• sh7786

The secret to precise anomaly detection for mobile networks has been in front of you all along

Deployment of anomaly detection systems as a network cyber security layer has greatly increased in popularity over the past few years. The reason is simple: anomaly detection and management provide proactive and preventative security through real-time detection and alerting, as well as quick mitigation. Anomaly detection can be performed using a variety of methodologies at every step of the process: learning, detection, investigation, mitigation, and so on. Today we're turning our focus to "learning process" methodologies, specifically to a method called "supervised learning."

What is anomaly detection?

In layman's terms, anomaly detection algorithms identify items, events or observations which do not conform to expected patterns or to other items in a dataset. An anomaly is a change in the behavior of an entity compared to itself or compared to its peers. That change could be a single deviation from legal or normal behavior, or a statistical or volumetric deviation from routine. When compared to itself, the entity's activity is measured against its past patterns of normal, accepted behavior. When compared to peers, its activity is analyzed in reference to other similar entities.

Sounds simple enough? Not quite. First, anomaly detection systems need to learn what "normal behavior" is. How do you learn what normal behavior is? The process is not straightforward and requires taking multiple factors into account (see our previous blog post for examples).

Supervised learning is the preferred method to guarantee better model accuracy.

Supervised Learning

Supervised learning is a method to accurately “teach” anomaly detection systems positive and negative behaviors. For example, in the case of image processing you can have a computer analyze pictures of apples and manually label each image as “apple”. Using the correct machine learning algorithms, once the system has analyzed enough labeled images, it can identify the next image containing an apple. The huge benefit of this approach is its high accuracy rate - since the system is taught the “absolute truth”, it can detect the n+1 example with minimum error rate.

This can be true for mobile networks as well. Ideally, when an anomaly detection system is implemented in a mobile network, every packet is learnt in conjunction with pre-defined labeling, during the learning phase. This will result in a system which can detect anomalies with maximum efficiency.

In the case of mission critical systems, such as mobile networks, supervised learning is a must-have to deliver real time high detection accuracy, which enables operators to detect and handle significant events as soon as possible and minimize false positives. This makes meaningful and effective use of human resources, saving valuable time and money. The likelihood, however, that mobile operators will implement supervised learning is extremely low. Why? Because the process of data labeling is very expensive, requires expert skills and takes a lot of time.

This is where imVision Technologies comes in

Thanks to our unique combination of telecom expertise and anomaly management knowledge, we incorporated a built-in reference "model" into our Anomaly Management Platform (AMP). This "model" contains all the information relating to the communication standards Diameter, S1AP, GTP, GTPv2 and SIP, and is able to tell whether a particular message seen in the network complies with the standard.

This way, during the learning period, communication messages are first verified to be valid and free of mistakes. Only then is the system allowed to learn the pattern the message carries.

Let's look at an example: assume that during the learning process the system sees a message that has 2 mandatory fields and 3 optional ones. The system looks at these fields and consults the reference "model" to check that the presence of these 2 mandatory and 3 optional fields is legitimate. It sees that it is in fact legitimate. So the system is now allowed to learn the pattern "for this network, message x uses 2 mandatory fields and these 3 optional ones."

Now, during the detection phase, when a similar message comes in, the system will expect it to have the same format it observed during the learning period. If the message suddenly shows the 2 mandatory fields, the 3 optional ones and a 4th field it has not seen in use before, it will classify it as an anomaly.
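The two-stage idea above, a standard-compliance check gating what gets learned and then a per-network field profile used for detection, sketched as an added example in Python. This is not imVision's code: the reference model, the message type "msg-x" and its field names are constructed, and real Diameter/GTP/SIP specs are far richer than a mandatory/optional split.

```python
from dataclasses import dataclass, field

# Hypothetical reference model (constructed, not a real Diameter/GTP/SIP spec).
REFERENCE_MODEL = {
    "msg-x": {
        "mandatory": {"session-id", "origin-host"},
        "optional": {"user-name", "result-code", "auth-app-id", "vendor-id"},
    },
}

def complies(msg_type, fields, model=REFERENCE_MODEL):
    """Standard check: every mandatory field present, no field outside the spec."""
    spec = model.get(msg_type)
    if spec is None:
        return False
    return spec["mandatory"] <= fields <= (spec["mandatory"] | spec["optional"])

@dataclass
class FieldProfile:
    """Per-network usage learned only from messages that passed the standard check."""
    learned: dict = field(default_factory=dict)   # msg_type -> set of frozenset(fields)
    rejected: list = field(default_factory=list)  # invalid messages, never learned

    def learn(self, messages):
        for msg_type, fields in messages:
            fields = frozenset(fields)
            if complies(msg_type, fields):
                self.learned.setdefault(msg_type, set()).add(fields)
            else:
                self.rejected.append((msg_type, fields))

    def detect(self, msg_type, fields):
        """Return (is_anomaly, fields never seen in use for this message type)."""
        fields = frozenset(fields)
        known = self.learned.get(msg_type, set())
        if fields in known:
            return False, frozenset()
        return True, fields - frozenset().union(*known)

def build_profile():
    """Learning phase over constructed sample traffic."""
    normal = {"session-id", "origin-host", "user-name", "result-code", "auth-app-id"}
    traffic = [
        ("msg-x", normal),
        ("msg-x", {"session-id", "user-name"}),   # missing mandatory origin-host
        ("msg-x", normal | {"x-debug"}),          # field the standard does not define
    ]
    profile = FieldProfile()
    profile.learn(traffic)
    return profile
```

Note that "vendor-id" is legal per the constructed spec but was never seen during learning, so a message carrying it is flagged: compliance with the standard and normality for this network are two different checks.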

Zero effort required

imVision's Anomaly Management Platform (AMP) for mobile networks employs advanced supervised learning methods to optimize detection and reduce the rate of false alarms.

By providing an out-of-the-box reference model created by imVision telecom and cybersecurity experts, operators are able to utilize supervised learning-based detection without any work on their part.

And a teaser…

But that's not all. Not all of the behaviors in network communication can be detected using supervised learning. So what do we do then? Stay tuned to discover the answer in our next post!