Abstract: METHOD AND SYSTEM OF DETECTION OF ONE OR MORE ANOMALIES IN A NETWORK. The present disclosure relates to a system (108) and a method (500) of detection of one or more anomalies in a network (106). The system (108) includes a receiving unit (210) to receive alarm data from one or more network components (220). The system (108) includes an analyzing unit (212) to analyze one or more alarm triggers and corresponding configuration data from the received alarm data utilizing a machine learning model. The system (108) includes an identification unit (214) to identify the one or more alarm triggers associated with a change in the configuration data. The system (108) includes a detection unit (216) to detect the one or more anomalies when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid. The system (108) includes a triggering unit (218) to trigger one or more actions on detection of the one or more anomalies. Ref. Fig. 2
DESC:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
METHOD AND SYSTEM OF DETECTION OF ONE OR MORE ANOMALIES IN A NETWORK
2. APPLICANT(S)
NAME: JIO PLATFORMS LIMITED
NATIONALITY: INDIAN
ADDRESS: OFFICE-101, SAFFRON, NR. CENTRE POINT, PANCHWATI 5 RASTA, AMBAWADI, AHMEDABAD 380006, GUJARAT, INDIA
3. PREAMBLE TO THE DESCRIPTION
THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE NATURE OF THIS INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.
FIELD OF THE INVENTION
[0001] The present invention relates to anomalies in the communication network, and more particularly relates to a method and a system of detection of one or more anomalies in a network.
BACKGROUND OF THE INVENTION
[0002] In general, the communication network is monitored by monitoring all the core networking components. The intent of monitoring these networking components is to detect faults or anomalies, if any.
[0003] In general, the challenge faced by network operators (consumers) while monitoring communication networks is that they are not able to identify and address anomalies in a timely manner, since the manual process of analyzing network configurations is time consuming. The manual process of analyzing problems of network configurations is a reactive process. In other words, the consumers may take actions to resolve an identified issue after problems with the network configurations have been detected. This may lead to network disruptions and potential service outages.
[0004] In view of the above, computer network communication security control systems are present; thus, there is a dire need for a system and method for detecting anomalies efficiently and in a timely manner, thereby enhancing network reliability and performance.
SUMMARY OF THE INVENTION
[0005] One or more embodiments of the present disclosure provide a method and system of detection of one or more anomalies in a network.
[0006] In one aspect of the present invention, the system of detection of the one or more anomalies in the network is disclosed. The system includes a receiving unit configured to receive alarm data from one or more network components. The system further includes an analyzing unit configured to analyze one or more alarm triggers and corresponding configuration data from the received alarm data utilizing a model. The system further includes an identification unit configured to identify the one or more alarm triggers associated with a change in the configuration data based on the analysis of the one or more alarm triggers. The system further includes a detection unit configured to detect the one or more anomalies when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid. The system further includes a triggering unit configured to trigger one or more actions on detection of the one or more anomalies.
[0007] In an embodiment, the received alarm data is pre-processed and standardized.
[0008] In an embodiment, the one or more actions comprise transmitting one or more alerts to a service operator or initiating automatic remediation processes. In an embodiment, the model is a machine learning model.
[0009] In an embodiment, the machine learning model is retrieved from a database, and wherein the machine learning model is trained utilizing historical data and machine learning data driven techniques.
[0010] In an embodiment, the receiving unit is configured to receive unseen data from the one or more network components on a continuous basis to refine the detection of the one or more anomalies.
[0011] In another aspect of the present invention, the method of detection of the one or more anomalies in the network is disclosed. The method includes the step of receiving alarm data from one or more network components. The method further includes the step of analyzing one or more alarm triggers and corresponding configuration data from the received alarm data utilizing a model. The method further includes the step of identifying the one or more alarm triggers associated with a change in the configuration data based on the analysis of the one or more alarm triggers. The method further includes the step of detecting the one or more anomalies when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid. The method further includes the step of triggering one or more actions on detection of the one or more anomalies.
[0012] In another aspect of the invention, a non-transitory computer-readable medium having stored thereon computer-readable instructions is disclosed. The computer-readable instructions are executed by a processor. The processor is configured to receive alarm data from one or more network components. The processor is configured to analyze one or more alarm triggers and corresponding configuration data from the received alarm data utilizing a model. The processor is configured to identify the one or more alarm triggers associated with a change in the configuration data based on the analysis of the one or more alarm triggers. The processor is configured to detect the one or more anomalies when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid. The processor is configured to trigger one or more actions on detection of the one or more anomalies.
[0013] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0014] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0015] FIG. 1 is an exemplary block diagram of an environment of detection of one or more anomalies in a network, according to one or more embodiments of the present invention;
[0016] FIG. 2 is an exemplary block diagram of a system of detection of the one or more anomalies in the network, according to one or more embodiments of the present invention;
[0017] FIG. 3 is an exemplary block diagram of an architecture implemented in the system of the FIG. 2, according to one or more embodiments of the present invention;
[0018] FIG. 4 is a flow diagram of detection of the one or more anomalies in the network, according to one or more embodiments of the present invention; and
[0019] FIG. 5 is a schematic representation of a method of detection of the one or more anomalies in the network, according to one or more embodiments of the present invention.
[0020] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0021] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0022] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0023] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0024] The present invention provides a unique approach of dynamically predicting network configuration related issues and taking preventive measures before they lead to significant disruptions, based on the historical data, alarm triggers and network configurations. The predicting of network configuration related issues ensures that the consumer may take precautionary measures for the problems that may occur in the future due to anomalies. In an embodiment, the present invention is related to detecting anomalies using alarm triggers in a network of cellular communication. The alarm is a potential trigger which provides notification of what is going wrong in a cellular network, fixed-line network, utility, transport network, or telecommunications equipment.
[0025] FIG. 1 illustrates an exemplary block diagram of an environment 100 of detection of one or more anomalies in a network 106, according to one or more embodiments of the present disclosure. In this regard, the environment 100 includes a User Equipment (UE) 102, a server 104, the network 106 and a system 108 communicably coupled to each other for detection of one or more anomalies in the network 106.
[0026] In an embodiment, the one or more anomalies refer to unusual or unexpected behaviors, events, or patterns that deviate from normal or anticipated network operations. The one or more anomalies indicate issues such as security breaches, configuration errors, performance degradation, hardware malfunctions, or other irregularities that could affect the reliability and stability of the network 106. The one or more anomalies include, but are not limited to, traffic anomalies, configuration anomalies, security anomalies, performance anomalies, and alarm and event anomalies.
[0027] As per the illustrated embodiment and for the purpose of description and illustration, the UE 102 includes, but not limited to, a first UE 102a, a second UE 102b, and a third UE 102c, and should nowhere be construed as limiting the scope of the present disclosure. In alternate embodiments, the UE 102 may include a plurality of UEs as per the requirement. For ease of reference, each of the first UE 102a, the second UE 102b, and the third UE 102c, will hereinafter be collectively and individually referred to as the “User Equipment (UE) 102”.
[0028] In an embodiment, the UE 102 is one of, but not limited to, any electrical, electronic, electro-mechanical or an equipment and a combination of one or more of the above devices such as a smartphone, virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device.
[0029] The environment 100 includes the server 104 accessible via the network 106. The server 104 may include, by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof. In an embodiment, the entity may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise side, a defense facility side, or any other facility that provides service.
[0030] The network 106 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof. The network 106 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
[0031] The network 106 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth. The network 106 may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, a VOIP or some combination thereof.
[0032] The environment 100 further includes the system 108 communicably coupled to the server 104 and the UE 102 via the network 106. The system 108 is configured to detect the one or more anomalies in the network 106. As per one or more embodiments, the system 108 is adapted to be embedded within the server 104 or embedded as an individual entity.
[0033] Operational and construction features of the system 108 will be explained in detail with respect to the following figures.
[0034] FIG. 2 is an exemplary block diagram of the system 108 for detection of the one or more anomalies in the network 106, according to one or more embodiments of the present invention.
[0035] As per the illustrated embodiment, the system 108 includes one or more processors 202, a memory 204, a user interface 206, and a database 208. In an embodiment, the system 108 is communicably coupled with one or more network components 220. For the purpose of description and explanation, the description will be explained with respect to one processor 202 and should nowhere be construed as limiting the scope of the present disclosure. In alternate embodiments, the system 108 may include more than one processor 202 as per the requirement of the network 106. The one or more processors 202, hereinafter referred to as the processor 202, may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions.
[0036] As per the illustrated embodiment, the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204. The memory 204 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory 204 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
[0037] In an embodiment, the user interface 206 includes a variety of interfaces, for example, interfaces for a graphical user interface, a web user interface, a Command Line Interface (CLI), and the like. The user interface 206 facilitates communication of the system 108. In one embodiment, the user interface 206 provides a communication pathway for one or more components of the system 108. Examples of such components include, but are not limited to, the UE 102 and the database 208.
[0038] The database 208 is one of, but not limited to, a centralized database, a cloud-based database, a commercial database, an open-source database, a distributed database, an end-user database, a graphical database, a No-Structured Query Language (NoSQL) database, an object-oriented database, a personal database, an in-memory database, a document-based database, a time series database, a wide column database, a key value database, a search database, a cache database, and so forth. The foregoing examples of database 208 types are non-limiting and may not be mutually exclusive, e.g., a database can be both commercial and cloud-based, or both relational and open-source, etc.
[0039] In order for the system 108 to detect the one or more anomalies in the network 106, the processor 202 includes one or more modules. In one embodiment, the one or more modules include, but are not limited to, a receiving unit 210, an analyzing unit 212, an identification unit 214, a detection unit 216, and a triggering unit 218 communicably coupled to each other for detection of the one or more anomalies in the network 106.
[0040] In one embodiment, each of the one or more modules, including the receiving unit 210, the analyzing unit 212, the identification unit 214, the detection unit 216, and the triggering unit 218, can be used in combination or interchangeably for detection of the one or more anomalies in the network 106.
[0041] The receiving unit 210, the analyzing unit 212, the identification unit 214, the detection unit 216, and the triggering unit 218 in an embodiment, may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 202. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 202 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 204 may store instructions that, when executed by the processing resource, implement the processor. In such examples, the system 108 may comprise the memory 204 storing the instructions and the processing resource to execute the instructions, or the memory 204 may be separate but accessible to the system 108 and the processing resource. In other examples, the processor 202 may be implemented by electronic circuitry.
[0042] In one embodiment, the receiving unit 210 is configured to receive alarm data from the one or more network components 220. The alarm data refers to the information generated by network systems or devices when specific predefined conditions or thresholds are met, indicating a potential issue or event in the network 106. The alarm data includes, but is not limited to, alarm type, timestamp, severity level, source information, alarm description. The alarm type is a kind of issue being reported such as hardware failure, software error, configuration anomaly or performance issue. The timestamp is the time when the alarm was triggered. The severity level is a classification of the criticality of the alarm (e.g., minor, major, critical). The source information is the identification of the network component or device that generates the alarm. The alarm description is the additional information describing the nature of the problem or condition that triggered the alarm.
[0043] The one or more network components 220 refer to the various elements that make up the network 106 and generate or receive alarm data. The one or more network components 220 include, but are not limited to, network devices, network functions, access points, and storage devices. The network devices include, but are not limited to, routers, switches, firewalls, load balancers, etc., which manage data flow within the network 106 or report alarms based on their operational status. The network functions include, but are not limited to, physical network functions or virtual network functions. The network function includes, but is not limited to, Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Policy Control Function (PCF), and Unified Data Management (UDM). The access points include, but are not limited to, wireless access points, base stations or other radio network components in wireless networks. The storage devices include, but are not limited to, Network Attached Storage (NAS) and Storage Area Networks (SAN).
[0044] In an embodiment, the alarm data is typically received from the one or more network components 220 through a process involving monitoring, communication protocols, and centralized management systems. Monitoring means that the one or more network components 220 continuously monitor the operational metrics and check whether predefined thresholds or conditions are met. The operational metrics include, but are not limited to, Central Processing Unit (CPU) load, memory usage, traffic flow, etc. When a threshold is breached or an issue is detected, the network component generates an alarm event which contains details like the type, severity and timestamp of the issue. Further, the alarm data generated by the one or more network components 220 is transmitted to the centralized management system using communication protocols. The centralized management system is a Network Management System (NMS).
[0045] In an embodiment, the received alarm data is pre-processed and standardized to ensure consistency, accuracy, and readiness for effective analysis. The pre-processing and standardizing of the received alarm data include, but are not limited to, data normalization, data cleaning, data enrichment, standardized metadata assignment, event correlation, data conversion and formatting, and noise reduction. Data normalization refers to the conversion of alarm data into a uniform format, making it easier to analyze and correlate, for example by standardizing date and time formats, categorizing alarm severity levels (e.g., critical, major, minor), and ensuring consistent naming conventions for alarm types. Data cleaning removes redundant, irrelevant, or incomplete data points, which is crucial for improving the quality of the analysis. Data cleaning includes filtering out false positives or duplicate alarms, as multiple network components might generate alarms for the same underlying issue. Data enrichment refers to adding context to the alarm data, such as the geographical location of the component, device type, or network slice information. Standardized metadata assignment means that metadata such as unique identifiers, timestamps, severity levels, alarm category (e.g., performance, security, configuration), and originating source is assigned to ensure that all alarms include consistent, machine-readable information. Event correlation includes correlating different alarm events that might be related. Data conversion and formatting include converting alarm data to a common format that is compatible with downstream analytics tools and machine learning models. Noise reduction includes techniques to reduce noise in the data. For example, some low-priority alarms may be filtered out if they do not require immediate action, focusing only on actionable and meaningful alarms.
[0046] In an embodiment, the receiving unit 210 is configured to receive unseen data from the one or more network components 220 on a continuous basis. The unseen data is newly generated or real-time data that has not been previously analyzed. The unseen data from the one or more network components 220 is received to refine the detection of the one or more anomalies. The one or more anomalies refer to unexpected behaviors, deviations, or irregularities that indicate a problem or unusual activity within the network 106. The one or more anomalies include, but are not limited to, performance anomalies, traffic anomalies, security anomalies, configuration anomalies, and fault anomalies.
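The following sketch, added here as an illustration and not taken from the specification, shows the normalization, cleaning and noise-reduction steps of paragraph [0045] applied to a handful of constructed alarm records. The field names, the vendor severity labels, the accepted timestamp layouts and the 60-second duplicate window are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed vendor severity labels mapped onto the levels named in [0045].
SEVERITY_MAP = {
    "crit": "critical", "critical": "critical", "1": "critical",
    "maj": "major", "major": "major", "2": "major",
    "min": "minor", "minor": "minor", "warning": "minor", "3": "minor",
}
# Assumed input timestamp layouts; epoch seconds are handled separately.
TIMESTAMP_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%d/%m/%Y %H:%M:%S", "%Y-%m-%d %H:%M:%S")
REQUIRED_FIELDS = ("source", "type", "severity", "timestamp")

# Constructed sample input: raw alarms as different components might emit them.
SAMPLE_RAW_ALARMS = [
    {"source": "RTR-01", "type": "High Latency", "severity": "MAJ",
     "timestamp": "2024-05-01T10:05:00+00:00", "description": "RTT above threshold"},
    {"source": "rtr-01", "type": "high-latency", "severity": "major",
     "timestamp": "01/05/2024 10:05:20"},          # repeat of the alarm above
    {"source": "UPF-02", "type": "Config Change", "severity": "1",
     "timestamp": 1714558200},                     # epoch for 2024-05-01 10:10:00 UTC
    {"source": "SW-07", "type": "Link Flap", "severity": "warning",
     "timestamp": "2024-05-01 10:20:00"},
    {"source": "SW-09", "type": "Link Flap", "severity": "",
     "timestamp": "2024-05-01 10:21:00"},          # incomplete: no severity
]


def parse_timestamp(raw):
    """Return an aware UTC datetime from epoch seconds or a known text layout."""
    if isinstance(raw, (int, float)):
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    for fmt in TIMESTAMP_FORMATS:
        try:
            parsed = datetime.strptime(raw.strip(), fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
        return parsed.astimezone(timezone.utc)
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def normalize_alarm(raw):
    """Map one raw record onto a uniform schema; return None if it is unusable."""
    if any(raw.get(field) in (None, "") for field in REQUIRED_FIELDS):
        return None                                # data cleaning: incomplete record
    severity = SEVERITY_MAP.get(str(raw["severity"]).strip().lower())
    if severity is None:
        return None                                # unknown severity label
    try:
        timestamp = parse_timestamp(raw["timestamp"])
    except ValueError:
        return None
    return {
        "source": raw["source"].strip().lower(),
        "alarm_type": raw["type"].strip().lower().replace(" ", "_").replace("-", "_"),
        "severity": severity,
        "timestamp": timestamp,
        "description": raw.get("description", "").strip(),
    }


def preprocess(raw_alarms, dedup_window=timedelta(seconds=60), drop_minor=False):
    """Normalize, drop unusable records, suppress repeats and optional low-priority noise."""
    cleaned = [a for a in map(normalize_alarm, raw_alarms) if a is not None]
    cleaned.sort(key=lambda a: a["timestamp"])
    last_seen = {}                                 # (source, alarm_type) -> last timestamp
    kept = []
    for alarm in cleaned:
        if drop_minor and alarm["severity"] == "minor":
            continue                               # noise reduction
        key = (alarm["source"], alarm["alarm_type"])
        previous = last_seen.get(key)
        last_seen[key] = alarm["timestamp"]        # sliding window: a storm stays suppressed
        if previous is not None and alarm["timestamp"] - previous <= dedup_window:
            continue                               # duplicate of a recent alarm
        kept.append(alarm)
    return kept


if __name__ == "__main__":
    for alarm in preprocess(SAMPLE_RAW_ALARMS):
        print(alarm["timestamp"].isoformat(), alarm["source"],
              alarm["alarm_type"], alarm["severity"])
```

Records rejected by `normalize_alarm` are worth counting rather than silently discarding, since a component that suddenly emits malformed alarms is itself a signal.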
[0047] Upon receiving the data from the one or more network components 220, the analyzing unit 212 is configured to analyze one or more alarm triggers and corresponding configuration data from the received data utilizing a model. The model is a machine learning model. The one or more alarm triggers refer to specific conditions or events in the network 106 that cause an alarm to be raised. The one or more alarm triggers include, but are not limited to, high CPU or memory usage, bandwidth utilization, packet loss or transmission errors, unauthorized access attempts, unexpected parameter change, latency spike, and jitter or fluctuations. The configuration data refers to information about the settings, parameters, and state of network components that determine how they operate. The configuration data includes, but is not limited to, device settings, network policies, topology information, firmware versions, operational parameters, and provisioning information. The device settings include parameters such as Internet Protocol (IP) addresses, routing protocols, Virtual Local Area Network (VLAN) configurations, and other network-specific settings for routers, switches, firewalls, etc. The network policies include rules or quality of service (QoS), security settings, and access control lists (ACLs) that govern how traffic flows through the network 106. The topology information includes the structure of the network 106, such as how devices are connected, which links are active, and how traffic is routed. The firmware versions include the details of the current firmware versions running on network devices. The operational parameters include metrics like maximum bandwidth, thresholds for alarms, or other device-specific operational limits. The provisioning information includes configurations related to resource allocation such as virtualized network functions (VNFs), containerized applications, or network slices.
[0048] In an embodiment, the machine learning model is a computational representation of a problem, trained using data to make predictions or decisions without explicit programming for each specific scenario. The machine learning model is retrieved from a database 208. The machine learning model is trained utilizing historical data and machine learning data driven techniques. The historical data is past network data that includes information about previous alarm events, configuration changes, network performance metrics, and known anomalies. The historical data helps the model learn what constitutes normal network behavior and what deviations are considered anomalies. The machine learning data driven techniques use statistical learning methods to identify patterns and make predictions based on input data. The patterns refer to recurring behaviors, trends, or relationships observed within the network data. The patterns can be used by the machine learning model to determine what constitutes normal network operations and to identify deviations that could indicate potential issues or anomalies. The patterns include, but are not limited to, network performance patterns, configuration change patterns, alarm trigger patterns, user behavior patterns, and error and fault patterns. The machine learning data driven techniques include, but are not limited to, supervised learning, unsupervised learning, and reinforcement learning.
[0049] Upon analyzing the one or more alarm triggers and corresponding configuration data, the identification unit 214 is configured to identify the one or more alarm triggers associated with a change in the configuration data. In particular, the identification unit 214 identifies if any of the detected alarm triggers are associated with recent or ongoing changes in the network configuration. The identification unit 214 identifies which alarm triggers are related to recent configuration changes by checking the timing and nature of the alarms against the logged configuration modifications. For instance, if a high latency alarm is triggered shortly after a change in routing configurations, the identification unit 214 would flag this correlation. Further, the identification unit 214 identifies whether the changes in configuration were authorized or whether they deviate from expected norms. Identifying whether the changes in configuration were authorized helps in recognizing potential security incidents or misconfigurations that might lead to the network anomalies.
[0050] Upon identifying the one or more alarm triggers associated with a change in the configuration data, the detection unit 216 is configured to detect the one or more anomalies. The one or more anomalies are detected when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid. The detection unit 216 continuously monitors the results from the identification unit 214. When the identification unit 214 identifies the one or more alarm triggers that correspond to unauthorized changes or significant deviations from expected network behavior, the detection unit 216 flags these as potential anomalies. Subsequently, the detection unit 216 checks the validity of configuration changes against predefined rules or expected behavior patterns. If a configuration change leads to a condition that falls outside acceptable parameters (like exceeding a specific threshold for network latency), the detection unit 216 will classify this condition as an anomaly.
[0051] Upon detecting the one or more anomalies, the triggering unit 218 is configured to trigger one or more actions. When the detection unit 216 detects the one or more anomalies (e.g., an unauthorized configuration change that leads to abnormal network behavior), the triggering unit 218 activates the necessary actions to address the issue. The one or more actions comprise transmitting one or more alerts to a service operator or initiating automatic remediation processes. Transmitting one or more alerts to a service operator refers to sending notifications or alerts to network operators or administrators about the detected anomaly, providing them with relevant information about the issue, including alarm details and configuration changes associated with it. The alert is a notification or warning to inform users or operators about a specific condition, event, or anomaly that requires attention. The alerts are typically triggered by predefined thresholds or conditions, such as performance degradation, security incidents, or system failures. The service operator refers to an individual or team responsible for managing and maintaining services within a network environment. The service operator typically monitors the system performance, responds to alerts, troubleshoots the issues and ensures the smooth operation of services. Initiating automatic remediation processes refers to initiating automated processes to remediate the issues, for example, reverting a configuration change that led to an anomaly or adjusting resource allocations to mitigate performance issues. In an embodiment, depending on the severity of the detected anomaly, the triggering unit 218 can prioritize the actions it takes. For example, critical anomalies might trigger immediate alerts and remediation actions, while less severe anomalies might lead to lower-priority notifications or logging for future reference.
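The following added example, which is not part of the specification, walks through the identification, detection and triggering steps of paragraphs [0049] to [0051] using fixed rules in place of the machine learning model. The 10-minute correlation window, the approved-change list, the latency limit, the action names and all field names are assumptions, and the log entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed values for illustration; none of them come from the specification.
WINDOW = timedelta(minutes=10)        # how soon after a change an alarm counts as related
APPROVED_CHANGE_IDS = {"CHG-1001"}    # constructed change-approval records
LATENCY_LIMIT_MS = 150.0              # constructed validity rule for high_latency alarms

@dataclass(frozen=True)
class ConfigChange:
    change_id: Optional[str]          # None means no approval record was logged
    component: str
    when: datetime

@dataclass(frozen=True)
class Alarm:
    component: str
    trigger: str
    value: float
    when: datetime

def ts(text: str) -> datetime:
    """Parse an ISO 8601 timestamp with offset so mixed time zones compare correctly."""
    return datetime.fromisoformat(text)

def correlate(alarm, changes):
    """Identification: latest change on the same component within WINDOW before the alarm."""
    hits = [c for c in changes
            if c.component == alarm.component
            and timedelta(0) <= alarm.when - c.when <= WINDOW]
    return max(hits, key=lambda c: c.when, default=None)

def classify(alarm, change):
    """Detection and triggering: return (verdict, action), most severe case first."""
    if change is None:
        return "no_config_correlation", "log"
    if change.change_id not in APPROVED_CHANGE_IDS:
        return "anomaly_unauthorized_change", "alert_and_revert"
    if alarm.trigger == "high_latency" and alarm.value > LATENCY_LIMIT_MS:
        return "anomaly_invalid_change", "alert_operator"
    return "change_within_limits", "log"

# Constructed sample log entries; the first alarm carries a +05:30 offset.
CHANGES = [
    ConfigChange("CHG-1001", "router-1", ts("2024-01-01T04:30:00+00:00")),
    ConfigChange(None, "router-2", ts("2024-01-01T04:40:00+00:00")),
]
ALARMS = [
    Alarm("router-1", "high_latency", 180.0, ts("2024-01-01T10:05:00+05:30")),
    Alarm("router-2", "link_flap", 1.0, ts("2024-01-01T04:42:00+00:00")),
    Alarm("router-3", "high_cpu", 95.0, ts("2024-01-01T04:50:00+00:00")),
    Alarm("router-1", "high_latency", 120.0, ts("2024-01-01T04:38:00+00:00")),
]

def run(alarms=ALARMS, changes=CHANGES):
    """Return (component, verdict, action) for every alarm."""
    return [(a.component, *classify(a, correlate(a, changes))) for a in alarms]

if __name__ == "__main__":
    for row in run():
        print(row)
```

The first alarm correlates only because its timestamp is compared as an offset-aware value, which is the reason the pre-processing stage converts timestamps to a common format before analysis.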
[0052] Therefore, the system 108 proactively detects configuration anomalies through the use of alarm triggers, enabling early intervention. The system 108 helps minimize downtime and service outages by identifying configuration-related issues before they lead to disruptions. Further, the system 108 employs predictive analytics to anticipate potential configuration anomalies using historical data and alarm triggers. The system 108 saves processing time and reduces the risk of human error by replacing the manual configuration analysis with the automated anomaly detection. The reduced downtime and more efficient configuration management lead to cost savings for network operations. Further, the system 108 contributes to improved network performance and reliability.
[0053] FIG. 3 is an exemplary block diagram of an architecture 300 of the system 108 for detection of one or more anomalies in a network 106, according to one or more embodiments of the present invention.
[0054] The architecture 300 includes one or more alarm sources such as alarm source 1 302a, alarm source 2 302b, alarm source n 302n, a Network Management System (NMS) 304, a machine learning (ML) service 306, a data lake 312, a workflow 314 and the user interface 206. The ML service 306 includes a pre-processor 308 and an algorithm execution 310.
[0055] In an embodiment, the one or more alarm sources such as alarm source 1 302a, alarm source 2 302b, alarm source n 302n are generated from the one or more network components 220. Each of the one or more alarm sources is responsible for producing alerts based on specific triggers, such as performance issues, security breaches, or configuration changes. Upon generating the one or more alarm sources such as alarm source 1 302a, alarm source 2 302b, alarm source n 302n, the one or more alarm sources such as alarm source 1 302a, alarm source 2 302b, alarm source n 302n are transmitted to the NMS 304. The NMS 304 is a centralized system responsible for monitoring, managing, and maintaining the performance of the one or more network components 220. In an embodiment, the NMS 304 receives alarm data and counter data from the one or more alarm sources such as alarm source 1 302a, alarm source 2 302b, alarm source n 302n. The alarm data refers to information generated by the one or more network components 220 to indicate that a specific condition or event has occurred, which requires attention. The counter data refers to performance metrics and statistical data collected from the one or more network components 220 to help assess the health and performance of the network 106. The NMS 304 aggregates the alarm data from the one or more alarm sources such as alarm source 1 302a, alarm source 2 302b, alarm source n 302n and compiles it into a structured format.
[0056] Upon receiving the alarm data and counter data, the NMS 304 transmits the data to the pre-processor 308. The pre-processor 308 pre-processes the received data using the machine learning model. The pre-processor 308 ensures that both the alarm data and counter data are standardized to facilitate comparison. The preprocessing includes normalization, standardization, and cleaning. The normalization and standardization include converting timestamps to a common format or standardizing terminology. The data cleaning removes irrelevant or noisy data that may not contribute to the analysis, focusing on significant alarm triggers and meaningful configuration changes.
[0057] Upon preprocessing the data, the pre-processor 308 transmits the data to the algorithm execution 310. The algorithm execution 310 represents the process where collected data is analyzed to detect anomalies and improve network management. The algorithm execution 310 includes alarm trigger analysis, configuration deviation detection, and continuous improvement. The algorithm execution 310 includes analyzing alarm triggers, which are events or thresholds that cause an alarm to be raised (e.g., CPU usage exceeding a defined threshold). The algorithm execution 310 analyzes the alarm triggers to understand the context and reason for the alarms, determine if these are genuine anomalies or normal fluctuations, and correlate them with configuration data. The analysis of alarm triggers helps identify patterns and correlations between alarm events and network configuration changes, allowing for accurate root-cause analysis and efficient anomaly detection. Further, the algorithm execution 310 identifies the one or more alarm triggers associated with a change in the configuration data based on the analysis of the one or more alarm triggers. Upon identifying the one or more alarm triggers, the algorithm execution 310 detects the one or more anomalies when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid. The algorithm execution 310 continuously refines the identification process by using feedback from network operators or by incorporating new data. The iterative process ensures the model adapts to evolving network conditions and configurations.
[0058] Subsequently, the processed data and algorithm outputs are stored in the data lake 312 for future use. Upon detecting the one or more anomalies and storing in the data lake, the one or more actions are triggered at the workflow 314. The one or more actions comprises transmitting one or more alerts to a service operator or initiating automatic remediation processes. The workflow 314 further transmits the alerts to the user interface 206.
[0059] FIG. 4 is a flow diagram for detection of the one or more anomalies in the network 106, according to one or more embodiments of the present invention.
[0060] At step 402, the alarm data are received from the one or more network components 220. Upon receiving the alarm data from the one or more network components 220 the NMS 304 integrates the received data. The data integration is the process of combining the received data into a single unified view.
[0061] At step 404, upon integrating the received data, the data pre-processor processes the received data. The pre-processing includes data definition, normalization and cleaning.
[0062] At step 406, upon processing the received data, the algorithm execution 310 analyzes the one or more alarm triggers and the corresponding configuration data from the received alarm data utilizing a machine learning model. Based on the analysis of the one or more alarm triggers, the one or more alarm triggers associated with a change in the configuration data are identified. Upon identifying the one or more alarm triggers, the one or more anomalies are detected. In particular, the one or more anomalies are detected when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid.
[0063] At step 408, the preprocessed data and the detected anomalies are subsequently stored in the data lake 312 for future use.
[0064] At step 410, upon detecting the one or more anomalies, the one or more actions are triggered. The one or more actions comprises transmitting one or more alerts to a service operator or initiating automatic remediation processes. In an embodiment, the alert is transmitted to the user about the detected anomalies.
[0065] FIG. 5 is a flow diagram of a method 500 for detection of the one or more anomalies in the network 106, according to one or more embodiments of the present invention. For the purpose of description, the method 500 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
[0066] At step 502, the method 500 includes the step of receiving the alarm data from the one or more network components 220 by the receiving unit 210. The received alarm data is pre-processed and standardized. Further, the receiving unit 210 is configured to receive the unseen data from the one or more network components 220 on a continuous basis to refine the detection of the one or more anomalies.
[0067] At step 504, the method 500 includes the step of analyzing the one or more alarm triggers and corresponding configuration data from the received alarm data utilizing the machine learning model by the analyzing unit 212. The machine learning model is retrieved from the database 208. The machine learning model is trained utilizing historical data and machine learning data driven techniques.
[0068] At step 506, the method 500 includes the step of identifying the one or more alarm triggers associated with the change in the configuration data based on the analysis of the one or more alarm triggers by the identification unit 214.
[0069] At step 508, the method 500 includes the step of detecting the one or more anomalies when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid by the detection unit 216.
[0070] At step 510, the method 500 includes the step of triggering the one or more actions on detection of the one or more anomalies by the triggering unit 218. The one or more actions comprises transmitting one or more alerts to a service operator or initiating automatic remediation processes.
[0071] The present invention further discloses a non-transitory computer-readable medium having stored thereon computer-readable instructions. The computer-readable instructions are executed by the processor 202. The processor 202 is configured to receive the alarm data from the one or more network components 220. The processor 202 is further configured to analyze the one or more alarm triggers and corresponding configuration data from the received alarm data utilizing the machine learning model. The processor 202 is further configured to identify the one or more alarm triggers associated with the change in the configuration data based on the analysis of the one or more alarm triggers. The processor 202 is further configured to detect the one or more anomalies when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid. The processor 202 is further configured to trigger the one or more actions on detection of the one or more anomalies.
[0072] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIG.1-5) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0073] The present disclosure incorporates the technical advancement of proactively detecting anomalies through the use of alarm triggers, enabling early intervention. The present invention helps minimize downtime and service outages by identifying configuration-related issues before they lead to disruptions. Further, the present invention employs predictive analytics to anticipate potential configuration anomalies using historical data and alarm triggers. The present invention saves processing time and reduces the risk of human error by replacing the manual configuration analysis with the automated anomaly detection. The reduced downtime and more efficient configuration management lead to cost savings for network operations. Further, the present invention contributes to improved network performance and reliability.
[0074] The present invention offers multiple advantages over the prior art, and the above listed are a few examples to emphasize some of the advantageous features. The listed advantages are to be read in a non-limiting manner.
REFERENCE NUMERALS
[0075] Environment- 100
[0076] User Equipment (UE)- 102
[0077] Server- 104
[0078] Network- 106
[0079] System- 108
[0080] Processor- 202
[0081] Memory- 204
[0082] User Interface- 206
[0083] Database- 208
[0084] Receiving Unit- 210
[0085] Analyzing Unit- 212
[0086] Identification Unit- 214
[0087] Detection Unit- 216
[0088] Triggering Unit- 218
[0089] One or more network components- 220
[0090] Alarm source 1- 302a
[0091] Alarm source 2- 302b
[0092] Alarm source n- 302n
[0093] NMS- 304
[0094] ML service- 306
[0095] Preprocessor- 308
[0096] Algorithm execution- 310
[0097] Data lake- 312
[0098] Workflow- 314
CLAIMS:
We Claim:
1. A method (500) of detection of one or more anomalies in a network (106), the method comprising the steps of:
receiving, by the one or more processors (202), alarm data from one or more network components (220);
analysing, by the one or more processors (202), one or more alarm triggers and corresponding configuration data from the received alarm data utilizing a model;
identifying, by the one or more processors (202), the one or more alarm triggers associated with a change in the configuration data based on the analysis of the one or more alarm triggers;
detecting, by the one or more processors (202), the one or more anomalies when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid; and
triggering, by the one or more processors (202), one or more actions on detection of the one or more anomalies.
2. The method (500) as claimed in claim 1, wherein the received alarm data is pre-processed and standardized.
3. The method (500) as claimed in claim 1, wherein the one or more actions comprises transmitting one or more alerts to a service operator or initiating automatic remediation processes.
4. The method (500) as claimed in claim 1, wherein the model is at least one of a machine learning model.
5. The method (500) as claimed in claim 1, wherein the machine learning model is retrieved from a database (208), and wherein the machine learning model is trained utilizing historical data and machine learning data driven techniques.
6. The method (500) as claimed in claim 1, wherein the method comprises the step of:
receiving, by the one or more processors, unseen data received from the one or more network components (220) on a continuous basis to refine the detection of the one or more anomalies.
7. A system (108) of detection of one or more anomalies in a network (106), the system (108) comprising:
a receiving unit (210) configured to receive, alarm data from one or more network components (220);
an analysing unit (212) configured to analyse, one or more alarm triggers and corresponding configuration data from the received alarm data utilizing a model;
an identification unit (214) configured to identify, the one or more alarm triggers associated with a change in the configuration data based on the analysis of the one or more alarm triggers;
a detection unit (216) configured to detect, the one or more anomalies when the change in the configuration data of the corresponding one or more alarm triggers is unauthorized or invalid; and
a triggering unit (218) configured to trigger, one or more actions on detection of the one or more anomalies.
8. The system (108) as claimed in claim 7, wherein the received alarm data is pre-processed and standardized.
9. The system (108) as claimed in claim 7, wherein the one or more actions comprises transmitting one or more alerts to a service operator or initiating automatic remediation processes.
10. The system (108) as claimed in claim 7, wherein the model is at least one of a machine learning model.
11. The system (108) as claimed in claim 7, wherein the machine learning model is retrieved from a database (208), and wherein the machine learning model is trained utilizing historical data and machine learning data driven techniques.
12. The system (108) as claimed in claim 7, wherein the receiving unit is configured to receive, unseen data received from the one or more network components (220) on a continuous basis to refine the detection of the one or more anomalies.
| # | Name | Date |
|---|---|---|
| 1 | 202321068029-STATEMENT OF UNDERTAKING (FORM 3) [10-10-2023(online)].pdf | 2023-10-10 |
| 2 | 202321068029-PROVISIONAL SPECIFICATION [10-10-2023(online)].pdf | 2023-10-10 |
| 3 | 202321068029-FORM 1 [10-10-2023(online)].pdf | 2023-10-10 |
| 4 | 202321068029-FIGURE OF ABSTRACT [10-10-2023(online)].pdf | 2023-10-10 |
| 5 | 202321068029-DRAWINGS [10-10-2023(online)].pdf | 2023-10-10 |
| 6 | 202321068029-DECLARATION OF INVENTORSHIP (FORM 5) [10-10-2023(online)].pdf | 2023-10-10 |
| 7 | 202321068029-FORM-26 [27-11-2023(online)].pdf | 2023-11-27 |
| 8 | 202321068029-Proof of Right [12-02-2024(online)].pdf | 2024-02-12 |
| 9 | 202321068029-DRAWING [09-10-2024(online)].pdf | 2024-10-09 |
| 10 | 202321068029-COMPLETE SPECIFICATION [09-10-2024(online)].pdf | 2024-10-09 |
| 11 | Abstract.jpg | 2025-01-03 |
| 12 | 202321068029-Power of Attorney [24-01-2025(online)].pdf | 2025-01-24 |
| 13 | 202321068029-Form 1 (Submitted on date of filing) [24-01-2025(online)].pdf | 2025-01-24 |
| 14 | 202321068029-Covering Letter [24-01-2025(online)].pdf | 2025-01-24 |
| 15 | 202321068029-CERTIFIED COPIES TRANSMISSION TO IB [24-01-2025(online)].pdf | 2025-01-24 |
| 16 | 202321068029-FORM 3 [27-01-2025(online)].pdf | 2025-01-27 |