Hybrid Model for Anomaly Detection on Call Detail Records by Time Series Forecasting

06/07/2020 ∙ by Aryan Mokhtari, et al. ∙ University of Tehran

Mobile network operators store an enormous amount of information like log files that describe various events and users' activities. Analysis of these logs might be used in many critical applications such as detecting cyber-attacks, finding behavioral patterns of users, security incident response, network forensics, etc. In a cellular network Call Detail Records (CDR) is one type of such logs containing metadata of calls and usually includes valuable information about contact such as the phone numbers of originating and receiving subscribers, call duration, the area of activity, type of call (SMS or voice call) and a timestamp. With anomaly detection, it is possible to determine abnormal reduction or increment of network traffic in an area or for a particular person. This paper's primary goal is to study subscribers' behavior in a cellular network, mainly predicting the number of calls in a region and detecting anomalies in the network traffic. In this paper, a new hybrid method is proposed based on various anomaly detection methods such as GARCH, K-means, and Neural Network to determine the anomalous data. Moreover, we have discussed the possible causes of such anomalies.




1 Introduction

Today, a great deal of data is being produced by people and their interactions. In cellular networks, many continuously changing network parameters and measurements are obtained from subscribers. Mobile operators use these measurements as well as other information to improve the performance of their network. Call Detail Records (CDR) is one of these measurements that is widely employed to discover the behavioral patterns of subscribers in a network [1].

In a telecommunication network, anomalies are user behaviors that differ from the user's usual or expected actions. Anomaly detection methods based on data mining techniques, such as statistical inference and machine learning, are extensively utilized in many industries and services such as financial systems, health insurance and healthcare, and cyber-defense.


Anomaly detection has many applications in mobile networks, such as security incident detection, resource allocation, and load balancing [2]. Additionally, anomaly detection of CDR data can play an essential role in improving municipal services, such as public transportation planning and traffic management. Many of the anomaly detection methods are based on forecasting techniques [3]. Forecasting problems are often classified into three categories: short-term, medium-term, and long-term [3]. Short and medium-term forecasting problems are usually based on identification, modeling, and extrapolation of patterns found in previous data. Due to the lack of significant changes in these earlier data, statistical methods are useful for short-term and mid-term forecasting.

1.1 Contribution

In this paper, we utilized the CDR dataset from a real mobile cellular network, an example of short-term forecasting, which includes the prediction of future events over short periods of time, such as a day, week, or month. Time-space information in these CDR helps us analyze aggregated subscribers' behavior in a specific area on a particular date and time. Anomalies in the performance of a network can take place for many reasons, such as sleeping cells, hardware failures, a surge in traffic, network attacks, and special occasions like national celebrations. In this paper, we propose a new method for anomaly detection in the time series of subscribers' usage (measured by the number of calls) in a cellular network. Our approach is based on a combination of well-known methods such as GARCH, K-means, and Neural Networks, and outperforms all of them. We call this model a Hybrid model.

Our contributions towards anomaly detection in telecommunication domain are as follows:

  • We try to detect the unusual behavior of the users using a hybrid model that utilizes the benefits of three methods: GARCH, K-means, and Neural Networks.

  • We use logistic regression for causality inference.

  • We compare the results of the hybrid model with the previous works.

1.2 Paper Organization

The remainder of the paper is organized as follows. Section II describes the related work. Anomaly detection algorithms are discussed in Section III. In Section IV, the dataset is presented. In Section V, the various methods used for anomaly detection and the errors of each method are discussed and compared with previous works. Finally, Section VI concludes the paper.

2 Related Work

Anomaly detection methods based on machine learning and neural networks have been used in many studies [1, 2, 3, 4]. Besides, methods based on statistical models such as Autoregressive Moving Average (ARMA), Autoregressive Integrated Moving Average (ARIMA), Autoregressive Conditional Heteroscedasticity (ARCH), and Generalized Autoregressive Conditional Heteroscedasticity (GARCH) models have been used as well [5, 6]. In [7], a framework for large-scale classification of contact details is proposed in various networks.

Anomaly detection using CDR data has already been extensively studied in various investigations, including in [8], where anomaly detection was performed using fuzzy logic on the duration of the calls in the CDR dataset. In [9, 10], the K-means clustering method was used on CDR for purposes such as identification of administrative areas, parks, and commercial areas. K-means clustering was also used in [11] to detect anomalies in the traffic data. The data included unlabeled records separated by the K-means algorithm into normal and abnormal traffic. In [2], K-means clustering and hierarchical clustering methods have been used to detect anomalies, as well as neural network techniques for prediction. The paper [12] analyzes the main categories of anomaly detection procedures, including classification, statistical methods, information theory, and clustering, that were used on a network intrusion detection dataset. In [13], CDR-based anomaly detection using a rule-based technique and user-contact activity has been analyzed. In this article, the abnormal behavior of the user's activity in a cellular network was detected using some CDR attributes such as LAC ID, cell ID, call date, and call time. Also, in [14], anomaly detection on mobile networks was investigated using billing information. In [15], time series anomaly detection methods have been studied based on statistical purposes, clustering, deviation, distances, and densities.

In [16], first, a graphic is provided for displaying a voice call. Then, using the Cypher query language, CDR data is imported to the Neo4j graph database to understand subscriber behavior and abnormal behaviors.

Poor accuracy and high False Positive Rates (FPR) lead to the loss of scarce resources, which eventually results in increased operational expenditure (OPEX) while interrupting the network's quality of service (QoS) and the user's quality of experience (QoE). High FPR implies that false alarms may squander a substantial amount of OPEX and network resources. In the following, we review the efforts made to improve accuracy and FPR. Parwez et al. [2] applied K-means and hierarchical clustering algorithms to indicate rising traffic (that may lead to congestion) in a cell by analyzing the past one week of data. They obtained 90% accuracy. Imran et al. achieved 94% accuracy for the detection of sleeping cells [17]. Hussain et al. [18] applied a semi-supervised machine learning algorithm to discover the anomalies in one-hour data using the CDR dataset that had information about the past several weeks' user interactions. Their proposed method can achieve an accuracy of about 92.79%; however, they also obtained 14.13% FPR.

The work in [19] is the first study that applies Deep Learning for the detection of anomalies. The authors carried out a comprehensive investigation of the L-layer deep feedforward neural network fueled by a real CDR dataset. They achieved 94.4% accuracy with a 1.7% FPR, which are remarkable improvements and overcome the limitations of the previous studies. Hussain et al. [20] proposed a framework that utilizes a feedforward Deep Neural Network to detect anomalies in a single cell of a cellular network. It pre-processes real CDR to extract a 5-feature vector corresponding to the user activities of a cell, which it accepts as an input. The output is a binary number, with zero indicating usual behavior and one indicating an anomaly. Their framework achieved 98.8% accuracy with 0.44% FPR. These results for accuracy and FPR are summarized in Table 1.

Literature             Accuracy   FPR
Parwez et al. [2]      90%        -
Imran et al. [17]      94%        -
Hussain et al. [18]    92.79%     14.13%
Hussain et al. [19]    94.4%      1.7%
Hussain et al. [20]    98.8%      0.44%
Table 1: Summarized results for accuracy and FPR

Our work introduces a new method for anomaly detection based on various methods of data forecasting. GARCH, Neural Network, K-means, and Logistic Regression techniques are used on mobile network data. This type of information is well studied in the literature in terms of anomaly detection. The novelty of this paper is in using the prediction algorithms in a hybridized way. Data is predicted using GARCH and Neural Network techniques and evaluated in the hybrid model. This model is examined from two perspectives. In the first mode, each record is identified as an anomaly if at least one of the methods detected it as an anomaly. In the second mode, a record must be recognized as an anomaly by all methods in order to be considered an anomaly. By applying the proposed methods, proper solutions can be reached for minimizing the FPR and maximizing accuracy. Our approach delivered an FPR of 0.01% for the first mode and 0.012% for the second mode, which is significantly lower than the reported rates. Also, we achieve an accuracy of 99.72% for the first mode and 99.68% for the second mode. Both modes show a significant improvement compared with the reported results in Table 1. Furthermore, we use logistic regression for causality inference.

In the following, we provide the technical background on different anomaly detection algorithms required to understand the rest of this paper.

2.1 Statistical Based Anomaly Detection

In this section, statistical methods such as ARIMA and GARCH are explained.

2.1.1 ARIMA Model

ARIMA is a generalization of the ARMA model. ARIMA models are used because they can reduce a non-stationary series to a stationary series through a sequence of differencing steps, and they are applied in cases where the data show evidence of non-stationarity. It is common to use ANOVA when the mean is stationary. ANOVA is a generalization of the t-test and is an adequate method for comparing means in a time series. We can use the Levene test or the Bartlett test to evaluate the stationarity of the variance. Non-stationary data can be converted to stationary data by repeated differencing, so that an ARMA model can be fitted to the transformed data. The ARMA(p,q) model for the transformed data is the same as the ARIMA(p,d,q) model for the original data with parameters p, d, and q, where p is the number of times differencing is applied, d is the degree of the autoregressive part, and q is the moving average. Other transformation techniques such as Box-Cox can be used when the data remain non-stationary after several rounds of differencing [6].

2.1.2 GARCH Model

When an ARMA model is assumed for the error variance, the result is the GARCH model, in which the conditional variance at any moment depends on the data and the conditional variances of previous moments. In the GARCH(p, q) model, parameter q is the number of delays of the error, and parameter p is the number of delayed series. The variance is defined as below [6]:

$$\sigma_t^2 = \alpha_0 + \sum_{i=1}^{q} \alpha_i \epsilon_{t-i}^2 + \sum_{j=1}^{p} \beta_j \sigma_{t-j}^2$$

where p is the order of the GARCH terms $\sigma^2$ and q is the order of the ARCH terms $\epsilon^2$; $\alpha_i$ and $\beta_j$ are the coefficients of the GARCH model. It can be proven that the stochastic process based on the GARCH model is wide-sense stationary when the following condition holds:

$$\sum_{i=1}^{q} \alpha_i + \sum_{j=1}^{p} \beta_j < 1$$
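
The variance recursion and the stationarity condition above, written out as an added Python example (not code from the paper). The coefficient values, the sample error series, the pre-sample initialization with the unconditional variance, and the k-sigma flagging step are assumptions made for illustration; the paper itself compares forecast errors against one experimentally chosen threshold.

```python
import math


def is_wide_sense_stationary(alpha, beta):
    """Condition from the text: sum(alpha_i) + sum(beta_j) < 1."""
    return sum(alpha) + sum(beta) < 1.0


def conditional_variance(eps, alpha0, alpha, beta):
    """Return sigma_t^2 for every t using the GARCH(p, q) recursion.

    alpha holds alpha_1..alpha_q (weights on past squared errors) and
    beta holds beta_1..beta_p (weights on past conditional variances).
    Values before the start of the sample are replaced by the unconditional
    variance alpha0 / (1 - sum(alpha) - sum(beta)); this is an assumption.
    """
    if alpha0 <= 0 or any(a < 0 for a in alpha) or any(b < 0 for b in beta):
        raise ValueError("need alpha0 > 0 and non-negative alpha_i, beta_j")
    if not is_wide_sense_stationary(alpha, beta):
        raise ValueError("sum(alpha) + sum(beta) must be < 1")
    uncond = alpha0 / (1.0 - sum(alpha) - sum(beta))
    sigma2 = []
    for t in range(len(eps)):
        arch = sum(a * (eps[t - i] ** 2 if t - i >= 0 else uncond)
                   for i, a in enumerate(alpha, start=1))
        garch = sum(b * (sigma2[t - j] if t - j >= 0 else uncond)
                    for j, b in enumerate(beta, start=1))
        sigma2.append(alpha0 + arch + garch)
    return sigma2


def flag_shocks(eps, sigma2, k=3.0):
    """Indices t where |eps_t| exceeds k conditional standard deviations."""
    return [t for t, (e, s2) in enumerate(zip(eps, sigma2))
            if abs(e) > k * math.sqrt(s2)]


if __name__ == "__main__":
    # Constructed forecast errors: quiet hours, then one large shock at t = 2.
    errors = [0.0, 0.0, 3.0, 0.0]
    sigma2 = conditional_variance(errors, alpha0=0.2, alpha=[0.3], beta=[0.5])
    print([round(v, 3) for v in sigma2])
    print(flag_shocks(errors, sigma2))
```

The shock at t = 2 is flagged against the low variance that preceded it, and the variance for t = 3 jumps because the recursion carries the squared error forward.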

2.2 Machine Learning Based Anomaly Detection

In this section, different machine learning methods, such as K-means clustering and neural networks, are introduced, which are used for anomaly prediction and detection.

2.2.1 K-means Clustering

K-means clustering is one of the most straightforward unsupervised clustering techniques used to solve clustering problems, especially when there are lots of data. The purpose of using the K-means clustering method is splitting observations into K clusters where every observation belongs to the cluster with the closest mean. It is supposed that the parameter K is deterministic. Various methods, such as the elbow method, can be used for calculating the parameter K [2].

2.2.2 Neural Network Based Anomaly Detection

Artificial neural networks are predictive methods based on simple mathematical models of the brain. A neural network can be considered as a network of neurons organized in several layers. The predictors (inputs) form the lower layer and the predictions (outputs) form the upper layer, while the middle layers contain hidden neurons. The simplest networks, which have no hidden layers, are equivalent to linear regression. With time series data, delayed values of the series can be employed as inputs for a neural network. Because the delayed values are used in the same way as in a linear autoregressive model, the model is called a neural network autoregressive (NNAR) model. NNAR(p,k) denotes a network with p delayed inputs and k nodes in the hidden layer [21].

2.3 Logistic Regression

Logistic regression is a causality inference method for categorical variables and is one type of the generalized linear model (GLM). Here, GLM can be fitted by choosing the features as the explanatory variables and the anomaly as the categorical response variable. Each GLM has the following characteristics:

  • A probability distribution describing the outcome variable.

  • A linear model $\eta = \beta_0 + \sum_{i=1}^{n} \beta_i X_i$.

  • A link function that relates the linear model to the parameter of the outcome distribution: $g(p) = \eta$, $p = g^{-1}(\eta)$.

Because the response variable follows a binomial distribution, the common link function that connects $\eta$ and $p$ is the following logit function:

$$\eta = \mathrm{logit}(p) = \log\left(\frac{p}{1-p}\right), \quad 0 \le p \le 1$$

Based on equation (2.3), the odds ratio of success to failure is Euler's number raised to the power of the coefficients of the fitted model.


3 Call Detail Record Analysis

The data are divided into two sets: training data and test data, in which of data are training data, and the rest are test data. All simulations in this paper are done with R and MINITAB software. Then, a suitable statistical model is chosen for the time series. In the next step, the predicted data and the detected anomalies are obtained using this statistical model and the techniques of K-means clustering and neural networks. In most anomaly detection methods, the forecasted values are compared with the test data, and the difference between these two series is calculated as an outlier score. Finally, anomalies are detected based on these outlier scores. We consider anomaly detection in two modes. In the first mode, where detection is conducted less guardedly, each record that is identified as an anomaly by at least one of the methods is considered an anomaly. In the second mode, which detects the anomalies more accurately, a record is considered an anomaly only if it is identified as an anomaly by all the detection methods.

3.1 Dataset

In this paper, to recognize the anomalous behavior of users, we study the CDR dataset from a particular mobile phone operator over a period of 3 months. The data used in this paper is the anonymized CDR from one of the largest mobile phone operators in Iran. These records were gathered from 21 December 2016 to 20 March 2017 in a commercial area of a large city. CDR data is utilized for understanding the activity pattern of the user and identifying abnormal behavior. The dataset had activity logs for every five-minute interval, separately for call-in and call-out. We summed up the activities to calculate the log details for one-hour time intervals.

3.2 Model Selection

First, we represented the data as a time series (see Fig. 1). It seems that the mean and the variance are not constant over time, so the Levene test and ANOVA are used to investigate the stationarity of these moments. Fig. 2 illustrates that the variance is not constant because the lines do not all overlap with each other. It can also be seen that the p-value is equal to zero, so the null hypothesis (equality of variance) is rejected. In Fig. 3, it is clear that the mean of the time series increases over time, so we conclude that the mean is not stationary. Due to this instability, data transformation is needed. The data are still not stationary after several applications of differencing, so the Box-Cox transformation is applied. The Levene test shows that the data remain unstable, so AR, MA, ARMA, and ARIMA models are not suitable for this data. In this situation, more advanced methods, such as the GARCH model, should be used. This method not only stabilizes the mean but also, because of its structure, automatically makes the variance stationary.

Figure 1: Time Series Data
Figure 2: Levene test for evaluating stationarity of variance
Figure 3: ANOVA test for evaluating stationarity of mean

3.3 GARCH Model

The GARCH model is fitted to the training data. The predicted time series and the test time series are then compared with each other, and their difference is used to identify anomaly points. Then, the threshold level is defined. An experimental method has been used to calculate the threshold. Plotting the error against the threshold, we saw a linear decrease in error as the threshold decreased, until we reached a point where a further reduction in the threshold led to an increase in error. We stopped at this point and took it as the threshold. We compared the difference between the predicted time series and the test time series with this threshold; if the difference is greater than the threshold level, the point is an anomaly. In Fig. 4, the black line is the threshold level, red points are the differences between the predicted and test time series, and blue triangular points above the threshold line are the anomalies.

Figure 4: Anomaly detection for GARCH model; Anomaly (triangle)
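
One way to carry out the threshold search described above, as an added Python example (not the authors' code). It assumes the error being plotted is the misclassification rate against labelled data; the residuals, labels, starting threshold and step size are constructed for illustration.

```python
def error_rate(residuals, labels, threshold):
    """Fraction of points whose flag (residual > threshold) disagrees with its label."""
    flags = [r > threshold for r in residuals]
    wrong = sum(1 for f, y in zip(flags, labels) if f != bool(y))
    return wrong / len(labels)


def select_threshold(residuals, labels, start, step):
    """Lower the threshold from `start` in `step` decrements and stop at the
    last value before the error starts to rise.

    Returns (threshold, error_at_threshold, sweep), where sweep is the list of
    (threshold, error) pairs visited, i.e. the data behind the error plot.
    """
    if step <= 0:
        raise ValueError("step must be positive")
    best_t, best_err = start, error_rate(residuals, labels, start)
    sweep = [(best_t, best_err)]
    t = start - step
    while t > 0:
        err = error_rate(residuals, labels, t)
        sweep.append((t, err))
        if err > best_err:
            # Error went up: the previous threshold is the one to keep.
            break
        best_t, best_err = t, err
        t -= step
    return best_t, best_err, sweep


# Constructed sample: |predicted - observed| for 12 hourly points, and
# ground-truth labels (1 = anomaly). Not data from the paper.
RESIDUALS = [4, 9, 14, 6, 3, 85, 22, 8, 81, 12, 5, 37]
LABELS = [0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1]

if __name__ == "__main__":
    threshold, err, sweep = select_threshold(RESIDUALS, LABELS, start=90, step=10)
    for t, e in sweep:
        print(f"threshold={t:3d}  error={e:.3f}")
    print("selected threshold:", threshold, "error:", err)
```

On this sample the error falls as the threshold drops to 30, then rises at 20 when a normal point with residual 22 starts being flagged, so the search stops and keeps 30.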

3.4 K-means Clustering

Parameter K is set to 2 because there are two sets, normal and anomalous. Fig. 5 shows the number of calls versus time; the anomalies identified by the K-means method are shown in blue, and normal data are shown in red.

Figure 5: Anomaly detection by the use of K-means; Anomaly (triangle) and normal data (circle)

3.5 Neural Network Autoregressive

Like the previous section, the data are divided into two parts: the training and test data. First, a neural network model is fitted to the training data. The fitted model is NNAR(29,15), which has fifteen neurons in the hidden layer and uses the last 29 observations as input data. In the next step, the neural network model uses the training data to predict. Then the predicted data are compared to the test data, and their differences are considered the anomaly. As in the previous section, a threshold level is first defined, and all points above the threshold level are anomalies, as shown in Fig. 6.

Figure 6: Anomaly points (triangle) and normal points (circle) in neural network model

3.6 Hybrid Model

The Hybrid model uses three methods: GARCH, K-means, and neural network. It can detect anomalies in two different ways. In the first, the detection of abnormality is done cautiously, and each record recognized as an anomaly by at least one method is considered an anomaly. In the second, a record is an anomaly only if all three methods detect it as an anomaly.

3.6.1 First Mode

In this mode, a record is anomalous if at least one of the three methods identified it as an anomaly. After detection and verification of anomalies, we can also determine the date and time at which such abnormalities occur. For example, Fig. 7 shows the anomalies at 17 o'clock from 2 February to 20 March. This figure demonstrates that at 17 o'clock, three anomaly points are found. These anomalies occurred on March 1, 6, and 7. This is because March is the last month in Iran's yearly calendar. Afterward, the New Year is celebrated, which might be a reason for encountering such anomalies in the number of calls in a commercial area where people go shopping. All the predicted values are higher than the real value, indicating that the reason for these anomalies was not the failure of the telecommunication systems but the larger number of people who attend the area, the possible reason for which was mentioned above.

Figure 7: Anomaly detection at 17 o’clock for the first mode

3.6.2 Second Mode

In this mode, every record that is detected as an anomaly by all three methods (K-means, GARCH, and neural network) is considered an anomaly. After using this method, we can identify anomaly points and recognize the date and time at which these anomalies occur. For example, Fig. 8 shows the anomalies at 15 o'clock. The anomalies happened at 15 o'clock on March 4, 7, 14, and 20. These anomalies happened because of the nearness of the Iranian New Year.

Figure 8: Anomaly detection at 15 o’clock for the second mode

3.7 Logistic Regression

Some features, such as the day, night or day time, and the number of calls, are chosen to find the causes of anomalies and which features are influential, so hypothesis testing is used. These features are selected based on domain expert knowledge and existing work on anomaly detection in telecommunication data usage. The null hypothesis is that the coefficient of each feature is zero. Likewise, the alternative hypothesis is that the coefficient of every feature is not zero. Features whose coefficients have very low p-values can affect the response variable.

By applying logistic regression to the number of calls in every hour, we conclude that two features, Friday (the weekend for Iranian people) and the number of calls, affect anomalies. The effect of the number of calls on anomalies is evident because the anomaly is defined based on this feature. For Friday, the coefficient was -2.397, which means the odds ratio of Friday to other days is equal to $e^{-2.397} \approx 0.091$, so most of the anomalies happened on days of the week other than Friday.

3.8 Error

Mode           Accuracy   FPR
First Mode     99.72%     0.01%
Second Mode    99.68%     0.012%
Table 2: Accuracy and FPR for Hybrid Model

Poor accuracy and high false positive rates (FPR) are two main limitations of the latest approaches for anomaly detection in cellular networks. By comparing the detected anomaly points with the data labels, the accuracy and the false positive rate are calculated. These results are shown in Table 2 for the first mode and the second mode. Compared with the earlier results in Table 1, they show the superiority of our hybrid model for anomaly detection in both the first mode and the second mode. Table 3 and Table 4 show the improvement in accuracy and FPR for the first mode and the second mode, respectively. These improvements are obtained by comparing our hybrid model with the results in Table 1.

Literature             Accuracy   FPR
Parwez et al. [2]      9.72%      -
Imran et al. [17]      5.72%      -
Hussain et al. [18]    6.93%      14.12%
Hussain et al. [19]    5.32%      1.69%
Hussain et al. [20]    0.92%      0.43%
Table 3: Improvement of first mode in accuracy and FPR

Literature             Accuracy   FPR
Parwez et al. [2]      9.68%      -
Imran et al. [17]      5.68%      -
Hussain et al. [18]    6.89%      14.118%
Hussain et al. [19]    5.28%      1.688%
Hussain et al. [20]    0.88%      0.428%
Table 4: Improvement of second mode in accuracy and FPR
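
The two combination modes of Section 3.6 and the accuracy/FPR calculation of Section 3.8, as an added Python example (not the authors' code, which was written in R and MINITAB). The call counts, labels, the two forecast series standing in for the GARCH and NNAR predictions, the threshold of 30, and the rule that the smaller K-means cluster is the anomalous one are all constructed assumptions.

```python
def residual_flags(predicted, observed, threshold):
    """Flag points where |forecast - observation| exceeds the threshold."""
    return [abs(p - o) > threshold for p, o in zip(predicted, observed)]


def kmeans_flags(values, max_iter=100):
    """1-D K-means with K=2; members of the smaller cluster are flagged."""
    centroids = [float(min(values)), float(max(values))]
    assignment = None
    for _ in range(max_iter):
        new = [0 if abs(v - centroids[0]) <= abs(v - centroids[1]) else 1
               for v in values]
        if new == assignment:          # converged
            break
        assignment = new
        for k in (0, 1):
            members = [v for v, a in zip(values, assignment) if a == k]
            if members:
                centroids[k] = sum(members) / len(members)
    minority = 0 if assignment.count(0) < assignment.count(1) else 1
    return [a == minority for a in assignment]


def hybrid(votes, mode):
    """Mode 1: anomaly if any detector flags it. Mode 2: only if all do."""
    if mode not in (1, 2):
        raise ValueError("mode must be 1 or 2")
    combine = any if mode == 1 else all
    return [combine(v) for v in zip(*votes)]


def accuracy_and_fpr(flags, labels):
    """Accuracy = (TP + TN) / N and FPR = FP / (FP + TN) against the labels."""
    tp = sum(1 for f, y in zip(flags, labels) if f and y)
    tn = sum(1 for f, y in zip(flags, labels) if not f and not y)
    fp = sum(1 for f, y in zip(flags, labels) if f and not y)
    accuracy = (tp + tn) / len(labels)
    fpr = fp / (fp + tn) if (fp + tn) else 0.0
    return accuracy, fpr


# Constructed sample: call counts at one fixed hour on 12 consecutive days,
# with ground-truth labels (1 = anomaly). Not data from the paper.
OBSERVED = [120, 118, 125, 122, 119, 210, 121, 117, 205, 123, 120, 160]
LABELS = [0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1]
# Constructed forecasts standing in for the GARCH and NNAR predictions.
GARCH_LIKE = [121, 120, 122, 121, 120, 125, 155, 119, 124, 122, 121, 123]
NNAR_LIKE = [119, 119, 124, 123, 118, 130, 122, 118, 128, 124, 119, 140]
THRESHOLD = 30  # assumed to have been chosen beforehand


def run_demo():
    votes = [
        residual_flags(GARCH_LIKE, OBSERVED, THRESHOLD),
        residual_flags(NNAR_LIKE, OBSERVED, THRESHOLD),
        kmeans_flags(OBSERVED),
    ]
    results = {}
    for mode in (1, 2):
        flags = hybrid(votes, mode)
        flagged_days = [i for i, f in enumerate(flags) if f]
        results[mode] = (flagged_days,) + accuracy_and_fpr(flags, LABELS)
    return results


if __name__ == "__main__":
    for mode, (days, acc, fpr) in run_demo().items():
        print(f"mode {mode}: flagged={days} accuracy={acc:.3f} FPR={fpr:.3f}")
```

On this sample the first mode catches all three labelled anomalies but raises one false alarm from a single bad forecast, while the second mode raises no false alarm but misses the anomaly that only one detector saw.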

4 Conclusion

In this paper, we used CDR data (i.e., the hourly number of calls as a time series) to identify anomalous behavior patterns in subscribers' usage. Three methods (i.e., GARCH, K-means, and Neural Networks) have been adapted to build a prediction method. This type of information is well studied in the literature in terms of anomaly detection, and the innovation of this paper is in using the prediction algorithm in a combination of these three methods. The decision is made based on the conclusions of the three predictors: the algorithms have been used as a voting classifier to make the final decision on whether there is anomalous usage or not. We called the new method the Hybrid model and investigated it in the first and second modes. We concluded that this method helps us to achieve high accuracy rates and low FPR, so by identifying unusual events, proper action such as resource distribution, sending small drone cells, etc. can be taken in advance and on time. As a result of such actions, the users' requirements will be fulfilled, users will have the best QoS, and network congestion will be avoided. Besides, by using logistic regression, we determined which features have a more significant role in the occurrence of anomalies in this type of data. The restriction in conducting this study was the limited set of data. For future work, we can predict and detect anomalies with different methods such as bootstrapping, vector autoregressions, and complex seasonality.


  • [1] V. Chandola, A. Banerjee and V. Kumar. Anomaly Detection: A Survey. ACM Computing Surveys, 2009, 41(3): 1-72.
  • [2] M. S. Parwez, D. B. Rawat and M. Garuba. Big Data Analytics for User-Activity Analysis and User-Anomaly Detection in Mobile Wireless Network. IEEE Transactions on Industrial Informatics, 2017, 13(4): 2058-2065.
  • [3] D. C. Montgomery, C. L. Jennings and M. Kulahci. Introduction to Time Series Analysis and Forecasting. New Jersey:Wiley, 2008.
  • [4] K. Sultan, H. Ali, Z. Zhang. Call Detail Record Driven Anomaly Detection and Traffic Prediction in Mobile Cellular Networks. IEEE Access, 2018, (6): 41728-41737.
  • [5] A. Yaacob, I. Tan, S. Chien and H. Tan. ARIMA Based Network Anomaly Detection. In Second International Conference on Communication Software and Network, Mar 2010, pp.205-209.
  • [6] T. Andrysiak, L. Saganowski, M. Maszewski and A. Marchewka. Detection of Network Attacks Using Hybrid ARIMA-GARCH Model. In Proceedings of the Twelfth International Conference on Dependability and Complex Systems DepCoS-RELCOMEX, Jul 2018, pp.1-12.
  • [7] D. Naboulsi, R. Stanica and M. Fiore. Classifying Call Profiles in Large-Scale Mobile Traffic Datasets. In Proceeding of the IEEE Conference on Computer Communications, May 2014, pp.1806-1814.
  • [8] Nithi and L. Dey. Anomaly Detection from Call Data Records. In Proceeding of International Conference on Pattern Recognition and Machine Intelligence, Dec 2009, pp.237-242.
  • [9] V. Soto and E. F. Martinez. Automated Land Use Identification Using Cell-Phone Records. In Proceedings of the 3rd ACM International Workshop on MobiArch, Jun 2011, pp.17-22.
  • [10] M. Amer. Comparison of Unsupervised Anomaly Detection Techniques [B.Sc Thesis]. Multimedia Analysis and Data Mining Competence Center German Research Center for Artificial Intelligence, 2011.
  • [11] M. F. Lima, B. B. Zarpelao, L. H. Sampaio, J. JPC. Rodregues, T. Abrao and M. L. Proenca. Anomaly Detection Using Baseline and K-means Clustering. In International Conference on Software Telecommunications and Computer Networks., Sep 2010, pp.305-309.
  • [12] M. Ahmed, A. N. Mahmood and J. Hu. A Survey of Network Anomaly Detection Techniques. Journal of Network and Computer Applications, 2015, 60 :19-31.
  • [13] I. A. Karatepe and E. Zeydan. Anomaly Detection in Cellular Network Data Using Big Data Analytics. In 20th European Wireless Conference., May 2014.
  • [14] S. Papadopoulous, A. Drosou and D. Tzovaras. A Novel Graph-Based Descriptor for the Detection of Billing Related Anomalies in Cellular Mobile Networks. IEEE Transactions on Mobile Computing, 2016, 15(11): 2655-2668.
  • [15] H. S. Wu. A Survey of Research on Anomaly Detection for Time Series. In International Computer Conference on Wavelet Active Media Technology and Information Processing, Dec 2016.
  • [16] E. Geepalla, N. Abuhamoud and A. Abouda. Analysis of Call Detail Records for Understanding Users Behavior and Anomaly Detection Using Neo4j. 5th International Symposium on Data Mining Applications, March 2018, pp.74:83.
  • [17] A. Imran, A. Zoha, and A. Abu-Dayya, "Challenges in 5G: how to empower SON with big data for enabling 5G," IEEE Netw., vol. 28, no. 6, pp. 27-33, Nov.-Dec. 2014
  • [18] Hussain, Bilal, Qinghe Du, and Pinyi Ren. "Semi-supervised learning based big data-driven anomaly detection in mobile wireless networks." China Communications 15.4 (2018): 41-57.
  • [19] Hussain, Bilal, Qinghe Du, and Pinyi Ren. "Deep learning-based big data-assisted anomaly detection in cellular networks." 2018 IEEE Global Communications Conference (GLOBECOM). IEEE, 2018.
  • [20] Hussain, Bilal, et al. "Mobile Edge Computing-Based Data-Driven Deep Learning Framework for Anomaly Detection." IEEE Access 7 (2019): 137656-137667.
  • [21] R. J. Hyndman, Athanasopoulos G. Forecasting Principle and Practice. OTexts, 2018.
  • [22] D. M. Diez, C. D. Barr and M. C. Rundel. OpenIntro Statistics. CreateSpace, 2015.