DESC:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003

COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
SYSTEM AND METHOD FOR DETECTING ONE OR MORE ANOMALIES IN A NETWORK
2. APPLICANT(S)
NAME NATIONALITY ADDRESS
JIO PLATFORMS LIMITED INDIAN OFFICE-101, SAFFRON, NR. CENTRE POINT, PANCHWATI 5 RASTA, AMBAWADI, AHMEDABAD 380006, GUJARAT, INDIA
3.PREAMBLE TO THE DESCRIPTION

THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE NATURE OF THIS INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.

FIELD OF THE INVENTION
[0001] The present subject matter relates to the field of cloud networks. More particularly, the invention pertains to a system and method for detecting anomalies by analysing hysteresis pattern of metrics in a cloud network.

BACKGROUND OF THE INVENTION
[0002] Currently, various metrics and performance related data of a cloud network such as server CPU utilization, memory usage, network traffic, and other relevant performance indicators are not looked into for determining anomalies that exist or may occur in future. Generally, aforesaid metrics and performance related data need to be looked into and observed over a duration of time, in order to recognize any abnormal patterns occurring in the network. For example, when a power consumption metric of a server is observed over time, a power surge can be predicted or detected, from historical power consumption information of the server.
[0003] There is a need for a system and method, that continuously monitors various performance related metrics of a cloud network, and that raises an alarm upon analysing a hysteresis pattern in the metrics. Accordingly, a system and method for detecting anomalies from hysteresis pattern of metrics of a cloud network is disclosed.

SUMMARY OF THE INVENTION
[0004] One or more embodiments of the present disclosure provide a system and method for detecting one or more anomalies in a network.
[0005] In one aspect of the present invention, a system for detecting one or more anomalies in a network is disclosed. The system includes a fetching unit configured to fetch a plurality of metrics related to a performance of the network. The system further includes an analysing unit configured to analyse the plurality of metrics to identify one or more hysteresis patterns in the plurality of metrics. The system further includes a detection unit configured to detect the one or more anomalies in the one or more identified hysteresis patterns.
[0006] In one aspect, the plurality of metrics includes Central Processing Unit (CPU) utilization, memory usage, and network traffic. The system further comprises an enrichment unit configured to enrich and normalize the plurality of metrics. The system further comprises a reporting and alarm unit configured to raise an alarm to indicate an action is required to be performed to resolve the one or more anomalies.
[0007] In another aspect of the present invention, a method of detecting one or more anomalies in a network is disclosed. The method includes the step of fetching a plurality of metrics related to a performance of the network. The method further includes analyzing the plurality of metrics to identify one or more hysteresis patterns in the plurality of metrics. The method further includes detecting the one or more anomalies in the one or more hysteresis patterns.
[0008] In one aspect, the plurality of metrics includes Central Processing Unit (CPU) utilization, memory usage, and network traffic. The method further comprises enriching and normalizing the plurality of fetched metrics. On detection of the one or more anomalies, the method comprises the step of raising an alarm to indicate an action is required to be performed to resolve the one or more anomalies.
[0009] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0011] FIG. 1 illustrates an environment including a system for detecting anomalies from hysteresis pattern of metrics related to a network, according to one or more embodiments of the present disclosure;
[0012] FIG. 2 illustrates a block diagram of the system for detecting anomalies from hysteresis pattern of metrics related to a network, according to various embodiments of the present system;
[0013] FIG. 3 illustrates a block diagram of the environment including the system for detecting anomalies from hysteresis pattern of metrics related to a network, according to various embodiments of the present system; and
[0014] FIG. 4 illustrates a flow chart of a method of detecting anomalies from hysteresis pattern of metrics of a network, according to one or more embodiments of the present disclosure.
[0015] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0016] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0017] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0018] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0019] Various embodiments of the invention address the aforementioned challenges by providing a system and method for detecting anomalies from hysteresis pattern of metrics of a cloud network. The system also referred to as a Cloud-Native Infrastructure System (CNIS) is designed to collect and analyse various metrics from an infrastructure, such as CPU utilization, memory usage, network traffic, or any other relevant performance indicators. The CNIS looks for patterns in aforementioned metrics over a period of time, and is configured by advanced Artificial Intelligence / Machine Learning (AI/ML) algorithms to identify hysteresis patterns in the metrics. The AI/ML algorithms are trained on historical data to recognise normal patterns, and abnormal deviations.
[0020] The CNIS is configured to take an appropriate action upon determining a hysteresis in the metrics is obtained. In an embodiment, the CNIS is configured to raise an alarm when a hysteresis pattern is detected in the metrics. Various components of the system are explained further with reference to FIG. 1 and FIG. 2.
[0021] FIG. 1 illustrates an environment 100 including a system 115 for detecting anomalies from hysteresis pattern of metrics related to a network. The network may be a local network, a cloud network 110, or a hybrid network. Although different embodiments have been described successively with reference to the cloud network 110, it must be understood that the teachings could also be implemented for any other type of network. The environment 100 includes a plurality of hosts 105 (represented as a first host 105-1, a second host 105-2, and nth host 105-n) connected with the cloud network 110. The hosts 105 can be understood as computing devices communicating with each other in a computer network. The cloud network 110 can be understood as a Wide Area Network (WAN) hosting users and resources and allowing the two to communicate via cloud-based technologies. The cloud network 110 may consist of server, memories, virtual routers, firewalls, and network management software. The cloud network 110 may be a public, private, hybrid, or a community cloud network.
[0022] The environment 100 further includes the system 115 for detecting one or more anomalies in the cloud network 110. The system 115 is communicably coupled with the plurality of hosts 105 and the cloud network 110. The system 115 may be a computing device having a User Interface (UI), such as a smartphone, laptop, general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer.
[0023] In some implementations, the system 115 may include by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof.
[0024] The environment 100 further includes a distributed data lake 120 communicably coupled to the system 115. The distributed data lake 120 is a data repository providing storage for structured and unstructured data, such as for machine learning, streaming, or data science. The distributed data lake 120 allows users and/or organizations to ingest and manage large volumes of data in an aggregated storage solution for business intelligence or data products.
[0025] Operational and construction features of the system 115 will be explained in detail successively with respect to different figures. FIG. 2 illustrates a block diagram of the system 115 for detecting anomalies from hysteresis pattern of metrics related to a network, according to one or more embodiments of the present disclosure.
[0026] As per the illustrated embodiment, the system 115 includes one or more processors 205, a memory 210, and an input/output interface unit 215. The one or more processors 205, hereinafter referred to as the processor 205 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions. As per the illustrated embodiment, the system 115 includes one or more processors 205. However, it is to be noted that the system 115 may include multiple processors as per the requirement and without deviating from the scope of the present disclosure. Among other capabilities, the one or more processors 205 are configured to fetch and execute computer-readable instructions stored in the memory 210. The memory 210 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory 210 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as EPROM, flash memory, and the like.
[0027] In an embodiment, the input/output (I/O) interface unit 215 includes a variety of interfaces, for example, interfaces for data input and output devices, referred to as Input/Output (I/O) devices, storage devices, and the like. The I/O interface unit 215 facilitates communication of the system 115. In one embodiment, the I/O interface unit 215 provides a communication pathway for one or more components of the system 115. Examples of such components include, but are not limited to, a backend database 220 and a distributed cache 225.
[0028] The database 220 is one of, but is not limited to, a centralized database, a cloud-based database, a commercial database, an open-source database, a distributed database, an end-user database, a graphical database, a No-Structured Query Language (NoSQL) database, an object-oriented database, a personal database, an in-memory database, a document-based database, a time series database, a wide column database, a key value database, a search database, a cache database, and so forth. The foregoing examples of the database 220 types are non-limiting and may not be mutually exclusive e.g., a database can be both commercial and cloud-based, or both relational and open-source, etc.
[0029] The distributed cache 225 is a pool of Random-Access Memory (RAM) of multiple networked computers into a single in-memory data store for use as a data cache to provide fast access to data. The distributed cache 225 is essential for applications that need to scale across multiple servers or are distributed geographically. The distributed cache 225 ensures that data is available close to where it’s needed, even if the original data source is remote or under heavy load.
[0030] Further, the processor 205, in an embodiment, may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processor 205. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processor 205 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processor 205 may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 210 may store instructions that, when executed by the processing resource, implement the processor 205. In such examples, the system 115 may comprise the memory 210 storing the instructions and the processing resource to execute the instructions, or the memory 210 may be separate but accessible to the system 115 and the processing resource. In other examples, the processor 205 may be implemented by electronic circuitry.
[0031] For the system 115 to detect one or more anomalies in the cloud network 110, the processor 205 includes a fetching unit 230 configured to fetch a plurality of metrics related to a performance of the cloud network 110. The plurality of metrics may include, but not limited to, Central Processing Unit (CPU) utilization, memory usage, and network traffic. The processor 205 further includes an enrichment unit 235 configured to enrich and normalize the plurality of metrics. Data enrichment refers to the process of enhancing raw data i.e. the metrics with additional information to make it more valuable, informative, and actionable for analysis, decision-making, and other purposes. This enhancement typically involves adding context, metadata, or supplementary data to the metrics. In some implementation, the data enrichment may include merging of data fields to obtain a single data field or splitting of a data field to obtain multiple data fields. Normalizing the metrics data involves transforming the metrics data to a standard format or scale to facilitate meaningful comparisons and analysis. The metrics data could be normalized using a variety of techniques including Min-Max Normalization involving scaling of data to a fixed range, such as [0, 1] and Z-score normalization involving transformation of the data to have a mean of 0 and a standard deviation of 1. Normalization could be performed using libraries or functions provided by different programming languages and data analysis tools.
[0032] The processor 205 further includes an analysing unit 240 configured to analyse the plurality of metrics to identify one or more hysteresis patterns in the plurality of metrics. The hysteresis patterns correspond to historical performance patterns related to cloud networks. For example, hysteresis pattern of resource (CPU, memory, and disk usage) utilization may help in identifying peak usage periods and optimizing resource allocation. Further, hysteresis pattern of network bandwidth may help in optimizing network infrastructure, implementing effective traffic management strategies, and ensuring sufficient bandwidth during peak periods. Further, hysteresis pattern of response time may provide insights into application performance and user experience. Further, hysteresis pattern of downtime and availability may provide visibility of reliability and availability of cloud services.
[0033] The processor 205 further includes a detection unit 245 configured to detect one or more anomalies in the one or more hysteresis patterns. The anomalies in hysteresis pattern of the metrics data refer to deviations or irregularities from expected patterns or norms in various metrics that are monitored within the cloud environment. The anomalies are detected based on comparison of current values of the metric data with historical values of predefined thresholds. For example, a sudden increase or decrease in metrics, such as CPU usage may be identified as an anomaly. Further, a sudden increase in consumption of memory by an application could also be identified as an anomaly. The processor 205 further includes a reporting and alarm unit 250 configured to raise an alarm to indicate an action required to be performed to resolve the one or more anomalies.
[0034] Referring to FIG. 3 illustrating a block diagram of the environment 100 including the system 115 for detecting anomalies in the cloud network 110, a preferred embodiment of the system 115 is described. The system 115 is alternatively referred as a Cloud-Native Infrastructure System (CNIS).
[0035] In an embodiment, the system 115 includes the first host 105-1, the second host 105-2, the cloud network 110, the distributed data lake 120, the reporting and alarm unit 250, an infrastructure manger 304, a metric ingestion unit 306, an infrastructure enrichment unit 308, an infrastructure normalizer unit 310, a machine learning/artificial intelligence (AI) unit 312, an anomaly detection unit 314, and a forecasting unit 316. The first host 105-1 and the second host 105-2 include at least one agent manager (AM).
[0036] The infrastructure manger 304 is connected with the first host 105-1, the second host 105-2, and the cloud network 110. The first host 105-1 and the second host 105-2 also communicate with the metric ingestion unit 306 which is coupled with the infrastructure enrichment unit 308. The infrastructure enrichment unit 308 is connected with the infrastructure normalizer unit 310. The machine learning/AI unit 312 is connected with the anomaly detection unit 314, the reporting and alarm unit 250, and the forecasting unit 316. The machine learning/AI unit 312, the anomaly detection unit 314, the reporting and alarm unit 250, and the forecasting unit 316 are connected with the distributed data lake 120.
[0037] The infrastructure manger 304 is configured to fetch a plurality of metrics (metrics data) related to performance of the cloud network 110. The metrics data obtained by the infrastructure manger 304 is passed to the metric ingestion unit 306. The infrastructure enrichment unit 308 performs enrichment of the metrics data. Data enrichment refers to the process of enhancing raw data i.e. the metrics with additional information to make it more valuable, informative, and actionable for analysis, decision-making, and other purposes. This enhancement typically involves adding context, metadata, or supplementary data to the metrics. In some implementation, the data enrichment may include merging of data fields to obtain a single data field or splitting of a data field to obtain multiple data fields.
[0038] The enriched data is normalized by passing through an infrastructure normalizer unit 310. Normalizing the metrics data involves transforming the metrics data to a standard format or scale to facilitate meaningful comparisons and analysis. The metrics data could be normalized using a variety of techniques including Min-Max Normalization involving scaling of data to a fixed range, such as [0, 1] and Z-score normalization involving transformation of the data to have a mean of 0 and a standard deviation of 1. Normalization could be performed using libraries or functions provided by different programming languages and data analysis tools.
[0039] The metrics are then stored in the distributed data lake 120. The ML/AI unit 312 is configured to run ML/AI algorithms on the enriched metrics stored in the distributed data lake 120 and provide result to the anomaly detection unit 314. If an anomaly is detected in a hysteresis pattern by the anomaly detection unit 314, the reporting and alarm unit 250 is instructed to raise an alarm. The hysteresis pattern corresponds to historical performance patterns related to cloud networks. For example, hysteresis pattern of resource (CPU, memory, and disk usage) utilization may help in identifying peak usage periods and optimizing resource allocation. Further, hysteresis pattern of network bandwidth may help in optimizing network infrastructure, implementing effective traffic management strategies, and ensuring sufficient bandwidth during peak periods. Further, hysteresis pattern of response time may provide insights into application performance and user experience. Further, hysteresis pattern of downtime and availability may provide visibility of reliability and availability of cloud services.
[0040] The reporting and alarm unit 250 is configured to raise the alarm based on an input received from the anomaly detection unit 314. For example, if the anomaly is serious in nature that requires immediate intervention, an urgent alarm can be raised. Further, based on historical trends of the metrics data and analysis of the metrics data, the forecasting engine 316 predicts occurrence of an anomaly. Detailed working of each component is provided herein below.
[0041] The agent managers refer to software components or modules that perform specific tasks or functions within the cloud infrastructure. The agent managers are typically deployed on virtual machines (VMs), containers, or directly on cloud services to facilitate various operational, management, security, or monitoring tasks.
[0042] The agent managers deployed by the infrastructure manager 304 are responsible for collecting metrics from the containers and the hosts (105-1 and 105-2). The containers in a cloud environment refer to lightweight, portable, and self-contained units of software that package application code and all its dependencies, including libraries and runtime environments, into a single package. These containers are designed to run consistently across different computing environments, whether on-premises or in the cloud.
[0043] The agent managers collect information such as CPU usage, memory utilization, network statistics, and other relevant metrics necessary for monitoring the cloud network 110. The system 115 provides a centralized management interface to configure and monitor the agent managers. The centralized management interface allows operators to control the number of the agent managers, their deployment, and monitoring parameters in a centralized manner.
[0044] The agent managers interact with network functions on a southbound interface. In a cloud environment, the network functions refer to capabilities and services provided by an underlying networking infrastructure to facilitate communication, connectivity, security, and management of resources. The network functions may include load balancing, content delivery network, security services, network monitoring and management, and network automation and orchestration. The hosts (105-1 and 105-2) integrate over a Transmission Control Protocol (TCP) interface with an agent manager container. The agent managers obtain all counter metric data from the hosts (105-1 and 105-2). All the processes are defined at the agent managers so that the agent managers can process and ingest all metrics data from containers running on the virtual machine. Once the metrics is received from the containers, at least one of the agent managers evaluate the data and send the evaluated data to a broker (not shown).
[0045] The infrastructure manger 304 is a central component of a platform (or system (115)) which interacts with a graphical user interface (GUI)/dashboard on the southbound and the at least one agent manager on a northbound via a Hypertext Transfer Protocol (HTTP) interface. The infrastructure manger 304 allocates host internet protocols (IPs) to the at least one agent manager which is basically configurable. The infrastructure manger 304 provides a support for a set of APIs through which the host (115-1 and 115-2) can be easily provisioned as well. Further, the infrastructure manger 304 can add and remove the hosts (115-1 and 115-2) based on the requirement.
[0046] The metric ingestion unit 306 consumes data from brokers topics (also referred as a broker). A broker refers to a service or component that facilitates communication, messaging, or event-driven interactions between different components or services within the cloud environment. The metric ingestion unit 306 may create a CSV file for the consumed data, which is being pulled by the infrastructure enrichment unit 308. The metric ingestion unit 306 validates the metrics obtained from the broker topics and performs the data enrichment. Data enrichment refers to the process of enhancing raw data i.e. the metrics with additional information to make it more valuable, informative, and actionable for analysis, decision-making, and other purposes. This enhancement typically involves adding context, metadata, or supplementary data to the metrics. In some implementation, the data enrichment may include merging of data fields to obtain a single data field or splitting of a data field to obtain multiple data fields.
[0047] Further, the metric ingestion unit 306 pushes the files to the infrastructure normalizer unit 310, for processing the data, through the infrastructure enrichment unit 308. The infrastructure normalizer unit 310 is placed on a path of data flow. The infrastructure normalizer unit 310 intelligently processes the incoming data from the metric ingestion unit 306 and the infrastructure enrichment unit 308. The infrastructure normalizer unit 310 shrinks the data through filtering and stores the data into the distributed data lake 120.
[0048] The ML/AI unit 312 executes Artificial Intelligence / Machine Learning algorithms on the metrics data filtered by the infrastructure normalizer unit 310 to find metric anomalies or trigger forecasting for metrics, as soon as any new metric is identified. The anomalies in hysteresis pattern of the metrics data refer to deviations or irregularities from expected patterns or norms in various metrics that are monitored within the cloud environment. The anomalies are detected based on comparison of current values of the metric data with historical values of predefined thresholds. For example, a sudden increase or decrease in metrics, such as CPU usage may be identified as an anomaly. Further, a sudden increase in consumption of memory by an application could also be identified as an anomaly.
[0049] The ML/AI unit 312 sends the metric anomalies to the anomaly detection unit 314 for reporting to a user. The ML/AI unit 312 also sends information associated with the anomalies to the forecasting unit 316 and the reporting and alarm unit 250 to take a preemptive action for the same.
[0050] In one implementation, the preemptive action taken to address the anomaly may include scaling of resources. When the anomaly indicates increased resource utilization (e.g., CPU or memory spikes), the resources could be scaled temporarily or permanently to handle increased demand. This could involve adding more virtual machines, increasing instance sizes, or utilizing auto-scaling capabilities provided by cloud services. Further, load balancing could be performed to address the anomaly. Load balancing would involve implementing load balancing strategies to distribute traffic evenly across multiple instances or servers. This helps prevent overloading of specific resources and ensures consistent performance during spikes in traffic. Further, optimization of resource allocation could be done to address the anomaly. It includes analyzing resource usage patterns and adjusting allocation settings (e.g., CPU shares, memory limits) to optimize resource utilization and minimize waste. Further, data integrity checks could be made to address the anomaly. Data integrity and consistency could be validated when the anomalies are related to data processing or storage. Data integrity checks and audits could be done to ensure that data remains accurate and reliable.
[0051] The forecasting unit 316 gets a request from the ML/AI unit 312 to take preemptive action based on a threshold value set for an operational or performance parameter related to the cloud network. The forecasting unit 316 has a capability to perform network expansion based on data trends determined by the AI/ML algorithms. The network expansion refers to scaling and extending of network infrastructure for accommodating growing needs, increased demand, or new requirements within a cloud-based architecture. The network expansion could be done via horizontal scaling or vertical scaling. Horizontal scaling means adding more resources (e.g., virtual machines, containers) to handle increased workload and traffic. Vertical scaling means increasing the capacity of existing resources (e.g., upgrading instance sizes) to meet performance requirements. In one scenario, the threshold value of CPU utilization may be set as 92%, and when such value is surpassed, the network expansion may be performed.
[0052] The reporting and alarm unit 250 gets a request from the ML/AI unit 312 to generate an alarm based on a threshold value. The reporting and alarm unit 250 has capability to perform network expansion in a closed loop automation.
[0053] FIG. 4 illustrates a flow chart of a method 400 of detecting anomalies from hysteresis pattern of metrics of a network, according to one or more embodiments of the present disclosure. For the purpose of description, the method 400 is described with the embodiments as illustrated in FIGS. 1 and 3 and should nowhere be construed as limiting the scope of the present disclosure. A person of ordinary skill in the art will readily ascertain that the illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0054] At step S402, one or more Agent Managers (AMs) fetch network metrics. The network metrics include parameters for monitoring and managing performance of resources of cloud infrastructure, such as uptime, error rate, compute cost, and requests per minute.
[0055] At step S404, the network metrics are enriched by an infrastructure enrichment unit. Further, the network metrics are normalized by an infrastructure normalizer unit. Successively, the network metrics are stored into a distributed data lake.
[0056] At step S406, an AI/ML algorithm is run on data i.e., the network metrics stored in the distributed data lake, to analyse a trend in the network metrics. Analysing the trend in the network metrics refer to analysis of values of a parameter included in the network metrics over a period of time. Such parameters may include throughput, latency, packet loss, error rates, and utilization.
[0057] At step S408, if an anomaly is found in the trend, an alarm is raised by a reporting an alarm unit. The anomaly may refer to sudden spikes or drops in metrics, which may signify network congestion, hardware failures, or security incidents. Raising an alarm indicates, to a user, that an action is required to resolve the anomaly.
[0058] The present invention further discloses a non-transitory computer-readable medium having stored thereon computer-readable instructions. The computer-readable instructions are executed by the processor 205. The processor 205 is configured to fetch a plurality of metrics related to a performance of a network. The processor 205 is further configured to analyze the plurality of metrics to identify one or more hysteresis patterns in the plurality of metrics. The processor 205 is further configured to detect one or more anomalies in the one or more identified hysteresis patterns.
[0059] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIGS.1-4) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0060] The above described techniques (of detecting one or more anomalies in a network) of the present invention provide multiple advantages, including identification of anomalies in hysteresis pattern of metrics related to a network, and taking preemptive actions to address the anomalies. The preemptive actions would increase performance, availability, and reliability of the network.
[0061] The present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize on some of the advantageous features. The listed advantages are to be read in a non-limiting manner.
[0062] Server: A server may include or comprise, by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, some combination thereof. In an embodiment, the entity may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise, a defence facility, or any other facility that provides content.
[0063] System (for example, computing system): A system may include one or more processors coupled with a memory, wherein the memory may store instructions which when executed by the one or more processors may cause the system to perform offloading/onloading of broadcasting or multicasting content in networks. An exemplary representation of the system for such purpose, in accordance with embodiments of the present disclosure. In an embodiment, the system may include one or more processor(s). The one or more processor(s) may be implemented as one or more microprocessors, microcomputers, microcontrollers, edge or fog microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that process data based on operational instructions. Among other capabilities, the one or more processor(s) may be configured to fetch and execute computer-readable instructions stored in a memory of the system. The memory may be configured to store one or more computer-readable instructions or routines in a non-transitory computer readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory may comprise any non-transitory storage device including, for example, volatile memory such as Random-Access Memory (RAM), or non-volatile memory such as Electrically Erasable Programmable Read-only Memory (EPROM), flash memory, and the like. In an embodiment, the system may include an interface(s). The interface(s) may comprise a variety of interfaces, for example, interfaces for data input and output devices, referred to as input/output (I/O) devices, storage devices, and the like. The interface(s) may facilitate communication for the system. The interface(s) may also provide a communication pathway for one or more components of the system. Examples of such components include, but are not limited to, processing unit/engine(s) and a database. The processing unit/engine(s) may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processing engine(s). In examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processing engine(s) may be processor executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processing engine(s) may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the machine-readable storage medium may store instructions that, when executed by the processing resource, implement the processing engine(s). In such examples, the system may include the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to the system and the processing resource. In other examples, the processing engine(s) may be implemented by electronic circuitry. In an aspect, the database may comprise data that may be either stored or generated as a result of functionalities implemented by any of the components of the processor or the processing engines.
[0064] Computer System: A computer system may include an external storage device, a bus, a main memory, a read-only memory, a mass storage device, communication port(s), and a processor. A person skilled in the art will appreciate that the computer system may include more than one processor and communication ports. The communication port(s) may be any of an RS-232 port for use with a modem-based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports. The communication port(s) may be chosen depending on a network, such a Local Area Network (LAN), Wide Area Network (WAN), or any network to which the computer system connects. The main memory may be random access memory (RAM), or any other dynamic storage device commonly known in the art. The read-only memory may be any static storage device(s) including, but not limited to, a Programmable Read Only Memory (PROM) chips for storing static information e.g., start-up or basic input/output system (BIOS) instructions for the processor. The mass storage device may be any current or future mass storage solution, which may be used to store information and/or instructions. The bus communicatively couples the processor with the other memory, storage, and communication blocks. The bus can be, e.g. a Peripheral Component Interconnect (PCI) / PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), universal serial bus (USB), or the like, for connecting expansion cards, drives, and other subsystems as well as other buses, such a front side bus (FSB), which connects the processor to the computer system. Optionally, operator and administrative interfaces, e.g. a display, keyboard, and a cursor control device, may also be coupled to the bus to support direct operator interaction with the computer system. Other operator and administrative interfaces may be provided through network connections connected through the communication port(s). In no way should the aforementioned exemplary computer system limit the scope of the present disclosure.

REFERENCE NUMERALS
[0065] Environment – 100;
[0066] Host – 105;
[0067] Cloud network - 110;
[0068] CNIS/System - 115;
[0069] Distributed data lake - 120;
[0070] One or more processors -205;
[0071] Memory – 210;
[0072] Input/output interface unit – 215;
[0073] Database – 220;
[0074] Distributed cache – 225;
[0075] Fetching unit – 230;
[0076] Enrichment unit – 235;
[0077] Analysing unit – 240;
[0078] Detection unit – 245;
[0079] Reporting and alarm unit – 250;
[0080] Infrastructure manager – 304;
[0081] Metric ingestion unit – 306;
[0082] Infrastructure enrichment unit – 308;
[0083] Infrastructure normalizer unit – 310;
[0084] Machine Learning/AI unit – 312;
[0085] Anomaly detection unit – 314; and
[0086] Forecasting unit – 316.

,CLAIMS:CLAIMS
We Claim:
1. A method of detecting one or more anomalies in a network (110), the method comprising the steps of:
fetching, by one or more processors (205), a plurality of metrics related to a performance of the network (110);
analysing, by the one or more processors (205), the plurality of metrics to identify one or more hysteresis patterns in the plurality of metrics; and
detecting, by the one or more processors (205), the one or more anomalies in the one or more hysteresis patterns.

2. The method as claimed in claim 1, wherein the plurality of metrics includes Central Processing Unit (CPU) utilization, memory usage, and network traffic.

3. The method as claimed in claim 1, comprising enriching and normalizing, by the one or more processors (205), the plurality of fetched metrics.

4. The method as claimed in claim 1, wherein on detection of the one or more anomalies, the method comprises the step of raising, by the one or more processors (205), an alarm to indicate an action is required to be performed to resolve the one or more anomalies.

5. A system (115) for detecting one or more anomalies in a network (110), the system (115) comprising:
a fetching unit (230) configured to fetch a plurality of metrics related to a performance of the network (110);
an analysing unit (240) configured to analyse the plurality of metrics to identify one or more hysteresis patterns in the plurality of metrics; and
a detection unit (245) configured to detect the one or more anomalies in the one or more identified hysteresis patterns.

6. The system (115) as claimed in claim 5, wherein the plurality of metrics includes Central Processing Unit (CPU) utilization, memory usage, and network traffic.

7. The system (115) as claimed in claim 5, comprising an enrichment unit (235) configured to enrich and normalize the plurality of metrics.

8. The system (115) as claimed in claim 5, comprising a reporting and alarm unit (250) configured to raise an alarm to indicate an action is required to be performed to resolve the one or more anomalies.