based on the evaluation of the validation metrics.
12. The system (108) as claimed in claim 1, wherein the data pertains to network performance data from one or more Network Functions (NFs) of the network (106).
13. The system (108) as claimed in claim 11, wherein the data is one of a raw data and an analyzed data.
14. The system (108) as claimed in claim 11, wherein the one or more features correspond to at least a time of day or a day of week or a day of month.
15. The system (108) as claimed in claim 11, wherein the training dataset is used to train the model and the test dataset is used to evaluate the model.
16. The system (108) as claimed in claim 11, wherein the model is selected based on a characteristic of the training dataset, desired output, and a task.
17. The system (108) as claimed in claim 11, wherein the validation metrics is at least one of an accuracy and an error of the trained model over the model trained utilizing the test dataset.
18. The system (108) as claimed in claim 11, comprising a detecting unit (222) configured to: dynamically detect, the anomaly in an incoming data in real time based on the updated policies wherein based on updating the one or more policies; and discard, the data with the anomaly in response to the detection.
19. The system (108) as claimed in claim 11, wherein the system (108) comprising: a retraining unit (224) configured to retrain, the model utilizing updated data; wherein the updated data corresponds to the one or more NFs; and the updating unit (220) configured to update, the one or more policies based on the evaluation of the validation metrics of the trained model and tested model utilizing the updated dataset.
20. The system (108) as claimed in claim 18, wherein the detecting unit is configured to: monitor, network performance data to dynamically detect the anomaly within the real time incoming data; forecast, a load in the network based on the network performance data; and manage, one or more resources based on the forecasted load in a closed loop action, wherein the closed loop action corresponds to increasing or decreasing the one or more resources based on the forecasted load.
21. A non-transitory computer-readable medium having stored thereon computer-readable instructions that, when executed by a processor (202), cause the processor (202) to: receive, data from one or more Network Functions (NFs) (302) of the network (106); segregate, the received data based on one or more features; apply, one or more policies corresponding to identification of one or more anomalies on the segregated data; split, the segregated data into one of a training dataset and a test dataset; train, a model utilizing the training dataset to identify trends and patterns within the training dataset; evaluate, validation metrics based on a comparison of the trained model and a model trained utilizing the test dataset; and update, the one or more policies based on the evaluation of the validation metrics.
PCT/IN2024/051974 2023-10-06 2024-10-06 System and method for anomaly detection in a network Pending WO2025074414A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202321067266 2023-10-06
IN202321067266 2023-10-06

Publications (1)

Publication Number Publication Date
WO2025074414A1 true WO2025074414A1 (en) 2025-04-10

Family

ID=95284277

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2024/051974 Pending WO2025074414A1 (en) 2023-10-06 2024-10-06 System and method for anomaly detection in a network

Country Status (1)

Country Link
WO (1) WO2025074414A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190222601A1 (en) * 2016-07-05 2019-07-18 Palantir Technologies Inc. Network anomaly detection and profiling
CN113051552A (en) * 2019-12-27 2021-06-29 北京国双科技有限公司 Abnormal behavior detection method and device
CN115242600A (en) * 2021-04-23 2022-10-25 北京华为数字技术有限公司 A kind of network abnormality detection method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24874238

Country of ref document: EP

Kind code of ref document: A1