Abstract: METHOD AND SYSTEM FOR ANOMALY DETECTION IN A NETWORK. The present disclosure relates to a system (108) and a method (600) for anomaly detection in a network (106). The system (108) includes a retrieving unit (210) to retrieve performance metrics data from one or more network functions (222). The system (108) includes a training unit (212) to train a model with the retrieved performance metrics data. The system (108) includes a transceiver (214) to receive current data pertaining to performance metrics from the one or more network functions (222). The system (108) includes a computing engine (216) to compute a delta between the current data and the trained data based on comparing the current data with the trained data. The system (108) includes a detection unit (218) to detect an anomaly with respect to the current data when one or more values of the computed delta are greater than one or more pre-defined thresholds. Ref. Fig. 2
DESC:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
METHOD AND SYSTEM FOR ANOMALY DETECTION IN A NETWORK
2. APPLICANT(S)
NAME: JIO PLATFORMS LIMITED
NATIONALITY: INDIAN
ADDRESS: OFFICE-101, SAFFRON, NR. CENTRE POINT, PANCHWATI 5 RASTA, AMBAWADI, AHMEDABAD 380006, GUJARAT, INDIA
3. PREAMBLE TO THE DESCRIPTION
THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE NATURE OF THIS INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.
FIELD OF THE INVENTION
[0001] The present invention relates to the field of network management, more particularly relates to a method and a system of anomaly detection in a network.
BACKGROUND OF THE INVENTION
[0002] With increase in number of users, the network service provisions have to be upgraded to incorporate increased users and to enhance the service quality so as to keep pace with such high demand. The Network Functions (NF) play a vital role in improving the quality of a network by the way of managing traffic, delegating node allocation, managing performance of routing device etc. The network function is associated with micro-services executing several tasks in parallel. The data generated by the network services is vast and analysis of such data is essential for enhancement of user experience and to improve service quality.
[0003] A communication network operates with many network elements executing micro-services and network functions. They generate a large amount of data that needs processing so as to determine how the network is performing, what the problems are, what improvements can be implemented, what the state of network devices is, which region is experiencing user surplus, how the resources are distributed etc. However, there may be cases when a data value falls outside the normal range and appears unnatural. The generated data may be in the form of counters or KPIs. The usual practice is that network operators monitor a large number of KPIs and counters to assess the performance of NFs. Delta monitoring involves comparing the current values to baseline data to identify any significant changes. However, manually performing these delta calculations and anomaly detection processes is extremely complex and time-consuming. Moreover, with a high volume of KPI and counter data generated by NFs, the task of analyzing, calculating deltas, and identifying anomalies becomes overwhelming. This data overload makes it challenging to maintain network performance efficiently.
[0004] Due to the complexity and manual nature of delta monitoring, the contemporary network management approach is primarily reactive, i.e., addressing issues only after they are reported by users or when they result in noticeable service disruptions. This reactive approach negatively impacts the reliability of the network. Further, insufficient and erroneous data analysis leads to inefficient resource allocation. The inability to promptly detect performance anomalies means that resources are often misallocated, leading to operational inefficiencies and increased costs.
[0005] There is a need for a system and a method thereof which would provide accurate analysis of data for any unnatural behavior and anomaly, based on KPIs and counter data. The system also should be capable of predicting the errors and possible causes of the abnormal data readings.
SUMMARY OF THE INVENTION
[0006] One or more embodiments of the present disclosure provide a method and system for anomaly detection in a network.
[0007] In one aspect of the present invention, the system for anomaly detection in the network is disclosed. The system includes a retrieving unit, configured to retrieve, performance metrics data from one or more network functions. The system further includes a training unit, configured to train, a model with the retrieved performance metrics data. The system further includes a transceiver, configured to receive current data pertaining to performance metrics from the one or more network functions subsequent to training the model. The system further includes a computing engine, configured to compute, a delta between the current data and the trained data based on comparing the current data with the trained data. The system further includes a detection unit, configured to detect an anomaly with respect to the current data when one or more values of the computed delta are greater than one or more pre-defined thresholds.
[0008] In an embodiment, the performance metrics data is at least one of, a Key Performance Indicator (KPI) and counter data.
[0009] In an embodiment, the training unit trains the model with the retrieved performance metrics data, by extracting one or more values from the retrieved performance metrics data and training the model with the extracted one or more values.
[0010] In an embodiment, the computing engine, computes the delta between the current data and the trained data, by extracting, the one or more values from the current data and comparing, the one or more values of the current data with trained one or more values of the trained data.
[0011] In an embodiment, the system further comprising a notification unit, configured to notify, a user by generating at least one of, alerts and notifications pertaining to detection of the anomaly with respect to the current data.
[0012] In another aspect of the present invention, the method for anomaly detection in the network is disclosed. The method includes the step of retrieving performance metrics data from one or more network functions. The method further includes the step of training a model with the retrieved performance metrics data. The method further includes the step of receiving current data pertaining to performance metrics from the one or more network functions subsequent to training the model. The method further includes the step of pre-computing a delta between the current data and the trained data based on comparing the current data with the trained data. The method further includes the step of detecting an anomaly with respect to the current data when one or more values of the computed delta are greater than one or more pre-defined thresholds.
[0013] In another aspect of the invention, a non-transitory computer-readable medium having stored thereon computer-readable instructions is disclosed. The computer-readable instructions are executed by a processor. The processor is configured to retrieve performance metrics data from one or more network functions. The processor is configured to train, a model with the retrieved performance metrics data. The processor is configured to receive current data pertaining to performance metrics from the one or more network functions subsequent to training the model. The processor is configured to compute, utilizing, the trained model, a delta between the current data and the trained data based on comparing the current data with the trained data. The processor is configured to detect an anomaly with respect to the current data when one or more values of the computed delta are greater than one or more pre-defined thresholds.
[0014] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0015] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0016] FIG. 1 is an exemplary block diagram of an environment for anomaly detection in a network, according to one or more embodiments of the present invention;
[0017] FIG. 2 is an exemplary block diagram of a system for anomaly detection in the network, according to one or more embodiments of the present invention;
[0018] FIG. 3 is an exemplary block diagram of an architecture implemented in the system of the FIG. 2, according to one or more embodiments of the present invention;
[0019] FIG. 4 is a flow diagram for anomaly detection in the network, according to one or more embodiments of the present invention; and
[0020] FIG. 5 is a schematic representation of a method for anomaly detection in the network, according to one or more embodiments of the present invention.
[0021] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0022] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0023] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0024] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0025] The present disclosure relates to a system and a method to detect anomalies in a network by delta monitoring of KPIs (Key Performance Indicators) and counters. The system has various modules to collect data and process the obtained data. The data is analyzed using a uniquely trained machine learning model. The system is configured to perform automated delta monitoring and anomaly detection on KPIs and counters in real-time. The system also comprises an interface to perform the required processes. The system, having an AI/ML integrated anomaly detection module, is further configured to understand network behavior and identify anomalies without manual intervention, which helps in reducing downtime and enhancing user experience.
[0026] FIG. 1 illustrates an exemplary block diagram of an environment 100 for anomaly detection in a network 106, according to one or more embodiments of the present disclosure. In this regard, the environment 100 includes a User Equipment (UE) 102, a server 104, the network 106 and a system 108 communicably coupled to each other for anomaly detection in the network 106.
[0027] In an embodiment, the anomaly detection refers to detecting unusual or abnormal performance metrics, behaviors, or events within the network 106 that could indicate potential issues such as failures, security breaches, or performance degradation. The detected anomalies are at least one of, high latency, increased packet loss, unusual bandwidth usage, unexpected spikes in Central Processing Unit (CPU) or memory usage, network congestion, traffic anomalies, frequent connection drops, security breaches or intrusions.
[0028] As per the illustrated embodiment and for the purpose of description and illustration, the UE 102 includes, but not limited to, a first UE 102a, a second UE 102b, and a third UE 102c, and should nowhere be construed as limiting the scope of the present disclosure. In alternate embodiments, the UE 102 may include a plurality of UEs as per the requirement. For ease of reference, each of the first UE 102a, the second UE 102b, and the third UE 102c, will hereinafter be collectively and individually referred to as the “User Equipment (UE) 102”.
[0029] In an embodiment, the UE 102 is one of, but not limited to, any electrical, electronic, electro-mechanical or an equipment and a combination of one or more of the above devices such as a smartphone, virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device.
[0030] The environment 100 includes the server 104 accessible via the network 106. The server 104 may include, by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof. In an embodiment, the entity may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise side, a defense facility side, or any other facility that provides service.
[0031] The network 106 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof. The network 106 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
[0032] The network 106 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth. The network 106 may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, a VOIP or some combination thereof.
[0033] The environment 100 further includes the system 108 communicably coupled to the server 104 and the UE 102 via the network 106. The system 108 is configured to detect anomaly in the network 106. As per one or more embodiments, the system 108 is adapted to be embedded within the server 104 or embedded as an individual entity.
[0034] Operational and construction features of the system 108 will be explained in detail with respect to the following figures.
[0035] FIG. 2 is an exemplary block diagram of the system 108 for anomaly detection in the network 106, according to one or more embodiments of the present invention.
[0036] As per the illustrated embodiment, the system 108 includes one or more processors 202, a memory 204, a user interface 206, and a database 208. In an embodiment, the system 108 is communicably coupled with one or more network functions 222.
[0037] For the purpose of description and explanation, the description will be explained with respect to one processor 202 and should nowhere be construed as limiting the scope of the present disclosure. In alternate embodiments, the system 108 may include more than one processor 202 as per the requirement of the network 106. The one or more processors 202, hereinafter referred to as the processor 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions.
[0038] As per the illustrated embodiment, the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204. The memory 204 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory 204 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
[0039] In an embodiment, the user interface 206 includes a variety of interfaces, for example, interfaces for a graphical user interface, a web user interface, a Command Line Interface (CLI), and the like. The user interface 206 facilitates communication of the system 108. In one embodiment, the user interface 206 provides a communication pathway for one or more components of the system 108. Examples of such components include, but are not limited to, the UE 102 and the database 208.
[0040] The database 208 is one of, but not limited to, a centralized database, a cloud-based database, a commercial database, an open-source database, a distributed database, an end-user database, a graphical database, a No-Structured Query Language (NoSQL) database, an object-oriented database, a personal database, an in-memory database, a document-based database, a time series database, a wide column database, a key value database, a search database, a cache database, and so forth. The foregoing examples of database 208 types are non-limiting and may not be mutually exclusive e.g., a database can be both commercial and cloud-based, or both relational and open-source, etc.
[0041] In order for the system 108 to perform anomaly detection in the network 106, the processor 202 includes one or more modules. In one embodiment, the one or more modules include, but are not limited to, a retrieving unit 210, a training unit 212, a transceiver 214, a computing engine 216, a detection unit 218, and a notification unit 220 communicably coupled to each other for anomaly detection in the network 106.
[0042] In one embodiment, each of the one or more modules the retrieving unit 210, the training unit 212, the transceiver 214, the computing engine 216, the detection unit 218, and the notification unit 220 can be used in combination or interchangeably for anomaly detection in the network 106.
[0043] The retrieving unit 210, the training unit 212, the transceiver 214, the computing engine 216, the detection unit 218, and the notification unit 220 in an embodiment, may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 202. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 202 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 204 may store instructions that, when executed by the processing resource, implement the processor. In such examples, the system 108 may comprise the memory 204 storing the instructions and the processing resource to execute the instructions, or the memory 204 may be separate but accessible to the system 108 and the processing resource. In other examples, the processor 202 may be implemented by electronic circuitry.
[0044] In one embodiment, the retrieving unit 210 is configured to retrieve performance metrics data from the one or more network functions 222. The one or more network functions 222 refers to individual or multiple operations, processes, or components within the network 106 that perform tasks necessary for the network's functionality and management. The one or more network functions 222 includes, but not limited to routing, switching, firewalls, load balancing, session management, Quality of Service (QoS), Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), network firewall function, Network Address Translation (NAT) function. The performance metrics data is at least one of, a Key Performance Indicator (KPI) and counter data. The performance metrics are quantitative data points or measurements that provide insights into the efficiency, reliability, and overall health of the network 106. The performance metrics reflect the behavior and status of network functions 222 and help monitor key aspects like traffic, resource usage, and error rates. The performance metrics are used to assess whether the network is operating within the expected parameters or if there are issues that need attention, such as latency, throughput, or packet loss. The KPI is a specific, high-level performance metric that is used to evaluate the success of the one or more network functions 222 in achieving operational objectives. The KPIs in the network 106 include, but are not limited to latency, throughput, packet loss rate, uptime. The counter data refers to numerical counts of events or occurrences within the network 106. The counter data typically tracks low-level activities or events that contribute to the overall performance of the network 106. 
The counter data can be used to provide detailed insight into how frequently certain actions or events happen, such as the number of packets transmitted, errors encountered, or requests made over a period. The counter data include, but are not limited to, packet counters, error counters, session counters.
[0045] Upon retrieving the performance metrics, the training unit 212 is configured to train a model with the retrieved performance metrics data. The model is at least one of an Artificial Intelligence /Machine Learning (AI/ML) model. The AI/ML model is a system designed to automatically learn patterns and make decisions or predictions based on the data the AI/ML model is trained on. The performance metrics data refers to the KPIs and the counter data collected from the one or more network functions 222, reflecting the network's performance and operational state. The training of the AI/ML model includes feeding of the historical data into the AI/ML model. The AI/ML model analyzes the data to identify patterns, trends and correlations of the performance metrics data. The patterns refer to recurring behaviors or structures in the data that appear consistently over time. The trends are general directions in which data points move over a period of time. The correlations refer to relationships between two or more metrics, showing how changes in one metric are linked to changes in another.
[0046] In an embodiment, the training unit 212 trains the AI/ML model with retrieved performance metrics by extracting one or more values from the retrieved performance metrics data. The one or more values refers to data points or metrics extracted from the performance metrics data, which are used to train the AI/ML model. The one or more values includes, but are not limited to, latency, throughput, packet loss, CPU usage. Upon extracting the one or more values, the training unit 212 is configured to train the AI/ML model with the extracted one or more values.
[0047] Subsequently, the transceiver 214 is configured to receive current data pertaining to performance metrics from the one or more network functions 222. The data refers to real-time or recently collected performance data pertaining to the one or more network functions 222. The current data includes, but is not limited to, real-time latency, current throughput, live packet loss rate, instantaneous CPU utilization.
[0048] Upon receiving the current data pertaining to performance metrics from the one or more network functions 222, the computing engine 216 is configured to compute a delta between the current data and the trained data. Further, the computing engine 216 computes the delta between the current data and the trained data based on comparing the current data with the trained data. The delta refers to the difference or variation between two sets of data points, in particular the difference between the current data pertaining to the performance metrics and the trained data. The delta is a numerical value that quantifies the extent of change, difference, or discrepancy between the two data sets. The delta helps to identify whether the current network performance is within acceptable limits or if there are significant deviations.
[0049] The computing engine 216 computes the delta between the current data and the trained data by extracting the one or more values from the current data. The one or more values from the current data refer to the performance metrics or data points that are extracted from the real-time or recently collected performance data, which reflect the current state of the network 106. The one or more values from the current data include, but are not limited to, current latency, current throughput, current packet loss, current CPU utilization, current memory usage. Upon extracting the one or more values from the current data, the computing engine 216 compares the one or more values of the current data with the one or more values of the trained data.
[0050] Upon computing the delta between the current data and the trained data, the detection unit 218 is configured to detect an anomaly with respect to the current data by utilizing the trained model. The anomaly refers to an unusual or unexpected behavior in the network’s performance metrics. The anomaly is detected with respect to the current data when one or more values of the computed delta are greater than one or more predefined thresholds. The predefined thresholds are the limits set for performance metrics such as latency, throughput, packet loss etc., that define acceptable ranges. For example, if the current latency extracted from the current data is 250 ms, the trained latency is 100 ms and the threshold is set to 120 ms, then the delta between the current latency and the trained latency is 150 ms, which is greater than the predefined threshold of 120 ms, and the anomaly is detected in the network latency.
[0051] Upon detecting the anomaly with respect to current data, the notification unit 220 is configured to notify a user. The user is notified by the notification unit 220 by generating at least one of alerts and notifications pertaining to detection of the anomaly with respect to the current data.
[0052] Therefore, the system 108 enhances the ability of a network system to automatically detect anomalies in performance metrics. The system 108 reduces the need for manual monitoring and allows for real-time detection of anomalies, which improves network reliability. The system 108 can identify performance degradation or issues that may not be immediately apparent, contributing to more accurate diagnostics of network health. The delta computation and threshold comparison introduce a way to flag abnormal behavior based on predefined standards, hence the system 108 ensures that only significant deviations trigger alerts, thereby reducing false positives and unnecessary notifications. The system enhances the response time and enables quicker resolution of potential network issues.
[0053] FIG. 3 is an exemplary block diagram of an architecture 300 of the system 108 for anomaly detection in the network 106, according to one or more embodiments of the present invention.
[0054] The architecture 300 includes an Integrated Performance Manager (IPM) 302, and a processing hub 304. The processing hub 304 includes a data integrator 306, data pre-processing unit 308, model training unit 310 and an anomaly detection unit 312. Further, the processing hub 304 is communicably coupled with the user interface 206. Further a data lake 314 is communicably coupled with the model training unit 310.
[0055] In an embodiment, the data integrator 306 collects the performance metrics data from the IPM 302. The performance metrics data is collected from the IPM 302 via a processing hub and IPM interface. The performance metrics data is at least one of the KPI and the counter data.
[0056] Upon collecting the performance metrics data, the data integrator 306 transmits the performance metrics data to the data pre-processing unit 308. The data pre-processing unit 308 pre-processes the received performance metrics data.
[0057] Upon pre-processing the performance metrics data, the model training unit 310 trains the AI/ML model with the pre-processed performance metrics data. The model training unit 310 trains the AI/ML model by extracting the one or more values from the pre-processed performance metrics data. Upon extracting the one or more values, the model training unit 310 trains the AI/ML model with the extracted one or more values. In an embodiment, the AI/ML model is trained by utilizing the historical data. The historical data is retrieved from the data lake 314.
[0058] Subsequent to training the AI/ML model, the current data pertaining to the performance metrics data is received from the IPM 302. Upon receiving the current data pertaining to the performance metrics data, the anomaly detection unit 312 detects the anomaly with respect to the current data. The anomaly is detected by computing the delta between the current data and the trained data by comparing the current data and the trained data. The anomaly is detected when the one or more values of the computed delta are greater than the one or more predefined thresholds.
[0059] Upon detecting the anomaly, the anomaly detection unit 312 generates and transmits the alerts and notifications pertaining to detection of the anomaly with respect to the current data to the user interface 206. In another embodiment, upon receiving the notification via the user interface 206, the user rectifies the issue based on the received alert or notification. Upon rectifying the issue, the user transmits the feedback to the IPM 302, so that the raised alert is closed and the same is updated in the trained model.
[0060] FIG. 4 is a flow diagram for anomaly detection in the network 106, according to one or more embodiments of the present invention.
[0061] At step 402, the performance metrics data are collected from the IPM 302 via the processing hub-IPM interface. The performance metrics data is at least one of the KPI and the counter data.
[0062] At step 404, upon collecting the performance metrics data, the AI/ML model is trained. The AI/ML model is trained by extracting the one or more values from the pre-processed performance metrics data. Upon extracting the one or more values, the AI/ML model is trained with the extracted one or more values.
[0063] At step 406, upon training the AI/ML model, the delta calculation is automated. The delta calculation is performed between the current data and the historical data for the performance metrics data.
[0064] At step 408, upon automated delta calculation, the AI/ML models compare the calculated deltas with the pre-defined threshold values to detect the anomalies. The anomaly is detected when the calculated deltas are greater than the pre-defined threshold values.
[0065] At step 410, if an anomaly is detected while comparing the calculated deltas with the pre-defined threshold values, the real-time alerts and notifications are transmitted to the user. Upon receiving the notification, the user can identify the issue and perform necessary changes in the IPM 302. Alternatively, if the anomaly is not detected while comparing the calculated deltas with the pre-defined threshold value, the AI/ML model is retrained.
[0066] FIG. 5 is a flow diagram of a method 500 for anomaly detection in the network 106, according to one or more embodiments of the present invention. For the purpose of description, the method 500 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
[0067] At step 502, the method 500 includes the step of retrieving the performance metrics data from the one or more network functions by the retrieving unit 210. The performance metrics data is at least one of the KPI and the counter data.
[0068] At step 504, the method 500 includes the step of training the AI/ML model with the retrieved performance metrics data by the training unit 212. The training unit 212 trains the AI/ML model with the retrieved performance metrics data by extracting the one or more values from the retrieved performance metrics data. Upon extracting the one or more values, the training unit 212 is further configured to train the AI/ML model with the extracted one or more values.
[0069] At step 506, the method 500 includes the step of receiving the current data pertaining to performance metrics from the one or more network functions 222 subsequent to training the AI/ML model by the transceiver 214.
[0070] At step 508, the method 500 includes the step of computing the delta between the current data and the trained data based on comparing the current data with the trained data by utilizing the trained AI/ML model. The computing engine 216 computes the delta between the current data and the trained data by extracting the one or more values from the current data. Upon extracting the one or more values, the computing engine 216 compares the one or more values of the current data with the trained one or more values of the trained model.
[0071] At step 510, the method 500 includes the step of detecting the anomaly with respect to the current data when one or more values of the computed delta are greater than one or more pre-defined thresholds by the detection unit 218. Upon detecting the anomaly, the notification unit 220 is configured to notify the user by generating at least one of the alerts and notifications pertaining to detection of the anomaly with respect to the current data.
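The flow of steps 402 to 410 and 502 to 510 can be illustrated in code. This is an added example, not code from the specification or the applicant: it assumes the trained data is the per-metric mean of the extracted values and the delta is an absolute difference, and the class name, metric names, sample values and thresholds are constructed for illustration.

```python
from statistics import fmean

class DeltaDetector:
    def __init__(self, thresholds):
        self.thresholds = dict(thresholds)  # pre-defined threshold per metric
        self.history = {}                   # metric -> extracted values
        self.trained = {}                   # metric -> trained value (assumed: mean)

    def train(self, samples):
        # Steps 404/504: extract the values and train on them.
        for sample in samples:
            for metric, value in sample.items():
                self.history.setdefault(metric, []).append(float(value))
        self.trained = {m: fmean(v) for m, v in self.history.items()}

    def deltas(self, current):
        # Steps 406/508: absolute delta between current and trained value.
        # A metric with no trained value or no threshold is skipped, not guessed.
        return {m: abs(float(v) - self.trained[m])
                for m, v in current.items()
                if m in self.trained and m in self.thresholds}

    def detect(self, current):
        # Steps 408/510: anomaly when a delta is greater than its threshold.
        anomalies = {m: d for m, d in self.deltas(current).items()
                     if d > self.thresholds[m]}
        if not anomalies:
            self.train([current])           # step 410: retrain when nothing is flagged
        return anomalies

def alerts(anomalies):
    # Step 410 / notification unit 220: one alert line per anomalous metric.
    return [f"ANOMALY {m}: delta {d:.3f}" for m, d in sorted(anomalies.items())]

# Constructed sample data: metric names, values and thresholds are invented.
HISTORICAL = [
    {"attach_success_pct": 99.0, "dropped_sessions": 10},
    {"attach_success_pct": 98.0, "dropped_sessions": 14},
    {"attach_success_pct": 99.0, "dropped_sessions": 12},
]
THRESHOLDS = {"attach_success_pct": 2.0, "dropped_sessions": 5.0}

def run_demo():
    det = DeltaDetector(THRESHOLDS)
    det.train(HISTORICAL)
    normal = det.detect({"attach_success_pct": 98.5, "dropped_sessions": 13})
    bad = det.detect({"attach_success_pct": 91.0, "dropped_sessions": 40})
    return normal, bad, det.trained
```

Because this sketch retrains only on samples that raised no anomaly, a flagged sample never moves the trained values, while samples that stay under the thresholds do.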
[0072] The present invention further discloses a non-transitory computer-readable medium having stored thereon computer-readable instructions. The computer-readable instructions are executed by the processor 202. The processor 202 is configured to retrieve the performance metrics data from the one or more network functions. The processor 202 is further configured to train the AI/ML model with the retrieved performance metrics data. The processor 202 is further configured to receive the current data pertaining to performance metrics from the one or more network functions subsequent to training the AI/ML model. The processor 202 is further configured to compute, utilizing the trained AI/ML model, the delta between the current data and the trained data based on comparing the current data with the trained data. The processor 202 is further configured to detect the anomaly with respect to the current data when the one or more values of the computed delta are greater than one or more pre-defined thresholds.
[0073] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIGS. 1-5) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0074] The present disclosure incorporates the technical advancement of improved network quality, which results in higher customer satisfaction and retention. The present invention enhances the ability of a network system to automatically detect anomalies in performance metrics. The present invention reduces the need for manual monitoring and allows for real-time detection of anomalies, which improves network reliability. The present invention can identify performance degradation or issues that may not be immediately apparent, contributing to more accurate diagnostics of network health. The delta computation and threshold comparison introduce a way to flag abnormal behavior based on predefined standards, hence the present invention ensures that only significant deviations trigger alerts, thereby reducing false positives and unnecessary notifications. Further, the present invention enhances the response time and enables quicker resolution of potential network issues.
[0075] The present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize some of the advantageous features. The listed advantages are to be read in a non-limiting manner.
REFERENCE NUMERALS
[0076] Environment- 100
[0077] User Equipment (UE)- 102
[0078] Server- 104
[0079] Network- 106
[0080] System- 108
[0081] Processor- 202
[0082] Memory- 204
[0083] User Interface- 206
[0084] Database- 208
[0085] Retrieving Unit- 210
[0086] Training Unit- 212
[0087] Transceiver- 214
[0088] Computing Engine- 216
[0089] Detection Unit- 218
[0090] Notification Unit- 220
[0091] One or more Network Functions- 222
[0092] IPM- 302
[0093] Processing hub- 304
[0094] Data integrator- 306
[0095] Data pre-processing unit- 308
[0096] Model training unit- 310
[0097] Anomaly detection unit- 312
[0098] Data lake- 314
CLAIMS:
We Claim:
1. A method (500) for anomaly detection in a network (106), the method (500) comprising the steps of:
retrieving, by the one or more processors (202), performance metrics data from one or more network functions (222);
training, by the one or more processors (202), a model with the retrieved performance metrics data;
receiving, by the one or more processors (202), current data pertaining to performance metrics from the one or more network functions subsequent to training the model;
computing, by the one or more processors (202), utilizing, the trained model, a delta between the current data and the trained data based on comparing the current data with the trained data; and
detecting, by the one or more processors (202), an anomaly with respect to the current data when one or more values of the computed delta are greater than one or more pre-defined thresholds.
2. The method (500) as claimed in claim 1, wherein the performance metrics data is at least one of, a Key Performance Indicator (KPI) and counter data.
3. The method (500) as claimed in claim 1, wherein the step of, training, the model with the retrieved performance metrics data, includes the steps of:
extracting, by the one or more processors (202), one or more values from the retrieved performance metrics data; and
training, by the one or more processors (202), the model with the extracted one or more values.
4. The method (500) as claimed in claim 1, wherein the step of, computing, utilizing the trained model, a delta between the current data and the trained data based on comparing the current data with the trained data, includes the steps of:
extracting, by the one or more processors (202), the one or more values from the current data; and
comparing, by the one or more processors (202), the one or more values of the current data with one or more values of the trained data.
5. The method (500) as claimed in claim 1, wherein the method (500) further comprises the step of:
notifying, a user by generating at least one of, alerts and notifications pertaining to detection of the anomaly with respect to the current data.
6. A system (108) for anomaly detection in a network (106), the system (108) comprising:
a retrieving unit (210), configured to, retrieve, performance metrics data from one or more network functions (222);
a training unit (212), configured to, train, a model with the retrieved performance metrics data;
a transceiver (214), configured to, receive, current data pertaining to performance metrics from the one or more network functions (222) subsequent to training the model;
a computing engine (216), configured to, compute, a delta between the current data and the trained data based on comparing the current data with the trained data; and
a detection unit (218), configured to, detect, an anomaly with respect to the current data when one or more values of the computed delta are greater than one or more pre-defined thresholds.
7. The system (108) as claimed in claim 6, wherein the performance metrics data is at least one of, a Key Performance Indicator (KPI) and counter data.
8. The system (108) as claimed in claim 6, wherein the training unit (212), trains, the model with the retrieved performance metrics data, by:
extracting, one or more values from the retrieved performance metrics data; and
training, the model with the extracted one or more values.
9. The system (108) as claimed in claim 6, wherein the computing engine (216), computes the delta between the current data and the trained data, by:
extracting, the one or more values from the current data; and
comparing, the one or more values of the current data with one or more values of the trained data.
10. The system (108) as claimed in claim 6, wherein the system (108) further comprising a notification unit (220), configured to, notify, a user by generating at least one of, alerts and notifications pertaining to detection of the anomaly with respect to the current data.
| # | Name | Date |
|---|---|---|
| 1 | 202321068464-STATEMENT OF UNDERTAKING (FORM 3) [11-10-2023(online)].pdf | 2023-10-11 |
| 2 | 202321068464-PROVISIONAL SPECIFICATION [11-10-2023(online)].pdf | 2023-10-11 |
| 3 | 202321068464-FORM 1 [11-10-2023(online)].pdf | 2023-10-11 |
| 4 | 202321068464-FIGURE OF ABSTRACT [11-10-2023(online)].pdf | 2023-10-11 |
| 5 | 202321068464-DRAWINGS [11-10-2023(online)].pdf | 2023-10-11 |
| 6 | 202321068464-DECLARATION OF INVENTORSHIP (FORM 5) [11-10-2023(online)].pdf | 2023-10-11 |
| 7 | 202321068464-FORM-26 [27-11-2023(online)].pdf | 2023-11-27 |
| 8 | 202321068464-Proof of Right [12-02-2024(online)].pdf | 2024-02-12 |
| 9 | 202321068464-DRAWING [11-10-2024(online)].pdf | 2024-10-11 |
| 10 | 202321068464-COMPLETE SPECIFICATION [11-10-2024(online)].pdf | 2024-10-11 |
| 11 | Abstract.jpg | 2025-01-06 |
| 12 | 202321068464-Power of Attorney [24-01-2025(online)].pdf | 2025-01-24 |
| 13 | 202321068464-Form 1 (Submitted on date of filing) [24-01-2025(online)].pdf | 2025-01-24 |
| 14 | 202321068464-Covering Letter [24-01-2025(online)].pdf | 2025-01-24 |
| 15 | 202321068464-CERTIFIED COPIES TRANSMISSION TO IB [24-01-2025(online)].pdf | 2025-01-24 |
| 16 | 202321068464-FORM 3 [29-01-2025(online)].pdf | 2025-01-29 |