CPC H04L 43/04 (2013.01) [G06N 20/00 (2019.01); H04L 41/147 (2013.01)]
9 Claims
1. A system comprising:
a plurality of access point (AP) devices in a wireless network; and
a network management system comprising:
a memory storing network event data received from the AP devices, wherein the network event data is indicative of operational behavior of the wireless network, and wherein the network event data defines a series of network events of one or more event types over a plurality of observation time periods; and
one or more processors coupled to the memory and configured to:
apply an unsupervised machine learning model to the network event data to dynamically determine, for a most recent one of the observation time periods: (i) predicted counts of occurrences of the network events for each event type of the one or more event types, and (ii) a minimum (MIN) threshold and a maximum (MAX) threshold for each event type of the one or more event types, wherein MIN thresholds and MAX thresholds define ranges of expected occurrences for the network events of the one or more event types; and
identify, based on the MIN thresholds and the MAX thresholds and actual network event data for the most recent one of the observation time periods, one or more of the network events as indicative of abnormal network behavior,
wherein the one or more processors are configured to, for each event type of the one or more event types:
determine a prediction error indicative of a difference between the predicted counts of occurrences of the network events as generated by the unsupervised machine learning model and counts of actual network events of the actual network event data for a corresponding event type; and
detect the abnormal network behavior when the prediction error is out of bounds of the MIN threshold and the MAX threshold for the corresponding event type.
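The detection loop recited in claim 1, sketched as an added example that is not taken from the patent or its assignee. The claim does not name the unsupervised model, so a rolling median predictor with a median-absolute-deviation band on past prediction errors stands in for it as an assumption; all function names, the `window` and `k` parameters, and the sample counts are hypothetical.

```python
from statistics import median

def forecast(history, window=6):
    """Stand-in predictor (assumption): median of the last `window` period counts."""
    return median(history[-window:])

def error_bounds(history, window=6, k=4.0):
    """Derive MIN/MAX thresholds from past one-step-ahead prediction errors."""
    errors = [history[i] - forecast(history[:i], window)
              for i in range(window, len(history))]
    centre = median(errors)
    # Median absolute deviation; fall back to 1.0 so a flat history keeps a usable band.
    mad = median(abs(e - centre) for e in errors) or 1.0
    return centre - k * mad, centre + k * mad

def detect(events, window=6, k=4.0):
    """events maps event type -> counts per observation period, most recent last."""
    findings = {}
    for etype, counts in events.items():
        history, actual = counts[:-1], counts[-1]
        if len(history) < 2 * window:
            continue  # too few observation periods to learn thresholds
        predicted = forecast(history, window)
        lo, hi = error_bounds(history, window, k)
        error = actual - predicted  # prediction error for the most recent period
        findings[etype] = {
            "predicted": predicted, "actual": actual, "error": error,
            "min": lo, "max": hi,
            # Expected range of occurrences is predicted+min .. predicted+max.
            "abnormal": not (lo <= error <= hi),
        }
    return findings

# Constructed per-period event counts as an AP fleet might report them.
SAMPLE = {
    "dhcp_failure": [4, 5, 3, 4, 6, 5, 4, 5, 4, 3, 5, 4, 5, 41],
    "auth_failure": [10, 12, 11, 9, 10, 13, 11, 10, 12, 11, 10, 12, 11, 12],
    "roam_event": [7, 8, 7],  # too short: skipped
}

if __name__ == "__main__":
    for etype, result in detect(SAMPLE).items():
        print(etype, result)
```

Because the thresholds are recomputed from each event type's own history on every run, a noisy event type gets a wider band than a quiet one without any hand-set limit.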