DESC:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003

COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
METHOD AND SYSTEM OF DETECTING ONE OR MORE ANOMALIES IN A NETWORK
2. APPLICANT(S)
NAME NATIONALITY ADDRESS
JIO PLATFORMS LIMITED INDIAN OFFICE-101, SAFFRON, NR. CENTRE POINT, PANCHWATI 5 RASTA, AMBAWADI, AHMEDABAD 380006, GUJARAT, INDIA
3.PREAMBLE TO THE DESCRIPTION

THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE NATURE OF THIS INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.

FIELD OF THE INVENTION
[0001] The present invention relates to detection of one or more anomalies, more particularly relates to a method and a system of detecting one or more anomalies in a network.
BACKGROUND OF THE INVENTION
[0002] Generally, telecom networks consist of numerous NFs (Network functions). Each NF is responsible for specific tasks. Due to the vast expansion of telecom networks across different geographies, it is a cumbersome and exhaustive task for the network engineers to effectively monitor and manage the performance of telecom network infrastructure across different geographies.
[0003] For example, numerous network nodes and NFs (Network functions) are deployed and spread across different regions such as states and even for that matter across countries depending on the breadth of coverage of the network. Due to the geographical diversity of the network can lead to variations in network conditions and performance metrics. In simpler terms, geographical features of a region affect the network performance. For example, a region of high altitude may experience uneven network coverage due to inadequate strength of routing element of the network or due to sudden weather variability. Therefore, network engineers need to monitor and analyze numerous records generated by various NFs across which may differ depending on the jurisdiction. Further, each NF produces a considerable volume of failure records that makes analyzing failure records challenging to identify abnormal patterns. Timely detection of number of abnormal failure records is crucial for network maintenance. However, due to the existing approach to identify anomalies in real-time or near-real-time is a daunting and time-consuming task which would lead to solving the issues only after occurrence of the problem. Therefore, the existing approach of detection of anomalies or abnormalities geography wise can significantly impact network performance and customer experience.
[0004] In view of the above, there is a dire need for an efficient system and method for dynamically and proactively detecting abnormalities geography-wise.
SUMMARY OF THE INVENTION
[0005] One or more embodiments of the present disclosure provide a method and system of detecting one or more anomalies in a network.
[0006] In one aspect of the present invention, the system of detecting the one or more anomalies in the network is disclosed. The system includes a receiving unit, configured to receive, a first set of data pertaining to failure records from at least one of a plurality of Network Functions (NFs), wherein the first set of data pertaining to failure records is associated with one or more geographical regions. The system further includes a training unit, configured to train, a model utilizing the received first set of data to identify trends associated with behavior of the network. The system further includes a determining unit, configured to determine, a baseline failure threshold based on the identified trends. The system further includes the receiving unit, configured to receive, a second set of data pertaining to failure records in real-time from the at least one of the plurality of NFs, wherein the second set of data pertaining to failure records is associated with the one or more geographical regions. The system further includes a comparing unit, configured to compare, the second set of data with the determined baseline failure threshold to identify a deviation between. The system further includes a detecting unit configured to detect the one or more anomalies in the at least one of the plurality of NFs based on identification of the deviation.
[0007] In an embodiment, each of the first and the second set of data includes at least one of, information on network failures, error codes, timestamps, and geographical details.
[0008] In an embodiment, on receiving the first and the second set of data, the system comprises, a preprocessing unit, configured to, preprocess, the received first and the second set of data by at least one of normalizing, cleaning, and transforming the first and the second set of data.
[0009] In an embodiment, the baseline failure threshold is dynamically updated based on changes in the behavior of the network.
[0010] In an embodiment, the system further comprises a generating unit, configured to generate one or more alerts and reports pertaining to the detected one or more anomalies in the at least one of the plurality of NFs. Further the system comprises a transmitting unit, configured to transmit the generated one or more alerts and reports pertaining to the detected one or more anomalies to a network operator.
[0011] In an embodiment, the one or more alerts and reports include details of at least one of, any specific NFs or geographical regions affected, type of anomalies detected, and potential root causes for the same.
[0012] In another aspect of the present invention, the method of detecting the one or more anomalies in the network is disclosed. The method includes the step of receiving a first set of data pertaining to failure records from at least one of a plurality of Network Functions (NFs), wherein the first set of data pertaining to failure records is associated with one or more geographical regions. The method further includes the step of training a model utilizing the received first set of data to identify trends associated with behavior of the network. The method further includes the step of determining a baseline failure threshold based on the identified trends. The method further includes the step of receiving a second set of data pertaining to failure records in real-time from the at least one of the plurality of NFs, wherein the second set of data pertaining to failure records is associated with the one or more geographical regions. The method further includes the step of comparing the second set of data with the determined baseline failure threshold to identify a deviation between. The method further includes the step of detecting the one or more anomalies in the at least one of the plurality of NFs based on identification of the deviation.
[0013] In another aspect of the invention, a non-transitory computer-readable medium having stored thereon computer-readable instructions is disclosed. The computer-readable instructions are executed by a processor. The processor is configured to receive a first set of data pertaining to failure records from at least one of a plurality of Network Functions (NFs), wherein the first set of data pertaining to failure records is associated with one or more geographical regions. The processor is configured to train, a model utilizing the received first set of data to identify trends associated with behavior of the network. The processor is configured to determine, a baseline failure threshold based on the identified trends. The processor is configured to receive a second set of data pertaining to failure records in real-time from the at least one of the plurality of NFs, wherein the second set of data pertaining to failure records is associated with the one or more geographical regions. The processor is configured to compare the second set of data with the determined baseline failure threshold to identify a deviation between. The processor is configured to detect one or more anomalies in the at least one of the plurality of NFs based on identification of the deviation.
[0014] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0015] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0016] FIG. 1 is an exemplary block diagram of an environment of detecting one or more anomalies in a network, according to one or more embodiments of the present invention;
[0017] FIG. 2 is an exemplary block diagram of a system of detecting the one or more anomalies in the network, according to one or more embodiments of the present invention;
[0018] FIG. 3 is an exemplary block diagram of an architecture implemented in the system of the FIG. 2, according to one or more embodiments of the present invention;
[0019] FIG. 4 is a flow diagram of detecting the one or more anomalies in the network, according to one or more embodiments of the present invention; and
[0020] FIG. 5 is a schematic representation of a method of detecting the one or more anomalies in the network, according to one or more embodiments of the present invention.
[0021] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0022] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0023] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0024] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0025] The present disclosure aims at dynamically detecting one or more anomalies in a network. More particularly a model learns the multiple traffic patterns, analyzes historical data patterns, learns the typical behavior of the network in different locations that facilitates the model to detect the one or more anomalies in real time of failure record count of each geographical areas. The model performs detection of the one or more anomalies utilizing the established baselines based on the historical data and learnt patterns of the failure record count. The model compares the current failure record counts with the established baselines for each geographical area. If any deviations or abnormal patterns are detected, the model identifies them as anomalies.
[0026] FIG. 1 illustrates an exemplary block diagram of an environment 100 of detecting one or more anomalies in a network 106, according to one or more embodiments of the present disclosure. In this regard, the environment 100 includes a User Equipment (UE) 102, a server 104, the network 106 and a system 108 communicably coupled to each other for detecting the one or more anomalies in a network 106.
[0027] In an embodiment, the one or more anomalies refers to deviations from expected behavior within the network 106. The one or more anomalies includes, but not limited to service interruptions, error code spikes, latency or throughput deviations, geographical irregularities, resource usage anomalies. The service interruptions refer to unexpected disconnections or service unavailability. The error code spikes refer to an unusual increase in error messages or codes generated by network functions. The latency or throughput deviations refer to a significant deviation in data transmission speeds or delays beyond expected thresholds. The geographical irregularities refer to issues affecting specific regions or locations that differ from normal operational behavior. The resource usage anomalies refer to sudden surges in Central Processing Unit (CPU), memory, or bandwidth consumption that don’t align with historical patterns.
[0028] As per the illustrated embodiment and for the purpose of description and illustration, the UE 102 includes, but not limited to, a first UE 102a, a second UE 102b, and a third UE 102c, and should nowhere be construed as limiting the scope of the present disclosure. In alternate embodiments, the UE 102 may include a plurality of UEs as per the requirement. For ease of reference, each of the first UE 102a, the second UE 102b, and the third UE 102c, will hereinafter be collectively and individually referred to as the “User Equipment (UE) 102”.
[0029] In an embodiment, the UE 102 is one of, but not limited to, any electrical, electronic, electro-mechanical or an equipment and a combination of one or more of the above devices such as a smartphone, virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device.
[0030] The environment 100 includes the server 104 accessible via the network 106. The server 104 may include, by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof. In an embodiment, the entity may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise side, a defense facility side, or any other facility that provides service.
[0031] The network 106 includes, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof. The network 106 may include, but is not limited to, a Third Generation (3G), a Fourth Generation (4G), a Fifth Generation (5G), a Sixth Generation (6G), a New Radio (NR), a Narrow Band Internet of Things (NB-IoT), an Open Radio Access Network (O-RAN), and the like.
[0032] The network 106 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth. The network 106 may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, a VOIP or some combination thereof.
[0033] The environment 100 further includes the system 108 communicably coupled to the server 104 and the UE 102 via the network 106. The system 108 is configured to detect the one or more anomalies in the network 106. As per one or more embodiments, the system 108 is adapted to be embedded within the server 104 or embedded as an individual entity.
[0034] Operational and construction features of the system 108 will be explained in detail with respect to the following figures.
[0035] FIG. 2 is an exemplary block diagram of the system 108 for detecting one or more anomalies in the network 106, according to one or more embodiments of the present invention.
[0036] As per the illustrated embodiment, the system 108 includes one or more processors 202, a memory 204, a user interface 206, and a database 208. In an embodiment, the system 108 is communicable coupled with a plurality of network functions 226.
[0037] For the purpose of description and explanation, the description will be explained with respect to one processor 202 and should nowhere be construed as limiting the scope of the present disclosure. In alternate embodiments, the system 108 may include more than one processor 202 as per the requirement of the network 106. The one or more processors 202, hereinafter referred to as the processor 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions.
[0038] As per the illustrated embodiment, the processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204. The memory 204 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory 204 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as disk memory, EPROMs, FLASH memory, unalterable memory, and the like.
[0039] In an embodiment, the user interface 206 includes a variety of interfaces, for example, interfaces for a graphical user interface, a web user interface, a Command Line Interface (CLI), and the like. The user interface 206 facilitates communication of the system 108. In one embodiment, the user interface 206 provides a communication pathway for one or more components of the system 108. Examples of such components include, but are not limited to, the UE 102 and the database 208.
[0040] The database 208 is one of, but not limited to, a centralized database, a cloud-based database, a commercial database, an open-source database, a distributed database, an end-user database, a graphical database, a No-Structured Query Language (NoSQL) database, an object-oriented database, a personal database, an in-memory database, a document-based database, a time series database, a wide column database, a key value database, a search database, a cache databases, and so forth. The foregoing examples of database 208 types are non-limiting and may not be mutually exclusive e.g., a database can be both commercial and cloud-based, or both relational and open-source, etc.
[0041] In order for the system 108 for detecting the one or more anomalies in the network 106, the processor 202 includes one or more modules. In one embodiment, the one or more modules includes, but not limited to, a receiving unit 210, a preprocessing unit 212, a training unit 214, a determining unit 216, a comparing unit 218, a detecting unit 220, a generating unit 222, and a transmitting unit 224 communicably coupled to each other for detecting the one or more anomalies in the network 106.
[0042] In one embodiment, each of the one or more modules the receiving unit 210, the preprocessing unit 212, the training unit 214, the determining unit 216, the comparing unit 218, the detecting unit 220, the generating unit 222, and the transmitting unit 224 can be used in combination or interchangeably for detecting the one or more anomalies in the network 106.
[0043] The receiving unit 210, the preprocessing unit 212, the training unit 214, the determining unit 216, the comparing unit 218, the detecting unit 220, the generating unit 222, and the transmitting unit 224 in an embodiment, may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 202. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 202 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 204 may store instructions that, when executed by the processing resource, implement the processor. In such examples, the system 108 may comprise the memory 204 storing the instructions and the processing resource to execute the instructions, or the memory 204 may be separate but accessible to the system 108 and the processing resource. In other examples, the processor 202 may be implemented by electronic circuitry.
[0044] In one embodiment, the receiving unit 210 is configured to receive a first set of data pertaining to failure records from at least one of a plurality of Network Functions (NFs) 226. The first set of data pertaining to failure records is associated with one or more geographic regions. The first set of data includes at least one of information on network failures, error codes, timestamps and geographical details. The information on network failures includes detailed records of any failures or malfunctions that occurred within the network such as dropped connections or service outages. The error codes include specific numerical or alphanumeric codes that classify or describe the type of error or failure encountered in the network 106. The timestamps include the precise time and date when each failure or error occurred, which helps in tracking and analyzing the timeline of events. The geographical details include information about the location or region where the network failure happened, which is crucial for identifying region-specific issues or patterns. In an embodiment, the first set of data pertains to failure records. The failure records are detailed logs or reports that capture information about instances where the network 106 or one of its components did not perform as expected. The failure records provide critical information for diagnosing problems, tracking trends, and improves the network’s reliability and performance.
[0045] The plurality of NFs 226 refers to multiple distinct functions or services that are part of a network infrastructure, each responsible for a task or operation. The plurality of NFs 226 includes, but not limited to, Access and Mobility Management Function (AMF), Session Management Function (SMF), Policy Control Function (PCF), User Plane Function (UPF), Unified Data Management (UDM). The one or more geographic regions refers to specific areas or locations where network services are deployed and managed. For example, the one or more geographic regions includes, but not limited to, city or metro-level, country or national level, regional clusters.
[0046] Upon receiving the first set of data from the plurality of NFs 226, the preprocessing unit 212 pre-processes the received first set of data by at least one of normalizing, cleaning and transforming the first set of data. The term pre-processing refers to the set of operations applied to raw data before it is used for analysis, training models, or other processing tasks. The preprocessing includes at least one of normalizing, cleaning and transforming. The normalizing involves scaling or adjusting the data so that it falls within a standard range or format. For example, timestamp formats may be standardized, or error codes might be normalized to a common scale for comparison. The cleaning involves identifying and correcting errors or inconsistencies in the data. The cleaning includes removing duplicate records, handling missing values, or correcting erroneous information (e.g., corrupted data entries or outliers). The transformation refers to converting data into a more suitable format or structure. The transformation makes the data more suitable for analysis or processing.
[0047] Upon preprocessing the data, the training unit 214 is configured to train a model. In an embodiment, the model is at least one of Artificial Intelligence/ Machine Learning (AI/ML) model. The model is trained utilizing the received and preprocessed first set of data. The model is trained to identify trends associated with behavior of the network 106. The trends refer to recurring events in the network’s performance, traffic or operational characteristics over time. The trends include, but are not limited to, traffic patterns, failure and error trends, performance degradation, geographical trends, security-related trends. The behavior of the network refers to the overall performance, operational characteristics, and response patterns of the network 106 as it handles data traffic, processes requests, and interacts with users and other network functions. The key aspects of the network behavior include, but not limited to, traffic flow and load management, performance metrics, reliability and availability, error and failure patterns, resource utilization, security and threat response, scalability and elasticity. The traffic flow and load management include, but not limited to, data transfer and load balancing. The performance metrics include, but are not limited to, latency, throughput, packet loss, jitter. The reliability and availability include, but is not limited to, uptime, failure recovery. The error and failure patterns include, but are not limited to, network failures and error rates. The resource utilization includes, but is not limited to, bandwidth usage, CPU and memory load. The security and threat response includes, but is not limited to, attack detection and intrusion prevention. The scalability and elasticity include, but is not limited to, dynamic scaling and elastic resource management.
[0048] In an embodiment, the model is trained by selecting the model and then training the model. The selecting the algorithm refers to selecting an appropriate machine learning algorithm from the one or more machine learning algorithms depending on the goals such as trend identification, anomaly detection etc. The one or more machine learning algorithms includes, but are not limited to, linear regression, decision trees, random forests, neural network, Support Vector Machines (SVM), time series models. Upon selecting the appropriate algorithm, the training unit 214 feeds the preprocessed data to the model. The model uses the selected algorithm to analyze the fed data and learns from it. In an embodiment, the training process is iterative and involves continuous refinement to achieve the desired accuracy and reliability in identifying trends related to network behavior.
[0049] Upon training the model, the determining unit 216 is configured to determine a baseline failure threshold based on the identified trends. The baseline refers to a standard or reference point against which future data, performance, or behavior is compared. The baseline represents the typical, expected, or historical level of a certain metric, allowing deviations or anomalies to be detected when current data exceeds or falls below this reference. The baseline failure threshold refers to a predefined or dynamically determined value that sets the acceptable limit for network failure rates or errors. The baseline failure threshold is established based on patterns or trends identified in historical data, such as network failure records, error codes, and performance metrics. The baseline failure threshold is dynamically updated based on changes in the behavior of the network 106. As the behavior of the network 106 changes due to increased traffic, new network components, or evolving usage patterns, the baseline failure threshold is continuously adjusted. For example, during peak traffic hours, a temporary rise in latency might be normal, and the threshold can adjust accordingly.
[0050] In an embodiment, the receiving unit 210 is configured to receive a second set of data pertaining to failure records in real-time. The second set of data is received from the at least one of the plurality of NFs 226. The second set of data pertaining to failure records is associated with the one or more geographical regions. The second set of data refers to the real-time failure records received from the one or more NFs 226 that operate in various geographical regions. Unlike the first set of data, which may represent historical or aggregated failure records, the second set focuses on current, live data reflecting the immediate status of the network. The second set of data is crucial for ongoing monitoring and quick detection of network issues. The second set of data includes at least one of information on network failures, the error codes, the timestamps, and the geographical details. Upon receiving the second set of data, the received second set of data is preprocessed utilizing the pre-processing unit 212. The pre-processing includes at least one of the normalization, cleaning and the transformation.
[0051] Upon receiving the second set of data, the comparing unit 218 is configured to compare the second set of data with the determined baseline failure threshold. The second set of data is compared with the determined baseline failure threshold to identify a deviation between. The deviation refers to the difference or divergence between the second set of data and the established baseline failure threshold. In particular, the deviation indicates that the current network performance is not in line with the expected normal behavior as defined by the baseline.
[0052] The deviation includes, but is not limited to, positive deviation, negative deviation, absolute deviation, outlier deviation, cumulative deviation, threshold deviation. The positive deviation refers to the real time data that exceeds the baseline or expected value. For example, a network failure rate is higher than the normal threshold. If the baseline failure rate is 2%, and the real-time failure rate is 5%, this indicates a positive deviation of 3%. The negative deviation refers to the real-time data that is lower than the baseline or expected value. For example, latency or failure rates drop below the baseline. If the baseline latency is 100ms, but the current latency is only 50ms, this would be a negative deviation. The absolute deviation refers to the absolute value of the difference between real-time data and the baseline, regardless of direction (positive or negative). For example, if the baseline packet loss is 1% and real-time packet loss is 3%, the absolute deviation is 2%. This applies even if the real-time data is lower than the baseline. The outlier deviation is a deviation that is far outside the normal range or expected behavior. The outliers often signal rare but significant anomalies. For example, if typical latency ranges between 50ms and 100ms, but the current latency spikes to 500ms, this would be the outlier deviation. The cumulative deviation refers to the total or aggregated deviation over a period of time. For example, if the baseline failure rate is 2% but over several hours the real-time failure rate averages 5%, the cumulative deviation considers the sustained difference between the real-time data and the baseline over time.
[0053] Upon comparing the second set of data with the determined baseline failure threshold and identifying the deviation, the detecting unit 220 is configured to detect the one or more anomalies in the at least one the plurality of NFs 226. Once the deviation is identified, the detecting unit 220 evaluates whether this deviation qualifies as an anomaly. The anomaly refers to a behavior or performance pattern that significantly deviates from the expected norm or baseline, indicating potential issues such as failures, disruptions, or performance degradation in the network 106. For example, if the baseline failure threshold for a particular NF in Region A is set at 2% error rate, and the real-time data shows a 5% error rate for a sustained period, this significant deviation would be flagged by the detecting unit. The detecting unit 220 would then label this as the anomaly because the error rate is unusually high compared to the established baseline.
[0054] Upon detecting the one or more anomalies, the generating unit 222 is configured to generate one or more alerts and reports. The one or more alerts are notifications generated to inform network operators or administrators about specific events, conditions, or anomalies that require their attention. The alerts include, but are not limited to, type of anomaly, affected NFs, geographical information, severity level, timestamp. The alerts are at least one of, threshold alerts, anomaly alerts, event alerts, performance alerts. The one or more alerts and reports pertain to the detected one or more anomalies in the at least one of the plurality of NFs 226. The one or more alerts and reports include details of at least one of, any specific NFs or geographical regions affected, type of anomalies detected, and potential root causes for the same. The specific NFs affected refers to the one or more alerts and reports provide detailed identification of which specific NFs are experiencing issues. The geographical regions affected refer to the information regarding the geographical locations where the anomalies have been detected and help in pinpointing the areas requiring immediate attention. The type of anomalies detected include, but are not limited to, performance anomalies, failure anomalies, and security anomalies. The potential root causes refer to the alerts that include initial assessments or hypotheses about what might be causing the detected anomalies.
[0055] Upon generating the one or more alerts and reports, the transmitting unit 224 is configured to transmit the generated one or more alerts and reports pertaining to the detected one or more anomalies to the network operator. The network operator is an individual or organization responsible for overseeing the operation, management, and maintenance of a telecommunications or data network. The network operators play a critical role in ensuring that network services are reliable, secure, and efficient. The network operator is at least one of network administrators, network engineers, network technicians, telecommunication operators.
[0056] Therefore, the system 108 minimizes network disruptions and enhances the overall network quality by detecting the one or more anomalies. The system 108 undertakes the proactive measures for network problems. Further, the system 108 reduces the manual effort required for monitoring and analysis and improves operational efficiency. The timely detection and resolution of network issues by the system 108 leads to a better customer experience and reduces service interruptions. Further, the system 108 scales up to handle the growing demands of a rapidly expanding telecom network.
[0057] FIG. 3 is an exemplary block diagram of an architecture 300 of the system 108 for anomaly detection in the network 106, according to one or more embodiments of the present invention.
[0058] The architecture 300 includes a probing unit 302, and a processing hub 304. The processing hub 304 includes a data collection and integration unit 306, a data pre-processing unit 308, a model training unit 310, a real-time monitoring unit 312 and an anomaly detection unit 314. Further, the processing hub 304 is communicably coupled with the user interface 206. Further a data lake 316 is communicably coupled with the real-time monitoring unit 312.
[0059] In an embodiment, the probing unit 302 is a critical component of a network monitoring system that gathers the data from the network 106. The probing unit 302 is responsible for receiving the data from the plurality of NFs 226 associated with one or more geographical regions. The data includes, at least one of, information on network failures, error codes, timestamps, and geographical details. In an embodiment, the probing unit 302 transmits the data to the processing hub 304 via a processing hub-probing unit interface.
[0060] Upon receiving the data from the plurality of NFs 226, the received data is transmitted to the data collection and integration unit 306. The data collection and integration unit 306 collects and integrates the data received from the probing unit 302. Subsequently, the collected and integrated data is transmitted to the data pre-processing unit 308 for pre-processing the collected integrated data. The data pre-processing includes normalization, cleaning and transformation of the collected and integrated data.
[0061] Upon pre-processing the collected and integrated data, the pre-processed data is transmitted to model training unit 310. The model training unit 310 trains the model by utilizing the pre-processed data. The model is trained to identify trends associated with the behavior of the network 106. Further, the trained model helps in determining the baseline threshold failure. The baseline threshold failure is determined based on the identified trends. The baseline failure threshold is dynamically updated based on changes in the behavior of the network 106.
[0062] Upon training the model, the real-time monitoring unit 312 continuously monitors the real-time data by comparing the real-time data and the determined baseline failure threshold to identify the deviation. In an embodiment, the data lake 316 stores the received data and the real-time data. The data lake 316 ensures the updating of the baseline failure threshold as the behavior of the network changes over time. Upon identifying the deviation, the anomaly detection unit 314 detects the one or more anomalies in the at least one of the plurality of NFs 226.
[0063] Upon detecting the one or more anomalies in the at least one of the plurality of NFs 226, the one or more alerts and reports are generated pertaining to the detected one or more anomalies in the at least one of the plurality of NFs 226. Thereafter, the generated one or more alerts and reports pertaining to the detected one or more anomalies are transmitted to the user interface 206. The one or more alerts and reports include details of at least one of, any specific NFs or geographical regions affected, type of anomalies detected, and potential root causes for the same.
[0064] FIG. 4 is a flow diagram for anomaly detection in the network 106, according to one or more embodiments of the present invention.
[0065] At step 402, the data is received from the probing unit 302 via the processing hub-probing unit interface. The data includes at least one of, information on network failures, error codes, timestamps, and geographical details.
[0066] At step 404, upon receiving the data from the probing unit 302, the received data is collected at the data collection.
[0067] At step 406, upon collecting the received data, from the probing unit 302, the received data is integrated into a centralized platform. The integration of the received data ensures that data from all NFs and geographic regions is consolidated for analysis.
[0068] At step 408, upon integrating the data, the received and integrated data is pre-processed. The pre-processing includes normalization, cleaning and transformation of the received and integrated data. In an embodiment, the invalid or inconsistent values are removed, and the received and integrated data is standardized to make it suitable for analysis.
[0069] At step 410, upon pre-processing the received and integrated data, the model is trained utilizing the pre-processed data. The model is trained to identify trends associated with the behavior of the network 106. The models analyze historical data patterns, learning the typical behavior of the network 106 in different locations and from the plurality of NFs 226. Further, the trained model helps in determining the baseline threshold failure. The baseline threshold failure is determined based on the identified trends. The baseline failure threshold is dynamically updated based on changes in the behavior of the network 106.
[0070] At step 412, upon training the model and determining the baseline threshold failure, the real-time failure threshold is continuously monitored. The real-time failure threshold is continuously monitored by comparing the real-time data with the determined baseline failure threshold to identify the deviation. Upon identifying the deviation, the one or more anomalies are detected in the at least one of the plurality of NFs 226.
[0071] At step 414, upon detecting the one or more anomalies in the at least one of the plurality of NFs 226, the one or more alerts and reports are generated pertaining to the detected one or more anomalies in the at least one of the plurality of NFs 226. Thereafter, the generated one or more alerts and reports pertaining to the detected one or more anomalies are transmitted to the user interface 206. The one or more alerts and reports include details of at least one of, any specific NFs or geographical regions affected, type of anomalies detected, and potential root causes for the same. Upon receiving the one or more alerts and reports, the network operators can take proactive measures to address the anomalies and network issues swiftly. The proactive approach minimizes service disruptions, enhances network quality, and ensures a better customer experience. Further, the data-driven insights provided by the system 108 empower network operators with valuable information for optimizing network performance and maintenance. By making informed decisions based on the anomalies detected, the network operators can enhance overall network quality and customer satisfaction. Alternatively, if the one or more anomalies are not detected, the model is retrained.
[0072] FIG. 5 is a flow diagram of a method 500 for anomaly detection in the network 106, according to one or more embodiments of the present invention. For the purpose of description, the method 500 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
[0073] At step 502, the method 500 includes the step of receiving the first set of data pertaining to failure records from at least one of the plurality of NFs 226 by the receiving unit 210. The first set of data pertaining to failure records is associated with one or more geographical regions. The first set of data includes at least one of, information on network failures, error codes, timestamps, and geographical details. Upon receiving the first set of data, the pre-processing unit 212 is configured to pre-process the received first set of data by at least one of normalizing, cleaning, and transforming the first set of data.
[0074] At step 504, the method 500 includes the step of training the model utilizing the received first set of data to identify trends associated with behavior of the network 106 by the training unit 214.
[0075] At step 506, the method 500 includes the step of determining the baseline failure threshold based on the identified trends by the determining unit 216. The baseline failure threshold is dynamically updated based on changes in the behavior of the network 106.
[0076] At step 508, the method 500 includes the step of receiving the second set of data pertaining to failure records in real-time from the at least one of the plurality of NFs 226 by the receiving unit 210. The second set of data pertaining to failure records is associated with the one or more geographical regions. The second set of data includes at least one of, information on network failures, error codes, timestamps, and geographical details. Further, the second set of data is also pre-processed by the pre-processing unit 212.
[0077] At step 510, the method 500 includes the step of comparing the second set of data with the determined baseline failure threshold to identify the deviation between by the comparing unit 218.
[0078] At step 512, the method 500 includes the step of detecting the one or more anomalies in the at least one of the plurality of NFs 226 based on identification of the deviation by the detecting unit 220. Further, the generating unit 222 is configured to generate the one or more alerts and reports pertaining to the detected one or more anomalies in the at least one of the plurality of NFs 226. Subsequently, the generated one or more alerts and reports pertaining to the detected one or more anomalies are transmitted to the network operator by the transmitting unit 224. The one or more alerts and reports include details of at least one of, any specific NFs or geographical regions affected, type of anomalies detected, and potential root causes for the same.
[0079] The present invention further discloses a non-transitory computer-readable medium having stored thereon computer-readable instructions. The computer-readable instructions are executed by the processor 202. The processor 202 is configured to receive the first set of data pertaining to failure records from at least one of the plurality of NFs 226. The first set of data pertaining to failure records is associated with one or more geographical regions. The processor 202 is further configured to train the model utilizing the received first set of data to identify trends associated with behavior of the network 106. The processor 202 is further configured to determine the baseline failure threshold based on the identified trends. The processor 202 is further configured to receive the second set of data pertaining to failure records in real-time from the at least one of the plurality of NFs 226. The second set of data pertaining to failure records is associated with the one or more geographical regions. The processor 202 is further configured to compare the second set of data with the determined baseline failure threshold to identify a deviation between. The processor 202 is further configured to detect the one or more anomalies in the at least one of the plurality of NFs 226 based on identification of the deviation.
[0080] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIG.1-5) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0081] The present disclosure incorporates technical advancement of minimizing network disruptions and enhances the overall network quality by detecting the one or more anomalies. The present invention undertakes the proactive measures for network problems. Further, the present invention reduces the manual effort required for monitoring and analysis and improves operational efficiency. The timely detection and resolution of network issues by the present invention leads to a better customer experience and reduces service interruptions. Further, the present invention scales up to handle the growing demands of a rapidly expanding telecom network. The present invention reduces network downtime and improves overall network reliability. The present invention improves the accuracy of trend detection, anomaly identification, and report generation, leading to better system performance and resource optimization
[0082] The present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize on some of the advantageous features. The listed advantages are to be read in a non-limiting manner.

REFERENCE NUMERALS

[0083] Environment- 100
[0084] User Equipment (UE)- 102
[0085] Server- 104
[0086] Network- 106
[0087] System -108
[0088] Processor- 202
[0089] Memory- 204
[0090] User Interface- 206
[0091] Database- 208
[0092] Receiving Unit- 210
[0093] Pre-processing Unit- 212
[0094] Training Unit- 214
[0095] Determining Unit- 216
[0096] Comparing Unit- 218
[0097] Detecting Unit- 220
[0098] Generating Unit- 222
[0099] Transmitting Unit-224
[00100] Plurality of Network Functions (NFs)- 226
[00101] Probing Unit-302
[00102] Processing hub-304
[00103] Data collection and integration unit- 306
[00104] Data pre-processing unit-308
[00105] Model training unit-310
[00106] Real-time monitoring unit- 312
[00107] Anomaly detection unit-314
[00108] Data lake-316

,CLAIMS:CLAIMS:
We Claim:
1. A method (500) of detecting one or more anomalies in a network (106), the method (500) comprising the steps of:
receiving, by one or more processors (202), a first set of data pertaining to failure records from at least one of a plurality of Network Functions (NFs) (226), wherein the first set of data pertaining to failure records is associated with one or more geographical regions;
training, by the one or more processors (202), a model utilizing the received first set of data to identify trends associated with behaviour of the network (106);
determining, by the one or more processors (202), a baseline failure threshold based on the identified trends;
receiving, by the one or more processors (202), a second set of data pertaining to failure records in real-time from the at least one of the plurality of NFs (226), wherein the second set of data pertaining to failure records is associated with the one or more geographical regions;
comparing, by the one or more processors (202), the second set of data with the determined baseline failure threshold to identify a deviation between; and
detecting, by the one or more processors (202), the one or more anomalies in the at least one of the plurality of NFs (226) based on identification of the deviation.

2. The method (500) as claimed in claim 1, wherein each of the first and the second set of data includes at least one of, information on network failures, error codes, timestamps, and geographical details.

3. The method (500) as claimed in claim 1, wherein on receiving the first and the second set of data, the method (500) includes the step of:
preprocessing, by the one or more processors (202), the received first and the second set of data by at least one of normalizing, cleaning, and transforming the first and the second set of data.

4. The method (500) as claimed in claim 1, wherein the baseline failure threshold is dynamically updated based on changes in the behaviour of the network (106).

5. The method (500) as claimed in claim 1, wherein the method (500) further comprises the step of:
generating, by the one or more processors (202), one or more alerts and reports pertaining to the detected one or more anomalies in the at least one of the plurality of NFs (226); and
transmitting, by the one or more processors (202), the generated one or more alerts and reports pertaining to the detected one or more anomalies to a network operator.

6. The method (500) as claimed in claim 5, wherein the one or more alerts and reports include details of at least one of, any specific NFs or geographical regions affected, type of anomalies detected, and potential root causes for the same.

7. A system (108) of detecting one or more anomalies in a network (106), the system (108) comprising:
a receiving unit (210), configured to, receive, a first set of data pertaining to failure records from at least one of a plurality of Network Functions (NFs) (226), wherein the first set of data pertaining to failure records is associated with one or more geographical regions;
a training unit (214), configured to, train, a model utilizing the received first set of data to identify trends associated with behaviour of the network (106);
a determining unit (216), configured to, determine, a baseline failure threshold based on the identified trends;
the receiving unit (210), configured to, receive, a second set of data pertaining to failure records in real-time from the at least one of the plurality of NFs (226), wherein the second set of data pertaining to failure records is associated with the one or more geographical regions;
a comparing unit (218), configured to, compare, the second set of data with the determined baseline failure threshold to identify a deviation between; and
a detecting unit (220), configured to, detect, the one or more anomalies in the at least one of the plurality of NFs (226) based on identification of the deviation.

8. The system (108) as claimed in claim 7, wherein each of the first and the second set of data includes at least one of, information on network failures, error codes, timestamps, and geographical details.

9. The system (108) as claimed in claim 7, wherein on receiving the first and the second set of data, the system (108) comprises:
a preprocessing unit (212), configured to, preprocess, the received first and the second set of data by at least one of normalizing, cleaning, and transforming the first and the second set of data.

10. The system (108) as claimed in claim 7, wherein the baseline failure threshold is dynamically updated based on changes in the behaviour of the network (106).

11. The system (108) as claimed in claim 7, wherein the system (108) further comprises:
a generating unit (222), configured to, generate, one or more alerts and reports pertaining to the detected one or more anomalies in the at least one of the plurality of NFs (226); and
a transmitting unit (224), configured to, transmit, the generated one or more alerts and reports pertaining to the detected one or more anomalies to a network operator.

12. The system (108) as claimed in claim 11, wherein the one or more alerts and reports include details of at least one of, any specific NFs or geographical regions affected, type of anomalies detected, and potential root causes for the same.