DESC:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003

COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
METHOD AND SYSTEM OF DETECTING ANOMALY IN A NETWORK
2. APPLICANT(S)
NAME NATIONALITY ADDRESS
JIO PLATFORMS LIMITED INDIAN OFFICE-101, SAFFRON, NR. CENTRE POINT, PANCHWATI 5 RASTA, AMBAWADI, AHMEDABAD 380006, GUJARAT, INDIA
3.PREAMBLE TO THE DESCRIPTION

THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE NATURE OF THIS INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.

FIELD OF THE INVENTION
[0001] The present invention generally relates to wireless communication networks, and more particularly relates to a method and system for detecting anomaly in the wireless communication network.
BACKGROUND OF THE INVENTION
[0002] In existing legacy metrics methods and legacy metrics systems, a lot of manual processes need to be done for running agents and collecting metrics. There is no completely automated process for deploying a system in a cloud environment to detect an anomaly in a network. The manual processes, configuration, and management of monitoring running agents and collecting metrics processes require significant time and effort from a service provider. In this regard, the detection of the anomaly may be delayed. It slows down the deployment and operational performance of systems.
[0003] Hence, there is a need for a system and a method for ensuring seamless cloud infrastructure monitoring in a cloud environment by using a closed-loop automation in an effective manner.
SUMMARY OF THE INVENTION
[0004] One or more embodiments of the present disclosure provide a method and a system of detecting anomaly in a network.
[0005] In one aspect of the present invention, the method of detecting anomaly in the network is disclosed. The method includes the step of fetching, by one or more processors, metrics of a plurality of network functions stored in a database. The method includes the step of analyzing, by the one or more processors, utilizing a trained model, the metrics fetched from the database. The method includes the step of detecting, by the one or more processors, an anomaly in the network pertaining to the fetched metrics of at least one of the plurality of network functions based on a pre-defined threshold set utilizing the metrics analyzed. The method includes the step of triggering, by the one or more processors, one or more actions in order to address the detected anomaly.
[0006] In one embodiment, the metrics of the plurality of network functions include at least one of, Central Processing Unit (CPU) usage, memory utilization, network latency, or any other relevant performance indicators.
[0007] In another embodiment, the one or more actions includes at least one of, restarting services, generating alerts, predefined responses including scaling up or scaling down resources, triggering remediation processes.
[0008] In yet another embodiment, the trained model is at least one of a, an Artificial Intelligence/Machine Learning (AI/ML) model.
[0009] In yet another embodiment the model is trained utilizing historical data pertaining to the metrics of the plurality of network functions.
[0010] In yet another embodiment, the trained model learns trends/patterns related to the metrics of the plurality of network functions.
[0011] In yet another embodiment, the pre-defined threshold is set by the one or more processors utilizing the metrics which are analyzed based on the trained model. The trained model includes the learnt trends/patterns related to the metrics of the plurality of network functions.
[0012] In yet another embodiment, the pre-defined threshold is dynamically adjusted by the one or more processors for the metrics of the plurality of network functions based on a change in network conditions.
[0013] In yet another embodiment, the dynamic adjustment of the pre-defined threshold includes the steps of detecting, by the one or more processors, utilizing the trained model, a change in network conditions based on the learnt trends/patterns from the historical data of a network behavior. The dynamic adjustment of the pre-defined threshold includes the steps of dynamically adjusting, by the one or more processors, utilizing the trained model, the pre-defined threshold based on detection of change in network conditions.
[0014] In yet another embodiment, the step of detecting, an anomaly in the network pertaining to the fetched metrics of at least one of the plurality of network functions based on a pre-defined threshold set utilizing the metrics analyzed, includes the steps of comparing, by the one or more processors, the metrics fetched from the database with the predefined threshold. The step of detecting, an anomaly in the network pertaining to the fetched metrics of at least one of the plurality of network functions based on a pre-defined threshold set utilizing the metrics analyzed, includes the steps of in response to determining, a breach in at least one of the fetched metrics in comparison to the predefined threshold, detecting, by the one or more processors, the anomaly in the network.
[0015] In yet another embodiment, the method includes the steps of proactive monitoring, by the one or more processors, the plurality of network functions in order to pull metrics from one or more container on a host based on determining the availability of at least one of, a host network function. The method includes the steps of providing, by the one or more processors, one or more alerts on determination of non-availability of the host network function.
[0016] In another aspect of the present invention, the system for detecting anomaly in the network is disclosed. The system includes an analysis manager, configured to, fetch, metrics of a plurality of network functions stored in a database. The system further includes the analysis manger configured to, analyze, utilizing a trained model, the metrics fetched from the database. The system includes a detection unit, configured to detect an anomaly in the network pertaining to the fetched metrics of at least one of the plurality of network functions based on a pre-defined threshold set utilizing the metrics analyzed. The system includes a triggering unit, configured to trigger, one or more actions in order to address the detected anomaly.
[0017] In yet another aspect of the present invention, a non-transitory computer-readable medium having stored thereon computer-readable instructions that, when executed by a processor is disclosed. The processor is configured to fetch metrics of a plurality of network functions stored in a database. The processor is configured to analyze, utilizing a trained model, the metrics fetched from the database. The processor is configured to detect an anomaly in the network pertaining to the fetched metrics of at least one of the plurality of network functions based on a pre-defined threshold set utilizing the metrics analyzed. The processor is configured to trigger one or more actions in order to address the detected anomaly.
[0018] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0019] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0020] FIG. 1 is an exemplary block diagram of an environment for detecting anomaly in a network, according to one or more embodiments of the present disclosure;
[0021] FIG. 2 is an exemplary block diagram of a system for detecting the anomaly in the network, according to one or more embodiments of the present disclosure;
[0022] FIG. 3 is a sequence flow diagram illustrating the system for detecting the anomaly in the network, according to one or more embodiments of the present disclosure;
[0023] FIG. 4 is a flow diagram illustrating a method for detecting the anomaly in the network, according to one or more embodiments of the present disclosure; and
[0024] FIG. 5 is a flow diagram illustrating a method for detecting the anomaly in the network pertaining to fetched metrics of at least one of a plurality of Network Functions (NFs);
[0025] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0026] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0027] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0028] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0029] FIG. 1 illustrates an exemplary block diagram of an environment 100 for detecting anomaly in a network 105, according to one or more embodiments of the present disclosure. The environment 100 includes the network 105, a User Equipment (UE) 110, a server 115, and a system 120. The UE 110 aids a user to interact with the system 120 for detecting anomaly in the network 105.
[0030] As per the illustrated embodiment and for the purpose of description and explanation, the description will be explained with respect to the UE 110, or to be more specific will be explained with respect to a first UE 110a, a second UE 110b, and a third UE 110c, and should nowhere be construed as limiting the scope of the present disclosure. Each of the first UE 110a, the second UE 110b, and the third UE 110c connected to the network 105, will hereinafter be collectively and individually referred to as the “User Equipment (UE) 110”.
[0031] In an embodiment, the UE 110 is one of, but not limited to, any electrical, electronic, electro-mechanical or an equipment and a combination of one or more of the above devices such as virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device.
[0032] The network 105 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof. The network 105 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
[0033] The network 105 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth. The network 105 may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, a VOIP or some combination thereof.
[0034] The environment 100 includes the server 115 accessible via the network 105. The server 115 may include by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof. In an embodiment, the entity may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise side, a defense facility side, or any other facility that provides service.
[0035] The environment 100 further includes the system 120 communicably coupled to the server 115 and the UE 110 via the network 105. The system 120 is adapted to be embedded within the server 115 or is embedded as the individual entity.
[0036] Operational and construction features of the system 120 will be explained in detail with respect to the following figures.
[0037] FIG. 2 illustrates an exemplary block diagram of the system 120 for detecting the anomaly in the network 105, according to one or more embodiments of the present disclosure. The system 120 includes one or more processors 205, a memory 210, and a distributed data lake 240. The one or more processors 205, hereinafter referred to as the processor 205 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions. As per the illustrated embodiment, the system 120 includes one processor 205. However, it is to be noted that the system 120 may include multiple processors as per the requirement and without deviating from the scope of the present disclosure. In alternate embodiments, the system 108 may include more than one processor 205 as per the requirement of the network 105.
[0038] Among other capabilities, the processor 205 is configured to fetch and execute computer-readable instructions stored in the memory 210. The memory 210 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory 210 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as EPROMs, FLASH memory, unalterable memory, and the like.
[0039] The distributed data lake 240 is a data repository providing storage and computing for structured and unstructured data, such as for machine learning, streaming, or data science. The distributed data lake 240 allows the user and/or an organization to ingest and manage large volumes of data in an aggregated storage solution for business intelligence or data products. The distributed data lake 240 may be implemented and utilize different technologies.
[0040] Further, the processor 205, in an embodiment, may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 205. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 205 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for processor 205 may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 210 may store instructions that, when executed by the processing resource, implement the processor 205. In such examples, the system 120 may comprise the memory 210 storing the instructions and the processing resource to execute the instructions, or the memory 210 may be separate but accessible to the system 120 and the processing resource. In other examples, the processor 205 may be implemented by electronic circuitry.
[0041] In order for the system 120 to detect an anomaly in the network 105, the processor 205 includes an analysis manager 215, a detection unit 220, a triggering unit 225, a monitoring unit 230, and an alert unit 235 communicably coupled to each other for detecting the anomaly in the network 105.
[0042] The analysis manager 215, the detection unit 220, the triggering unit 225, the monitoring unit 230, and the alert unit 235, in an embodiment, may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 205. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 205 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 210 may store instructions that, when executed by the processing resource, implement the processor. In such examples, the system 120 may comprise the memory 210 storing the instructions and the processing resource to execute the instructions, or the memory 210 may be separate but accessible to the system 120 and the processing resource. In other examples, the processor 205 may be implemented by electronic circuitry.
[0043] The analysis manager 215 is configured to fetch metrics of a plurality of Network Functions (NFs) stored in a distributed data lake 240. The plurality of NFs refers to a specific functional component within the network 105 that performs particular tasks or roles related to network operations, authorizations, mobility, policy management, charging, billing, security, traffic management, and service delivery. The analysis manager 215 interacts with the plurality of NFs on a southbound interface. The plurality of NFs performs one or more tasks. In an embodiment, the one or more tasks can range from basic data forwarding and routing to more complex operations such as security enforcement, load balancing, or data analytics. In one embodiment, the metrics of the plurality of NFs include at least one of, a Central Processing Unit (CPU) usage, a memory utilization, and a network latency, or any other relevant performance indicators. In another embodiment, the metrics are collected for containers, and the containers are hosted on the server 115. The one or more Agent Managers (AMs) 310 (shown in FIG.3) are hosted on the first and the second host 315, 320 (shown in FIG.3). The one or more AMs 310 are allocated to each of the first and second host 315, 320 by providing IP addresses of the first and second host 315, 320.
[0044] In another embodiment, the analysis manager 215 is configured to collect the container, docker, image, volumes, and daemon type of service statistics along with Kubernetes. A mapping of the first and the second host 315, 320 are completed at the one or more AMs 310. The metrics are collected of each individual container running on the server 115 effectively. The analysis manager 215 is configured to analyze the metrics fetched from the distributed data lake 240 by utilizing a trained model. In an embodiment, the trained model is at least one of a, Artificial Intelligence/Machine Learning (AI/ML) model 340 (shown in FIG.3). The AI/ML model 340 is configured to run on the metrics to determine anomalies or trigger forecasting for the metrics. The AI/ML model 340 is responsible for running the AI/ML techniques on the metrics that are stored in the distributed data lake 240. The AI/ML model 340 is used to identify the anomalies in the metrics or to forecast future trends. The AI/ML model 340 utilizes a variety of ML techniques, such as supervised learning, unsupervised learning, and reinforcement learning.
[0045] In one embodiment, the supervised learning is a type of machine learning algorithm, which is trained on a labeled dataset. The supervised learning refers to each training example paired with an output label. The supervised learning algorithm learns to map inputs to a correct output. In one embodiment, the unsupervised learning is a type of machine learning algorithm, which is trained on data without any labels. The unsupervised learning algorithm tries to learn the underlying structure or distribution in the data in order to discover patterns or groupings. In one embodiment, the reinforcement learning is a type of machine learning where an agent learns to make decisions by performing actions in an environment to maximize cumulative reward. The agent receives feedback in the form of rewards or penalties based on the actions it takes, and it learns a path that maps states of the environment to the best actions.
[0046] The AI/ML model 340 is trained utilizing at least one of, historical data pertaining to the metrics of the plurality of NFs. The historical data is used to analyze past network performance and identify trends or patterns. In an embodiment, the trained model learns the trends/patterns related to the metrics of the plurality of NFs. The trained AI/ML model 340 is configured to analyze the trends over time, such as gradual increases in bandwidth usage or recurring patterns of downtime, which aids in understanding the long-term behavior of the network 105. The trained AI/ML model 340 learns trends/patterns related to the metrics of the plurality of NFs. For instance, the patterns may refer to detecting periodic increases in error rates that correspond with specific events or identify correlations between high packet loss rates and certain network configurations.
[0047] Upon analyzing the metrics fetched from the distributed data lake 240 utilizing the trained model, the detection unit 220 is configured to detect the anomaly in the network 105 pertaining to the fetched metrics of at least one of the plurality of NFs. Further, the detection unit 220 is configured to detect the anomaly in the network 105 based on a pre-defined threshold set utilizing the metrics analyzed. In an embodiment, the pre-defined threshold is set by the detection unit 220 utilizing the metrics which are analyzed based on the trained model. The trained model includes the learnt trends/patterns related to the metrics of the plurality of NFs. In one embodiment, the pre-defined threshold is dynamically adjusted by the detection unit 220 for the metrics of the plurality of NFs based on a change in network conditions. In another embodiment, the pre-defined threshold is dynamically adjusted by using the trained model to analyze the historical data and predict future trends. The trained model aids in identifying patterns and making predictive adjustments to the pre-defined threshold.
[0048] The detection unit 220 is configured to perform dynamic adjustment of the pre-defined threshold by detecting the change in network conditions. The detection unit 220 is configured to perform dynamic adjustment of the pre-defined threshold based on the learnt trends/patterns from the historical data of the network behavior utilizing the trained model. Upon dynamically adjusting the pre-defined threshold, the detection unit 220 is configured to detect the anomaly in the network 105 by comparing the metrics fetched from the distributed data lake 240. Further, the detection unit 220 is configured to determine a breach in at least one of the fetched metrics in comparison to the predefined threshold for detecting the anomaly in the network 105.
[0049] Upon detecting the anomaly in the network 105, the triggering unit 225 is configured to trigger one or more actions in order to address the detected anomaly. In an embodiment, the one or more actions includes at least one of, restarting services, generating alerts, predefined responses including scaling up or scaling down resources or new instances of the plurality of NFs, triggering remediation processes. Let us consider for an example, sending an email or Short Message Service (SMS) alert to the network administrator when an anomaly such as unusual traffic patterns or unauthorized access attempts is detected. In an embodiment, scaling up resources can increase the bandwidth allocation for a particular network segment experiencing heavy traffic. In an embodiment, scaling down resources reduces CPU and memory resources allocated to a service that is underutilized. In an embodiment, the triggering remediation processes refers to the one or more actions designed to address and resolve issues within the network 105 without need for manual intervention. The triggering remediation processes are performed to improve system health, ensure uptime, and improve efficiency.
[0050] Further, the monitoring unit 230 is configured to proactively monitor the plurality of NFs in order to pull the metrics from the container of the host based on determining the availability of at least one of, a host network function. Upon proactively monitoring the plurality of NFs, the alert unit 235 is configured to provide one or more alerts on determination of non-availability of the host network function.
[0051] By detecting anomaly in the network 105, the system 120 enables closed-loop automation, where the system 120 automatically responds to the threshold violations without manual intervention. Based on the AI/ML analysis, the system 120 initiates the one or more actions to address the identified anomalies. The closed-loop automation helps in maintaining system health, optimizing performance, reducing manual efforts, improving user experience. Further, the system 120 implement the one or more actions and continuously monitors the network metrics, which ensures that the network 105 operates efficiently and predicts future requirements of the one or more resources utilizing the trained model, thus improving processing speed of the processor 205, avoiding the network traffic, and reducing requirement of memory space.
[0052] FIG. 3 is a sequence flow diagram illustrating the system 120 for detecting anomaly in the network 105, according to one or more embodiments of the present disclosure.
[0053] In an example, the system 120 includes an infrastructure manager 305 that is a central component of the system 120. The infrastructure manager 305 interacts with a Graphical User Interface (GUI)/dashboard on the southbound and the one or more AMs 310 on the northbound via a Hypertext Transfer Protocol (HTTP) interface. The infrastructure manager 305 allocates host Internet Protocols (IPs) to the one or more AMs 310 and manages the provisioning and scaling of the new instance of the plurality of NFs. The network instance is a virtual or logical representation of the network 105 within a physical network infrastructure. The network instance allows for the segmentation and isolation of one or more resources, configurations, and traffic, providing enhanced security, scalability, and flexibility.
[0054] In an example, the system 120 includes the one or more AMs 310 included in the first host 315 and the second host 320 that interacts with the NFs on the southbound interface. The one or more AMs 310 receives the metrics from the at least one of the plurality of NFs, such as network traffic, CPU utilization, and memory usage. The one or more AMs 310 are configured to transmit the metrics to a metric ingestion layer 325. In an embodiment, the metric ingestion layer refers as a broker topic, which is a messaging system that distributes the network metrics to other components of the system 120.
[0055] The one or more AMs 310 are responsible for collecting the network metrics from the at least one of the plurality of NFs. The one or more AMs 310 uses a variety of methods to collect the network metrics, such as polling, sampling, and event-based collection. The one or more AMs 310 are configured to transmit the collected network metrics to the broker in a format that is easy for the other components of the system 120 to understand. Further, the one or more AMs 310 running at the first and second host 315, 320, which fetch the metrics of the server 115. Each of the one or more AMs 310 are defined with one or more servers/containers/processes to collect the one or more metrics from each allocated server/container/process. The one or more AMs 310 are allocated the server 115/container/process using one or more identifiers. In an embodiment, the one or more identifiers include, but not limited to, IP address, process ID, container ID, and the like.
[0056] Further, the infrastructure manager 305 is responsible for managing the provisioning and scaling of the new instance of the plurality of NFs. The infrastructure manager 305 is configured to receive one or more requests from the AM 310 for new network instances. The infrastructure manager 305 is configured to allocate the host IPs to the AM 310 and provision the network instance. The infrastructure manager 305 is also configured to monitor the performance of the network instance and scale the network instance up or down as required.
[0057] The infrastructure manager 305 interacts with the GUI/dashboard on the southbound interface, which allows a user to view and manage the system 120. In an embodiment, the user includes at least one of a network operator. The infrastructure manager 305 also interacts with the AM 310 on the northbound interface, which allows the AM 310 to communicate with the other components of the system 120.
[0058] In an example, the system 120 further includes a metric ingestion layer 325 that consumes the network metrics from the broker topics and creates a Comma-Separated Values (CSV) file for the same. The CSV file is processed by an infrastructure enrichment layer 330. The metric ingestion layer 325 is responsible for consuming the metrics from the broker topics. The broker topics are the channels through which the AM 310 transmits the metrics to the other components of the system 120. The metric ingestion layer 325 creates the CSV file for the metrics, which is easy to process by the infrastructure enrichment layer 330. The metric ingestion layer 325 also performs some data cleansing, such as removing duplicate records and correcting typos, which ensures that the network metrics sent to the infrastructure enrichment layer 330 are accurate and consistent.
[0059] Upon transmitting the metrics from the metric ingestion layer 325, the infrastructure enrichment layer 330 is configured to fetch/pull the CSV files which are being created by the metric ingestion layer 325. The CSV files are pushed to an infrastructure normalizer 335 for processing. The infrastructure enrichment layer 330 is responsible for enriching the network metrics that are received from the metric ingestion layer 325. The infrastructure enrichment layer 330 adds additional information to the metrics, such as timestamps and metadata. The infrastructure enrichment layer 330 also performs some basic data analysis on the data, such as identifying trends and anomalies. The information is used by the other components of the system 120 to make better decisions about network resource provisioning and scaling of the new instance of the plurality of NFs.
[0060] Upon receiving the CSV files from the infrastructure enrichment layer 330, the infrastructure normalizer 335 is a data normalization platform which intelligently processes the network metrics, filters out and stores the filtered network metrics in the distributed data lake 240. The infrastructure normalizer 335 is responsible for normalizing the network metrics that is received from the infrastructure enrichment layer 330. The infrastructure normalizer 335 is configured to convert the data into a standard format and removes any outliers or anomalies. The normalized data is then stored in the distributed data lake 240, which is a repository for storing large amounts of data. The infrastructure normalizer 335 also performs some basic data mining on the data, such as identifying patterns and correlations. The information is used by the other components of the system 120 to make better decisions about network resource provisioning and scaling of the new instance of the plurality of NFs.
[0061] Upon processing the metrics from the infrastructure normalizer 335, the AI/ML model 340 runs the metrics to find any anomalies or triggers forecasting for the network metrics. The AI/ML model 340 is configured to transmit the results to the forecasting engine 345, a reporting & alarm engine 350, and an anomaly detection engine 355. The AI/ML model 340 is responsible for running the AI/ML techniques on the network metrics that are stored in the distributed data lake 240. The AI/ML techniques are used to identify any anomalies in the network metrics or to forecast future trends. The results of the AI/ML techniques are sent to the forecasting engine 345, a reporting & alarm engine 350, and an anomaly detection engine 355.
[0062] Upon receiving the results of the AI/ML techniques, the system 120 further includes the forecasting engine 345 that receives a request from the AI/ML model 340 to take one or more actions using the pre-defined threshold. The forecasting engine 345 has the capability to network expansion based on data trends from the AI/ML techniques. The forecasting engine 345 is responsible for taking the one or more actions based on the results of the AI/ML techniques. The forecasting engine 345 uses the metrics from the AI/ML model 340 to forecast future demand for network resources. The forecasting engine 345 compares the forecast to the current demand and takes one or more actions if the forecast indicates that the demand will exceed the current capacity.
[0063] Further, the system 120 further includes the reporting & alarm engine 350 that receives the request from the AI/ML model 340 to generate alarms based on using the pre-defined threshold. The reporting & alarm engine 350 is configured for generating the alarms based on the results of the AI/ML techniques. The reporting & alarm engine 350 is configured to generate one or more alerts such as "network congestion" or "network outage." The reporting & alarm engine 350 also sends reports to the user about the system's performance. The reports include information such as the current demand for the one or more resources, the forecast for future demand, and the actions that have been taken by the forecasting engine 345.
[0064] Further, the system 120 further includes the anomaly detection engine 355 that receives an anomaly request from the AI/ML model 340 to take action in a closed loop. The anomaly detection engine 355 has the capability to expand the network 105 in the closed loop automation. The anomaly detection engine 355 is responsible for detecting anomalies in the metrics. The anomaly detection engine 355 can detect anomalies such as "spikes in network traffic" or "sudden drops in CPU utilization." The anomaly detection engine 355 sends reports to the user about the anomalies that have been detected. The reports include information such as the type of anomaly, the time at which it occurred, and the impact of the anomaly on the system 120.
[0065] FIG. 4 is a flow diagram illustrating the method of detecting anomaly in the network 105, according to one or more embodiments of the present disclosure. For the purpose of description, the method 400 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
[0066] At step 405, the method 400 includes the step of fetching metrics of the plurality of network functions stored in the distributed data lake 240. The analysis manager 215 interacts with the plurality of NFs on the southbound interface. The plurality of NFs performs one or more tasks. In an embodiment, the one or more tasks can range from basic data forwarding and routing to more complex operations such as security enforcement, load balancing, or data analytics. In an embodiment, the metrics of the plurality of NFs include at least one of, a Central Processing Unit (CPU) usage, a memory utilization, and a network latency, or any other relevant performance indicators. In an embodiment, the metrics are collected for containers as well as the first and the second host 315, 320 of the containers. In another embodiment, the analysis manager 215 is configured to collect the container, docker, image, volumes, and daemon type of service statistics along with Kubernetes.
[0067] At step 410, the method 400 includes the step of analyzing, utilizing a trained model, the metrics fetched from the distributed data lake 240 by the analysis manager 215. In an embodiment, the trained model is at least one of a, Artificial Intelligence/Machine Learning (AI/ML) model 340. The AI/ML model 340 is configured to run on the metrics to determine anomalies or trigger forecasting for the metrics. The AI/ML model 340 is responsible for running AI/ML techniques on the metrics that are stored in the distributed data lake 240. The AI/ML model 340 is used to identify the anomalies in the metrics or to forecast future trends. The ML model utilizes a variety of ML techniques, such as supervised learning, unsupervised learning, and reinforcement learning.
[0068] At step 415, the method 400 includes the step of detecting the anomaly in the network 105 pertaining to the fetched metrics of at least one of the plurality of NFs by the detection unit 220. Further, the detection unit 220 is configured to detect the anomaly in the network 105 based on a pre-defined threshold set utilizing the metrics analyzed. In an embodiment, the pre-defined threshold is set by the detection unit 220 utilizing the metrics which are analyzed based on the trained model. The trained model includes the learnt trends/patterns related to the metrics of the plurality of NFs. In one embodiment, the pre-defined threshold is dynamically adjusted by the detection unit 220 for the metrics of the plurality of NFs based on a change in network conditions. In another embodiment, the pre-defined threshold is dynamically adjusted by using the trained model to analyze the historical data and predict future trends. The trained model aids in identifying patterns and making predictive adjustments to the pre-defined threshold.
[0069] The detection unit 220 is configured to perform dynamic adjustment of the pre-defined threshold by detecting the change in network conditions. The detection unit 220 is configured to perform dynamic adjustment of the pre-defined threshold based on the learnt trends/patterns from the historical data of the network behavior utilizing the trained model. Upon dynamically adjusting the pre-defined threshold, the detection unit 220 is configured to detect the anomaly in the network 105 by comparing the metrics fetched from the distributed data lake 240. Further, the detection unit 220 is configured to determine a breach in at least one of the fetched metrics in comparison to the predefined threshold for detecting the anomaly in the network 105.
[0070] At step 420, the method 400 includes the step of triggering one or more actions in order to address the detected anomaly by the triggering unit 225. In an embodiment, the one or more actions includes at least one of, restarting services, generating alerts, predefined responses including scaling up or scaling down resources or new instances of the plurality of NFs, triggering remediation processes. Further, the monitoring unit 230 is configured to proactively monitor the plurality of NFs in order to pull the metrics from the container of the host based on determining the availability of at least one of, a host network function. Upon proactively monitoring the plurality of NFs, the alert unit 235 is configured to provide one or more alerts on determination of non-availability of the host network function.
[0071] FIG. 5 is a flow diagram illustrating the method 500 for detecting an anomaly in the network pertaining to the fetched metrics of at least one of the plurality of NFs based on a pre-defined threshold set utilizing the metrics analyzed, according to one or more embodiments of the present disclosure.
[0072] At step 505, the method 415 includes the step of comparing the metrics fetched from the distributed data lake 240 with the predefined threshold. If the metrics fetched from the distributed data lake 240 exceed the predefined threshold, the detection unit 220 is configured to detect the anomaly in the network 105. In an exemplary embodiment, the CPU usage is correlated with network traffic, which increases the network traffic, and also increases CPU utilization. If the CPU utilization exceeds the predefined threshold, then the detection unit 220 is configured to detect the anomaly in the network 105.
[0073] At step 510, the method 415 includes the step of determining a breach in at least one of the fetched metrics in comparison to the predefined threshold for detecting the anomaly in the network 105. For example, the memory usage increases, which reduces throughput and increases latency, and also affects system performance. If the memory usage exceeds the predefined threshold, then the detection unit 220 is configured to detect the anomaly in the network 105 and generates the one or more alerts on determination of non-availability of the host network function.
[0074] The present invention discloses a non-transitory computer-readable medium having stored thereon computer-readable instructions. The computer-readable instructions are executed by a processor 205. The processor 205 is configured to fetch metrics of a plurality of Network Functions (NFs) stored in a distributed data lake 240. The processor 205 is configured to analyze, utilizing a trained model, the metrics fetched from the distributed data lake 240. The processor 205 is configured to detect an anomaly in the network 105 pertaining to the fetched metrics of at least one of the plurality of NFs based on a pre-defined threshold set utilizing the metrics analyzed. The processor 205 is configured to trigger one or more actions in order to address the detected anomaly.
[0075] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIG.1-5) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0076] The present disclosure incorporates technical advancement for detecting an anomaly in the network pertaining to the fetched metrics of at least one of the plurality of network functions utilizing the trained model. The trained model learns the trends/patterns related to the metrics. The present invention enables closed-loop automation, and automatically responds to the threshold violations without manual intervention. Based on the AI/ML analysis, the present invention initiates the one or more actions to address the identified anomalies. The closed-loop automation helps in maintaining system health, optimizing performance, reducing manual efforts, improving user experience. Further, the present invention implementing the one or more actions and continuously monitoring the network metrics, which ensures that the network operates efficiently and predict future requirements of the one or more resources utilizing the trained model, thus improving processing speed of the processor, avoiding the network traffic, and reducing requirement of memory space.
[0077] The present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize on some of the advantageous features. The listed advantages are to be read in a non-limiting manner.

REFERENCE NUMERALS
[0078] Environment – 100;
[0079] Network – 105;
[0080] UE- 110;
[0081] Server – 115;
[0082] System – 120;
[0083] Processor -205;
[0084] Memory – 210;
[0085] Analysis Manager– 215;
[0086] Detection unit– 220;
[0087] Triggering unit– 225;
[0088] Monitoring unit– 230;
[0089] Alert unit-235;
[0090] Distributed data lake- 240;
[0091] Infrastructure manger- 305;
[0092] Agent Manager (AM)-310;
[0093] First host-315;
[0094] Second host-320;
[0095] Metric ingestion layer-325;
[0096] Infrastructure enrichment layer-330;
[0097] Infrastructure normalizer-335;
[0098] AI/ML model-340;
[0099] Forecasting engine-345;
[00100] Reporting and alarm engine- 350;
[00101] Anomaly detection engine-355.

,CLAIMS:CLAIMS
We Claim:
1. A method (400) of detecting anomaly in a network (105), the method (400) comprising the steps of:
fetching (405), by one or more processors (205), metrics of a plurality of network functions stored in a distributed data lake (240);
analyzing (410), by the one or more processors (205), utilizing a trained model, the metrics fetched from the distributed data lake (240);
detecting (415), by the one or more processors (205), an anomaly in the network (105) pertaining to the fetched metrics of at least one of the plurality of network functions based on a pre-defined threshold set utilizing the metrics analyzed; and
triggering (420), by the one or more processors (205), one or more actions in order to address the detected anomaly.

2. The method (400) as claimed in claim 1, wherein the metrics of the plurality of network functions includes at least one of, Central Processing Unit (CPU) usage, memory utilization, network latency, or any other relevant performance indicators.

3. The method (400) as claimed in claim 1, wherein the one or more actions includes at least one of, restarting services, generating alerts, predefined responses including scaling up or scaling down resources, triggering remediation processes.

4. The method (400) as claimed in claim 1, wherein the trained model is at least one of a, Artificial Intelligence/Machine Learning (AI/ML) model (340).

5. The method (400) as claimed in claim 1, wherein the model is trained utilizing historical data pertaining to the metrics of the plurality of network functions.

6. The method (400) as claimed in claim 1, wherein the trained model learns trends/patterns related to the metrics of the plurality of network functions.

7. The method (400) as claimed in claim 1, wherein the pre-defined threshold is set by the one or more processors (205) utilizing the metrics which are analyzed based on the trained model, the trained model including the learnt trends/patterns related to the metrics of the plurality of network functions.

8. The method (400) as claimed in claim 1, wherein the pre-defined threshold is dynamically adjusted by the one or more processors (205) for the metrics of the plurality of network functions based on a change in network conditions.

9. The method (400) as claimed in claim 8, wherein the dynamic adjustment of the pre-defined threshold includes the steps of:
detecting, by the one or more processors (205), utilizing the trained model, a change in network conditions based on the learnt trends/patterns from the historical data of a network behavior; and
dynamically adjusting, by the one or more processors (205), utilizing the trained model, the pre-defined threshold based on detection of change in network conditions.

10. The method (400) as claimed in claim 1, wherein the step of detecting (415), an anomaly in the network (105) pertaining to the fetched metrics of at least one of the plurality of network functions based on a pre-defined threshold set utilizing the metrics analyzed, includes the steps of:
comparing (505), by the one or more processors (205), the metrics fetched from the distributed data lake (240) with the predefined threshold; and
in response to determining, a breach in at least one of the fetched metrics in comparison to the predefined threshold, detecting, by the one or more processors (205), the anomaly in the network (105).

11. The method (400) as claimed in claim 1, wherein the method (400) includes the steps of:
proactive monitoring, by the one or more processors (205), the plurality of network functions in order to pull metrics from one or more containers on a host based on determining the availability of at least one of, a host network function; and
providing, by the one or more processors (205), one or more alerts on determination of non-availability of the host network function.

12. A system (120) for detecting anomaly in a network (105), the system comprising:
an analysis manager (215), configured to, fetch, metrics of a plurality of network functions stored in a distributed data lake (240);
the analysis manager (215), configured to, analyze, utilizing a trained model, the metrics fetched from the distributed data lake (240);
a detection unit (220), configured to, detect, an anomaly in the network (105) pertaining to the fetched metrics of at least one of the plurality of network functions based on a pre-defined threshold set utilizing the metrics analyzed; and
a triggering unit (225), configured to, trigger, one or more actions in order to address the detected anomaly.

13. The system (120) as claimed in claim 12, wherein the metrics of the plurality of network functions includes at least one of, Central Processing Unit (CPU) usage, memory utilization, network latency, or any other relevant performance indicators.

14. The system (120) as claimed in claim 12, wherein the one or more actions includes at least one of, restarting services, generating alerts, predefined responses including scaling up or scaling down resources, triggering remediation processes.

15. The system (120) as claimed in claim 12, wherein the trained model is at least one of a, Artificial Intelligence/Machine Learning (AI/ML) model (340).

16. The system (120) as claimed in claim 12, wherein the model is trained utilizing historical data pertaining to the metrics of the plurality of network functions.

17. The system (120) as claimed in claim 12, wherein the trained model learns trends/patterns related to the metrics of the plurality of network functions.

18. The system (120) as claimed in claim 12, wherein the pre-defined threshold is set by the detection unit (220) utilizing the metrics which are analyzed based on the trained model, the trained model including the learnt trends/patterns related to the metrics of the plurality of network functions.

19. The system (120) as claimed in claim 12, wherein the pre-defined threshold is dynamically adjusted by the detection unit (220) for the metrics of the plurality of network functions based on a change in network conditions.

20. The system (120) as claimed in claim 19, wherein the detection unit (220) performs dynamic adjustment of the pre-defined threshold, by:
detecting, utilizing the trained model, a change in network conditions based on the learnt trends/patterns from the historical data of a network behavior; and
dynamically adjusting, utilizing the trained model, the pre-defined threshold based on detection of change in network conditions.

21. The system (120) as claimed in claim 12, wherein the detection unit (220) detects, an anomaly in the network (105) pertaining to the fetched metrics of at least one of the plurality of network functions based on a pre-defined threshold set utilizing the metrics analyzed, by:
comparing, the metrics fetched from the distributed data lake (240) with the predefined threshold; and
in response to determining, a breach in at least one of the fetched metrics in comparison to the predefined threshold, detecting, the anomaly in the network (105).

22. The system (120) as claimed in claim 12, comprising:
a monitoring unit (230) configured to proactively monitor the plurality of network functions in order to pull metrics from one or more containers on a host based on determining the availability of at least one of, a host network function; and
an alert unit (235) configured to provide one or more alerts on determination of non-availability of the host network function.