DESC:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003

COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
SYSTEM AND METHOD FOR ANOMALY DETECTION IN A NETWORK

2. APPLICANT(S)
NAME NATIONALITY ADDRESS
JIO PLATFORMS LIMITED INDIAN OFFICE-101, SAFFRON, NR. CENTRE POINT, PANCHWATI 5 RASTA, AMBAWADI, AHMEDABAD 380006, GUJARAT, INDIA
3. PREAMBLE TO THE DESCRIPTION

THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE NATURE OF THIS INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.

FIELD OF THE INVENTION
[0001] The present invention pertains to anomaly detection in network systems. Specifically, the invention focuses on a method and system for detecting anomalies using Artificial Intelligence/Machine Learning (AI/ML) models.
BACKGROUND OF THE INVENTION

[0002] With the increase in the number of network users, the demand for better service quality has grown significantly. As a result, network service providers must upgrade their infrastructure to handle more users while maintaining high service standards. This involves constant monitoring of several critical factors, such as the performance of network elements and functions. Network functions are crucial as they manage traffic, allocate nodes, and optimize the performance of routing devices, all of which contribute to maintaining the overall health and quality of the network. These functions generate a vast amount of performance data, including Key Performance Indicators (KPIs) and counter values, which are critical for assessing the network’s status, performance, and security.

[0003] However, manually analyzing these KPIs and counter values to detect unusual patterns can be time-consuming and resource intensive. Network issues, security threats, or abnormalities often manifest as deviations in these performance metrics. The conventional approach involves manually identifying such deviations, which not only delay resolution but also negatively impacts customer experience due to service disruptions. The traditional, reactive network management method addresses issues after they occur, resulting in downtime and unsatisfactory user experiences. This approach is not only inefficient but also costly in terms of resource allocation and operational expense

[0004] The present invention addresses the aforementioned challenges by offering a system and method for proactive anomaly detection in network performance data using trained models. By analyzing historical KPI and counter data that pertains to the performance of the network, the system can train models to identify patterns and detect potential anomalies before they escalate into more significant issues. This allows network operators to receive timely notifications about potential problems, enabling proactive interventions. Such an approach reduces downtime, enhances customer satisfaction, and optimizes resource allocation by preventing issues before they impact the network’s overall performance.

[0005] The present invention utilizes trained models to address the limitations of traditional, reactive network management by providing a predictive, automated anomaly detection system. The core of this system 108 lies in its ability to utilize historical performance metrics data to train the models that recognize patterns and trends in normal network behavior. Once trained, the trained model can identify anomalies in real-time data by comparing it against these established patterns. This means that deviations in network performance, whether caused by increasing traffic loads, hardware malfunctions, or security breaches, can be detected almost immediately. By flagging anomalies early, the system allows network operators to resolve issues before they become service-disrupting problems.

[0006] Furthermore, the system’s dynamic nature offers significant flexibility in anomaly detection. It can adapt to varying conditions by assigning threshold ranges or anomaly scores to performance metrics based on real-time data. This dynamic threshold assignment ensures that the system accounts for fluctuations in network traffic, time zones, or geographic factors, which could otherwise trigger false positives in a static threshold-based system. The integration of machine learning enables the system to continuously improve its accuracy, learning from past data to refine its detection capabilities. By minimizing manual intervention and enabling proactive network management, this invention not only enhances network reliability but also reduces operational costs, making it a highly efficient solution for modern network environments.
[0007] The present invention addresses challenges in network performance monitoring and anomaly detection by providing an AI-driven method for proactive identification of anomalies. Utilizing historical performance data and machine learning models, the present invention enables efficient and accurate detection of potential issues, reducing downtime and improving service quality. The said approach offers an automated and intelligent solution for real-time network management.

SUMMARY OF THE INVENTION
[0008] One or more embodiments of the present disclosure provide a system and a method for anomaly detection in a network.
[0009] In one aspect of the present invention, a method for anomaly detection in a network is disclosed. The method includes the step of retrieving, by one or more processors, historic performance metrics data from one or more data sources. The method further includes the step of selecting, by the one or more processors, one or more features from the retrieved historic performance metrics data. The method further comprises the step of loading, by the one or more processors, with at least one of the historic performance metrics data and the selected features. The method further includes the step of training, by the one or more processors, the model with an anomaly trend based on the loaded historic performance metrics data and selected features. The method further comprises the step of receiving, by the one or more processors, real-time data related to performance metrics from the one or more data sources subsequent to training the model. The method further includes the step of determining, by the one or more processors, utilizing the trained model, whether the real-time data contains one or more anomalies.
[0010] In one embodiment, the one or more data sources includes at least one of, one or more network functions or repositories including at least one of, the historic and the real time performance metrics data.
[0011] In another embodiment, the performance metrics data is at least one of, a Key Performance Indicator (KPI) and counter data pertains to performance of the network.
[0012] In another embodiment, the one or more features includes at least one of, time or geography type.
[0013] In yet another embodiment, the step of training, by the one or more processors, the model with an anomaly trend includes the steps of extracting, by the one or more processors, one or more historic values from the loaded historic performance metrics data. The step further includes comparing, by the one or more processors, the one or more historic values with one or more thresholds. The method further comprises detecting, by the one or more processors, one or more anomaly events when the one or more historic values are not compliant with the thresholds, and correlating, by the one or more processors, the anomaly events with at least one of the time and geography of occurrence of the anomaly events. The model is then trained, by the one or more processors, with the anomaly trend based on the detected anomaly events and the correlated time and geography.
[0014] In yet another embodiment, the method further comprises the step of dynamically assigning, by the one or more processors, at least one of, a threshold range or an anomaly score for the loaded historic performance metrics data in the model when the historic performance metric data includes a range of values.
[0015] In yet another embodiment, the method further includes the steps of performing, by the one or more processors, an evaluation on the trained model by generating validation metrics including at least one of, accuracy and errors. The method further includes the step of transmitting, by the one or more processors, the generated validation metrics to the user.
[0016] In another aspect of the present invention, a system for anomaly detection in a network is disclosed. The system includes a retrieving unit, configured to retrieve historic performance metrics data from one or more data sources. The system further includes a selection unit, configured to select one or more features from the retrieved historic performance metrics data. The system further includes a loading unit, configured to load a model with at least one of the historic performance metrics data and the selected features. The system further includes a training unit, configured to train the model with an anomaly trend based on the loaded historic performance metrics data and the selected features. The system also includes a transceiver, configured to receive current performance metrics data from the one or more data sources subsequent to training the model. Finally, the system includes a determining unit, configured to determine, utilizing the trained model, if the real-time data includes one or more anomalies.
[0017] In yet another embodiment of the present invention, a non-transitory computer-readable medium is provided having stored thereon computer-readable instructions that, when executed by a processor, cause the processor to retrieve historic performance metrics data from one or more data sources. The processor is configured to select one or more features from the retrieved historic performance metrics data. The processor is further configured to load a model with at least one of the historic performance metrics data and the selected features. The processor is configured to train the model with an anomaly trend based on the loaded historic performance metrics data and the selected features. The processor is further configured to receive current performance metrics data from the one or more data sources subsequent to training the model. Finally, the processor is configured to determine, utilizing the trained model, if the real-time data includes one or more anomalies.
[0018] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0019] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0020] FIG. 1 is an exemplary block diagram of an environment for anomaly detection in a network, according to one or more embodiments of the present invention;
[0021] FIG. 2 is an exemplary block diagram of the system for anomaly detection in the network, according to one or more embodiments of the present invention;
[0022] FIG. 3 is an exemplary block diagram of the system of FIG. 2, according to one or more embodiments of the present invention;
[0023] FIG. 4 is an exemplary architecture for the system anomaly detection in the network, according to one or more embodiments of the present disclosure;
[0024] FIG. 5 is a signal flow diagram illustrating the flow of the system for anomaly detection in the network, according to one or more embodiments of the present invention; and
[0025] FIG. 6 is a flow diagram of the method for anomaly detection in the network, according to one or more embodiments of the present invention.
[0026] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0027] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0028] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0029] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0030] Various embodiments of the present invention provide a system and method for anomaly detection in a network. The disclosed system and method enhance network performance and security by identifying abnormal patterns in performance metrics through a) model. The model utilizes historical data and anomaly trend analysis to accurately detect and predict potential issues within the network. By dynamically monitoring and analyzing performance metrics in real-time, the system enables proactive issue detection, allowing operators to address anomalies before they affect service quality. This approach ensures improved network reliability and customer experience by minimizing service disruptions and optimizing resource allocation.
[0031] Referring to FIG. 1, FIG. 1 illustrates an exemplary block diagram of an environment 100 a system 108 for anomaly detection in a network 106, according to one or more embodiments of the present invention. The environment 100 includes a User Equipment (UE) 102, a server 104, a communication network 106, a system 108, data sources 110, and a storage unit 112. The UE 102 aids a user to interact with the system 108 by transmitting a request in order to manage anomaly detection in the network 106.
[0032] In the present invention, anomaly detection refers to the process of identifying unusual or abnormal patterns within the performance metrics of the network 106 that deviate from expected behavior. This is achieved by employing the model 220 trained on historical performance data, which includes various Key Performance Indicators (KPIs) and other metrics. The model 220 learns to recognize normal patterns and can subsequently detect anomalies when current network data diverges from these established patterns. The detected anomalies could signify network performance issues, security threats, or potential system failures.
[0033] In the context of the present invention, the assignment of thresholds for anomaly detection can be approached in two ways: static thresholds and dynamic thresholds. Static thresholds are established based on historical data analysis and domain expertise. For instance, prior studies on network performance metrics may indicate that certain KPI values, such as latency or packet loss, should not exceed specific limits during normal operations. These limits can be set as fixed thresholds, allowing the model 220 to flag any data points that exceed these values as anomalies. On the other hand, dynamic thresholds are more flexible and are determined based on real-time data and patterns recognized by the model 220. This approach involves continuously analyzing the incoming performance metrics data to adjust the thresholds as needed. For example, the model 220 may learn that during peak hours, certain KPIs naturally fluctuate, which could lead to adjusting the thresholds higher during these times to prevent false positives. The model 220 employs statistical techniques, such as standard deviation calculations or moving averages, to dynamically set thresholds that accurately reflect current network conditions. This dual approach ensures that the system can effectively identify anomalies, providing a robust mechanism for maintaining optimal network performance while minimizing service disruptions. By leveraging both static and dynamic thresholds, the present invention enhances its capability to adapt to varying network demands and conditions.
[0034] The detection of anomalies in network performance is determined when current performance metrics deviate from expected values or when trends indicate potential issues that could impact overall network health. The determination of anomalies is influenced by various factors, such as historical performance data, thresholds, and evolving patterns in network usage. Data from sources like historic and current performance metrics, geographic data, and network activity logs are analyzed to detect anomalies. Anomalies may be triggered by unusual patterns in traffic flow, sudden changes in performance metrics, or potential security threats. Failing to detect and address anomalies promptly can result in degraded network performance, service disruptions, and compromised security. Accurate detection and proactive response to anomalies are essential to maintaining network stability, improving service quality, and ensuring efficient issue resolution.
[0035] In an embodiment, the one or more data sources utilized in the present invention encompass various network functions and repositories, which include both historic and real-time performance metrics data. Network functions refer to operational components within the network infrastructure, such as routers and switches, which generate real-time metrics including throughput, latency, and error rates. Repositories, including databases and data lakes, store historic performance metrics essential for training models. Historic performance data enables the identification of trends and anomalies over time, while real-time performance metrics provide immediate insights into current network conditions. This integration of diverse data sources enhances the system's 108 capability to analyze network performance comprehensively, facilitating effective anomaly detection and informed predictions regarding future network behavior, thereby improving overall network reliability and user experience.
[0036] In an exemplary embodiment, a sudden and sustained increase in network latency, which goes beyond the threshold of normal performance, is detected as an anomaly. Such an anomaly could indicate congestion in the network, hardware malfunction, or a Denial of Service (DoS). In another example, a sharp decline in data transmission rates, when compared to historic values for the same time frame and region, may be flagged as an anomaly. This could result from faulty equipment, bandwidth issues, or external interference in the network infrastructure. In yet another example, if the error rates of certain network functions, such as packet loss or failed connections, exceed their normal levels without an apparent cause, the system 108 would detect these events as anomalies. These anomalies could point to software bugs or infrastructure failures requiring attention.
[0037] For the purpose of description and clarification, the following discussion will refer to one or more user equipment (UE) devices, specifically a first UE 102a, a second UE 102b, and a third UE 102c. This should not be interpreted as limiting the scope of the present invention. Each of these UE devices, namely the first UE 102a, the second UE 102b, and the third UE 102c, is configured to connect to the server 104 through the communication network 106. Each UE is associated with a user who requests the generation of optimized anomaly detection plans within the network, utilizing data-driven analysis and predictions from the trained model.
[0038] In an embodiment, each of the first UE 102a, the second UE 102b, and the third UE 102c is one of, but not limited to, any electrical, electronic, electro-mechanical or an equipment and a combination of one or more of the above devices such as Virtual Reality (VR) devices, Augmented Reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device.
[0039] The communication network involved in the anomaly detection process may encompass a variety of architectures, including but not limited to, Long-Term Evolution (LTE) networks, Fifth Generation (5G) networks, and combinations of legacy systems such as the Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS). The anomaly detection methodology described in the present invention can be implemented across various advanced networks, including emerging technologies like Sixth Generation (6G) or New Radio (NR) networks. These networks support a diverse array of infrastructure types, such as terrestrial cellular networks, satellite systems, fiber-optic installations, and fixed wireless setups. Furthermore, the communication network is compatible with multiple communication protocols and standards, including but not limited to, enhanced Mobile Broadband (eMBB), Ultra-Reliable Low-Latency Communications (URLLC), and massive Machine-Type Communications (mMTC). The present invention facilitates the identification of anomalies across these varied network types and standards, thereby improving overall network reliability and enhancing the user experience.
[0040] The environment 100 includes a processing unit 204 that operates within a network monitoring framework, where anomaly detection in network performance is facilitated. The processing unit 204 may encompass various configurations, including but not limited to, a dedicated server, a cluster of servers, a virtualized computing environment, or a hybrid cloud infrastructure. In one embodiment, the processing unit 204 could be associated with multiple stakeholders, such as network administrators, service providers, enterprise IT departments, or organizations leveraging AI/ML for real-time data analysis and anomaly detection. The processing unit 204 is responsible for executing tasks related to retrieving historical performance metrics, selecting relevant features, training Trained models, analyzing current performance data, and determining the presence of anomalies to enhance network reliability and operational efficiency.
[0041] The environment 100 includes the data sources 110 that are communicably coupled to the server 104 via the communication network 106, which is utilized for anomaly detection in the network 106. The data sources 110 includes various types of repositories and feeds, including real-time performance monitoring tools, historical database systems, and third-party analytics services. It is designed to aggregate, store, and deliver performance metrics data, such as Key Performance Indicators (KPIs) and counter data that pertains to performance of the network an essential for the anomaly detection process. The data source 110 plays a vital role in providing the necessary input for the processing unit 204, facilitating accurate model training and real-time analysis. This configuration ensures timely data acquisition and synchronization, supporting the proactive identification of anomalies and enhancing the overall reliability of the network 106.
[0042] The performance metrics data utilized in the present invention encompasses various forms of quantitative information crucial for evaluating network performance, with particular emphasis on Key Performance Indicators (KPIs) and counter data. KPIs serve as critical measurements that reflect the network's 106 operational efficiency, reliability, and user experience. Examples of KPIs include network latency, which measures the time taken for data packets to travel from one point to another, and packet loss percentage, indicating the number of packets lost during transmission relative to the total packets sent. Counter data, on the other hand, represents specific quantifiable values recorded by network devices over time. This data may include metrics such as the total number of bytes transmitted or received, the number of active connections, and error counts, which provide insights into the network's performance under various conditions.
[0043] For instance, a telecommunications provider may track the average latency (a KPI) experienced by users during peak hours to assess the quality of service. Concurrently, the provider may analyze counter data reflecting the total bytes sent and received during that period to determine the correlation between traffic volume and latency. By integrating both KPI and counter data, the system 108 can comprehensively monitor network performance, allowing for more accurate anomaly detection and proactive management. For example, if the average latency KPI exceeds acceptable thresholds while counter data indicates a significant increase in data traffic, the system 108 can promptly identify potential congestion issues and notify network operators to take corrective measures, thus enhancing overall network efficiency and user satisfaction.
[0044] The environment 100 incorporates the system 108, which serves as a fundamental component for anomaly detection within the network 106. The system 108 is an integrated framework designed to facilitate the retrieval, analysis, and processing of performance metrics data essential for identifying anomalies. The system 108 encompasses but is not limited to: a model for training on historical data and anomaly trends; a data processing unit for analyzing current performance metrics against historical benchmarks; a user interface for visualizing anomaly detection results; real-time monitoring tools that provide updates on network performance; and configuration management systems that track network changes and adjustments. Additionally, the system 108 relies on the data sources 110, which serve as critical repositories for relevant information, including Key Performance Indicators (KPIs), network utilization statistics, and historical performance metrics. These data sources 110 facilitate the extraction of essential data needed for training the model, ensuring accurate analysis of current performance metrics against historical benchmarks. With the integration of these components, the system 108 creates a robust infrastructure for continuous performance assessment, enabling timely detection of anomalies and enhancing overall network reliability and operational efficiency.
[0045] The environment 100 further includes the system 108, communicably coupled to the server 104, the storage unit 112, and other network components via the network 106. The system 108 is designed to either be integrated within the server 104 or function as a standalone entity. It is responsible for managing the various processes related to anomaly detection in the network, including data retrieval, preprocessing, training of the model, analysis of current performance metrics, and determination of potential anomalies based on the trained model. The system 108 operates efficiently to ensure accurate anomaly detection and timely responses to maintain network integrity.
[0046] Operational and construction features of the system 108 will be explained in detail with respect to the following figures.
[0047] FIG. 2 is an exemplary block diagram of the system 108 for managing network slicing in the network 106, according to one or more embodiments of the present invention.
[0048] As per the illustrated and preferred embodiment, the system 108 includes one or more processors 202, a memory 204, a user interface 206, a database 222 and a model 220. The one or more processors 202 includes a retrieving unit 208, a selection unit 210, a loading unit 212, a training unit 214, a transceiver 216 and a determining unit 218.
[0049] In a further embodiment, the data stored in the database 222 encompasses various categories essential for the anomaly detection process within the network. The categories include historic performance metrics data, such as key performance indicators (KPIs) and counter data pertains to performance of the network, as well as current performance metrics that facilitate real-time analysis. The stored data also includes features extracted from historical data, anomaly event records, and associated thresholds for anomaly detection. Additionally, the database 222 maintains parameters and configurations related to the model 220, enabling effective training and fine-tuning based on emerging trends. This diverse collection of data elements empowers the system 108 to accurately identify anomalies and respond promptly, ensuring the reliability and integrity of network operations.
[0050] The one or more processors 202, hereinafter referred to as the processor 202, may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions. However, it is to be noted that the system 108 may include multiple processors as per the requirement and without deviating from the scope of the present disclosure. Among other capabilities, the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204.
[0051] In the illustrated embodiment, the processor 202 is configured to retrieve and execute computer-readable instructions stored in the memory 204, with the memory 204 being communicably connected to the processor 202. The memory 204 is designed to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which can be retrieved and executed for managing network slicing and predicting new slicing plans. The memory 204 may include any non-transitory storage unit 114, such as volatile memory like RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, and other types of unalterable memory.
[0052] In the illustrated embodiment, the model 220 is configured to perform anomaly detection in the network 106 using artificial intelligence and machine learning techniques. The model 220 is distinct from other components in the system 108 and operates in conjunction with the one or more processors 202 to analyze network performance data. The model 220 can be implemented as one of, but not limited to, a supervised learning model, an unsupervised learning model, a semi-supervised learning model, a deep learning model, a neural network, a statistical model, a clustering model, an outlier detection model, a time series analysis model, or any combination thereof. It is optimized for real-time anomaly detection and pattern recognition, supporting the dynamic nature of network performance monitoring and analysis. The model 220 utilizes advanced features such as feature extraction, dimensionality reduction, and adaptive thresholding to ensure accurate identification of anomalies in network performance metrics. The model can process various types of data including, but not limited to, network traffic patterns, performance counters, error logs, and KPIs. The aforementioned examples of model 220 types are non-limiting and may be used in combination, such as an ensemble of supervised and unsupervised models or a hybrid of statistical and deep learning approaches, depending on the specific requirements of the anomaly detection task and the complexity of the network 106 being monitored. In an embodiment, after the model is trained, model evaluation is performed. The model evaluation includes calculation of one or more validation metrics, such as accuracy, precision, recall, and error rates. The one or more validation metrics provides insights into the model performance. Furthermore, the trained model is stored in the storage unit 112. Each model checkpoint is associated with a unique training name, enabling users to quickly identify and access the specific model for various training use cases or future experiments. The systematic approach facilitates immediate utilization of the model but also supports version control and tracking of model performance over time.
[0053] In an embodiment, the storage unit 112, as described in the present invention, performs several critical functions that complement the model 220. The said functions include high-speed temporary data storage, where the storage unit 112 holds intermediate results, such as feature vectors, preprocessed performance metrics, and temporary datasets during the anomaly detection process. The storage unit 112 also maintains detailed system logs and audit trails, recording anomaly detection outcomes, model performance metrics, and historical trends essential for system optimization and compliance reporting. Additionally, the storage unit 112 functions as a caching layer to improve system performance by storing frequently accessed historical data used for anomaly comparison. It also stores machine learning model parameters, threshold values, and configuration data, which are essential for real-time anomaly detection, trend analysis, and the calibration of detection sensitivity.
[0054] Furthermore, the storage unit 112 plays a crucial role in backup and recovery operations, providing temporary backup for critical anomaly detection data to ensure swift recovery from system failures or model degradation. The storage unit 112 also handles data preprocessing tasks such as normalization, outlier removal, and feature extraction, which are essential before the data is fed into the model for anomaly detection. For systems handling high volumes of network performance data and real-time processing requests, the storage unit 112 incorporates queue management structures to facilitate orderly and efficient processing of incoming network metrics. Additionally, the storage unit 112 supports caching and buffering mechanisms to improve anomaly detection response times and manage computational loads during peak network operations. It is configured to handle the dynamic and resource-intensive requirements of network anomaly detection, utilizing technologies like solid-state drives (SSDs), RAM-based storage, or distributed in-memory data grids tailored to specific performance needs. This ensures optimized performance, scalability, and resilience in network monitoring and anomaly detection operations.
[0055] In an embodiment, the system 108 initiates the anomaly detection process by retrieving relevant data, such as historical performance metrics, network traffic patterns, and current performance indicators, from the data source 110 upon receiving a request transmitted by the user via the UE 102. In an alternate embodiment, the system 108 autonomously detects network anomalies without requiring a user-initiated request. This is accomplished by utilizing real-time data analytics and thresholds for network performance, traffic patterns, and historical trends collected from the network 106. The system utilizes the model 220 to analyze the data continuously and identify potential anomalies or irregularities in network behavior. This autonomous approach streamlines the network monitoring process, enhances operational reliability, and ensures network issues are detected and addressed proactively without manual intervention.
[0056] In an embodiment, the retrieving unit 208 is configured to extract one or more data sets related to network performance and anomaly patterns from multiple sources. The data sets include, but are not limited to, historical performance metrics, real-time network traffic data, error logs, system alerts, device status information, and service-level performance indicators. To facilitate the extraction of these data sets, the retrieving unit 208 interfaces with external monitoring systems, network probes, logging facilities, and performance measurement tools, ensuring the availability of comprehensive and timely information. This step enables the system 108 to continuously collect and analyze data necessary for detecting anomalies in network behavior and maintaining optimal network performance for end users.
[0057] In the context of the present invention, detecting network anomalies refers to evaluating specific criteria that determine deviations from normal network behaviour based on historical patterns and established performance thresholds. The criteria serve as foundational guidelines that the determining unit 218 uses to assess real-time network data against historical benchmarks. In an embodiment, the determining unit 218 employs the model 220 to perform this evaluation continuously, ensuring timely detection of potential anomalies or irregularities in network performance. The model's ability to adapt to changing network conditions and learn from new patterns ensures that the anomaly detection system remains effective and relevant over time, minimizing false positives while maximizing the accuracy of genuine anomaly identification.
[0058] In an embodiment, the model 220 is designed to execute multiple advanced algorithms that serve distinct functions, including prediction, anomaly detection, and the generation of outputs through large language models (LLMs). The model leverages ML techniques to analyze both network data and operational data to deliver a comprehensive and intelligent analysis. The model 220 uses predictive algorithms to forecast future network behaviors and trends. Based on historical and real-time network data, such as traffic patterns, user demand, and performance metrics, the model 220 can predict events like network congestion, resource depletion, or peak usage times. The model 220 also incorporates anomaly detection algorithms to identify deviations or irregularities in the network’s 106 behavior. By continuously monitoring network and operational data, the model 220 can flag unusual patterns, such as performance degradation, security threats, or hardware failures, prompting timely interventions to prevent service disruptions or system failures. Additionally, the model 220 utilizes LLMs to generate outputs that assist with decision-making, documentation, or automated responses. This generative AI capability can synthesize complex information into human-readable formats, provide actionable recommendations for network management, or even generate scripts for automating network configurations based on the analyzed data.
[0059] In another embodiment, the model 220 is developed using a combination of historical performance metrics data, anomaly event data, and current network performance metrics sourced from the retrieving unit 208. The identified criteria include, but are not limited to, factors such as anomaly frequency patterns, current network function performance, geographic distribution of anomalies, time-based performance fluctuations, and threshold values. These factors collectively inform the process of predicting and detecting potential network anomalies, allowing for proactive identification and resolution of performance issues in the network.
[0060] In an embodiment, the retrieved performance metrics data is processed by the one or more processors 202 to prepare the data for analysis by the trained model 220. The retrieving unit 208 retrieves historical performance data, current network metrics, and other relevant information from various data sources 110. The selection unit 210 then identifies key features such as time, geography, and performance thresholds, which are critical for anomaly detection. The loading unit 212 ensures that the selected one or more features and historical performance data are efficiently fed into the model 220 for training. Once trained, the model uses these inputs to identify patterns in the data that may signify network anomalies. This systematic approach improves the accuracy of anomaly detection by focusing on key metrics while eliminating unnecessary data, ensuring efficient processing and reliable outcomes.
[0061] In an embodiment of the present invention, the retrieving unit 208 retrieves multiple types of data to facilitate anomaly detection in the network. This includes performance logs, key performance indicators (KPIs), and counter data that pertains to the performance of the network, from internal and external sources. After retrieval, the selection unit 210 chooses relevant features such as time, location, and specific network performance metrics that are essential for anomaly detection.
[0062] In an embodiment of the present invention, the step of loading the model, with at least one of, the historic performance metrics data and the selected one or more features, further includes the step of loading, by the one or more processors, the model with at least one of, configured hyper parameters and train-split data.
[0063] Hyperparameters are the configuration settings used to optimize the performance of a machine learning model. Unlike regular parameters that are learned from the training data, hyperparameters are set prior to the training process and influence how the model learns. They can control various aspects of the training process, such as the learning rate, the number of iterations, the size of the neural network layers, and the batch size. Proper tuning of hyperparameters is critical because they can significantly affect the model's accuracy and generalization ability. In the context of the present invention, the step of loading the model 220 with configured hyperparameters involves establishing specific settings that will guide the training process of the model aimed at predicting anomalies in network performance. These hyperparameters are crucial for ensuring that the model 220 effectively learns from the historic performance metrics data (e.g., KPIs and counter data) and selected features (e.g., network conditions, time of day). Properly configured hyperparameters help determine how quickly the model learns, the complexity of the model, and how it manages the data during the training phase.
[0064] For instance, consider a scenario in which a telecommunications company is training the model 220 to detect network anomalies. During the step of loading the model 220, the company sets the hyperparameters as follows: a learning rate of 0.01, which is a moderate value that allows for stable convergence; a batch size of 32, enabling efficient processing while retaining sufficient variability in the data; and a number of epochs set to 100, providing enough iterations for the model 220 to learn without overfitting. These hyperparameters are then loaded into the model 220 alongside the historic performance metrics data 110 and selected features, such as historical data and network configurations. By fine-tuning these settings, the company enhances the model's 220 ability to effectively analyze and predict anomalies in network performance, thereby leading to improved operational efficiency and reduced service disruptions.

[0065] In the context of the present invention, the train-split data refers to the division of the historic performance metrics data into distinct subsets, typically training data and validation data, to properly train the model 220. This process is crucial for ensuring that the model 220 can learn from one portion of the data while being evaluated on another, ensuring that it generalizes well to new, unseen data. The training set is used to adjust the model 220 internal parameters based on the historical network performance metrics, such as KPIs, while the validation set is used to test the model's 220 accuracy in detecting anomalies without being biased by overfitting.

[0066] For instance, in a telecommunications scenario, the data could be split so that 80% is used for training, containing a wide range of network conditions, while the remaining 20% serves as validation to verify that the model can accurately identify potential anomalies in real-time network performance. This split ensures the model 220 is robust enough to predict issues before they occur, leading to more proactive network management. Without such train-split data, the model 220 would likely perform poorly in real-world conditions, potentially missing critical network anomalies and failing to minimize service disruptions effectively.

[0067] In an embodiment of the present invention, the evaluation of the model 220 is a crucial step that ensures the model's effectiveness in detecting anomalies within network performance metrics. This evaluation is carried out by the one or more processors 202 and involves generating validation metrics that assess how well the model performs against a set of known data. During this process, the model 220 is subjected to a test dataset, which consists of performance metrics that were not used during the training phase. This dataset is crucial as it provides an unbiased evaluation of the model's predictive capabilities. The generated validation metrics include key performance indicators such as accuracy, which measure the proportion of correctly identified anomalies and normal data points, and errors, which quantify the number of incorrect predictions made by the model 220. For instance, if the model 220 predicts that 80 out of 100 instances of network performance data are anomalies and 70 of those predictions are correct, the accuracy would be calculated as 70%. Conversely, if 30 instances are incorrectly flagged as anomalies when they are not, those represent the model's 220 errors. After the evaluation is complete, the processors 202 transmit these validation metrics to the user or network operator. This step is vital as it provides insights into the model's 220 performance and allows stakeholders to understand the model's reliability in real-world applications. By reviewing these metrics, users can make informed decisions regarding the deployment of the model for active monitoring and anomaly detection in network performance.

[0068] The loading unit 212 ensures the model 220 is loaded with the required historical data and selected one or more features to perform accurate trend analysis. The cleaned and structured data is stored in the database 222, ensuring it is available for subsequent analysis by the model 220 to detect anomalies in real-time network operations.

[0069] In an embodiment, the loading unit 212 is configured to load the retrieved historic performance metrics data and selected one or more features into the model 220 for anomaly detection. The loading unit 212 interacts with the retrieving unit 208 and the selection unit 210 to gather and organize the data, which includes key performance indicators (KPIs), counter data that pertains to the performance of the network, and other network-related metrics. This data is prepared in a format compatible with the trained model’s input requirements, enabling efficient anomaly detection. The loading process is continuous, allowing the system 108 to adapt to the dynamic nature of network operations. As the model is continuously fed with updated data, it improves its capability to identify potential anomalies in real-time.

[0070] Additionally, the loading unit 212 manages the flow of data into the model 220 to prevent data overload or processing delays. In one embodiment, the loading unit 212 operates in real-time, ensuring that current network performance data is immediately sent to the model after being selected and structured. This ensures that the system 108 can swiftly detect anomalies as they occur in the network, allowing for timely responses to potential issues. The loading unit 212 can also categorize the data based on factors like time of occurrence or geographic region, helping the model 220 focus on relevant data subsets, which enhances the accuracy of anomaly detection.

[0071] For example, in a network monitoring system, the loading unit 212 retrieves historical KPI data showing a steady network performance, while the real-time data reveals a sudden spike in latency in a specific geographic area. This data is loaded into the trained model 220, which compares the real-time data against the one or more thresholds and detects the anomaly. In an embodiment, the retrieved data is loaded into the trained model 220, which compares the current data against the one or more thresholds and detects the anomaly. The real-time nature of the loading process ensures that the issue is flagged immediately, enabling the network administrator to take corrective action.

[0072] Upon loading the model 220 with at least one of the historic performance metrics data and the selected one or more features. The training unit 214 is configured to train the model 220 to extract one or more historic values from the loaded historic performance metrics data. The training unit 214 is configured to compare the extracted one or more historic values from the loaded historic performance metrics data. Upon comparing the one or more historic values from the loaded historic performance metrics data, the training unit 214 detects the one or more anomaly events when the one or more historic values are not compliant with the one or more thresholds. In an embodiment, the training unit 214 detects the one or more anomaly events when the one or more historic values at least one of greater than or less than with the one or more thresholds. Upon detecting the one or more anomaly events, the training unit 214 correlates the one or more anomaly events with corresponding at least one of, time and geography of occurrence of the one or more anomaly events. The system 108 gathers data on various events, including timestamps and geographic coordinates (e.g., GPS data). The one or more anomaly events are identified through predefined criteria or learning model that flag unusual patterns in the data. Upon correlating the one or more anomaly events with corresponding at least one of, time and geography of occurrence of the one or more anomaly events, the training unit 214 trains the model 220 with the anomaly trend pertaining to the one or more anomaly events along with the correlated at least one of, the time and geography.

[0073] In an embodiment, the determining unit 218 utilizes the trained model 220 to perform data analysis for identifying potential network anomalies. Upon receiving current performance metrics data from the transceiver 216, the determining unit 218 extracts relevant patterns and insights essential for detecting anomalies. It evaluates parameters including network traffic, equipment performance, and geographic data to identify deviations from normal operational thresholds. Through the application of machine learning algorithms, the determining unit 218 uncovers correlations between historical anomaly trends and real-time data inputs, thereby enhancing the accuracy and timeliness of anomaly detection, ensuring prompt identification of network issues.

[0074] In one embodiment, the system 108 executes an analytical process whereby the retrieved performance metrics data, subsequent to retrieval from the one or more data sources 110, is subjected to anomaly detection using the trained model 220. This analytical process involves evaluating the retrieved data to identify deviations from thresholds or patterns, which could indicate potential anomalies in the network. The system 108 is configured to perform both retrospective analysis on historical data and concurrent analysis on real-time performance metrics, allowing for dynamic identification of anomalies as new data is received. The anomaly detection process further includes generating alerts based on the identified anomalies, which may indicate issues such as network performance degradation, equipment failure, or unusual traffic patterns. This real-time anomaly detection enables network operators to respond proactively, preventing potential disruptions or service degradation.

[0075] Furthermore, the system 108 is configured to refine its anomaly detection capabilities through continuous learning, as the trained model 220 is updated with new performance metrics data over time. The system 108 compares real-time data to historical anomalies and correlates the one or more anomaly events with corresponding at least one of, time and geographical location of occurrence of the one or more anomaly events, to improve the accuracy of its predictions.

[0076] The transceiver 216 is responsible for communicating the identified anomalies to relevant network monitoring systems or administrators, providing detailed reports that highlight the nature of the anomaly, its likely cause, and the affected areas. This process ensures timely resolution of network issues and enhances overall network reliability.

[0077] For instance, the system 108 retrieves real-time performance metrics from a 5G network and detects a sudden spike in packet loss in a specific region. The model 220, trained on historical network data, recognizes this as a deviation from normal operation, signaling a potential anomaly. The system 108 immediately generates an alert and sends it to the network operations team, allowing them to investigate and rectify the issue before it affects end-user experience. The ability to analyze both current and past data enhances the system's accuracy in detecting and mitigating network anomalies.
[0078] The determining unit 218 further customizes the anomaly detection process based on parameters or network-specific configurations, ensuring that the output is tailored to the operational needs of the network provider. By incorporating various threshold ranges and anomaly scoring mechanisms, the determining unit 218 enhances the accuracy and relevance of the anomaly detection results, enabling decision-makers to swiftly assess network health and prioritize remedial actions. For example, if the model 220 detects a performance degradation in a specific geographic region, the system can flag the area for immediate attention. The anomaly detection process is designed to be intuitive and actionable, empowering stakeholders to make informed decisions and maintain efficient network operations.
[0079] In an embodiment, the results of the anomaly detection process are transmitted to at least one of the users or the entity. The user refers to a network administrator or operator responsible for overseeing network performance and anomaly management. Upon detecting anomalies, the one or more processors 202 transmit the results to the user for review, investigation, or further action. The entity includes at least one network functions, application, or service. The network function may represent hardware or software components, such as routers or load balancers, which require adjustments based on detected anomalies. The application refers to software services impacted by performance issues, while the service refers to individual components within a distributed system that may need attention due to detected anomalies.
[0080] The present invention provides several key technical advantages, including automated anomaly detection using the trained models, significantly enhancing the accuracy and efficiency of network performance monitoring. The system 108 automates the identification of anomalies in real-time by processing historic and current performance metrics, reducing the reliance on manual network monitoring efforts. It supports dynamic configuration and assignment of thresholds and anomaly scores, ensuring adaptability to various network environments. The system 108 also facilitates proactive network management by predicting potential issues before they result in service disruptions, improving overall network reliability. Additionally, the architecture enables continuous refinement of the trained models through iterative learning from historical data, ensuring the system's ability to evolve with the network. This automated, data-driven approach reduces operational costs, improves customer satisfaction, and enhances network performance by identifying and addressing issues swiftly and accurately.
[0081] FIG. 3 illustrates an exemplary block diagram of the system 108, according to one or more embodiments of the present invention. More specifically, FIG. 3 illustrates the system 108 for anomaly detection in the network 106. It is to be noted that the embodiment with respect to FIG. 3 will be explained with respect to the UE 102 for the purpose of description and illustration and should nowhere be construed as limited to the scope of the present disclosure.
[0082] FIG. 3 illustrates the communication between the UE 102, the system 108, and the storage unit 114. In the context of the present invention, the UE 102 and the storage unit 114 utilize network protocol connections to communicate with the system 108. In an embodiment, the network protocol connection involves the establishment and management of communication between the UE 102, the system 108, and the storage unit 114 using specific protocols tailored for anomaly detection operations. The network protocol connection may include, but is not limited to, Session Initiation Protocol (SIP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), and Simple Network Management Protocol (SNMP). These protocols facilitate the real-time allocation, monitoring, and adjustment of network slices to ensure optimal resource distribution and performance across the network.
[0083] In an embodiment, the UE 102 includes a primary processor 302, a memory 304, and a user interface 306. In alternate embodiments, the UE 102 may include more than one primary processor, 302, as per the requirement of the communication network 106. The primary processor 302, may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions.
[0084] In an embodiment, the primary processor 302 is configured to fetch and execute computer-readable instructions stored in the memory 304. The memory 304 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to transmit requests for detecting anomalies within the network. The memory 304 may include any non-transitory storage device, such as volatile memory like RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
[0085] In an embodiment, the user interface 306 of the UE 102 includes various interfaces, such as a graphical user interface, a web user interface, a Command Line Interface (CLI), and the like. The user interface 306 is configured to allow users to transmit requests related to detecting anomalies in network performance metrics. Through the user interface 306, users can interact with the system 108, submitting requests for data processing, analysis, and anomaly detection based on performance metrics. These requests are transmitted to the processor 202 via the user interface 306, enabling the efficient detection and identification of anomalies within the network, and facilitating proactive network management by operators.
[0086] In one embodiment, the processor 202 is configured for anomaly detection in the network 106.
[0087] As mentioned earlier in FIG. 2, the system 108 includes the processors 202, and the memory 204, for managing the call between the user and the storage unit 114, which are already explained in FIG. 2. For the sake of brevity, a similar description related to the working and operation of the system 108 as illustrated in FIG. 2 has been omitted to avoid repetition.
[0088] Further, as mentioned earlier, the processor 202 includes the retrieving unit 208, the selection unit 210, the loading unit 212, the training unit 214, the transceiver 216, and the determining unit 218, which are already explained in FIG. 2. Hence, for the sake of brevity, a similar description related to the operation of the system 108 as illustrated in FIG. 2 has been omitted to avoid repetition. The limited description provided for the system 108 in FIG. 3 should be read in conjunction with the description provided for the system 108 in FIG. 2 above and should not be construed as limiting the scope of the present disclosure.
[0089] FIG. 4 is an exemplary architecture of the system 108 for managing network slicing within the network, according to one or more embodiments of the present disclosure. The system 108 is designed to retrieve, process, analyze, and generate network slicing configurations, ensuring optimal resource allocation and network performance.
[0090] The architecture 400 pertains to the system 108 which includes, an Integrated Performance Management (IPM) interface 402, a data integrator unit 404, a data pre-processing module 406, a model training unit 406, a data lake 408, a prediction unit 412, and a User Interface 414.
[0091] In an embodiment of the present invention, the system architecture 400 is designed to monitor, predict, and address performance issues using AI/ML methodologies. The system 108 includes the IPM Interface 402, which is configured to proactively monitor KPIs and counter values in real-time. This interface detects anomalies and threshold breaches, generating KPI reports at regular intervals, thereby ensuring continuous monitoring and performance evaluation. In another embodiment of the present invention, the data integrator unit 404 module is responsible for integrating data from various sources, including KPI data, network conditions, weather factors, and historical abnormal KPI values. The comprehensive data set is fed into the system for further analysis and anomaly detection.

[0092] In a further embodiment of the present invention, the data pre-processing module 406 cleanses and normalizes the integrated data. By removing unnecessary elements and ensuring consistency, the data pre-processing unit prepares the data for input into the model 220, improving the accuracy and reliability of anomaly detection. In yet another embodiment of the present invention, the model training unit 408 is designed to configure and train the model 220 using the pre-processed data. It includes a configuration module for setting hyper-parameters, an input module for feeding data to the model, and an evaluation module that tests the model's accuracy by comparing predictions with actual data. The model training unit 408 can adjust hyper-parameters if retraining is required.

In the context of the present invention, once the model 220 has been trained utilizing historic performance metrics data and selected features, it is essential to store the trained model in a structured manner to facilitate efficient access and management for future applications. The one or more processors 202 are configured to store the trained model 220 in the data lake 410, a centralized repository designed for the storage of large volumes of structured and unstructured data. This approach allows for scalability and flexibility, enabling the organization to effectively manage multiple models over time. To ensure optimal organization and retrieval of the trained model 220, it is stored with a unique training name, which encapsulates specific characteristics related to the model's 220 development, such as the dataset used for training, the date of training, or particular hyperparameters employed during the training process.
[0093] In an embodiment of the present invention, all data collected, processed, and generated by the system is stored in the data lake 410, providing a central repository for future retrieval and analysis. This allows for ongoing model refinement and performance review. The system 108 further includes the prediction unit 412, which assigns anomaly scores and predicts future anomalies based on current and past data. The prediction unit 412 works in tandem with the model 220 to provide insights into potential root causes of anomalies and offers predictive analysis for future occurrences.

[0094] In an embodiment of the present invention, system 108 includes the user interface 414, which allows users to interact with the system, view real-time alerts, and receive reports on detected anomalies, predictions, and identified causes. The user interface 414 also enables users to set threshold ranges and customize reports for specific KPIs, enhancing the system's usability and flexibility. Each component of the system architecture 400 is designed to function cohesively, enabling real-time performance management and proactive anomaly detection. This automated approach reduces manual intervention, enhances operational efficiency, and improves the overall reliability of network performance management.

[0095] In an embodiment of the present invention, a key feature lies in the integration of AI/ML algorithms that enable automated anomaly detection, significantly enhancing the system's 108 capability to maintain network health proactively. The system 108 is designed to analyze historical performance metrics, compare them with real-time data, and detect anomalies before they cause significant disruptions. This predictive capability is essential for identifying potential network issues early on, allowing operators to take preemptive actions to mitigate these problems. By continuously monitoring KPIs, the system can predict anomalies with a high degree of accuracy, offering insights into when and where future anomalies might occur, thus ensuring network stability.

[0096] In another embodiment of the present invention, the system's 108 models 220 are trained on historical data to identify patterns that may lead to network degradation. Once trained, the system 108 can autonomously monitor network performance and send notifications to operators when a threshold breach or anomaly is detected. These notifications serve as a prompt for network operators to implement optimal measures, reducing the risk of service interruptions or performance deterioration. The model's 220 predictive capabilities extend beyond real-time anomaly detection, as it can forecast potential future issues based on trends in the network's 106 performance, allowing for strategic planning and resource allocation.

[0097] Furthermore, in yet another embodiment of the present invention, the system 108 is configured to dynamically adjust to evolving network conditions. By continuously learning from new data, the model refines its predictions and improves its accuracy over time. This continuous learning process ensures that the system 108 remains adaptable, providing an efficient and intelligent solution for maintaining network health and minimizing service disruptions in a rapidly changing network environment. The automated nature of this system 108 also reduces the need for manual intervention, allowing operators to focus on higher-level tasks, ultimately improving the overall efficiency and reliability of network operations.

[0098] FIG. 5 is the flow diagram illustrating the method for detecting network anomalies in the network, according to one or more embodiments of the present invention. At step 502, the user equipment 102 transmits a request for retrieving the data to the system 108. At step 504, the system 108 retrieves the historic performance metrics data from the one or more data sources. At step 506, the system 108 selects one or more features from the retrieved historic performance metrics data for analysis. At step 508, the selected one or more features are used to train the model 220. At step 510, the trained model is stored in the storage unit 114. At step 512, the system 108 sets one or more thresholds based on the trained model for anomaly detection. At step 514 and 516, the system 108 receives the real-time network data against the established one or more thresholds to detect one or more anomalies in network performance. At step 518, the system 108 generates alert notifications regarding any detected anomalies and transmits the detected anomalies to the User Equipment 102, enabling prompt response to network issues.
[0099] For example, in a scenario where a telecommunications provider is aiming to detect and address potential network performance issues, the User Equipment (UE) 102 initiates the process by transmitting network performance data to the system 108, requesting proactive anomaly detection. At step 502, the system 108 receives the data and proceeds to step 504, where it retrieves historical performance metrics data from the storage unit 114. This data includes previous KPI measurements, network usage patterns, and other performance indicators.
[00100] At step 506, the system 108 selects one or more features from the retrieved historic performance metrics data. For instance, it might identify key performance metrics like latency, packet loss, and bandwidth consumption, which are critical for determining network anomalies. Following this, at step 508, these selected one or more features are used to train the model 220, which is designed to detect abnormal patterns in the network’s performance metrics. This establishes a connection between the system 108 and the model 220, ensuring real-time data flow and continuous updates to the model's training set. At step 510, the trained model 220 is stored in the storage unit 114.
[00101] At step 512, the system 108 sets one or more thresholds based on the trained model for detecting one or more anomalies. For example, consider a situation where the network normally operates with an average latency of 50 milliseconds. The system, using the trained model, sets a threshold that flags latency above 70 milliseconds as potentially anomalous. At step 514 and 516, the system 108 receives real-time network performance data against the one or more thresholds to detect one or more anomalies. Suppose that during a specific time period, the system 108 detects that latency in a certain region exceeds the established threshold, indicating a potential issue with the network’s performance. Finally, at step 518, the system 108 generates alert notifications regarding any detected anomalies. In this case, an alert might be sent to the UE 102, informing the network operator of the increased latency in the identified region. The alert includes details such as the anomaly type, affected KPIs, and potential causes, allowing the operator to take prompt corrective actions to resolve the issue and maintain optimal network performance.
[00102] FIG. 6 illustrates a flow chart of the method 600 for anomaly detection in the network, according to one or more embodiments of the present invention. The method 600 described below outlines the sequential steps involved in retrieving performance metrics data, training the model, and detecting anomalies in real-time. It is purely exemplary in nature and should not be construed as limiting the scope of the present invention.

[00103] In an embodiment, the method 600 for detecting network anomalies is disclosed. At step 602, the method 600 includes the step of retrieving historic performance metrics data from one or more data sources 110. This data includes historical trends related to network performance, such as latency, throughput, and packet loss. At step 604, the method 600 includes the step of selecting one or more features from the retrieved historic performance metrics data. The one or more features include Key Performance Indicators (KPIs), device configurations, and time-based factors that are essential for identifying network anomalies.

[00104] At step 606, the method 600 includes the step of loading the model 220 with at least one of, the selected one or more features and the historic performance metrics data. The model 220 is pre-configured to detect anomaly patterns based on historical data trends. At step 608, the method 600 includes the step of training the model 220 with the anomaly trend based on the loaded historic performance metrics data and the selected one or more features and data to develop an understanding of normal network behavior and identify any deviation from these patterns that might indicate an anomaly. This training process ensures that the model can detect both minor performance irregularities and significant disruptions. Once the model is trained, at step 610, the method 600 includes the step of receiving real time data pertaining to the performance metrics from the one or more data sources subsequent to training the model. The system 108 continuously monitors real-time network data to assess if any network anomalies are developing. Finally, at step 612, the method 600 includes the step of determining if the real-time data includes one or more anomalies based on the one or more thresholds set during the training phase. If the one or more anomalies are detected, alert notifications are generated, enabling prompt corrective actions by the network operator to maintain optimal network performance.

[00105] In an embodiment of the present invention, the model evaluation unit is an integral component designed to assess the performance of the model 220 following its development. This evaluation unit is configured to generate validation metrics that quantitatively evaluate the model's predictive capabilities, focusing on key performance indicators such as accuracy and error rates. Accuracy provides insights into the proportion of correctly identified anomalies versus total predictions made by the model, while error metrics indicate the frequency of false positives and false negatives. By systematically generating these metrics, the model evaluation unit enables users to gain a comprehensive understanding of the model's effectiveness in detecting anomalies within network performance data.

[00106] Furthermore, the model evaluation unit is responsible for transmitting these validation metrics to the user, ensuring that stakeholders are informed of the model's performance status in a timely manner. This feedback loop is essential for operational transparency and allows users to make data-driven decisions regarding the deployment and ongoing refinement of the model. By regularly evaluating and communicating the model’s performance metrics, the present invention enhances the reliability of network anomaly detection processes, ultimately contributing to improved network health and reduced service disruptions.
[00107] The present invention further discloses a non-transitory computer-readable medium having stored thereon computer-readable instructions that are executed by the one or more processors 202 to detect anomalies in a network. In the initial step, the one or more processors 202 gather real-time performance metrics data from various sources, including network performance logs, historical usage data, and device-specific metrics. The gathered data is then processed by selecting relevant features and configuring the necessary parameters using a trained model 220. Once the relevant features and parameters are configured, the processors 202 input this data into the trained model 220 to initiate the anomaly detection process. By utilizing the trained model 220, the processors 202 analyze the data to detect any anomalies based on thresholds and historical trends. The model 220 identifies potential network issues before they escalate, allowing for proactive measures. Finally, the one or more processors 202 generate a visual representation of any detected anomalies and transmit alerts or notifications to the operator, with all processed data stored in the storage unit 114 for further analysis. This methodology ensures early detection of anomalies, enhancing network stability and minimizing service disruptions.
[00108] Finally, the one or more processors 202 automatically execute actions to analyze the current performance metrics data using the assessments conducted by the trained model 220 to determine the presence of anomalies. This automation is crucial for enhancing operational efficiency and reducing the need for manual intervention. By automating the anomaly detection process, the system 108 ensures that potential network issues are quickly identified, allowing operators to respond effectively and implement corrective measures promptly.
[00109] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIG.1-6) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[00110] The present invention offers substantial advantages through the implementation of the trained model for automated anomaly detection in network performance metrics, significantly reducing the need for manual oversight. The invention automates the processes of data retrieval, feature selection, training, and anomaly identification, thereby optimizing the workflow and ensuring prompt detection of potential network issues. Furthermore, the present invention enables continuous monitoring and analysis of performance data, enhancing overall system reliability by proactively addressing anomalies before they escalate into significant problems. Additionally, the invention's automated approach to network management is highly adaptable, allowing the system to efficiently respond to varying network conditions and effectively process large volumes of performance data with accuracy and dependability.
[00111] The present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize on some of the advantageous features. The listed advantages are to be read in a non-limiting manner.

REFERENCE NUMERALS

[00112] Environment - 100;
[00113] User Equipment (UE) - 102;
[00114] Server - 104;
[00115] Communication Network- 106;
[00116] System -108;
[00117] Data Sources- 110;
[00118] Storage unit – 112;
[00119] Processor - 202;
[00120] Memory - 204;
[00121] User Interface – 206;
[00122] Retrieving unit– 208;
[00123] Selection unit – 210
[00124] Loading unit – 212;
[00125] Training unit - 214;
[00126] Transceiver –216;
[00127] Determining Unit –218;
[00128] Model –220;
[00129] Database–222;
[00130] Primary processor- 302;
[00131] Memory- 304;
[00132] User Interface – 306;
[00133] IPM–402;
[00134] Data Integration unit– 404;
[00135] Data Preprocessing module – 406;
[00136] Model Training Unit – 408;
[00137] Data Lake– 410;
[00138] Prediction Unit – 412;
[00139] User Interface – 414;
,CLAIMS:CLAIMS:
We Claim:
1. A method (600) for anomaly detection in a network, the method (600) comprising the steps of:
retrieving (602), by the one or more processors (202), historic performance metrics data from one or more data sources;
selecting (604), by the one or more processors (202), one or more features from the retrieved historic performance metrics data;
loading (606), by the one or more processors (202), a model (220), with at least one of, the historic performance metrics data and the selected one or more features;
training (608), by the one or more processors (202), the model (220) with an anomaly trend based on the loaded historic performance metrics data and the selected one or more features;
receiving (610), by the one or more processors (202), real time data pertaining to performance metrics from the one or more data sources subsequent to training the model (220); and
determining (612), by the one or more processors (202), utilizing the trained model (220), if the real time data includes one or more anomalies.

2. The method (600) as claimed in claim 1, wherein the one or more data sources includes at least one of, one or more network functions or repositories including at least one of, the historic and the real time performance metrics data.

3. The method (600) as claimed in claim 1, wherein the performance metrics data is at least one of, a Key Performance Indicator (KPI) and counter data pertains to performance of the network.

4. The method (600) as claimed in claim 1, wherein the one or more features are at least one of, time or geography type.

5. The method (600) as claimed in claim 1, wherein the step of, loading, the model (220), with at least one of, the historic performance metrics data and the selected one or more features, further includes the step of:
loading, by the one or more processors (202), the model (220), with at least one of, configured hyper parameters and train-split data.

6. The method (600) as claimed in claim 1, wherein the step of, training, the model (220), with an anomaly trend includes the steps of:
extracting, by the one or more processors (202), one or more historic values from the loaded historic performance metrics data;
comparing, by the one or more processors (202), the one or more historic values with one or more thresholds;
detecting, by the one or more processors (202), one or more anomaly events when the one or more historic values are not compliant with the one or more thresholds;
correlating, by the one or more processors (202), the one or more anomaly events with corresponding at least one of, time and geography of occurrence of the one or more anomaly events; and
training, by the one or more processors (202), the model (220), with the anomaly trend pertaining to the one or more anomaly events along with the correlated at least one of, the time and geography.

7. The method (600) as claimed in claim 1, wherein the step of, determining, utilizing the model (220), if the real time data includes one or more anomalies, includes the steps of:
extracting, by the one or more processors (202), one or more current values from the real time data;
comparing, by the one or more processors (202), the one or more current values with one or more historic values of the one or more anomaly events; and
determining, by the one or more processors (202), the real time data includes the one or more anomalies, when the one or more current values matches at least in portion with the one or more historic values of the one or more anomaly events.

8. The method (600) as claimed in claim 1, wherein the method further comprises the step of:
dynamically assigning, by the one or more processors (202), at least one of, a threshold range or an anomaly score for the loaded historic performance metrics data in the model (220), when the historic performance metric data includes a range of values.

9. The method (600) as claimed in claim 1, wherein the method further comprising the steps of:
performing, by the one or more processors (202), an evaluation on the trained model (220) by generating validation metrics including at least one of, accuracy and errors; and
transmitting, by the one or more processors (202), the generated validation metrics to the user.

10. The method (600) as claimed in claim 1, wherein the one or more processors (202) stores the trained model (220), in a data lake based on at least one of, unique training name.

11. A system (108) for anomaly detection in a network, the system (108) comprising:
a retrieving unit (208), configured to, retrieve, historic performance metrics data from one or more data sources;
a selection unit (210), configured to, select, one or more features from the retrieved historic performance metrics data;
a loading unit (212), configured to, load, a model (220), with at least one of, the historic performance metrics data and the selected one or more features;
a training unit (214), configured to, train, the model (220), with an anomaly trend based on the loaded historic performance metrics data and the selected one or more features;
a transceiver (216), configured to, receive, real time data pertaining to performance metrics from the one or more data sources subsequent to training the model (220); and
a determining unit (218), configured to, determine, utilizing the trained model (220), if the real time data includes one or more anomalies.

12. The system (108) as claimed in claim 11, wherein the one or more data sources includes at least one of, one or more network functions or repositories including at least one of, the historic and the real time performance metrics data.

13. The system (108) as claimed in claim 11, wherein the performance metrics data is at least one of, a Key Performance Indicator (KPI) and counter data pertains to performance of the network.

14. The system (108) as claimed in claim 11, wherein the one or more features are at least one of, time or geography type.

15. The system (108) as claimed in claim 11, wherein the loading unit (212), further loads, the model (220), with at least one of, configured hyper parameters and train-split data.

16. The system (108) as claimed in claim 11, wherein the training unit (214), trains the model (220), with the anomaly trend by:
extracting, one or more historic values from the loaded historic performance metrics data;
comparing, the one or more historic values with one or more thresholds;
detecting, one or more anomaly events when the one or more historic values are not compliant with the one or more thresholds;
correlating, the one or more anomaly events with corresponding at least one of, time and geography of occurrence of the one or more anomaly events; and
training, the model (220) with the anomaly trend pertaining to the one or more anomaly events along with the correlated at least one of, the time and the geography.

17. The system (108) as claimed in claim 11, wherein the determining unit (218), determines utilizing the model (220), if the real time data includes one or more anomalies, by:
extracting, one or more current values from the real time data;
comparing, the one or more current values with one or more historic values of the one or more anomaly events; and
determining, the real time data includes the one or more anomalies, when the one or more current values matches at least in portion with the one or more historic values of the one or more anomaly events.

18. The system (108) as claimed in claim 11, wherein the system (108) further comprising an assigning unit, configured to, dynamically assign, at least one of, a threshold range or an anomaly score for the loaded historic performance metrics data in the model (220), when the historic performance metric data includes a range of values.

19. The system (108) as claimed in claim 11, wherein a model evaluation unit is configured to:
perform, an evaluation on the trained model (220), by generating validation metrics including at least one of, accuracy and errors; and
transmit, the generated validation metrics to the user.

20. The system (108) as claimed in claim 11, wherein the training unit (214) stores the trained model (220), in a data lake based on at least one of, unique training name.