DESC:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003

COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
SYSTEM AND METHOD FOR PREDICTING ONE OR MORE FUTURE ALARMS
2. APPLICANT(S)
NAME NATIONALITY ADDRESS
JIO PLATFORMS LIMITED INDIAN OFFICE-101, SAFFRON, NR. CENTRE POINT, PANCHWATI 5 RASTA, AMBAWADI, AHMEDABAD 380006, GUJARAT, INDIA
3.PREAMBLE TO THE DESCRIPTION

THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE NATURE OF THIS INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.

FIELD OF THE INVENTION
[0001] The present invention relates to the field of wireless communication systems, more particularly relates to a method and a system for predicting one or more future alarms.
BACKGROUND OF THE INVENTION
[0002] In general, the communication network is monitored by monitoring all the core networking components such as, routers, switches, firewalls, servers, and VMs. The intent of monitoring these networking components is to detect faults or anomaly, if any. Anomaly detection is the identification of rare events, items, or observations which are suspicious because they differ significantly from standard behaviors or patterns.
[0003] Generally, the alarms may be set by the consumers in order to get notification pertaining to anomaly detection. The consumer may get notified about the multiple alarms raised on the dashboards. However, in practice, there may be instances when multiple alarms are triggered, where there is no indication whether any of those alarms are critical in nature. Due to which, there may be possibilities of some critical alarms going unnoticed. The alarm management is generally performed manually by the consumers. The consumers such as network operators and administrators had to manually go through the multiple alarms, determine their severity, and decide the appropriate response or action. Due to this there may be a delay in resolving the problems notified by the critical alarms that may lead to significant disruptions in the network. Without predictive analytics, network issues were often addressed reactively. The consumers would only take action once a problem had already impacted services or caused outages. Due to the lack of the proper severity assessment and prediction, resources were often allocated reactively. So, the critical issues receive attention of the consumers, but less severe issues might not be addressed by the consumers until the less severe issues are escalated.

[0004] In view of the above, there is a dire need for a system and method for managing alarms, which ensures the critical alarm may be detected and resolved before they cause issues.
SUMMARY OF THE INVENTION
[0005] One or more embodiments of the present disclosure provides a method and a system for predicting one or more future alarms.
[0006] In one aspect of the present invention, the method for predicting one or more future alarms is disclosed. The method includes the step of retrieving, by the one or more processors, historic network performance data from one or more data sources. The method further includes the step of determining, by the one or more processors, an anomaly when one or more metrics of the network performance data exceed a threshold. The method further includes the step of categorizing, by the one or more processors, one or more alarms generated into severity levels based on one or more alarm parameters, the one or more alarms are generated in response to the determined anomaly. The method further includes the step of training, by the one or more processors, a model with at least one of, the historic network performance data and the categorized one or more alarms. The method further includes the step of predicting, by the one or more processors, utilizing the trained model, the one or more future alarms.
[0007] In another embodiment, the historic performance data includes at least one of, alarms, counters, performance metrics, logs and event records.
[0008] In yet another embodiment, the one or more metrics include at least one of, but not limited to, network traffic, Central Processing Unit (CPU) usage, latency and packet loss.
[0009] In yet another embodiment, the one or more alarm parameters include at least one of, type of alarms and impact on services.
[0010] In yet another embodiment, the one or more severity levels include at least one of, critical alarms, major alarms, minor alarms and warning alarms.
[0011] In yet another embodiment, the one or more processors enable the model to learn at least one of, patterns, trends and behaviour of the anomaly from the historic performance data and the categorized one or more alarms.
[0012] In yet another embodiment, the one or more processors, utilizing the trained model, predict the one or more future alarms based on at least one of, learnt patterns, trends and behaviour of the anomaly.
[0013] In yet another embodiment, the one or more future alarms include at least one of, future anomalies.
[0014] In yet another embodiment, the method further comprising the steps of triggering, by the one or more processors, one or more pre-defined actions based on severity levels of the one or more alarms, wherein the one or more pre-defined actions include at least one of, automatic notifications, escalations or runbook automation and enabling, by the one or more processors, the trained model to learn an outcome of the one or more pre-defined actions taken.
[0015] In yet another embodiment, the step of, retrieving, by the one or more processors, historic network performance data from one or more data sources, includes the step of preprocessing, by the one or more processors, the retrieved historic network performance data.
[0016] In another aspect of the present invention, the system for predicting one or more future alarms is disclosed. The system includes a retrieving unit, configured to, retrieve, historic network performance data from one or more data sources. The system further includes a determining unit, configured to, determine, an anomaly when one or more metrics of the network performance data exceed a threshold. The system further includes a categorizing unit, configured to, categorize, one or more alarms generated into severity levels based on one or more alarm parameters, the one or more alarms are generated in response to the determined anomaly. The system further includes a training unit, configured to, train, a model with at least one of, the historic network performance data and the categorized one or more alarms. The system further includes a predicting unit, configured to, predict, utilizing the trained model, the one or more future alarms.
[0017] In yet another aspect of the present invention, a non-transitory computer-readable medium stored thereon computer-readable instructions that, when executed by a processor. The processor is configured to retrieve historic network performance data from one or more data sources. The processor is further configured to determine an anomaly when one or more metrics of the network performance data exceed a threshold. The processor is further configured to categorize, one or more alarms generated into severity levels based on one or more alarm parameters, the one or more alarms are generated in response to the determined anomaly. The processor is further configured to train, a model with at least one of, the historic network performance data and the categorized one or more alarms. The processor is further configured to predict, utilizing the trained model, the one or more future alarms.
[0018] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0019] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0020] FIG. 1 is an exemplary block diagram of an environment for predicting one or more future alarms, according to one or more embodiments of the present invention;
[0021] FIG. 2 is an exemplary block diagram of a system for predicting the one or more future alarms, according to one or more embodiments of the present invention;
[0022] FIG. 3 is an exemplary architecture of the system of FIG. 2, according to one or more embodiments of the present invention;
[0023] FIG. 4 is an exemplary architecture for predicting the one or more future alarms, according to one or more embodiments of the present disclosure;
[0024] FIG. 5 is an exemplary signal flow diagram illustrating the flow for predicting the one or more future alarms, according to one or more embodiments of the present disclosure; and
[0025] FIG. 6 is a flow diagram of a method for predicting the one or more future alarms, according to one or more embodiments of the present invention.
[0026] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0027] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0028] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0029] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0030] Various embodiments of the present invention provide a system and method for predicting one or more future alarms. The most unique aspect of the invention lies in its ability to combine advanced technologies like machine learning and predictive analytics with real-time network and application monitoring. The disclosed system and method aim at categorizing alarms by severity of alarms, due to which the system can differentiate between critical alarms associated with the critical issues that require immediate attention and minor alarms associated with the less severe issues. The system predicts one or more future alarms based on patterns and anomalies in the data. This proactive approach enables organizations to address problems before they impact services. In other words, the present invention provides a unique approach of automatically/dynamically categorizing alarms by severity, detecting and notifying the critical alarms, automatically triggering predefined actions in order to resolve critical issues notified by the critical alarms.
[0031] Referring to FIG. 1, FIG. 1 illustrates an exemplary block diagram of an environment 100 for predicting one or more future alarms according to one or more embodiments of the present invention. The environment 100 includes a User Equipment (UE) 102, a server 104, a network 106, a system 108, and one or more data sources 110. Herein, predicting one or more future alarms pertains to predicting future anomalies and future alarms. In one embodiment, system 108 predicts one or more future alarms related to one or more issues that may occur in the network 106 in future. For example, let us consider a scenario where a sensor monitors the temperature of a network function. While monitoring, the sensor determines that the temperature of the network function is rising unusually and then the system 108 determines that the temperature will reach a threshold based on which the system 108 predicts that and one or more alarms will be raised in the future. The system 108 also predicts the one or more anomalies if the one or more alarms are ignored which could lead to one or more issue such as at least one of, but not limited to, hardware failures and downtime.
[0032] For the purpose of description and explanation, the description will be explained with respect to one or more user equipment’s (UEs) 102, or to be more specific will be explained with respect to a first UE 102a, a second UE 102b, and a third UE 102c, and should nowhere be construed as limiting the scope of the present disclosure. Each of the at least one UE 102 namely the first UE 102a, the second UE 102b, and the third UE 102c is configured to connect to the server 104 via the network 106.
[0033] In an embodiment, each of the first UE 102a, the second UE 102b, and the third UE 102c is one of, but not limited to, any electrical, electronic, electro-mechanical or an equipment and a combination of one or more of the above devices such as smartphones, Virtual Reality (VR) devices, Augmented Reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device.
[0034] The network 106 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof. The network 106 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
[0035] The network 106 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth.
[0036] The environment 100 includes the server 104 accessible via the network 106. The server 104 may include by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, a processor executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof. In an embodiment, the entity may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise side, a defense facility side, or any other facility that provides service.
[0037] The environment 100 further includes the one or more data sources 110. In one embodiment, the one or more data sources 110 are origins from which the data is collected and utilized for at least one of, but not limited to, analysis, research, and decision-making. In one embodiment, the one or more data sources 110 is at least one of, but not limited to, server 104, applications, sensors, one or more databases, network functions, network elements, network devices such as routers and switches. In particular, the one or more data sources 110 is associated with the sources included within the network 106 and outside the network 106.
[0038] The environment 100 further includes the system 108 communicably coupled to the server 104, the UE 102, and the one or more data sources 110 via the network 106. The system 108 is adapted to be embedded within the server 104 or is embedded as the individual entity.
[0039] Operational and construction features of the system 108 will be explained in detail with respect to the following figures.
[0040] FIG. 2 is an exemplary block diagram of the system 108 for predicting the one or more future alarms, according to one or more embodiments of the present invention.
[0041] As per the illustrated and preferred embodiment, the system 108 for predicting the one or more future alarms, includes one or more processors 202, a memory 204, a storage unit 206 and a model 220. The one or more processors 202, hereinafter referred to as the processor 202, may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions. However, it is to be noted that the system 108 may include multiple processors as per the requirement and without deviating from the scope of the present disclosure. Among other capabilities, the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204.
[0042] As per the illustrated embodiment, the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204 as the memory 204 is communicably connected to the processor 202. The memory 204 is configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed for predicting the one or more future alarms. The memory 204 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
[0043] The environment 100 further includes the storage unit 206. As per the illustrated embodiment, the storage unit 206 is configured to store network performance data retrieved from the one or more data sources 110. The storage unit 206 is one of, but not limited to, a centralized database, a cloud-based database, a commercial database, an open-source database, a distributed database, an end-user database, a graphical database, a No-Structured Query Language (NoSQL) database, an object-oriented database, a personal database, an in-memory database, a document-based database, a time series database, a wide column database, a key value database, a search database, a cache databases, and so forth. The foregoing examples of the storage unit 206 types are non-limiting and may not be mutually exclusive e.g., the database can be both commercial and cloud-based, or both relational and open-source, etc.
[0044] As per the illustrated embodiment, the system 108 includes the model 220. In an alternate embodiment, the system 108 includes a plurality of models 220. In one embodiment, the model 220 is at least one of, but not limited to, an Artificial Intelligence/Machine Learning (AI/ML) model 220. The model 220 is a powerful tool that can automate tasks such as recognizing patterns, detecting anomalies, correlating anomalies, making predictions, solving problems, enhance decision-making, and provide insights across various fields. For example, the model 220 is designed to automate the process of applying machine learning to real-world problems, making the process easier without extensive manual intervention.
[0045] As per the illustrated embodiment, the system 108 includes the processor 202 for predicting the one or more future alarms. The processor 202 includes a retrieving unit 208, a determining unit 210, a categorizing unit 212, a training unit 214, a predicting unit 216, a triggering unit 218, a transceiver 222. The processor 202 is communicably coupled to the one or more components of the system 108 such as the memory 204, the storage unit 206 and the model 220. In an embodiment, operations and functionalities of the retrieving unit 208, the determining unit 210, the categorizing unit 212, the training unit 214, the predicting unit 216, the triggering unit 218, the transceiver 222 and the one or more components of the system 108 can be used in combination or interchangeably.
[0046] In one embodiment, initially the retrieving unit 208 of the processor 202 is configured to retrieve network performance data from the one or more data sources 110. Herein, the network performance data includes at least one of, but not limited to, alarms, counters, performance metrics, logs and event records.
[0047] In one embodiment, the alarms are notifications or signals that indicates a specific condition or event requiring attention. In particular, the alarms serve to alert users about one or more issues such as at least one of, but not limited to, node failures, network traffic, performance degradation, or security breaches. For example, the alarms are visual alarms such as lights on a device, audible sound alerts, or digital (notifications in monitoring systems). In one embodiment, the counters are measurement tools or variables that keep track of quantities or occurrences of specific events. The counters provide insights into traffic, errors, and overall health of the network 106. For example, the counters are traffic counters, error counters, and connection counters.
[0048] In one embodiment, the logs are essential records generated by system 108 that documents one or more future alarms and processes over time. The logs are stored in at least one of, but not limited to, the storage unit 206. The logs serve for various purposes such as at least one of, but not limited to, troubleshooting, performance monitoring and detecting anomalies. In one embodiment, the event records are detailed logs that capture significant occurrences of the one or more future alarms within the system 108. The event records include at least one of, but not limited to, a time stamp and a type of the one or more future alarms.
[0049] In an alternate embodiment, historic network performance data is retrieved from the one or more data sources 110. Herein, the retrieving unit 208 retrieves network performance data from the one or more data sources 110 which are present within the network 106 and outside the network 106. In one embodiment, the one or more data sources 110 periodically transmits the network performance data to the system 108.
[0050] In one embodiment, the retrieving unit 208 retrieves the network performance data from a Network Management System (NMS). Herein, the NMS acts as the mediator between the one or more data sources 110 and the retrieving unit 208. Herein, the NMS collects the network performance data from the one or more data sources 110. In one embodiment, the NMS identifies, configure, monitor, update and troubleshoot nodes within the network 106. In one embodiment, the nodes refer to the individual points or devices that connect and communicates with each other. Herein, the one or more data sources 110 are at least one among the nodes. In an alternate embodiment, the one or more data sources 110 is at least one of, but not limited to, the NMS which derives/collects performance data and logs from the network devices or Network Functions (NF). Herein, the NFs are at least one of, but not limited to, Virtual Network Functions (VNF), Virtual Network Functions Components (VNFC), Container Network Functions (CNF) and Container Network Functions Components (CNFC) etc.
[0051] In one embodiment, the retrieving unit 208 retrieves the network performance data from the one or more data sources 110 via an interface. In one embodiment, the interface includes at least one of, but not limited to, one or more Application Programming Interfaces (APIs) which are used for retrieving the network performance data from the one or more data sources 110. The one or more APIs are sets of rules and protocols that allow different entities to communicate with each other. The one or more APIs define the methods and data formats that entities can use to request and exchange information, enabling integration and functionality across various platforms. In particular, the APIs are essential for integrating different systems, accessing services, and extending functionality.
[0052] In one embodiment, upon retrieving the network performance data from the one or more data sources 110, the retrieving unit 208 is further configured integrate the network performance data retrieved from the one or more data sources 110 within the network 106 and the one or more data sources 110 outside the network 106. Herein, integrating the network performance data involves combining data from the one or more data sources 110 to provide a unified view or to enable comprehensive analysis.
[0053] Upon integrating the network performance data, the retrieving unit 208 is further configured to preprocess the integrated network performance data. In particular, the retrieving unit 208 is configured to preprocess the network performance data to ensure the data consistency and quality of the data within the system 108. The retrieving unit 208 performs at least one of, but not limited to, data normalization, data definition and data cleaning procedures.
[0054] While preprocessing, the retrieving unit 208 performs at least one of, but not limited to, reorganizing the data, removing the redundant data, formatting the data, removing null values from the data, cleaning the data, handling missing values. The main goal of the preprocessing is to achieve a standardized data format across the entire system 108. The preprocessing eliminates duplicate data and inconsistencies from the network performance data. The retrieving unit 208 ensures that the preprocessed data is stored appropriately in at least one of, the storage unit 206 for subsequent retrieval and analysis.
[0055] Upon preprocessing the network performance data, the determining unit 210 of the processor 202 is configured to determine an anomaly within the network performance data when one or more metrics of the network performance data exceeds a threshold. Herein, the one or more metrics include at least one of, but not limited to, network traffic, a Central Processing Unit (CPU) usage, a latency and a packet loss.
[0056] In one embodiment, the network traffic refers to the flow of data packets across the network 106 at any given time. In one embodiment, the CPU usage refers to the percentage of the CPU's capacity that is actively being utilized by at least one of, but not limited to, the system 108 within the network 106 at any given time. In one embodiment, the latency refers to the delay or time taken for data to travel from one point to another in the network 106 or the system 108. In one embodiment, the packet loss refers to a phenomenon where the data packets traveling across the network 106 fails to reach their intended destination.
[0057] In one embodiment, in order to detect the anomaly within the network performance data, the determining unit 210 utilizes the model 220. In an embodiment, the model 220 continuously or periodically monitors the network performance data in order to detect the anomaly. Based on historical data pertaining to the one or more metrics of the network performance data, the model 220 sets the thresholds. In an alternate embodiment, a user sets the thresholds for detecting the anomaly. Further, the determining unit 210 utilizes the model 220 to compare the one or more metrics of the network performance data with the thresholds.
[0058] Based on comparison, when determining unit 210 determines that the one or more metrics of the network performance data exceeds the thresholds, then the determining unit 210 infers the presence of the anomaly in the network performance data. In one embodiment, whenever the one or more metrics of the network performance data exceeds the thresholds, one or more alarms are generated or triggered by the determining unit 210. In other words, the one or more alarms are generated in response to the determined anomaly.
[0059] Upon determining the anomaly and generating the one or more alarms, the categorizing unit 212 of the processor 202 is configured to categorize the generated one or more alarms into severity levels based on one or more alarm parameters. In one embodiment, the one or more alarm parameters include at least one of, but not limited to, type of alarms and impact on services. In one embodiment, the type of alarms refers to the various categories or classifications of alarms based on specific events such as at least one of, but not limited to, the performance or service degradation and security breach. The type of alarms includes at least one of, but not limited to, a performance alarm which is generated when the CPU utilization exceeds the threshold, an operational alarm which is generated when the services are down, and a user behavior alarm which is generated when patterns of the user behavior deviate from normal user behaviors. In one embodiment, the service includes at least one of, but not limited to, communication services, and database services.
[0060] In one embodiment, the impact on services refers to the one or more issues faced by the services due to the presence of the anomalies in the network 106. Herein, the one or more issues includes at least one of, but not limited to, degradation in quality of the service, and unavailability of the service. For example, let us assume that the user is using a real time service such as video conferencing and there is a sudden increase in the network traffic for which the alarm is raised by the system 108. Herin, the increase in the network traffic negatively impacts the real time services due to increased latency which slows down communication within the video conferencing.
[0061] In one embodiment, to categorize the generated one or more alarms into severity levels based on the one or more alarm parameters, the categorizing unit 212 consider factors such as at least one of, but not limited to, the network traffic, error rates, and the historical data. In particular, the categorizing unit 212 consider the factors such as at least one of, but not limited to, the network traffic, the error rates, and the historical data for the severity assessment to the generated one or more alarms.
[0062] In one embodiment, the categorizing unit 212 categories the generated one or more alarms into the severity levels which includes at least one of, but not limited to, critical alarms, major alarms, minor alarms, and warning alarms. In one embodiment, the categorizing unit 212 utilizes the model 220 to assign a severity score or level to each alarm among the generated one or more alarms. Herein, the critical alarms indicate the anomaly that requires immediate attention, and other alarms indicate less severe anomaly as compared to the anomaly indicated by the critical alarm.
[0063] For example, multiple anomalies may be detected by the model 220 and respective one or more alarms are generated for the detected anomalies. The categorizing unit 212 utilizes the model 220 to compare the detected anomalies and depending on severity of impact of the detected anomalies on the services, the model 220 assigns the severity score or level to each alarm among the generated one or more alarms. The alarm with the highest score is considered as critical alarm, the alarm with the second highest score is considered as the major alarm and so on. Advantageously, by promptly identifying and addressing the critical alarms, the system 108 facilitates minimizing downtime and service disruptions, leading to improved availability and reliability of services.
[0064] In another example, let us consider that there are one or more criteria for assigning the severity score or level to each alarm among the generated one or more alarms. Herein the generated alarms are alarm A and alarm B. The one or more criteria includes the at least one criteria of impact such as how many users or services are affected. The one or more criteria further includes at least one criteria of urgency such as how quickly the issue needs to be addressed or whether there is risk of escalation. The one or more criteria further includes at least one criteria of type of alarm such that security alarms are more seriously than performance alert alarm.
[0065] Let us consider a formula where the one or more criteria are used to assign the severity score or level to each alarm such as severity score = (impact weight × impact rating) + (urgency weight × urgency rating) + (type weight × type rating). Herein, the impact weight indicates importance of the impact in the overall score (e.g., 0.5), the urgency weight indicates importance of the urgency (e.g., 0.3) and the type weight indicates the importance of the alarm type (e.g., 0.2). Herein, the weights and the ratings are predefined by the users based on the one or more criteria’s. The ratings are on a scale (e.g., 1-5). For alarm A, the one or more criteria’s and the ratings are high impact (5), high urgency (4), and security type of alarm (5). Then score for alarm A is: (0.5×5) + (0.3×4) + (0.2×5) = 2.5 + 1.2 + 1.0 = 4.7. Based on the score, the alarm A is categorized as the critical alarm. For alarm B, the one or more criteria’s and the ratings are medium impact (3), low urgency (2), and performance type of alarm (3). Then score for alarm B is: (0.5×3) + (0.3×2) + (0.2×3) =1.5 + 0.6 + 0.6=2.7. Based on the score, the alarm B is categorized as the major or minor alarm.
[0066] In embodiment, the critical alarms indicate the anomaly that requires immediate attention. Herein, the critical alarms indicate threat to at least one of, but not limited to, safety, security, or system integrity. For example, when the services are down the alarms \are considered critical. In embodiment, the major alarms are the alarms that require prompt action but are not severe as compared to the critical alarms. For example, the system 108 operating at over 90% Central Processing Unit (CPU) usage, then major alarm is raised which indicates potentially leading to slow performance. In embodiment, the minor alarms are manageable alarms which may not require immediate action but should be addressed to prevent escalation. For example, the minor alarms are related to slightly elevated temperatures detected in a server room, requiring monitoring but not critical enough to trigger emergency cooling measures. In embodiment, the warning alarms are alarms that provide notifications of potential issues that may escalate if not monitored but do not require immediate action. For example, the memory utilization is reaching near the maximum capacity which requires attention to avoid future anomalies.
[0067] Upon categorizing the generated one or more alarms into the severity levels, the training unit 214 of the processor 202 is configured to train the model 220 with at least one of, but not limited to, the historic network performance data and the categorized one or more alarms. In an alternate embodiment, the training unit 214 of the processor 202 is configured to train the model 220 with at least one of, but not limited to, the preprocessed network performance data which is stored in the storage unit 206.
[0068] In an alternate embodiment, the system 108 includes a plurality of models 220 from which the training unit 214 selects an appropriate model 220 for training. Thereafter, the selected model 220 is trained using the historic network performance data and the categorized one or more alarms. Further, the training unit 214 configures one or more hyperparameters of the model 220 in order to train the model 220. Herein, the one or more hyperparameters of the model 220 includes at least one of, but not limited to, a learning rate, a batch size, and a number of epochs. Subsequent to configuring the one or more hyperparameters of the model 220, the training unit 214 infers that the model 220 is ready for training.
[0069] In one embodiment, for training the model 220, the training unit 214 splits the historical data and the categorized one or more alarms data into at least one of, but not limited to, training data and testing data. Further, the training unit 214 feeds the training data to the model 220. Subsequent to training, the trained model 220 is fed with the testing data in order to evaluate performance of the trained model 220.
[0070] In one embodiment, when the trained model 220 generates an output based on the testing data, the training unit 214 evaluates the performance of the trained model 220. In one embodiment, the output generated by the trained model 220 is again fed back to the trained model 220 by the training unit 214, so that based on the generated output, the trained model 220 is trained again. In particular, after generating the output, the model 220 keeps on training and updating itself in order to achieve better output.
[0071] In alternate embodiment, based on the performance evaluation of the trained model 220, the training unit 214 may again configure the one or more hyperparameters of the trained model 220 to optimize the performance of the trained model 220. In one embodiment, when the performance of the trained model 220 is optimized, then the trained model 220 is inferred as the optimal model 220 which can be used for further analysis.
[0072] In one embodiment, based on training, the model 220 learns at least one of, but not limited to, patterns, trends and behaviour of the determined anomaly from the historic network performance data and the categorized one or more alarms by applying one or more logics. The patterns refer to recurring behaviors or structures in the data that appear consistently over time. The trends are general directions in which data points move over a period of time. The behaviour of the determined anomaly refers to the unusual patterns or deviations from normal operations that indicate a potential issue, such as a security breach or network failure. In one embodiment, the one or more logics may include at least one of, but not limited to, a k-means clustering, a hierarchical clustering, a Principal Component Analysis (PCA), an Independent Component Analysis (ICA), a deep learning logics such as Artificial Neural Networks (ANNs), a Convolutional Neural Networks (CNNs), a Recurrent Neural Networks (RNNs), a Long Short-Term Memory Networks (LSTMs), a Generative Adversarial Networks (GANs), a Q-Learning, a Deep Q-Networks (DQN), a Reinforcement Learning Logics, etc.
[0073] Upon training the model 220, the predicting unit 216 of the processor 202 is configured to predict, the one or more future alarms utilizing the trained model 220. In one embodiment, the predicting unit 216 predicts the one or more future alarms based on learnt at least one of, but not limited to, patterns, trends and behaviour of the anomaly. Herein, predicting the one or more future alarms includes at least one of, but not limited to, predicting the future anomalies and related future alarms along with the expected severity of the future alarms. In particular, the future anomalies pertain to one or more potential issues that may occur in the network 106.
[0074] In an embodiment, the predicting unit 216 performs a predictive analysis using the model 220 to predict one or more future alarms based on the historic network performance data and the categorized one or more alarms. For example, let us assume that multiple anomalies are detected by the system 108 and multiple alarms are generated by the system 108 associated with the multiple anomalies. Further the predicting unit 216 utilizes the trained model 220 to check similarities between the multiple anomalies and the multiple alarms. Herein, the similarities include at least one of, but not limited to, the multiple alarms are generated due to a common anomaly. Based on the similarities between the multiple anomalies and the multiple alarms, the predicting unit 216 predicts the future anomalies and related future alarms.
[0075] More particularly, let us assume alarm 1 is raised due to the anomaly such as high traffic. So based on the learnt patterns, trends and behaviour of the determined anomaly and the similarities between the multiple anomalies and the multiple alarms, the predicting unit 216 predicts that an alarm 2 will be raised pertaining to delay in serving the request due to the high traffic. In one embodiment, the predicting unit 216 also infers the severity of the alarm 2 utilizing the trained model 220. In one embodiment, based on one or more pre-defined actions undertaken previously for a similar type of the alarm 2 in the past, the predicting unit 216 predicts the one or more pre-defined actions for the alarm 2.
[0076] Upon predicting the one or more future alarms, the triggering unit 218 of the processor 202 is configured to trigger one or more pre-defined actions in real time based on severity levels of the one or more alarms. In one embodiment, whenever at least one of, but not limited to, a critical alarm is predicted, then the triggering unit 218 is configured to trigger the one or more pre-defined actions. In another embodiment, whenever at least one of, but not limited to, the critical alarm is categorized by the categorizing unit 212, the triggering unit 218 is configured to trigger the one or more pre-defined actions.
[0077] In one embodiment, the one or more pre-defined actions include at least one of, but not limited to, automatic notifications to the user to resolve the critical alarm, escalations or Runbook Automation (RBA). Herein, the RBA is an operation process that enables users to turn manual solutions into automated processes. Advantageously this reduces the risk of delays caused by manual processes. Herein. automatic notifications are alerts provided to the users regarding the critical alarm or about specific events, thresholds, or anomalies. For example, the notifications can be sent via various channels such as email, Short Messaging Services (SMS), or messaging platforms. In one embodiment, the escalations are predefined processes that ensure that alerts are brought to the attention of higher levels of authority or specialized teams when the alarms meet certain thresholds. This escalation typically involves notifying management or specialized personnel if the critical alarm remains unresolved after a set time or if it reaches a critical level, ensuring timely response and resolution. For example, if the critical alarm is unsolved within the predefined threshold time limit, then the notification regarding the unsolved critical alarm is escalated to higher management or security teams. In one embodiment, the RBA involves the use of automated scripts or workflows to execute predefined operational procedures (runbooks) in response to critical alarms. The predefined operational procedures include tasks such as at least one of but not limited to, gathering logs, restarting, and scaling resources. For example, the critical alarm is related to the traffic which is among the common alarm scenarios. Then RBA initiates predefined actions such as automatically scaling the network resources or rerouting the traffic for resolving the critical alarm.
[0078] In an embodiment, the one or more pre-defined actions are triggered by the triggering unit 218 to resolve the anomaly and the one or more alarms as per the severity levels. For example, firstly the one or more pre-defined actions are taken to resolve the critical alarms. Thereafter, the one or more pre-defined actions are taken to resolve the major alarms and minor alarms. In one embodiment, the one or more pre-defined actions are triggered by the triggering unit 218 based on one or more pre-defined actions undertaken previously for a similar type of the one or more alarms in the past.
[0079] Upon triggering the one or more pre-defined actions, the triggering unit 218 of the processor 202 is further configured to feed an outcome of the one or more pre-defined actions taken to the trained model 220. In one embodiment, the triggering unit 218 enables the trained model 220 to learn the outcome of the one or more pre-defined actions taken. For example, if a particular pre-defined action successfully resolves the anomaly and the one or more alarms, the model 220 adapts and refines the one or more logics for future incidents similar to the current incidents that have occurred. In addition to learning the outcome of the pre-defined actions, the trained model 220 also learns the manual action or customized action which are taken by the user in order to resolve the anomaly and the one or more alarms. The trained model 220 adapts and refines the learned dataset will further strengthen the prediction of the trained model 220. Advantageous due to the one or more pre-defined actions, the system 108 enables users to proactively identify and address the one or more alarms associated with the anomaly before they escalate into critical problems.
[0080] In one embodiment, the triggering unit 218 of the processor 202 is further configured to generate a report which includes at least one of, but not limited to, the one or more pre-defined actions taken along with the outcomes and predicted the one or more future alarms. Further, the generated report is transmitted to the user in real time. In particular, the transceiver 222 of the processor 202 is configured to transmit the generated report to the user. In one embodiment, the user may view the generated reports on the UI 306 of the UE 102.
[0081] In one embodiment, the system 108 simplifies the process of meeting regulatory compliance requirements by maintaining detailed logs of the generated reports related to the network performance. In one embodiment, the processor 202 stores logs related to at least one of, but not limited to, the network performance data, detected anomalies, categorized one or more alarms, predicted one or more future alarms and the predicted one or more future anomalies, the one or more pre-defined actions and the outcome of the one or more pre-defined actions. In particular, the processor 202 stores logs in at least one of, storage unit 206 which are used by the model 220 for future learning which leads to taking better decisions. The logs are added in the report generated which provides insights including at least one of, but not limited to application performance, issue resolution rates, and prediction accuracy on the dashboard of the UE 102.
[0082] In one embodiment, the system 108 ability to scale effectively enables system 108 to manage the growing complexity and size of networks and applications, which is crucial for predicting one or more future alarms. As the network 106 expands, the volume of network performance data and interactions among the system 108 and the components in the network 106 increases. The system 108 adapts to the large volume of network performance data and enhances the ability of predicting one or more future alarms.
[0083] The retrieving unit 208, the determining unit 210, the categorizing unit 212, the training unit 214, the predicting unit 216, the triggering unit 218, and the transceiver 222 in an exemplary embodiment, are implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 202. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 202 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 204 may store instructions that, when executed by the processing resource, implement the processor 202. In such examples, the system 108 may comprise the memory 204 storing the instructions and the processing resource to execute the instructions, or the memory 204 may be separate but accessible to the system 108 and the processing resource. In other examples, the processor 202 may be implemented by electronic circuitry.
[0084] FIG. 3 illustrates an exemplary architecture for the system 108, according to one or more embodiments of the present invention. More specifically, FIG. 3 illustrates the system 108 for predicting the one or more future alarms. It is to be noted that the embodiment with respect to FIG. 3 will be explained with respect to the UE 102 for the purpose of description and illustration and should nowhere be construed as limited to the scope of the present disclosure.
[0085] FIG. 3 shows communication between the UE 102, the system 108, and the one or more data sources 110. For the purpose of description of the exemplary embodiment as illustrated in FIG. 3, the UE 102, uses network protocol connection to communicate with the system 108, and the one or more data sources 110. In an embodiment, the network protocol connection is the establishment and management of communication between the UE 102, the system 108, and the one or more data sources 110 over the network 106 (as shown in FIG. 1) using a specific protocol or set of protocols. The network protocol connection includes, but not limited to, Session Initiation Protocol (SIP), System Information Block (SIB) protocol, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Network Management Protocol (SNMP), Internet Control Message Protocol (ICMP), Hypertext Transfer Protocol Secure (HTTPS) and Terminal Network (TELNET).
[0086] In an embodiment, the UE 102 includes a primary processor 302, and a memory 304 and a User Interface (UI) 306. In alternate embodiments, the UE 102 may include more than one primary processor 302 as per the requirement of the network 106. The primary processor 302, may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions.
[0087] In an embodiment, the primary processor 302 is configured to fetch and execute computer-readable instructions stored in the memory 304. The memory 304 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed for predicting the one or more future alarms. The memory 304 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
[0088] In an embodiment, the User Interface (UI) 306 includes a variety of interfaces, for example, a graphical user interface, a web user interface, a Command Line Interface (CLI), and the like. The UI 306 of the UE 102 allows the user to view the generated report. In one embodiment, the user may be at least one of, but not limited to, a network operator.
[0089] As mentioned earlier in FIG.2, the system 108 includes the processors 202, the memory 204 and the storage unit 206, for predicting the one or more future alarms, which are already explained in FIG. 2. For the sake of brevity, a similar description related to the working and operation of the system 108 as illustrated in FIG. 2 has been omitted to avoid repetition.
[0090] Further, as mentioned earlier the processor 202 includes the retrieving unit 208, the determining unit 210, the categorizing unit 212, the training unit 214, the predicting unit 216, the triggering unit 218, and the transceiver 222 which are already explained in FIG. 2. Hence, for the sake of brevity, a similar description related to the working and operation of the system 108 as illustrated in FIG. 2 has been omitted to avoid repetition. The limited description provided for the system 108 in FIG. 3, should be read with the description provided for the system 108 in the FIG. 2 above, and should not be construed as limiting the scope of the present disclosure.
[0091] FIG. 4 is an exemplary the system 108 architecture 400 for predicting the one or more future alarms, according to one or more embodiments of the present disclosure.
[0092] The architecture 400 includes the one or more data sources 110 such as Alarm source 1, Alarm source 2 and Alarm source 3 from which multiple alarms may be triggered. For example, the one or more data sources 110 are one or more network functions linked with the multiple alarms. When the performance of the one or more data sources 110 are degraded or the one or more issues are faced by the one or more data sources 110, then the multiple alarms are triggered by the one or more data sources 110.
[0093] The architecture 400 further includes the NMS 402, a pre-processor 404, an alarm data categorization and resolution predictor engine 406, a Machine Learning (ML) service 408, the storage unit 206, workflow 410 and the UI 306 communicably coupled to each other via the network 106.
[0094] In one embodiment, the NMS 402 periodically collects the network performance data from at least one of, the Alarm source 1, the Alarm source 2 and the Alarm source 3. In an alternate embodiment, the NMS 402 collects network performance data based on demand of the user. The network performance data is crucial for monitoring network performance, identifying anomaly, and ensures that system 108 operates smoothly.
[0095] In one embodiment, the pre-processor 404 receives the collected network performance data from the NMS 402 and preprocesses the network performance data. For example, the network performance data undergoes preprocessing to ensure data consistency within the system 108. In particular, the preprocessing involves tasks like data cleaning, normalization, removing unwanted data like outliers, duplicate records and handling missing values.
[0096] In one embodiment, the alarm data categorization and resolution predictor engine 406 is designed to analyze and manage multiple alarms in real time. Herein, based on real time network performance data received from the NMS 402, the alarm data categorization and resolution predictor engine 406 analyzes multiple alarms included in the real time network performance and thereafter categorizes the multiple alarms and resolves the multiple alarms in real time based on the one or more alarm parameters and the severity levels of the multiple alarms. In particular, alarm data categorization and resolution predictor engine 406 categorizes alarms based on one or more alarm parameters and severity levels. For example, let us assume that alarms are Based on the categorization of alarms, the alarm data categorization and resolution predictor engine 406 performs predictive analytics to forecasts of one or more future alarms. In other words, the alarm data categorization and resolution predictor engine 406 predicts = one or more alarms related to future anomalies along with the expected severity and the resolutions for the one or more future alarms.
[0097] For example, the model 220 facilities the alarm data categorization and resolution predictor engine 406 to performs the predictive analytics. Herein the model 220 learns patterns of the normal traffic over time, which is useful for forecasting one or more alarms related to normal traffic based on historical data and sets one or more thresholds. In particular, if the alarm data categorization and resolution predictor engine 406 determines that the traffic is reaching near the one or more thresholds, then the alarm data categorization and resolution predictor engine 406 forecast that one or more future alarms related to the traffic will be raised.
[0098] In one embodiment, the ML service 408 refers to platform and tool that provide resources for building, deploying, and managing model 220. The ML service 408 performs the model 220 selection and the model 220 training. Herein, the model 220 learns the patterns, trends and behaviour of the anomaly. Based on the learnt patterns, trends and behaviour of the anomaly, the model 220 facilities the alarm data categorization and resolution predictor engine 406 to performs the predictive analytics. For example, let us assume that Auto Regressive Integrated Moving Average (ARIMA) is an ML logic to predict one or more future alarms. The ARIMA facilitates predicting the number of alarms (or alerts) based on historical alarm data. The ARIMA takes an input of dataset which includes the time stamp of the alarms and number of alarms triggered hourly. Herein for timestamp (2024-10-01 00:00) 5 alarms were raised, for time stamp (2024-10-01 01:00) 8 alarms were raised. Thereafter, the ARIMA is trained on the historical alarm data. Based on training, the trained ARIMA predicts future one or more alarm counts for a specified time such as next hour or day. Herein the trained ARIMA predicts that for timestamp (2024-10-02 01:00) 9 alarms will be raised, for time stamp (2024-10-02 02:00) 11 alarms were raised.
[0099] In one embodiment, the storage unit 206 includes a structured collection of the preprocessed data, the categorized alarms, the predicted one or more future alarms which are managed and organized in a way that allows system 108 for easy access, retrieval, and manipulation. The storage unit 206 is used to store, manage, and retrieve large amounts of information efficiently.
[00100] In one embodiment, the workflow 410 is a defined sequence of processes or tasks that are carried out to complete a specific goal or project. The workflow 410 involves the coordination of components in the architecture, resources, and tools to ensure that work is completed efficiently and effectively. In particular, the workflow 410 retrieves the categorized alarms and the predicted one or more future alarms from the storage unit 206 and provides the visual representation on the UI 306.
[00101] FIG. 5 is a signal flow diagram illustrating the flow for predicting the one or more future alarms, according to one or more embodiments of the present disclosure.
[00102] At step 502, the system 108 retrieves historic network performance data from the one or more data sources 110. In one embodiment, the system 108 transmits at least one of, but not limited to, a HTTP request to the one or more data sources 110 to retrieve at least one of, the historic network performance data. In one embodiment, a connection is established between the system 108 and the one or more data sources 110 before retrieving the data. Further, the historic network performance data are integrated and preprocessed.
[00103] At step 504, the system 108 utilizes the retrieved at least one of, historic network performance data to determine the anomaly by using the model 220. Herein, the system 108 detects the anomaly when the one or more metrics of the network performance data breaches the thresholds.
[00104] At step 506, the system 108 categorizes the one or more alarms into severity levels based on based on the one or more alarm parameters. Herein, the one or more alarms are generated when the one or more metrics of the network performance data breaches the thresholds. For example, the severity levels are critical alarms, major alarms and minor alarms.
[00105] At step 508, the system 108 predicts the one or more future alarms based on the patterns, trends and behaviour of the anomaly which are learnt by the system 108 using the historic network performance data and the categorized one or more alarms. Herein, the system 108 predicts the one or more future alarms such as future anomalies and related future alarms by performing the predictive analysis.
[00106] At step 512, the system 108 triggers one or more pre-defined actions such as automatic notifications, escalation, and the Runbook Automation (RBA) to resolve the critical alarms which are detected by the system 108.
[00107] At step 512, the system 108 transmits the report to the user regarding the predicted one or more future alarms and the one or more pre-defined actions taken to resolve the critical alarms. Herein, the system 108 transmits the report to the user by at least one of, but not limited to, the HTTP request. The user can view report on the UI 306 of the UE 102. For example, if the user is interacting with the Graphical User Interface (GUI) based system, the report can be provided to the GUI via an API call which allows users to see reports in real-time. In another example, let us assume the user is at least one of, but not limited to, an application, a microservice, or a service which enables the system 108 to transmit the report including at least one of, but not limited to, the predicted one or more future alarms, notifications and pre-defined actions to the user via the HTTP request.
[00108] FIG. 6 is a flow diagram of a method 600 for predicting the one or more future alarms, according to one or more embodiments of the present invention. For the purpose of description, the method 600 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
[00109] At step 602, the method 600 includes the step of retrieving, at least one of, historic network performance data from the one or more data sources 110. In one embodiment, the retrieving unit 208 retrieves the historic network performance data from the one or more data sources 110. In particular, the retrieving unit 208 utilizes the one or more APIs for retrieving the historic network performance data from the one or more data sources 110. Further, the the historic network performance data retrieved from the one or more data sources 110 is integrated by the retrieving unit 208. Thereafter, the integrated data is preprocessed by the the retrieving unit 208 to ensure the data consistency and quality within the system 108.
[00110] At step 604, the method 600 includes the step of determining, the anomaly when one or more metrics of the network performance data exceed the threshold. In one embodiment, the determining unit 210 determines the anomaly using the model 220. For example, let us assume that the network traffic handling capacity of the system 108 or the server 104 is 1000 requests per hour which acts as the threshold for the network traffic. Subsequently, let us say in next hour, the load of the network traffic increases to 5000 requests. Herein, using the trained model 220, the determining unit 210 determines unusual patterns in the network traffic. During this situation, since the network traffic (5000 requests) exceeds the thresholds (1000 requests), an alarm is generated, and the unusual pattern in network traffic is inferred as an anomaly.
[00111] At step 606, the method 600 includes the step of categorizing, one or more alarms generated into a number of severity levels based on one or more alarm parameters. In one embodiment, the categorizing unit 212 categorizes the one or more alarms generated into severity levels. Herin, the one or more alarms are generated in response to the determined anomaly. For example, let us consider 3 alarms are generated in the network 106. Herein the alarm 1 pertains to anomaly such as at least one of, but not limited to, high network traffic, the alarm 2 pertains to anomaly such as at least one of, but not limited to, excess CPU utilization and the alarm 3 pertains to such as anomaly such as at least one of, but not limited to, excess latency. Further, the categorizing unit 212 checks for the impact on services. The alarm with the highest impact on the services is considered as the critical alarm. The alarm with the lowest impact on the services is considered as the warning alarm. For example, let us assume that a first alarm is related to the network traffic. Herein the network traffic can lead to service disruptions, causing downtime and affecting all users relying on the service. So, the first alarm is considered as the critical alarm. In another example, let us assume that a second alarm is related to the temperature of the server room which exceeds a certain threshold (e.g., 75°F), then warning alarm is triggered which leads to hardware failures, downtime, impacting service availability. So, the second alarm is considered as the warning alarm.
[00112] At step 608, the method 600 includes the step of training the model 220 with at least one of, the historic performance data and the categorized one or more alarms. In one embodiment, the training unit 214 trains the model 220. The training unit 214 feeds the model 220 using the historic network performance data and the categorized one or more alarms. While training, the model 220 learns at least one of, but not limited to, patterns, trends and behaviour of the anomaly.
[00113] At step 610, the method 600 includes the step of predicting, utilizing the trained model 220, the one or more future alarms. In one embodiment, the predicting unit 216 predicts the one or more future alarms. For example, let us assume that alarm 1 is raised due to anomaly such as 95% of the memory consumption. Then the predicting unit 216 utilizes the trained model 220 to check similarities between the anomaly such as 95% of the memory consumption and any other alarms that are not been generated yet. Based on the historical data, the predicting unit 216 checks that which alarm will be raised when the memory consumption is full. Based on checking, the predicting unit 216 predicts that alarm 2 will be raised due to the full memory consumption. Herein, the alarm 2 indicates failures in reading or writing memory which is inferred as the critical alarm.
[00114] In one embodiment, when the critical alarm is detected, the triggering unit 218 triggers the one or more pre-defined actions to resolve the critical alarm. The one or more pre-defined actions automatically resolves the critical alarm. Further the triggering unit 218 generates the report which includes at least one of, but not limited to, the one or more pre-defined actions taken along with the outcomes and predicted the one or more future alarms. In one embodiment, the generated report is provided to the user via the transceiver 222 and the user can view the generated reports on the UI 306.
[00115] In yet another aspect of the present invention, a non-transitory computer-readable medium having stored thereon computer-readable instructions that, when executed by a processor 202. The processor 202 is configured to retrieve, historic network performance data from one or more data sources 110. The processor 202 is further configured to determine an anomaly when one or more metrics of the performance data exceed a threshold. The processor 202 is further configured to categorize, one or more alarms generated into severity levels based on one or more alarm parameters, the one or more alarms are generated in response to the determined anomaly. The processor 202 is further configured to configured to train, a model 220 with at least one of, the historic performance data and the categorized one or more alarms. The processor 202 is further configured to predict, utilizing the trained model 220, the one or more future alarms.
[00116] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIG.1-6) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[00117] The present disclosure provides technical advancements in reducing the risk of human error by automatically categorizing the alarms and severity assessment of the alarms. By promptly identifying and addressing critical alarms, the systems help minimize downtime and service disruptions, leading to improved availability and reliability of services. With automated severity assessment, organizations can allocate resources more efficiently. Organizations can gather valuable data on alarm patterns, response times, and issue resolutions which can be used to optimize network and application performance and make informed decisions. The present invention enables organizations/users to proactively identify and address one or more issues before they escalate into critical problems.
[00118] The present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize on some of the advantageous features. The listed advantages are to be read in a non-limiting manner.

REFERENCE NUMERALS

[00119] Environment - 100;
[00120] User Equipment (UE) - 102;
[00121] Server - 104;
[00122] Network- 106;
[00123] System -108;
[00124] One or more data sources – 110;
[00125] Processor - 202;
[00126] Memory - 204;
[00127] Storage unit – 206;
[00128] Retrieving unit – 208;
[00129] Determining unit – 210;
[00130] Categorizing unit – 212;
[00131] Training unit – 214;
[00132] Predicting unit – 216;
[00133] Triggering unit – 218;
[00134] Transceiver - 222;
[00135] Model – 220;
[00136] Primary Processor – 302;
[00137] Memory – 304;
[00138] User Interface (UI) – 306;
[00139] NMS– 402;
[00140] Pre-processor - 404;
[00141] Alarm data categorization and Resolution predictor engine – 406;
[00142] ML service – 408;
[00143] Workflow – 410.

,CLAIMS:CLAIMS
We Claim:
1. A method (600) for predicting one or more future alarms, the method (600) comprising the steps of:
retrieving, by the one or more processors (202), historic network performance data from one or more data sources (110);
determining, by the one or more processors (202), an anomaly when one or more metrics of the network performance data exceed a threshold;
categorizing, by the one or more processors (202), one or more alarms generated into severity levels based on one or more alarm parameters, the one or more alarms are generated in response to the determined anomaly;
training, by the one or more processors (202), a model (220) with at least one of, the historic network performance data and the categorized one or more alarms; and
predicting, by the one or more processors (202), utilizing the trained model (220), the one or more future alarms.

2. The method (600) as claimed in claim 1, wherein the historic network performance data includes at least one of, alarms, counters, performance metrics, logs and event records.

3. The method (600) as claimed in claim 1, wherein the one or more metrics include at least one of, but not limited to, network traffic, Central Processing Unit (CPU) usage, latency and packet loss.

4. The method (600) as claimed in claim 1, wherein the one or more alarm parameters include at least one of, type of alarms and impact on services.

5. The method (600) as claimed in claim 1, wherein the one or more severity levels include at least one of, critical alarms, major alarms, minor alarms and warning alarms.

6. The method (600) as claimed in claim 1, wherein the one or more processors (202) enables the model (220) to learn at least one of, patterns, trends and behaviour of the anomaly from the historic network performance data and the categorized one or more alarms.

7. The method (600) as claimed in claim 1, wherein the one or more processors (202), utilizing the trained model (220), predicts the one or more future alarms based on at least one of, learnt patterns, trends and behaviour of the anomaly.

8. The method (600) as claimed in claim 1, wherein the one or more future alarms include at least one of, future anomalies.

9. The method (600) as claimed in claim 1, wherein the method (600) further comprising the steps of:
triggering, by the one or more processors (202), one or more pre-defined actions based on severity levels of the one or more alarms, wherein the one or more pre-defined actions include at least one of, automatic notifications, escalations or runbook automation; and
enabling, by the one or more processors (202), the trained model (220) to learn an outcome of the one or more pre-defined actions taken.

10. The method (600) as claimed in claim 1, wherein the step of, retrieving, by the one or more processors (202), historic network performance data from one or more data sources (110), includes the step of:
preprocessing, by the one or more processors, the retrieved historic network performance data.

11. A system (108) for predicting one or more alarms, the system (108) comprising:
a retrieving unit (208), configured to, retrieve, historic network performance data from one or more data sources (110);
a determining unit (210), configured to, determine, an anomaly when one or more metrics of the performance data exceed a threshold;
a categorizing unit (212), configured to, categorize, one or more alarms generated into severity levels based on one or more alarm parameters, the one or more alarms are generated in response to the determined anomaly;
a training unit (214), configured to, train, a model (220) with at least one of, the historic network performance data and the categorized one or more alarms; and
a predicting unit (216), configured to, predict, utilizing the trained model (220), the one or more future alarms.

12. The system (108) as claimed in claim 11, wherein the historic network performance data includes at least one of, alarms, counters, performance metrics, logs and event records.

13. The system (108) as claimed in claim 11, wherein the one or more metrics include at least one of, but not limited to, network traffic, Central Processing Unit (CPU) usage, latency and packet loss.

14. The system (108) as claimed in claim 11, wherein the one or more alarm parameters include at least one of, type of alarms and impact on services.

15. The system (108) as claimed in claim 11, wherein the one or more severity levels include at least one of, critical alarms, major alarms, minor alarms and warning alarms.

16. The system (108) as claimed in claim 11, wherein the training unit (214) enables the model (220) to learn at least one of, patterns, trends and behaviour of the anomaly from the historic network performance data and the categorized one or more alarms.

17. The system (108) as claimed in claim 11, wherein the predicting unit (216), utilizing the trained model (220), predicts the one or more future alarms based on at least one of, learnt patterns, trends and behaviour of the anomaly.

18. The system (108) as claimed in claim 11, wherein the one or more future alarms include at least one of, future anomalies.

19. The system (108) as claimed in claim 11, wherein the system (108) further comprising a triggering unit (218), configured to:
trigger, one or more pre-defined actions based on severity levels of the one or more alarms, wherein the one or more pre-defined actions include at least one of, automatic notifications, escalations or runbook automation; and
enable, the trained model (220) to learn an outcome of the one or more pre-defined actions taken.

20. The system (108) as claimed in claim 11, wherein the retrieving unit (208), is further configured to:
preprocess, the retrieved historic network performance data.