WO2025017658A1 - Method and system for detecting anomalies in a communication network - Google Patents

Info

Publication number
WO2025017658A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
pattern
kpi
determined
processors
Legal status
Pending
Application number
PCT/IN2024/051217
Other languages
French (fr)
Inventor
Aayush Bhatnagar
Ankit Murarka
Gaurav Saxena
Meenakshi Shobharam
Mohit Bhanwria
Vinay Gayki
Durgesh KUMAR
Shashank Bhushan
Aniket Anil Khade
Jugal Kishore Kolariya
Rahul Verma
Gaurav Kumar
Sunil Meena
Kishan Sahu
Zenith KUMAR
Dharmendra Kumar Vishwakarma
Sajal Soni
Sanjana Chaudhary
Avinash Kushwaha
Supriya De
Kumar Debashish
Tilala Mehul
Kothagundla Vinay Kumar
Current Assignee
Jio Platforms Ltd
Original Assignee
Jio Platforms Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design

Definitions

  • the present invention generally relates to communication networks, and more particularly relates to a method and system for detecting anomalies in a communication network.
  • One or more embodiments of the present disclosure provide a system and method for detecting anomalies in a communication network.
  • a method of detecting anomalies in a communication network includes retrieving, by one or more processors, a set of data from the communication network.
  • the set of data includes raw data or aggregated data. Further, the set of data corresponds to enriched New Radio Summary logs (NRSL) data.
  • the method further includes determining a behavioral pattern of Key Performance Indicators (KPIs) utilizing the retrieved set of data.
  • the behavioral pattern of the KPI is determined utilizing data models modelled based on the set of data retrieved from the centralized database.
  • the determined behavioral patterns are stored in a centralized database. Further, the method includes comparing a first pattern with the determined behavioral pattern of KPI.
  • This comparison can include analyzing incoming data for at least one user equipment subscription permanent identifier (SUPI) and at least one user equipment International Mobile Subscriber Identity (IMSI). Further, the incoming data corresponds to data of at least one user equipment subjected to a firmware release or data of a plurality of user equipment operational in a certain region and experiencing a drop in reference signal received power (RSRP). The method further includes identifying a deviation of the first pattern from the determined behavioral pattern of the KPI based on the comparison, and thereby detecting anomalies.
  • a system for detecting anomalies in a communication network includes a retrieving unit configured to retrieve a set of data from a centralized database.
  • the centralized database stores the determined behavioral patterns of the KPI.
  • the system includes a determination unit configured to determine a behavioral pattern of Key Performance Indicators (KPI) utilizing the retrieved set of data.
  • the determination unit is configured to determine the behavioral patterns of the KPI utilizing data models modelled based on the set of data retrieved from the centralized database.
  • the system further includes a comparing unit configured to compare a first pattern with the determined behavioral pattern of the KPI.
  • the first pattern corresponds to a behavioral pattern of KPI determined based on incoming data from at least one user equipment.
  • the incoming data corresponds to data of at least one user equipment subjected to a firmware release, or data of a plurality of user equipment operational in a certain region and experiencing a drop in reference signal received power (RSRP).
  • the system further includes an identification unit configured to identify a deviation of the pattern from the determined behavioral pattern of the KPI based on the comparison, and thereby detecting anomalies.
  • FIG. 1 is an exemplary block diagram of an environment for detecting anomalies in a communication network, according to various embodiments of the present disclosure.
  • FIG. 2 is a block diagram of a system provided in an enterprise system of FIG. 1, according to various embodiments of the present disclosure.
  • FIG. 3 is an example schematic representation of the system of FIG. 1 in which the operations of various entities are explained, according to various embodiments of the present system.
  • FIG. 4 shows a sequence flow diagram illustrating a method for detecting anomalies in a communication network, according to various embodiments of the present disclosure.
  • FIG. 5 shows a flow diagram of a method for detecting anomalies in a communication network, according to various embodiments of the present disclosure.
  • the present invention discloses the system and method for detecting anomalies in a large data network.
  • a change in trend of a dimension or parameter is identified and analysed to detect an anomaly.
  • an end user can analyse the cases for a device, when an experience is suddenly degraded after any firmware release or a Generation NodeB (gNB)/software release.
  • the system also enables detection of sudden fluctuation in the network of a particular region or area by detecting a drop in reference signal received power (RSRP) and thereby enables the user to take an appropriate action.
  • when a value of a particular CRR (call release reason) within a cell starts varying abnormally as compared to the last hour or last day, the variation is detected as an anomaly and operations are alerted.
  • the end user can also analyse cases in which, for any given device Subscription Permanent Identifier (SUPI) or International Mobile Subscriber Identity (IMSI), experience is suddenly degraded after any firmware release or gNB software release when compared to a previous experience summary of a device / SUPI.
  • FIG. 1 illustrates an exemplary block diagram of an environment 100 for detecting anomalies in a communication network 106, according to various embodiments of the present disclosure.
  • the environment 100 comprises a plurality of user equipments (UEs) 102-1, 102-2, …, 102-n.
  • the at least one UE 102-n from the plurality of the UEs 102-1, 102-2, 102-n is configured to connect to an enterprise system 108 via a communication network 106.
  • the UE (102) is operated by an administrator.
  • the UE (102) is operated by a subscriber.
  • the enterprise system 108 is communicatively coupled to a server 104 via the communication network 106.
  • the server 104 can be, for example, but not limited to a standalone server, a server blade, a server rack, a bank of servers, a business telephony application server (BTAS), a server farm, a cloud server, an edge server, home server, a virtualized server, one or more processors executing code to function as a server, or the like.
  • the server 104 may operate at various entities or a single entity (including, but not limited to, a vendor side, service provider side, a network operator side, a company side, an organization side, a university side, a lab facility side, a business enterprise side, a defense facility side, or any other facility) that provides service.
  • the plurality of UEs 102 may comprise a memory 204 (as shown in FIG. 2) such as a volatile memory (e.g., RAM), a non-volatile memory (e.g., disk memory, FLASH memory, EPROMs, etc.), an unalterable memory, and/or other types of memory.
  • the memory 204 might be configured or designed to store data. The data may pertain to attributes and access rights specifically defined for the plurality of UEs 102.
  • the UE 102 may be accessed by the user, to receive anomalies detected by the enterprise system 108.
  • the communication network 106 may use one or more communication interfaces/protocols such as, for example, Voice Over Internet Protocol (VoIP), 802.11 (Wi-Fi), 802.15 (including Bluetooth™), 802.16 (Wi-Max), 802.22, Cellular standards such as Code Division Multiple Access (CDMA), CDMA2000, Wideband CDMA (WCDMA), Radio Frequency Identification (e.g., RFID), Infrared, laser, Near Field Magnetics, etc.
  • the enterprise system 108 may include, by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a business telephony application server (BTAS), a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof.
  • the enterprise system 108 may operate at various entities or a single entity (including, for example, but not limited to, a vendor side, service provider side, a network operator side, a company side, an organization side, a university side, a lab facility side, a business enterprise side, a defense facility side, or any other facility) that provides service.
  • the enterprise system 108 is configured to detect anomalies in the communication network 106.
  • the plurality of UEs 102 may be a wireless device or a communication device that may be a part of the enterprise system 108.
  • the wireless device or the UE 102 may include, but are not limited to, a handheld wireless communication device (e.g., a mobile phone, a smart phone, a phablet device, and so on), a wearable computer device (e.g., a head-mounted display computer device, a head-mounted camera device, a wristwatch computer device, and so on), a laptop computer, a tablet computer, or another type of portable computer, a media playing device, a portable gaming system, and/or any other type of computer device with wireless communication or VoIP capabilities.
  • a person skilled in the art will appreciate that the plurality of UEs 102 may include a fixed landline, a landline with assigned extension within the enterprise network.
  • the communication network 106 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof.
  • the communication network 106 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
  • the communication network 106 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth.
  • the communication network may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, a VOIP or some combination thereof.
  • the system 108 may include one or more processors 202 coupled with a memory 204, wherein the memory 204 may store instructions which when executed by the one or more processors 202 may cause the enterprise system 108 to detect anomalies in the communication network 106.
  • the system 108 may include the one or more processor(s) 202.
  • the one or more processor(s) 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, edge or fog microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that process data based on operational instructions.
  • the one or more processor(s) 202 may be configured to fetch and execute computer-readable instructions stored in a memory 204 of the system 108.
  • the memory 204 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer readable storage medium, which may be fetched and executed to create or share data packets over a network service.
  • the memory 204 may comprise any non-transitory storage device including, for example, volatile memory such as Random-Access Memory (RAM), or nonvolatile memory such as Electrically Erasable Programmable Read-only Memory (EPROM), flash memory, and the like.
  • the system 200 includes an interface(s).
  • the system 200 further includes a user interface 206 also known as interface(s) 206.
  • the interface(s) 206 comprises a variety of interfaces, for example, interfaces for data input and output devices, referred to as input/output (I/O) devices, storage devices, and the like.
  • the interface(s) 206 can facilitate communication for the system.
  • the interface(s) 206 also provides a communication pathway for one or more components of the system 200.
  • processing unit/engine(s) examples include, but are not limited to, processing unit/engine(s) and a database.
  • the processing unit/engine(s) may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processing engine(s).
  • the environment 100 further includes the enterprise system 108 communicably coupled to the remote server 104 and each UE 102-1 of the plurality of UEs 102-1 to 102-n via the communication network 106.
  • the remote server 104 is configured to manage the information related to anomalies in the communication network 106.
  • the enterprise system 108 is adapted to be embedded within the remote server 104 or is embedded as the individual entity.
  • the enterprise system 108 is designed to provide a centralized and unified view of enterprise data and facilitate efficient business operations.
  • the enterprise system 108 is authorized to access and update/create/delete one or more parameters of its information related to anomalies, which is reflected in real time independent of the complexity of the network.
  • the enterprise system 108 may include an enterprise provisioning server (for example), which may connect with the remote server 104.
  • the enterprise provisioning server provides flexibility for enterprises to update/create/delete information related to anomalies in real time as per their business needs. A user with administrator rights can access and retrieve the plurality of information and perform real-time analysis in the enterprise system 108.
  • the enterprise system 108 is described as an integral part of the remote server 104, without deviating from the scope of the present disclosure.
  • FIG. 2 illustrates a block diagram of the system 200 (i.e., enterprise system 108) provided for detecting anomalies in the communication network 106, according to one or more embodiments of the present invention.
  • an anomaly detection application may be embedded or hosted in the system 108.
  • the system 108 application may report the anomalies detected to a user (e.g., end user, service provider, network operator or the like).
  • the system 108 includes one or more processors 202, a memory 204, an input/output interface unit 206, a display 208, and an input device 210. Further the system 108 may comprise one or more processors 202.
  • the one or more processors 202 hereinafter referred to as the processor 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions.
  • the system 108 includes one processor 202. However, it is to be noted that the system 108 may include multiple processors as per the requirement and without deviating from the scope of the present disclosure.
  • the information related to the anomalies may be provided or stored in the memory 204 of the system 108.
  • the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204.
  • the memory 204 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to create or share data packets over a network service.
  • the memory 204 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
  • the information related to the anomalies may further be configured to render on the user interface 206.
  • the user interface 206 may include functionality similar to at least a portion of functionality implemented by one or more computer system interfaces such as those described herein and/or generally known to one having ordinary skill in the art.
  • the user interface 206 may be rendered on a display 208, implemented using LCD display technology, OLED display technology, and/or other types of conventional display technology.
  • the display 208 may be integrated within the system 108 or connected externally.
  • the input device(s) 210 may include, but are not limited to, a keyboard, buttons, scroll wheels, cursors, touchscreen sensors, audio command interfaces, a magnetic strip reader, an optical scanner, etc.
  • the system 108 may further comprise a centralized database 220.
  • the centralized database 220 may be communicably connected to the processor 202, and the memory 204.
  • the centralized database 220 may be configured to store and retrieve data pertaining to features, or services of the, access rights, attributes, approved list, and authentication data provided by an administrator. Further the remote server 104 may allow the system 108 to update/create/delete one or more parameters of their information related to the anomalies, which provides flexibility to roll out multiple variants of the anomalies as per business needs.
  • the centralized database 220 may be outside the system 108 and communicated through a wired medium and wireless medium.
  • the processor 202 may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 202.
  • programming for the processor 202 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor 202 may comprise a processing resource (for example, one or more processors), to execute such instructions.
  • the memory 204 may store instructions that, when executed by the processing resource, implement the processor 202.
  • the system 108 may comprise the memory 204 storing the instructions and the processing resource to execute the instructions, or the memory 204 may be separate but accessible to the system 108 and the processing resource.
  • the processor 202 may be implemented by electronic circuitry.
  • the processor 202 includes a retrieving unit 212, a determination unit 214, a comparing unit 216 and an identification unit 218.
  • the system 108 as shown is in communication with the centralized database 220.
  • the retrieving unit 212, the determination unit 214, the comparing unit 216 and the identification unit 218, in an embodiment, are implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 202. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways.
  • the programming for the processor 202 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor may comprise a processing resource (for example, one or more processors), to execute such instructions.
  • the memory 204 may store instructions that, when executed by the processing resource, implement the processor.
  • the system 108 may comprise the memory 204 storing the instructions and the processing resource to execute the instructions, or the memory 204 may be separate but accessible to the system 108 and the processing resource.
  • the processor 202 may be implemented by electronic circuitry.
  • the retrieving unit 212 is configured to retrieve a set of data from the centralized database 220.
  • the set of data is raw data.
  • the raw data can be, for example, but not limited to, a jitter, time delay, a quality of experience, signal strength, a power usage or the like.
  • the set of data includes aggregated data retrieved from a distributed file system. Further, the set of data corresponds to enriched New Radio Summary logs (NRSL) data.
  • the raw data and the aggregated data are used to create different types of data models, based on different techniques and for training purpose.
  • the data models can be, for example, but not limited to machine learning models and the artificial intelligence model.
  • the machine learning models and the artificial intelligence model, called active learning models, reduce the need for complex operations while increasing model accuracy.
  • the data models can be, for example, but not limited to the Linear Regression models, Logistic Regression models, Decision Tree models, Naive Bayes models, K-Means models and Random Forest models.
  • the raw data and the aggregated data can also be, for example, but not limited to, New Radio Summary logs (NRSL).
  • the NRSL can also be referred to as session logs, summary logs, or Streaming Data Record (SDR).
  • the SDR can be a transaction or procedure in a fifth generation core (5G CN) or a call flow in a fourth generation (4G) network.
  • the SDR can also be a CDR written in network nodes or a debugging record (can be logs as well). Further, these NRSL can include information such as call release reason and clear codes for each session of a user.
  • the centralized database 220 stores the determined behavioral patterns of Key Performance Indicators (KPIs) also referred to as KPI.
  • the KPIs are received from the statistical measurements or the dynamic measurements from performance measurement (PM) Counters.
  • the PM Counters are associated with the system 108 or the server (104).
  • the Key Performance Indicator is used to measure the anomalies information.
  • the key performance indicators (KPIs) are system metrics that can be used for anomaly detection in the networks. Some examples of KPIs include: CPU utilization, Memory utilization, Network throughput, and System response time.
  • the behavioral pattern of KPIs refers to the trends or characteristics exhibited by these indicators over time.
  • the KPIs are metrics used to measure the performance of various aspects of a network, such as latency, throughput, availability, and packet loss.
  • the behavioral pattern of these KPIs typically includes the trend analysis, variability and anomalies (for example).
  • the trend analysis observes whether KPI values are increasing, decreasing, or remaining stable over time. In an example, increasing latency could indicate network congestion or performance degradation.
  • the variability examines the degree of fluctuation or stability in KPI values. Consistent fluctuations might indicate normal network operation, while sudden spikes or dips could signal issues.
  • anomaly detection identifies deviations from expected or normal behavior in KPIs, which could signal potential network problems or security incidents.
  • the determination unit 214, also referred to as an anomaly detection module 214, is configured to determine a behavioral pattern of KPIs utilizing the retrieved set of data.
  • the determination unit 214 is configured to determine the behavioral patterns of the KPIs utilizing data models modelled based on the set of data retrieved from the centralized database 220.
  • the determination unit 214 is configured to create one or more data models or patterns from the raw data and the aggregated data.
  • the determination unit 214 is configured to continuously keep track of incoming data flowing with the computed behavioral pattern for the KPIs.
  • the determination unit 214 also saves the created patterns in the centralized database 220.
  • the patterns are then analysed by the determination unit 214 and any significant and sudden deviation from the above normal pattern will be detected as an anomaly and reported to an end user for analysis.
  • the comparing unit 216 is configured to compare a first pattern (or threshold) with the determined behavioral patterns of the KPI.
  • the first pattern corresponds to a behavioral pattern of KPI determined based on incoming data from at least one user equipment.
  • the incoming data corresponds to data of at least one user equipment subjected to a firmware release, or data of a plurality of user equipment operational in a certain region and experiencing a drop in reference signal received power (RSRP).
  • the incoming data corresponds to a request from second UE, where the second UE is a network administrator at an operator side.
  • the KPIs of the incoming data are compared with a threshold, where the threshold is determined by the data model based on historical KPI of the data.
  • the identification unit 218 is configured to identify a deviation in the first pattern from the determined behavioral pattern of the KPI based on the comparison, and thereby detect the anomalies. The anomalies so detected are then provided to a user via a user equipment. A flow diagram explaining the process of detecting the anomalies will be further explained in FIG. 4.
  • FIG. 3 is an example schematic representation of the system 108 of FIG. 1 in which the operations of various entities are explained, according to various embodiments of the present system.
  • FIG. 3 is an example illustration of the system of FIG. 2 interacting in which various entities.
  • FIG. 3 describes a system 300 for detecting the anomalies in the communication network 106.
  • the embodiment with respect to FIG. 3 will be explained with respect to the UE 102-1, the remote server 104 and the system 108 for the purpose of description and illustration and should nowhere be construed as limited to the scope of the present disclosure. The same explanation shall apply to multiple UEs 102-1 to 102-n.
  • the first UE 102-1 includes one or more primary processors 305 communicably coupled to the one or more processors 202 of the system 108.
  • the one or more primary processors 305 are coupled with a memory 310 storing instructions which are executed by the one or more primary processors 305. Execution of the stored instructions by the one or more primary processors 305 enables the first UE 102-1 to transmit an anomaly update request from the user via an interface module 320 to the system 108 in order to register for a service related to the anomaly update request.
  • the execution of the stored instructions by the one or more primary processors 305 further enables the first UE 102-1 to transmit location coordinates from where the anomaly update request is initiated to the one or more processors 202.
  • the one or more processors 202 is configured to transmit the response content related to the anomaly update request to the first UE 102-1. More specifically, the one or more processors 202 of the system 108 is configured to transmit the response content from a kernel 315 to at least one of the first UE 102-1 in response to modifying at least one response content by a plurality of response contents in response to receiving the anomaly update request from the administrator.
  • the kernel 315 is a core component serving as the primary interface between hardware components of the first UE 102-1 and the system 108.
  • the kernel 315 is configured to provide the plurality of response contents hosted on the system 108 to access resources available in the communication network 106.
  • the resources include one of a Central Processing Unit (CPU), memory components such as Random Access Memory (RAM) and Read Only Memory (ROM).
  • the system 108 includes the one or more processors 202, the memory 204, the input/output interface unit 206, the display 208, and the input device 210.
  • the operations and functions of the one or more processors 202, the memory 204, the input/output interface unit 206, the display 208, and the input device 210 are already explained in FIG. 2. For the sake of brevity, we are not explaining the same operations (or repeated information) in the patent disclosure.
  • the processor 202 includes the retrieving unit 212, the determination unit 214, the comparing unit 216 and the identification unit 218.
  • the operations and functions of the retrieving unit 212, the determination unit 214, the comparing unit 216 and the identification unit 218 are already explained in FIG. 2. For the sake of brevity, we are not explaining the same operations (or repeated information) in the patent disclosure.
  • the system 108 is communicably coupled to the remote server 104 and each UE of the plurality of UEs 102 via the communication network 106.
  • the system 108 is adapted to be embedded within the remote server 104 or is embedded as the individual entity.
  • the system 108 is designed to provide a centralized and unified view of an enterprise data and facilitate efficient business operations.
  • the system 108 is authorized to access to update/create/delete one or more parameters of their anomalies.
  • FIG. 4 shows a sequence flow diagram illustrating a method 400 for detecting anomalies in the communication network 106, according to various embodiments of the present disclosure.
  • the set of data being retrieved from the centralized database 220 into the retrieving unit 212.
  • the set of data is the raw data.
  • Y1 can be, for example, but not limited to, a jitter, time delay, a quality of experience, signal strength, a power usage or the like.
  • the set of data is the aggregated data.
  • aggregated data includes but is not limited to the obtained raw data and can correspond to a scheme like: ’TimeSlot, Geohash, AppGroup, Packets, Duration, Users, Flows’, where TimeSlot is a raw data, Geohash is a raw data, AppGroup is a raw data, Packets is a raw data, Duration is a raw data, users is a raw data and flows is a raw data, all of which are aggregated into the scheme as mentioned.
  • the raw data and the aggregated data are used to create different types of data models, based on different techniques and for training purpose.
  • the set of data corresponds to enriched NRSL data.
  • the NRSL enrich means creating new and dynamic fields using one or more operations on the collected NRSL data. Operations can be, for example, but not limited to concatenate, append, split, transform, etc.
  • the network protocols can be, for example, but not limited to, a Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), File Transfer Protocol (FTP), Secure Shell (SSH) Protocol, Telecommunication Network (Telnet) Protocol, Internet Control Message Protocol (ICMP), and TCP.
  • the data models can be, for example, but not limited to machine learning models and the artificial intelligence model.
  • the machine learning models and the artificial intelligence model, called active learning models, reduce the need for complex operations while increasing model accuracy.
  • the data models can be, for example, but not limited to the Linear Regression models, Logistic Regression models, Decision Tree models, Naive Bayes models, K-Means models and Random Forest models.
  • the retrieving unit 212 forwards the retrieved set of data 404 to the determination unit 214.
  • the retrieving unit 212 is configured to retrieve the set of data from the centralized database 220.
  • the determination unit 214 receives the retrieved set of data from the retrieving unit 212.
  • the determination unit 214 is configured to determine the behavioral patterns of the KPIs utilizing data models modelled based on the set of data retrieved from the centralized database 220.
  • the determination unit 214 is further configured to provide the behavioral pattern of the Key Performance Indicators (KPIs) to the comparing unit 216.
  • KPIs Key Performance Indicators
  • the Key Performance Indicator may be received from the statistical measurements or the dynamic measurements from performance measurement (PM) Counters.
  • the (PM) Counters are associated with the system 108 or the server (104).
  • the Key Performance Indicator is used to measure the anomalies information.
  • the comparing unit 216 compares the behavioral pattern 408 with the first pattern and sends a comparison of the first pattern and the determined behavioral patterns of KPIs to the identification unit 218.
  • the first pattern corresponds to a behavioral pattern of the KPI determined based on the incoming data from one of the at least one user equipment 102.
  • the identification unit 218 detects the anomalies 410 by a series of comparisons. For example, the patterns are compared with predetermined thresholds for each KPI. In case a pattern exceeds a predetermined threshold of a KPI, the identification unit 218 shall detect occurrence of an anomaly in the network parameter or network entity or process corresponding to the pattern.
  • the identification unit 218 reports the anomalies 412 to one or more of the plurality of user equipments 102-1 to 102-n, for example the user equipment 102-1.
  • the anomalies detected can be sent in a report format or a message format to the user equipment 102-1.
  • the proposed method can proactively identify occurrence of anomalies, so as to reduce a burden of manual work on an end user for issue detection to a great extent and also saves a lot of time.
  • if a value of a particular call release reason (CRR) within a cell or a region has started varying abnormally as compared to last hour or last day or last week, the variation will be detected as an anomaly and operations would be alerted to the end user and the service provider.
  • CLR call release reason
  • the end user can also analyse the cases such as for any given device Subscription Permanent Identifier (SUPI) or International Mobile Subscriber Identity (IMSI), experience is suddenly degraded after any firmware release or gNB Software release when compared to a previous experience summary of the device / SUPI.
  • SUPI Subscription Permanent Identifier
  • IMSI International Mobile Subscriber Identity
  • the method also enables detection of sudden fluctuation in the communication network 106 of a particular region or area or cell by detecting the drop in the RSRP (or any other relevant parameter, e.g., SNR or the like) and thereby enables the user to take the appropriate action.
  • the drop in the RSRP or any other relevant parameter (e.g., SNR or the like)
  • FIG. 5 shows a flow diagram of a method 500 for detecting anomalies in the communication network 106, according to various embodiments of the present disclosure. More specifically, the method detects anomalies in the communication network 106.
  • the method 500 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
  • the method 500 includes the step of retrieving the set of data from the centralized database 220.
  • the set of data is the raw data.
  • the raw data can be, for example, but not limited to, a jitter, time delay, a quality of experience, signal strength, a power usage or the like.
  • the set of data includes the aggregated data retrieved from the distributed file system. Further, the set of data corresponds to the enriched NRSL data.
  • the raw data and the aggregated data are used to create different types of data models, based on different techniques and for training purpose.
  • the data models can be, for example, but not limited to machine learning models and the artificial intelligence model.
  • the method 500 includes the step of determining a behavioral pattern of Key Performance Indicators (KPI) that utilizes the retrieved set of data.
  • KPI Key Performance Indicators
  • the behavioral pattern of the KPI is determined utilizing data models modelled based on the set of data retrieved from the centralized database 220.
  • the determined behavioral pattern of the KPI is stored in the centralized database 220.
  • a trend or pattern of the specified key performance indicators (KPIs) is calculated and stored.
  • the determination unit 214 is configured to continuously keep track of incoming data flowing with the computed behavioral pattern for the key performance indicators (KPIs). The determination unit 214 also saves the created patterns. The patterns are then analysed by the determination unit 214 and any significant and sudden deviation from the above normal pattern will be detected as an anomaly and reported to an end user for analysis.
  • KPIs key performance indicators
  • a first pattern is compared with the determined behavioral pattern of the KPI.
  • the comparison further includes analyzing an incoming data for at least one user equipment Subscription Permanent Identifier (SUPI) and at least one user equipment International Mobile Subscriber Identity (IMSI). Further, the incoming data corresponds to at least one of data of at least one user equipment subjected to a firmware release, and data of a plurality of user equipment operational in a certain region and experiencing drop in a Reference Signal Received Power (RSRP).
  • RSRP Reference Signal Received Power
  • a deviation of the pattern is identified from the determined behavioral pattern of the KPI based on the comparison, thereby detecting anomalies.
  • the deviation in the pattern is identified when the determined behavioral patterns exceed a predetermined threshold. Further, the detected anomalies are provided to a user equipment associated with the user.
  • the proposed method can proactively identify occurrence of anomalies, so as to reduce a burden of manual work on an end user for issue detection to a great extent and also saves a lot of time.
  • the present invention discloses that the method 500 can be used for detecting anomalies in the communication network 106.
  • if a value of a particular call release reason (CRR) within a cell or a region has started varying abnormally as compared to last hour or last day or last week, the variation will be detected as an anomaly and operations would be alerted to the end user and the service provider.
  • CLR call release reason
  • the end user can also analyse the cases such as for any given device Subscription Permanent Identifier (SUPI) or International Mobile Subscriber Identity (IMSI), experience is suddenly degraded after any firmware release or gNB Software release when compared to a previous experience summary of the device / SUPI.
  • SUPI Subscription Permanent Identifier
  • IMSI International Mobile Subscriber Identity
  • the method also enables detection of sudden fluctuation in the communication network 106 of a particular region or area or cell by detecting the drop in the RSRP (or any other relevant parameter, e.g., SNR or the like) and thereby enables the user to take the appropriate action.
  • the drop in the RSRP or any other relevant parameter (e.g., SNR or the like)
  • A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIGs. 1-5) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
  • the present disclosure incorporates the technical advancement of automatically detecting anomalies by identifying any sudden change (increase or decrease) in a parameter of significant importance from its previous trend. Further, the disclosed method facilitates monitoring of huge data volumes based on specific dimensions and identifying discrepancies in less time. The disclosed approach not only saves the sweat of the end user’s brow but also provides near real-time inputs.
  • RAN Radio Access Network
  • the present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize on some of the advantageous features.
  • the listed advantages are to be read in a non-limiting manner.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present disclosure relates to a system (108) and a method (400) for detecting anomalies in a communication network (106). The system (108) includes a retrieving unit (212) configured to retrieve a set of data from a centralized database (220). The system (108) further includes a determination unit (214) configured to determine a behavioral pattern of Key Performance Indicators (KPI) utilizing the retrieved set of data. The system (108) further includes a comparing unit (216) configured to compare a first pattern with the determined behavioral pattern of the KPI, and an identification unit (208) to identify a deviation of the pattern from the determined behavioral pattern of the KPI based on the comparison, and thereby detecting anomalies.

Description

METHOD AND SYSTEM FOR DETECTING ANOMALIES IN A COMMUNICATION NETWORK
FIELD OF THE INVENTION
[0001] The present invention generally relates to communication networks, and more particularly relates to a method and system for detecting anomalies in a communication network.
BACKGROUND OF THE INVENTION
[0002] With Fifth Generation (5G) adoption and technology enhancement, there has been an exponential increase in the data volume, the hardware footprint, and the operations required to perform daily monitoring activities. For a seamless network experience by users, continuous surveillance or tracking of data flowing through the network is required, so that any failure can be detected and resolved as early as possible.
[0003] Further, in 5G telecommunications there is a large network infrastructure and the data volume across the network is also huge. Identifying an event or cause behind any network failure is not only a time-consuming task but also requires huge effort. Typically, an end user has to manually analyse huge volumes of data, such as system log data, by comparing with previous incoming data even if the data is provided in the form of daily or hourly level reports, and identify a reason for failure. Even with a live streaming data dashboard, a user has to keep an eye on the data flow continuously for any significant deviation.
[0004] Further, only when the anomaly occurs, the user gets notified. There is a need for a system that can proactively identify occurrence of anomalies. There is a need for a system and method for detecting anomalies in data networks, that not only reduces a burden of manual work on an end user for issue detection to a great extent but also saves a lot of time.
SUMMARY OF THE INVENTION
[0005] One or more embodiments of the present disclosure provide a system and method for detecting anomalies in a communication network.
[0006] In one aspect of the present invention, a method of detecting anomalies in a communication network is provided. The method includes retrieving, by one or more processors, a set of data from the communication network. In an embodiment, the set of data includes a raw data or an aggregated data. Further, the set of data corresponds to enriched New Radio Summary logs (NRSL) data. The method further includes determining a behavioral pattern of Key Performance Indicators (KPIs) utilizing the retrieved set of data. The behavioral pattern of the KPI is determined utilizing data models modelled based on the set of data retrieved from the centralized database. The determined behavioral patterns are stored in a centralized database. Further, the method includes comparing a first pattern with the determined behavioral pattern of KPI. This comparison can include analyzing an incoming data for at least one user equipment subscription permanent identifier (SUPI) and at least one user equipment International Mobile Subscriber Identity (IMSI). Further, the incoming data corresponds to data of at least one user equipment subjected to a firmware release or data of a plurality of user equipment operational in a certain region and experiencing a drop in reference signal received power (RSRP). The method further includes identifying a deviation of the first pattern from the determined behavioral pattern of the KPI based on the comparison, and thereby detecting anomalies.
[0007] In another aspect of the present invention, a system for detecting anomalies in a communication network is disclosed. The system includes a retrieving unit configured to retrieve a set of data from a centralized database. In an embodiment, the centralized database stores the determined behavioral patterns of the KPI. Further, the system includes a determination unit configured to determine a behavioral pattern of Key Performance Indicators (KPI) utilizing the retrieved set of data. In an embodiment, the determination unit is configured to determine the behavioral patterns of the KPI utilizing data models modelled based on the set of data retrieved from the centralized database. The system further includes a comparing unit configured to compare a first pattern with the determined behavioral pattern of the KPI. The first pattern corresponds to a behavioral pattern of KPI determined based on an incoming data from at least one user equipment. In an embodiment, the incoming data corresponds to data of at least one user equipment subjected to a firmware release, or data of a plurality of user equipment operational in a certain region and experiencing a drop in reference signal received power (RSRP). The system further includes an identification unit configured to identify a deviation of the pattern from the determined behavioral pattern of the KPI based on the comparison, and thereby detecting anomalies.
[0008] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0010] FIG. 1 is an exemplary block diagram of an environment for detecting anomalies in a communication network, according to various embodiments of the present disclosure;
[0011] FIG. 2 is a block diagram of a system provided in an enterprise system of FIG. 1, according to various embodiments of the present disclosure;
[0012] FIG. 3 is an example schematic representation of the system of FIG. 1 in which various entities operations are explained, according to various embodiments of the present system;
[0013] FIG. 4 shows a sequence flow diagram illustrating a method for detecting anomalies in a communication network, according to various embodiments of the present disclosure; and
[0014] FIG. 5 shows a flow diagram of a method for detecting anomalies in a communication network, according to various embodiments of the present disclosure.
[0015] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0016] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0017] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0018] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0019] As per various embodiments depicted, the present invention discloses the system and method for detecting anomalies in a large data network. A change in trend of a dimension or parameter is identified and analysed to detect an anomaly. With the disclosed system, an end user can analyse the cases for a device, when an experience is suddenly degraded after any firmware release or a Generation NodeB (gNB)/ Software release. The system also enables detection of sudden fluctuation in the network of a particular region or area by detecting a drop in a reference signal received power (RSRP) and thereby enables the user to take an appropriate action.
[0020] In an embodiment, if a value of a particular CRR (call release reason) within a cell has started varying abnormally as compared to last hour or last day, the variation will be detected as an anomaly and operations would be alerted. Further, using the dashboard, the end user can also analyse the cases such as for any given device Subscription Permanent Identifier (SUPI) or International Mobile Subscriber Identity (IMSI), experience is suddenly degraded after any firmware release or gNB Software release when compared to a previous experience summary of a device / SUPI.
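As an added illustration (not part of the patent disclosure or the applicant's implementation), the following Python example works through the CRR case of paragraph [0020]: a per-cell behavioral pattern is built from historical counts, an incoming slot is compared against it, and a deviation beyond a predetermined threshold is reported. The disclosure does not specify the data model, so the median/MAD robust score, the threshold of 4.0, the minimum sample count, and all cell ids, CRR labels and counts are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed sample data: (hour_slot, cell_id, call_release_reason, count).
# 24 hourly slots of history for one cell; every value here is invented.
HISTORY = []
for hour in range(24):
    HISTORY.append((hour, "cell-A", "radio-link-failure", 10 + hour % 5))
    HISTORY.append((hour, "cell-A", "normal-release", 200 + 3 * (hour % 4)))
    HISTORY.append((hour, "cell-A", "handover-failure", 0))

# Constructed incoming slot (hour 24) to compare with the stored pattern.
INCOMING = [
    (24, "cell-A", "radio-link-failure", 41),   # sharp increase
    (24, "cell-A", "normal-release", 120),      # sharp decrease
    (24, "cell-A", "handover-failure", 1),      # tiny change on a flat series
    (24, "cell-B", "radio-link-failure", 12),   # cell with no stored pattern
]


@dataclass(frozen=True)
class Baseline:
    center: float   # median of the historical counts
    spread: float   # median absolute deviation (MAD) around the center
    samples: int    # number of historical slots behind the pattern


@dataclass(frozen=True)
class Finding:
    slot: int
    cell: str
    crr: str
    count: int
    score: Optional[float]   # None when no usable baseline exists
    kind: str                # "increase", "decrease" or "no-baseline"


def build_baselines(history):
    """Determine the behavioral pattern per (cell, CRR) from past slots."""
    series = defaultdict(list)
    for _slot, cell, crr, count in history:
        series[(cell, crr)].append(count)
    baselines = {}
    for key, values in series.items():
        center = median(values)
        spread = median(abs(v - center) for v in values)
        baselines[key] = Baseline(center, spread, len(values))
    return baselines


def deviation_score(value, baseline, floor=1.0):
    """Robust z-score; 1.4826 * MAD approximates a standard deviation.

    The floor keeps a perfectly flat series (MAD == 0) from dividing by
    zero and from alerting on a change of a single event.
    """
    scale = max(1.4826 * baseline.spread, floor)
    return (value - baseline.center) / scale


def detect_anomalies(incoming, baselines, threshold=4.0, min_samples=12):
    """Compare the incoming pattern with the stored one and report deviations."""
    findings = []
    for slot, cell, crr, count in incoming:
        base = baselines.get((cell, crr))
        if base is None or base.samples < min_samples:
            # Without enough history the comparison is meaningless; surface
            # the gap instead of silently treating the slot as normal.
            findings.append(Finding(slot, cell, crr, count, None, "no-baseline"))
            continue
        score = deviation_score(count, base)
        if abs(score) > threshold:
            kind = "increase" if score > 0 else "decrease"
            findings.append(Finding(slot, cell, crr, count, round(score, 2), kind))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(INCOMING, build_baselines(HISTORY)):
        print(finding)
```

Reporting the "no-baseline" case separately matters operationally: a newly deployed cell or a renamed CRR label would otherwise never raise an alert.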
[0021] Referring to FIG. 1, FIG. 1 illustrates an exemplary block diagram of an environment 100 for detecting anomalies in a communication network 106, according to various embodiments of the present disclosure. The environment 100 comprises a plurality of user equipments (UEs) 102-1, 102-2, ..., 102-n. The at least one UE 102-n from the plurality of the UEs 102-1, 102-2, 102-n is configured to connect to an enterprise system 108 via a communication network 106. In an embodiment, the UE (102) is operated by an administrator. In another embodiment, the UE (102) is operated by a subscriber. The enterprise system 108 is communicatively coupled to a server 104 via the communication network 106. The server 104 can be, for example, but not limited to a standalone server, a server blade, a server rack, a bank of servers, a business telephony application server (BTAS), a server farm, a cloud server, an edge server, home server, a virtualized server, one or more processors executing code to function as a server, or the like. In an implementation, the server 104 may operate at various entities or a single entity (including, but not limited to, a vendor side, service provider side, a network operator side, a company side, an organization side, a university side, a lab facility side, a business enterprise side, a defense facility side, or any other facility) that provides service.
[0022] The plurality of UEs 102 may comprise a memory 204 (as shown in FIG. 2) such as a volatile memory (e.g., RAM), a non-volatile memory (e.g., disk memory, FLASH memory, EPROMs, etc.), an unalterable memory, and/or other types of memory. In one implementation, the memory 204 might be configured or designed to store data. The data may pertain to attributes and access rights specifically defined for the plurality of UEs 102. The UE 102 may be accessed by the user, to receive anomalies detected by the enterprise system 108. The communication network 106 may use one or more communication interfaces/protocols such as, for example, Voice Over Internet Protocol (VoIP), 802.11 (Wi-Fi), 802.15 (including Bluetooth™), 802.16 (Wi-Max), 802.22, Cellular standards such as Code Division Multiple Access (CDMA), CDMA2000, Wideband CDMA (WCDMA), Radio Frequency Identification (e.g., RFID), Infrared, laser, Near Field Magnetics, etc.
[0023] The enterprise system 108 may include, by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a business telephony application server (BTAS), a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, or some combination thereof. In an implementation, enterprise system 108 may operate at various entities or single entity (for example, including, but not limited to, a vendor side, service provider side, a network operator side, a company side, an organization side, a university side, a lab facility side, a business enterprise side, a defense facility side, or any other facility) that provides service. The enterprise system 108 is configured to detect anomalies in the communication network 106.
[0024] In accordance with yet another aspect of the exemplary embodiment, the plurality of UEs 102 may be a wireless device or a communication device that may be a part of the enterprise system 108. The wireless device or the UE 102 may include, but are not limited to, a handheld wireless communication device (e.g., a mobile phone, a smart phone, a phablet device, and so on), a wearable computer device (e.g., a head-mounted display computer device, a head-mounted camera device, a wristwatch computer device, and so on), a laptop computer, a tablet computer, or another type of portable computer, a media playing device, a portable gaming system, and/or any other type of computer device with wireless communication or VoIP capabilities. A person skilled in the art will appreciate that the plurality of UEs 102 may include a fixed landline, a landline with assigned extension within the enterprise network.
[0025] The communication network 106 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof. The communication network 106 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
[0026] The communication network 106 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth. The communication network may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, a VOIP or some combination thereof.
[0027] An exemplary representation of the enterprise system 108 for such purpose, in accordance with embodiments of the present disclosure, is shown in FIG. 2 as the system 108. The system 108 may include one or more processors 202 coupled with a memory 204, wherein the memory 204 may store instructions which when executed by the one or more processors 202 may cause the enterprise system 108 to detect anomalies in the communication network 106. In an embodiment, the system 108 may include the one or more processor(s) 202. The one or more processor(s) 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, edge or fog microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that process data based on operational instructions. Among other capabilities, the one or more processor(s) 202 may be configured to fetch and execute computer-readable instructions stored in a memory 204 of the system 108. The memory 204 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer readable storage medium, which may be fetched and executed to create or share data packets over a network service.
[0028] The memory 204 may comprise any non-transitory storage device including, for example, volatile memory such as Random-Access Memory (RAM), or nonvolatile memory such as Electrically Erasable Programmable Read-only Memory (EPROM), flash memory, and the like. In an embodiment, the system 200 includes an interface(s). The system 200 further includes a user interface 206 also known as interface(s) 206. The interface(s) 206 comprises a variety of interfaces, for example, interfaces for data input and output devices, referred to as input/output (I/O) devices, storage devices, and the like. The interface(s) 206 can facilitate communication for the system. The interface(s) 206 also provides a communication pathway for one or more components of the system 200. Examples of such components include, but are not limited to, processing unit/engine(s) and a database. The processing unit/engine(s) may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processing engine(s).
[0029] The environment 100 further includes the enterprise system 108 communicably coupled to the remote server 104 and each UE 102-1 of the plurality of UEs 102-1 to 102-n via the communication network 106. The remote server 104 is configured to manage the information related to anomalies in the communication network 106.
[0030] The enterprise system 108 is adapted to be embedded within the remote server 104 or is embedded as the individual entity. The enterprise system 108 is designed to provide a centralized and unified view of enterprise data and facilitate efficient business operations. The enterprise system 108 is authorized to access update/create/delete one or more parameters of their information related to anomalies, which gets reflected in real-time independent of the complexity of network.
[0031] In another embodiment, the enterprise system 108 may include an enterprise provisioning server (for example), which may connect with the remote server 104. The enterprise provisioning server provides flexibility for enterprises to update/create/delete information related to anomalies in real time as per their business needs. A user with administrator rights can access and retrieve the plurality of information and perform real-time analysis in the enterprise system 108.
[0032] However, for the purpose of description, the enterprise system 108 is described as an integral part of the remote server 104, without deviating from the scope of the present disclosure.
[0033] Operational and construction features of the enterprise system 108 will be explained in detail with respect to the following figures.
[0034] Referring to FIG. 2, FIG. 2 illustrates a block diagram of the system 200 (i.e., enterprise system 108) provided for detecting anomalies in the communication network 106, according to one or more embodiments of the present invention. Further, as per one embodiment, an anomaly detection application may be embedded or hosted in the system 108. In an aspect, the system 108 application may report the anomalies detected to a user (e.g., end user, service provider, network operator or the like).
[0035] As per the illustrated embodiment, the system 108 includes one or more processors 202, a memory 204, an input/output interface unit 206, a display 208, and an input device 210. Further the system 108 may comprise one or more processors 202. The one or more processors 202, hereinafter referred to as the processor 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions. As per the illustrated embodiment, the system 108 includes one processor 202. However, it is to be noted that the system 108 may include multiple processors as per the requirement and without deviating from the scope of the present disclosure.
[0036] The information related to the anomalies may be provided or stored in the memory 204 of the system 108. Among other capabilities, the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204. The memory 204 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory 204 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
[0037] The information related to the anomalies may further be configured to render on the user interface 206. The user interface 206 may include functionality similar to at least a portion of functionality implemented by one or more computer system interfaces such as those described herein and/or generally known to one having ordinary skill in the art. The user interface 206 may be rendered on a display 208, implemented using LCD display technology, OLED display technology, and/or other types of conventional display technology. The display 208 may be integrated within the system 108 or connected externally. Further the input device(s) 210 may include, but not limited to, keyboard, buttons, scroll wheels, cursors, touchscreen sensors, audio command interfaces, magnetic strip reader, optical scanner, etc.
[0038] The system 108 may further comprise a centralized database 220. The centralized database 220 may be communicably connected to the processor 202, and the memory 204. The centralized database 220 may be configured to store and retrieve data pertaining to features, or services of the, access rights, attributes, approved list, and authentication data provided by an administrator. Further the remote server 104 may allow the system 108 to update/create/delete one or more parameters of their information related to the anomalies, which provides flexibility to roll out multiple variants of the anomalies as per business needs. In another embodiment, the centralized database 220 may be outside the system 108 and communicated through a wired medium and wireless medium.
[0039] Further, the processor 202, in an embodiment, may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 202. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 202 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor 202 may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 204 may store instructions that, when executed by the processing resource, implement the processor 202. In such examples, the system 108 may comprise the memory 204 storing the instructions and the processing resource to execute the instructions, or the memory 204 may be separate but accessible to the system 108 and the processing resource. In other examples, the processor 202 may be implemented by electronic circuitry.
[0040] In order for the system 108 to manage the anomalies, the processor 202 includes a retrieving unit 212, a determination unit 214, a comparing unit 216 and an identification unit 218. The system 108 as shown is in communication with the centralized database 220.
[0041] The retrieving unit 212, the determination unit 214, the comparing unit 216 and the identification unit 218, in an embodiment, are implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 202. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 202 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 204 may store instructions that, when executed by the processing resource, implement the processor. In such examples, the system 108 may comprise the memory 204 storing the instructions and the processing resource to execute the instructions, or the memory 204 may be separate but accessible to the system 108 and the processing resource. In other examples, the processor 202 may be implemented by electronic circuitry.
[0042] In order for the system 108 to detect the anomalies, the retrieving unit 212, the determination unit 214, the comparing unit 216 and the identification unit 218 are communicably coupled to each other. The retrieving unit 212 is configured to retrieve a set of data from the centralized database 220. In an embodiment, the set of data is raw data. The raw data can be, for example, but not limited to, a jitter, time delay, a quality of experience, signal strength, a power usage or the like. In another embodiment, the set of data includes aggregated data retrieved from a distributed file system. Further, the set of data corresponds to enriched New Radio Summary logs (NRSL) data. The raw data and the aggregated data are used to create different types of data models, based on different techniques and for training purpose. The data models can be, for example, but not limited to machine learning models and the artificial intelligence model. The machine learning models and the artificial intelligence model called active learning models reduces the need for complex operations while increasing model accuracy. The data models can be, for example, but not limited to the Linear Regression models, Logistic Regression models, Decision Tree models, Naive Bayes models, K-Means models and Random Forest models. The raw data and the aggregated data can also be, for example, but not limited to, New Radio Summary logs (NRSL). The NRSL can also be referred as session logs, summary logs, or Streaming Data Record (SDR). The SDR can be a transaction or procedure in a fifth generation core (5G CN) or a call flow in a fourth generation (4G) network. The SDR can also be a CDR written in network nodes or a debugging record (can be logs as well). Further, these NRSL can include information such as call release reason, clear codes, for each sessions of user.
[0043] In an embodiment, the centralized database 220 stores the determined behavioral patterns of Key Performance Indicators (KPIs) also referred to as KPI. In one embodiment, the KPIs are received from the statistical measurements or the dynamic measurements from performance measurement (PM) Counters. The PM Counters are associated with the system 108 or the server (104). The Key Performance Indicator is used to measure the anomalies information. The key performance indicators (KPIs) are system metrics that can be used for anomaly detection in the networks. Some examples of KPIs include: CPU utilization, Memory utilization, Network throughput, and System response time. The behavioral pattern of KPIs refers to the trends or characteristics exhibited by these indicators over time. The KPIs are metrics used to measure the performance of various aspects of a network, such as latency, throughput, availability, and packet loss. The behavioral pattern of these KPIs typically includes the trend analysis, variability and anomalies (for example). The trend analysis observes whether KPI values are increasing, decreasing, or remaining stable over time. In an example, increasing latency could indicate network congestion or performance degradation. The variability examines the degree of fluctuation or stability in KPI values. Consistent fluctuations might indicate normal network operation, while sudden spikes or dips could signal issues. The anomaly analysis detects deviations from expected or normal behavior in KPIs, which could signal potential network problems or security incidents.
[0044] Further, the determination unit 214, also referred to as an anomaly detection module 214, is configured to determine a behavioral pattern of KPIs utilizing the retrieved set of data. In an embodiment, the determination unit 214 is configured to determine the behavioral patterns of the KPIs utilizing data models modelled based on the set of data retrieved from the centralized database 220. The determination unit 214 is configured to create one or more data models or patterns from the raw data and the aggregated data.
[0045] Further, the determination unit 214 is configured to continuously keep track of incoming data flowing with the computed behavioral pattern for the KPIs. The determination unit 214 also saves the created patterns in the centralized database 220. The patterns are then analysed by the determination unit 214 and any significant and sudden deviation from the above normal pattern will be detected as an anomaly and reported to an end user for analysis.
[0046] The comparing unit 216 is configured to compare a first pattern (or threshold) with the determined behavioral patterns of the KPI. The first pattern corresponds to a behavioral pattern of KPI determined based on an incoming data from at least one user equipment. In an embodiment, the incoming data corresponds to a data of at least one user equipment subjected to a firmware release, or data of a plurality of user equipment operational in a certain region and experiencing a drop in reference signal received power (RSRP). In an embodiment, the incoming data corresponds to a request from second UE, where the second UE is a network administrator at an operator side. In another embodiment, the incoming data KPI are compared with a threshold, where the threshold is determined by the data model based on historical KPI of the data. The identification unit 218 is configured to identify a deviation in the first pattern from the determined behavioral pattern of the KPI based on the comparison, and thereby detect the anomalies. The anomalies so detected are then provided to a user via a user equipment. A flow diagram explaining the process of detecting the anomalies will be further explained in FIG. 4.
[0047] FIG. 3 is an example schematic representation of the system 108 of FIG. 1 in which various entities operations are explained, according to various embodiments of the present system.
[0048] FIG. 3 is an example illustration of the system of FIG. 2 interacting in which various entities. Referring to FIG. 3, FIG. 3 describes a system 300 for detecting the anomalies in the communication network 106. It is to be noted that the embodiment with respect to FIG. 3 will be explained with respect to the UE 102-1, the remote server 104 and the system 108 for the purpose of description and illustration and should nowhere be construed as limited to the scope of the present disclosure. The same explanation shall apply to multiple UEs 102-1 to 102-n.
[0049] As mentioned earlier, the first UE 102-1 includes one or more primary processors 305 communicably coupled to the one or more processors 202 of the system 108. The one or more primary processors 305 are coupled with a memory 310 storing instructions which are executed by the one or more primary processors 305. Execution of the stored instructions by the one or more primary processors 305 enables the first UE 102-1 to transmit an anomaly update request from the user via an interface module 320 to the system 108 in order to register for a service related to the anomaly update request. The execution of the stored instructions by the one or more primary processors 305 further enables the first UE 102-1 to transmit location coordinates from where the anomaly update request is initiated to the one or more processors 202.
[0050] As mentioned earlier, the one or more processors 202 is configured to transmit the response content related to the anomaly update request to the first UE 102-1. More specifically, the one or more processors 202 of the system 108 is configured to transmit the response content from a kernel 315 to at least one of the first UE 102-1 in response to modifying at least one response content by a plurality of response contents in response to receiving the anomaly update request from the administrator. The kernel 315 is a core component serving as the primary interface between hardware components of the first UE 102-1 and the system 108. The kernel 315 is configured to provide the plurality of response contents hosted on the system 108 to access resources available in the communication network 106. The resources include one of a Central Processing Unit (CPU), memory components such as Random Access Memory (RAM) and Read Only Memory (ROM).
[0051] As per the illustrated embodiment, the system 108 includes the one or more processors 202, the memory 204, the input/output interface unit 206, the display 208, and the input device 210. The operations and functions of the one or more processors 202, the memory 204, the input/output interface unit 206, the display 208, and the input device 210 are already explained in FIG. 2. For the sake of brevity, we are not explaining the same operations (or repeated information) in the patent disclosure.
[0052] Further, the processor 202 includes the retrieving unit 212, the determination unit 214, the comparing unit 216 and the identification unit 218. The operations and functions of the retrieving unit 212, the determination unit 214, the comparing unit 216 and the identification unit 218 are already explained in FIG. 2. For the sake of brevity, we are not explaining the same operations (or repeated information) in the patent disclosure.
[0053] The system 108 is communicably coupled to the remote server 104 and each UE of the plurality of UEs 102 via the communication network 106. The system 108 is adapted to be embedded within the remote server 104 or is embedded as the individual entity. The system 108 is designed to provide a centralized and unified view of an enterprise data and facilitate efficient business operations. The system 108 is authorized to access and update/create/delete one or more parameters of its anomalies.
[0054] FIG. 4 shows a sequence flow diagram illustrating a method 400 for detecting anomalies in the communication network 106, according to various embodiments of the present disclosure.
[0055] At 402, the set of data is retrieved from the centralized database 220 into the retrieving unit 212. In an embodiment, the set of data is the raw data. The raw data can be, for example, but not limited to, a jitter, time delay, a quality of experience, signal strength, a power usage or the like. In another embodiment, the set of data is the aggregated data. Examples of aggregated data include, but are not limited to, the obtained raw data and can correspond to a scheme like: 'TimeSlot, Geohash, AppGroup, Packets, Duration, Users, Flows', where TimeSlot is a raw data, Geohash is a raw data, AppGroup is a raw data, Packets is a raw data, Duration is a raw data, Users is a raw data and Flows is a raw data, all of which are aggregated into the scheme as mentioned. The raw data and the aggregated data are used to create different types of data models, based on different techniques and for training purpose. The set of data corresponds to enriched NRSL data. The NRSL enrich means creating new and dynamic fields using one or more operations on the collected NRSL data. Operations can be, for example, but not limited to concatenate, append, split, transform, etc. The network protocols can be, for example, but not limited to, a Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), File Transfer Protocol (FTP), Secure Shell (SSH) Protocol, Telecommunication Network (Telnet) Protocol, Internet Control Message Protocol (ICMP), and TCP. The data models can be, for example, but not limited to machine learning models and the artificial intelligence model. The machine learning models and the artificial intelligence model called active learning models reduce the need for complex operations while increasing model accuracy. The data models can be, for example, but not limited to the Linear Regression models, Logistic Regression models, Decision Tree models, Naive Bayes models, K-Means models and Random Forest models.
[0056] At 404, the retrieving unit 212 forwards the retrieved set of data 404 to the determination unit 214. In an embodiment, the retrieving unit 212 is configured to retrieve the set of data from the centralized database 220.
[0057] The determination unit 214 receives the retrieved set of data from the retrieving unit 212. The determination unit 214 is configured to determine the behavioral patterns of the KPIs utilizing data models modelled based on the set of data retrieved from the centralized database 220. At 406, the determination unit 214 is further configured to provide the behavioral pattern of the Key Performance Indicators (KPIs) to the comparing unit 216. The Key Performance Indicator may be received from the statistical measurements or the dynamic measurements from performance measurement (PM) Counters. The (PM) Counters are associated with the system 108 or the server (104). The Key Performance Indicator is used to measure the anomalies information.
[0058] At 408, the comparing unit 216 compares the behavioral pattern 408 with the first pattern and sends a comparison of the first pattern and the determined behavioral patterns of KPIs to the identification unit 218. The first pattern corresponds to a behavioral pattern of the KPI determined based on the incoming data from one of the at least one user equipment 102.
[0059] At 410, the identification unit 218 detects the anomalies 410 by a series of comparisons. For example, the patterns are compared with predetermined thresholds for each KPI. In case a pattern exceeds a predetermined threshold of a KPI, the identification unit 218 shall detect occurrence of an anomaly in the network parameter or network entity or process corresponding to the pattern.
[0060] At 412, the identification unit 218 reports the anomalies 412 to one or more of the plurality of user equipments 102-1 to 102-n, for example the user equipment 102-1. In an example, the anomalies detected can be sent in a report format or a message format to the user equipment 102-1.
[0061] The proposed method can proactively identify occurrence of anomalies, so as to reduce a burden of manual work on an end user for issue detection to a great extent and also saves a lot of time.
[0062] In an example, if a value of a particular call release reason (CRR) within a cell or a region has started varying abnormally as compared to last hour or last day or last week, the variation will be detected as an anomaly and operations would be alerted to the end user and the service provider. Further, using the dashboard, the end user can also analyse the cases such as for any given device Subscription Permanent Identifier (SUPI) or International Mobile Subscriber Identity (IMSI), experience is suddenly degraded after any firmware release or gNB Software release when compared to a previous experience summary of the device / SUPI. Hence, the method also enables detection of sudden fluctuation in the communication network 106 of a particular region or area or cell by detecting the drop in the RSRP (or any other relevant parameter, e.g., SNR or the like) and thereby enables the user to take the appropriate action.
[0063] FIG. 5 shows a flow diagram of a method 500 for detecting anomalies in the communication network 106, according to various embodiments of the present disclosure. More specifically, the method detects anomalies in the communication network 106. For the purpose of description, the method 500 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
[0064] At step 502, the method 500 includes the step of retrieving the set of data from the centralized database 220. In an embodiment, the set of data is the raw data. The raw data can be, for example, but not limited to, a jitter, time delay, a quality of experience, signal strength, a power usage or the like. In another embodiment, the set of data includes the aggregated data retrieved from the distributed file system. Further, the set of data corresponds to the enriched NRSL data. The raw data and the aggregated data are used to create different types of data models, based on different techniques and for training purpose. The data models can be, for example, but not limited to machine learning models and the artificial intelligence model.
[0065] At step 504, the method 500 includes the step of determining a behavioral pattern of Key Performance Indicators (KPI) that utilizes the retrieved set of data. In an embodiment, the behavioral pattern of the KPI is determined utilizing data models modelled based on the set of data retrieved from the centralized database 220. The determined behavioral pattern of the KPI is stored in the centralized database 220. Typically, based on the data models, a trend or pattern of the specified key performance indicators (KPIs) are calculated and stored.
[0066] Further, the determination unit 214 is configured to continuously keep track of incoming data flowing with the computed behavioral pattern for the key performance indicators (KPIs). The determination unit 214 also saves the created patterns. The patterns are then analysed by the determination unit 214 and any significant and sudden deviation from the above normal pattern will be detected as an anomaly and reported to an end user for analysis.
[0067] At step 506, a first pattern is compared with the determined behavioral pattern of the KPI. The comparison further includes analyzing an incoming data for at least one user equipment Subscription Permanent Identifier (SUPI) and at least one user equipment International Mobile Subscriber Identity (IMSI). Further, the incoming data corresponds to at least one of data of at least one user equipment subjected to a firmware release, and data of a plurality of user equipment operational in a certain region and experiencing drop in a Reference Signal Received Power (RSRP).
[0068] At 508, a deviation of the pattern is identified from the determined behavioral pattern of the KPI based on the comparison and thereby detect anomalies. In an embodiment, the deviation in the pattern is identified when the determined behavioral patterns exceed a predetermined threshold. Further, the detected anomalies are provided to a user equipment associated with the user.
[0069] The proposed method can proactively identify occurrence of anomalies, so as to reduce a burden of manual work on an end user for issue detection to a great extent and also saves a lot of time.
[0070] The present invention discloses that the method 500 can be used for detecting anomalies in the communication network 106. In an example, if a value of a particular call release reason (CRR) within a cell or a region has started varying abnormally as compared to last hour or last day or last week, the variation will be detected as an anomaly and operations would be alerted to the end user and the service provider. Further, using the dashboard, the end user can also analyse the cases such as for any given device Subscription Permanent Identifier (SUPI) or International Mobile Subscriber Identity (IMSI), experience is suddenly degraded after any firmware release or gNB Software release when compared to a previous experience summary of the device / SUPI. Hence, the method also enables detection of sudden fluctuation in the communication network 106 of a particular region or area or cell by detecting the drop in the RSRP (or any other relevant parameter, e.g., SNR or the like) and thereby enables the user to take the appropriate action.
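The comparison described at 402 to 412 and at steps 502 to 508, including the call release reason and RSRP cases, can be sketched as follows. This is an added illustration, not code from the disclosure or the applicant: the record layout, cell and KPI names, sample values, and the median/MAD baseline with a 3.5 cut-off are assumptions, since the text only states that the threshold is determined by a data model from historical KPI data.

```python
"""Baseline-versus-incoming KPI comparison (illustrative sketch)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

MAD_TO_SIGMA = 1.4826  # scales MAD to a standard deviation for normal data
MIN_POINTS = 6         # assumption: less history than this gives no baseline


@dataclass(frozen=True)
class Baseline:
    centre: float  # median of the historical KPI values
    spread: float  # scaled MAD, floored so flat history cannot divide by zero
    points: int


def rows(cell, kpi, values, first_slot=0):
    """Expand hourly values into (time_slot, cell, kpi, value) records."""
    return [(first_slot + i, cell, kpi, v) for i, v in enumerate(values)]


def build_baselines(history, min_spread=1.0):
    """Retrieve and determine: one stored pattern per (cell, KPI) pair."""
    series = defaultdict(list)
    for _slot, cell, kpi, value in history:
        series[(cell, kpi)].append(float(value))
    baselines = {}
    for key, values in series.items():
        if len(values) < MIN_POINTS:
            continue  # too little history to call anything "normal"
        centre = median(values)
        mad = median(abs(v - centre) for v in values)
        spread = max(mad * MAD_TO_SIGMA, min_spread)
        baselines[key] = Baseline(centre, spread, len(values))
    return baselines


def detect(baselines, incoming, threshold=3.5):
    """Compare and identify: score each incoming value against its baseline."""
    findings = []
    for slot, cell, kpi, value in incoming:
        base = baselines.get((cell, kpi))
        if base is None:
            # Report the gap instead of silently treating the value as normal.
            findings.append({"slot": slot, "cell": cell, "kpi": kpi,
                             "status": "no_baseline", "score": None})
            continue
        score = (float(value) - base.centre) / base.spread
        if abs(score) > threshold:
            findings.append({"slot": slot, "cell": cell, "kpi": kpi,
                             "status": "anomaly", "score": round(score, 2),
                             "direction": "rise" if score > 0 else "drop"})
    return findings


# Constructed sample data; cell ids and KPI names are hypothetical.
HISTORY = (
    rows("gnb-0001", "crr_radio_link_failure", [12, 14, 11, 13, 15, 12, 13, 14])
    + rows("gnb-0001", "rsrp_dbm", [-92, -91, -93, -92, -90, -92, -91, -93])
    + rows("gnb-0001", "attach_reject", [0, 0, 0, 0, 0, 0, 0, 0])
    + rows("gnb-0002", "rsrp_dbm", [-88, -89, -87])
)
INCOMING = [
    (8, "gnb-0001", "crr_radio_link_failure", 41),  # sudden rise
    (8, "gnb-0001", "rsrp_dbm", -104),              # sudden drop
    (8, "gnb-0001", "attach_reject", 2),            # small move on flat history
    (8, "gnb-0002", "rsrp_dbm", -101),              # not enough history
    (9, "gnb-0001", "crr_radio_link_failure", 14),  # within normal variation
]

if __name__ == "__main__":
    for finding in detect(build_baselines(HISTORY), INCOMING):
        print(finding)
```

The spread floor and the `no_baseline` status cover the two cases where a naive threshold misleads: a KPI whose history is perfectly flat, and a cell with too little history to define normal behaviour.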
[0071] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIGs.1-5) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0072] The present disclosure incorporates technical advancement of automatically detecting anomalies by identifying any sudden change (increase or decrease) in a parameter of significant importance from its previous trend. Further, the disclosed method facilitates monitoring of huge data volume based on specific dimensions and identifying discrepancies in less time. The disclosed approach not only saves the sweat of the end user’s brow but also provides near real-time inputs.
[0073] Further, by disclosed system and method, points or areas of deviations can be identified easily from past behaviour of data. Anomalies can be pointed out for proactive monitoring. Further, using anomaly detection, Radio Access Network (RAN) probes will be able to identify a data point of trend for a Generation NodeB (gNB) or call release reason (CRR) that does not fit a normal pattern.
[0074] The present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize on some of the advantageous features. The listed advantages are to be read in a non-limiting manner.
REFERENCE NUMERALS
[0075] Environment - 100;
[0076] User Equipment(s) - 102, 102-1-102-n;
[0077] Server - 104
[0078] Communication Network - 106;
[0079] System - 108;
[0080] Processor - 202
[0081] Memory - 204
[0082] User Interface - 206
[0083] Display - 208
[0084] Input device - 210
[0085] Retrieving Unit - 212;
[0086] Determination Unit - 214;
[0087] Comparing Unit - 216; and
[0088] Identification Unit - 218;
[0089] Centralized Database - 220;
[0090] System - 300;
[0091] Primary processors - 305;
[0092] Memory Unit of User Equipment - 310;
[0093] Kernel - 315;

Claims

We Claim:
1. A method of detecting anomalies in a communication network (106), the method comprising the steps of: retrieving, by one or more processors (202), a set of data from a centralized database (220); determining, by the one or more processors (202), a behavioural pattern of Key Performance Indicators (KPI) utilizing the retrieved set of data; comparing, by the one or more processors (202), a first pattern with the determined behavioural pattern of the KPI; and identifying, by the one or more processors (202), a deviation of the first pattern from the determined behavioural pattern of the KPI based on the comparison, and thereby detecting anomalies.
2. The method as claimed in claim 1, wherein the set of data is one of a raw data and an aggregated data.
3. The method as claimed in claim 1, wherein the behavioural pattern of the KPI is determined utilizing data models modelled based on the set of data retrieved from the centralized database (220).
4. The method as claimed in claim 1, wherein the determined behavioural pattern of the KPI is stored in the centralized database (220).
5. The method as claimed in claim 1, wherein the first pattern corresponds to a behavioural pattern of KPI determined based on an incoming data from one of at least one of a user equipment.
6. The method as claimed in claim 1, wherein comparing the first pattern with the determined behavioural pattern of the KPI further includes analysing an incoming data for at least one user equipment Subscription Permanent Identifier (SUPI) and at least one user equipment International Mobile Subscriber Identity (IMSI).
7. The method as claimed in claim 6, wherein the incoming data corresponds to at least one of data of an at least one user equipment subjected to a firmware release, and data of a plurality of user equipments operational in a certain region and experiencing a drop in Reference Signal Received Power (RSRP).
8. The method as claimed in claim 1, wherein the set of data corresponds to enriched New Radio Summary logs (NRSL) data.
9. A system (108) for detecting anomalies in a communication network (106), the system (108) comprising: a retrieving unit (212) configured to retrieve a set of data from a centralized database (220); a determination unit (214) configured to determine a behavioural pattern of Key Performance Indicators (KPI) utilizing the retrieved set of data; a comparing unit (216) configured to compare a first pattern with the determined behavioural pattern of the KPI; and an identification unit (218) configured to identify a deviation of the pattern from the determined behavioural pattern of the KPI based on the comparison, and thereby detecting anomalies.
10. The system (108) as claimed in claim 9, wherein the determination unit (214) is configured to determine the behavioural pattern of the KPI utilizing data models modelled based on the set of data retrieved from the centralized database (220).
11. The system (108) as claimed in claim 9, further comprising a centralized database (220) to store the determined behavioural pattern of the KPI.
12. The system (108) as claimed in claim 9, wherein the first pattern corresponds to a behavioural pattern of KPI determined based on an incoming data from one of at least one of a user equipment.
13. The system (108) as claimed in claim 9, wherein incoming data corresponds to at least one of data of an at least one user equipment subjected to a firmware release, and data of a plurality of user equipments operational in a certain region and experiencing a drop in Reference Signal Received Power (RSRP).
14. The system (108) as claimed in claim 9, wherein the set of data is one of a raw data and an aggregated data.
15. The system (108) as claimed in claim 9, wherein the set of data corresponds to enriched New Radio Summary logs (NRSL) data.
16. A non-transitory computer-readable medium having stored thereon computer-readable instructions that, when executed by a processor (202), cause the processor (202) to: retrieve, a set of data from a centralized database (220), the set of data corresponds to enriched New Radio Summary logs (NRSL) data; determine, a behavioural pattern of Key Performance Indicators (KPI) utilizing the retrieved set of data; compare, a first pattern with the determined behavioural pattern of the KPI; and identify, a deviation of the pattern from the determined behavioural pattern of the KPI based on the comparison, and thereby detecting anomalies.
17. A User Equipment (UE) (102-1), comprising: one or more primary processors (305) communicatively coupled to one or more processors (202) of a system (108), the one or more primary processors (305) coupled with a memory (310), wherein said memory (310) stores instructions which when executed by the one or more primary processors (305) causes the UE (102-1) to: receive anomalies from a system (108) to the one or more processors (202); wherein the one or more processors (202) is configured to perform the steps as claimed in claim 1.
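The retrieve / determine / compare / identify steps of claims 9 and 16, applied to the regional RSRP case of claims 6, 7 and 13, as an added example that is not code from the application. The claims name no statistical method, so the median/MAD modified z-score, the 3.5 threshold, the record layout, the IMSIs and the region names are all assumptions made here.

```python
from statistics import median

# Constructed records standing in for enriched NRSL rows: (region, imsi, rsrp_dbm).
# The field layout is hypothetical; the application does not publish an NRSL schema.
HISTORY = [("R1", "001010000000010", v) for v in (-85, -88, -90, -86, -87, -89, -84, -91)]
INCOMING = (
    [("R1", "001010000000001", v) for v in (-86, -88, -87)]     # in line with baseline
    + [("R1", "001010000000002", v) for v in (-112, -115, -110)]  # RSRP drop
    + [("R9", "001010000000003", v) for v in (-90, -92)]          # region never baselined
)

def baseline(records):
    """Determine the behavioural pattern per region: (median RSRP, MAD)."""
    by_region = {}
    for region, _imsi, rsrp in records:
        by_region.setdefault(region, []).append(rsrp)
    pattern = {}
    for region, vals in by_region.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        # Floor the MAD so a perfectly flat history cannot cause division by zero.
        pattern[region] = (med, max(mad, 1.0))
    return pattern

def deviations(pattern, incoming, threshold=3.5):
    """Compare each UE's incoming pattern with its region's baseline."""
    per_ue = {}
    for region, imsi, rsrp in incoming:
        per_ue.setdefault((region, imsi), []).append(rsrp)
    flagged = []
    for (region, imsi), vals in sorted(per_ue.items()):
        if region not in pattern:
            # No baseline: report it instead of silently passing the UE.
            flagged.append((imsi, region, None))
            continue
        med, mad = pattern[region]
        score = 0.6745 * (median(vals) - med) / mad  # modified z-score
        if abs(score) > threshold:
            flagged.append((imsi, region, round(score, 2)))
    return flagged

if __name__ == "__main__":
    for imsi, region, score in deviations(baseline(HISTORY), INCOMING):
        print(imsi, region, "no baseline" if score is None else score)
```

A median/MAD baseline is used because a few already-degraded UEs in the history window shift a mean/standard-deviation baseline far more than they shift the median.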
PCT/IN2024/051217 2023-07-14 2024-07-13 Method and system for detecting anomalies in a communication network Pending WO2025017658A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202321047715 2023-07-14
IN202321047715 2023-07-14

Publications (1)

Publication Number Publication Date
WO2025017658A1 true WO2025017658A1 (en) 2025-01-23

Family

ID=94281595

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2024/051217 Pending WO2025017658A1 (en) 2023-07-14 2024-07-13 Method and system for detecting anomalies in a communication network

Country Status (1)

Country Link
WO (1) WO2025017658A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220038332A1 (en) * 2020-07-31 2022-02-03 Verizon Patent And Licensing Inc. System and method for anomaly detection with root cause identification
US20230126260A1 (en) * 2021-10-25 2023-04-27 Rakuten Mobile, Inc. Method, device and computer program product for anomaly detection and root cause analysis

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
RAMÍREZ JUAN M., DÍEZ FERNANDO, ROJO PABLO, MANCUSO VINCENZO, FERNÁNDEZ-ANTA ANTONIO: "Explainable machine learning for performance anomaly detection and classification in mobile networks", COMPUTER COMMUNICATIONS., ELSEVIER SCIENCE PUBLISHERS BV, AMSTERDAM., NL, vol. 200, 1 February 2023 (2023-02-01), NL , pages 113 - 131, XP093268273, ISSN: 0140-3664, DOI: 10.1016/j.comcom.2023.01.003 *
XUE SHENG, CHEN HUALIANG, ZHENG XIAOLIANG: "Detection and quantification of anomalies in communication networks based on LSTM-ARIMA combined model", INTERNATIONAL JOURNAL OF MACHINE LEARNING AND CYBERNETICS, SPRINGER BERLIN HEIDELBERG, BERLIN/HEIDELBERG, vol. 13, no. 10, 1 October 2022 (2022-10-01), Berlin/Heidelberg, pages 3159 - 3172, XP093197964, ISSN: 1868-8071, DOI: 10.1007/s13042-022-01586-8 *

Similar Documents

Publication Publication Date Title
US11018958B2 (en) Communication network quality of experience extrapolation and diagnosis
US11637740B2 (en) Intelligent anomaly detection and root cause analysis in mobile networks
US10164850B2 (en) Wireless communication data analysis and reporting
US10938844B2 (en) Providing security through characterizing mobile traffic by domain names
US10200506B2 (en) Method, system and device for monitoring data
EP1875728B1 (en) Methods and apparatus for monitoring voice quality on a wireless communication device
US20170295078A1 (en) Systems and methods for measuring effective customer impact of network problems in real-time using streaming analytics
US20180005127A1 (en) Predicting problem events from machine data
US10484253B2 (en) Topology map update with service quality indicators
US11115287B2 (en) System and method for predicting key performance indicator (KPI) in a telecommunication network
US11283696B2 (en) Diagnostic testing in networks
US20230188440A1 (en) Automatic classification of correlated anomalies from a network through interpretable clustering
Nguyen et al. Absence: Usage-based failure detection in mobile networks
WO2024018257A1 (en) Early detection of irregular patterns in mobile networks
CN107241347B (en) Advertisement traffic quality analysis method and device
WO2025017658A1 (en) Method and system for detecting anomalies in a communication network
JP2018157431A (en) Information processing apparatus, information processing method, and program
US20240257069A1 (en) Predictive care of customer premises equipments
EP3829110B1 (en) Self-managing a network for maximizing quality of experience
WO2025017656A1 (en) Method and system for managing a device connected to a network
WO2025017715A1 (en) System and method for detecting anomalies in a communication network
WO2025012986A2 (en) Method and system for selecting path for communication within communication network
WO2025079103A1 (en) Method and system for anomaly detection in a network
WO2025022442A1 (en) Method and system for for creating procedure data records (pdr)
WO2025012982A2 (en) Method and system for handling errors between a home network and a foreign network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24842649

Country of ref document: EP

Kind code of ref document: A1