CPC H04L 43/04 (2013.01) [G06N 20/00 (2019.01); H04L 41/147 (2013.01)] | 20 Claims
1. A method comprising:
obtaining network event data indicative of operational behavior of a network, wherein the network event data defines a series of network events of one or more event types;
dynamically determining, based on the network event data, corresponding minimum (MIN) and maximum (MAX) thresholds that define a range of expected counts of occurrences of network events for each event type of the one or more event types;
constructing an unsupervised machine learning model based on the network event data and the corresponding MIN and MAX thresholds for each event type of the one or more event types without requiring labelling of each of the network events of the network event data, wherein constructing the unsupervised machine learning model comprises:
dividing the network event data into at least two time series subgroups, each of the time series subgroups comprising a portion of the series of network events of the one or more event types,
training the unsupervised machine learning model to predict counts of occurrences of network events for each event type using a first one of the time series subgroups, and
validating the unsupervised machine learning model using a second one of the time series subgroups;
after constructing the unsupervised machine learning model, processing additional network event data with the unsupervised machine learning model to determine predicted counts of occurrences of network events of the additional network event data for each event type of the one or more event types; and
identifying, based on the predicted counts of occurrences and the corresponding MIN and MAX thresholds for each event type of the one or more event types, one or more of the network events of the additional network event data as indicative of abnormal network behavior.
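The steps of claim 1, sketched as an added example that is not part of the patent text. The claim names no threshold rule or model, so the median ± 3·MAD thresholds, the EWMA predictor, the 70/30 split, the 60-second windows and the `auth_fail` event type are all assumptions chosen for illustration.

```python
from collections import Counter
from statistics import median

def window_counts(events, width, n_windows):
    """events: (epoch_seconds, event_type) pairs -> {event_type: [count per window]}."""
    tally = Counter((int(ts // width), etype) for ts, etype in events)
    types = {etype for _, etype in events}
    return {t: [tally[(w, t)] for w in range(n_windows)] for t in types}

def min_max(counts, k=3.0):
    """MIN/MAX as median +/- k*MAD (assumed rule; the claim does not name one)."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0
    return max(0.0, med - k * mad), med + k * mad

def ewma_path(counts, alpha, start):
    """Assumed predictor: preds[i] is the smoothed count after seeing counts[i]."""
    preds, level = [], start
    for c in counts:
        level = alpha * c + (1 - alpha) * level
        preds.append(level)
    return preds

def one_step_error(counts, alpha):
    preds = ewma_path(counts[:-1], alpha, counts[0])
    return sum(abs(p - c) for p, c in zip(preds, counts[1:])) / len(preds)

def build_model(counts, split=0.7, grid=(0.2, 0.4, 0.6, 0.8)):
    """Train on the first time series subgroup, validate on the second; no labels."""
    cut = int(len(counts) * split)
    train, holdout = counts[:cut], counts[cut:]
    alpha = min(grid, key=lambda a: one_step_error(train, a))
    lo, hi = min_max(train)
    return {"alpha": alpha, "min": lo, "max": hi, "start": median(train),
            "holdout_mae": one_step_error(holdout, alpha)}

def detect(model, new_counts):
    """Indices of new windows whose predicted count falls outside [MIN, MAX]."""
    preds = ewma_path(new_counts, model["alpha"], model["start"])
    return [i for i, p in enumerate(preds) if not model["min"] <= p <= model["max"]]

# Constructed sample: per-minute counts of a hypothetical "auth_fail" event type.
BASELINE = [10, 12, 11, 9, 10, 13, 11, 10, 12, 9, 11, 10, 12, 11, 10, 9, 11, 12, 10, 11]
EVENTS = [(w * 60 + i, "auth_fail") for w, n in enumerate(BASELINE) for i in range(n)]
COUNTS = window_counts(EVENTS, 60, len(BASELINE))["auth_fail"]
MODEL = build_model(COUNTS)
print(detect(MODEL, [11, 10, 12, 40, 45]))  # windows 3 and 4 exceed MAX
```

Because the smoothed prediction lags the raw counts, windows immediately after a burst can remain flagged until the predicted count decays back inside the range.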