1 Introduction
Today, a great deal of data is being produced by people and their interactions. In cellular networks, many continuously changing network parameters and measurements are obtained from subscribers. Mobile operators use these measurements as well as other information to improve the performance of their network. Call Detail Records (CDR) is one of these measurements that is widely employed to discover the behavioral patterns of subscribers in a network [1].
In the telecommunication network, the anomalies are those behaviors of the user in the network that are different or unusual from their usual or expected actions. Anomaly detection methods based on data mining techniques, such as statistical inference and machine learning, are extensively utilized in many industries and services such as financial systems, health insurance and healthcare, and cyberdefense
[1].Anomaly detection has many applications in mobile networks, such as security incident detection, resource allocation, and load balancing [2]. Additionally, anomaly detection of CDR data can play an essential role in improving municipal services, such as public transportation planning and traffic management. Many of the anomaly detection methods are based on forecasting techniques [3]
. Forecasting problems are often classified into three categories: shortterm, mediumterm, and longterm
[3]. Short and mediumterm forecasting problems are usually based on identification, modeling, and extrapolation of patterns found in previous data. Due to the lack of significant changes in these earlier data, statistical methods are useful for shortterm and midterm forecasting.1.1 Contribution
In this paper, we utilized the CDR dataset from a real mobile cellular network, an example of shorttime forecasting, which includes the prediction of future events in short periods of time, such as day, week, and month. Timespace information in these CDR helps us analyze aggregated subscriber’s behavior in a specific area on a particular date and time. Anomalies in the performance of a network can take place due to many reasons, such as sleeping cells, hardware failures, the surge in traffic, network attacks, and special occasions like national celebrations. In this paper, we propose a new method for anomaly detection in the time series of subscribers usage (measured by the number of calls) in a cellular network. Our approach is based on a combination of wellknown methods such as GARCH, Kmeans, and Neural Networks, and outperforms all of them. We call this model a Hybrid model.
Our contributions towards anomaly detection in telecommunication domain are as follows:

We try to detect the unusual behavior of the users using a hybrid model that utilizes the benefits of three methods: GARCH, Kmeans, and Neural Networks.

We use logistic regression for causality inference.

We compare the results of the hybrid model with the previous works.
1.2 Paper Organization
The remainder of the paper is organized as follows. Section II describes the related work. Anomalies detection algorithms are discussed in Section III. In Section IV, the dataset is represented. In Section V, various methods used for anomaly detection and the errors of each way are discussed and compared with the previous works. Finally, section VI concludes the paper.
2 Related Work
Anomaly detection methods based on machine learning and neural networks have been used in many research [1, 2, 3, 4]
. Besides, methods based on statistical models such as Autoregressive Moving Average(ARMA), Autoregressive Integrated Moving Average(ARIMA), Autoregressive Conditional Heteroscedasticity(ARCH) and, Generalized Autoregressive Conditional Heteroscedasticity(GARCH) models have been used as well
[5, 6]. In [7], a framework for largescale classification of contact details is proposed in various networks.Anomaly detection using CDR data has already been extensively studied in various investigations, including in [8], where anomaly detection was performed using fuzzy logic on the duration of the calls in the CDR dataset. In [9, 10], the means clustering method was used for CDR for purposes such as identification of administrative areas, parks, and commercial areas. means clustering was also used in [11] to detect anomalies in the traffic data. The data included unlabeled records separated by the means algorithm into normal and abnormal traffic. In [2],
means clustering and hierarchical clustering methods have been used to detect anomalies as well as neural network techniques for prediction. The paper
[12] analyzes the main categories of abnormalities diagnostic procedures, including classification, statistical methods, information theory, and clustering that were used for network intrusion detection dataset. In [13], CDRbased anomaly detection using a rulebased technique and usercontact activity has been analyzed. In this article, the abnormal behavior of the user’s activity in a cellular network was detected using some CDR attributes such as LAC ID, cell ID, call date, and call time. Also, in [14], anomalies detection on mobile networks was investigated using billing information. In [15], the time series anomaly detection methods have been studied based on statistical purposes, clustering, deviation, distances, and densities.In [16], first, a graphic is provided for displaying a voice call. Then using the cipher query language, CDR data is imported to the Neo4j graph database to understand subscriber behavior and abnormal behaviors.
Incapable accuracy and High False Positive Rates (FPR) alludes to the loss of rare resources, which eventually results in increased operational expenditure (OPEX) while interrupting the network’s quality of service (QoS) and user’s quality of experience (QoE). High FPR implies that false alarms may squander a substantial amount of OPEX and network resources. In the following, we want to allusion the efforts made to improve accuracy and FPR.
Parwez et al. [2] imposed means and hierarchical clustering algorithms to indicate rising traffic (that may lead to congestion) in a cell by analyzing past oneweek data. They obtained accuracy.
Imran et al. achieved accuracy for the detection of sleeping cells [17].
Hussain et al. [18] applied a semisupervised machine learning algorithm to discover the anomalies in onehour data using the CDR dataset that had information about the past several weeks’ user interactions. Their proposed method can achieve an accuracy of about ; however, they also obtained FPR.
[19]
is the first study that applies Deep Learning for the detection of anomalies. The authors utilized a comprehensive investigation of the
Llayer deep feedforward neural network fueled by a real CDR dataset. They achieved accuracy with a FPR, which are remarkable improvements and overcome the limitations of the previous studies. Hussain et al. [20]proposed a framework that utilizes feedforward Deep Neural Network to detect anomalies in a single cell of a cellular network. It preprocesses real CDR to extract a 5 feature vector corresponding to user activities of a cell, that it accepts as an input. The output is a binary number indicating zero as usual and one as an anomaly. Their framework achieved
accuracy with FPR. These results for accuracy and FPR are summarized in table 1.Literature  Accuracy  FPR 

Parwez et al.[2]  90%  — 
Imran et al.[17]  94%  — 
Hussian et al.[18]  92.79%  14.13% 
Hussian et al.[19]  94.4%  1.7% 
Hussian et al.[20]  98.8%  0.44% 
Our work introduces a new method for anomaly detection based on various methods of data forecasting. GARCH, Neural Network, Kmeans, and Logistic Regression techniques are used on mobile network data. This type of information is well studied in the literature in terms of anomaly detection. The novelty of this paper is in using the prediction algorithm in a hybridized way. Data is predicted using GARCH and Neural Network techniques and evaluated in the hybrid model. This model is examined from two perspectives. In the first mode, each record will be identified as an anomaly if at least one of the methods detected it as an anomaly. In the second mode, a record must be recognized as an anomaly in all ways in order to be considered as an anomaly. By applying the proposed methods, proper solutions can be reached for minimizing the FPR and maximizing accuracy. Our approach delivered an FPR of for the first mode and for the second mode, which is significantly lower than the reported rates. Also, we achieve an accuracy of for the first mode and for the second mode. Both method have a significant improvement as compared with the reported results in table 1. Furthermore, we use logistic regression for causality inference.
In the following, we provide the technical background on different anomaly detection algorithms required to understand the rest of this paper.
2.1 Statistical Based Anomaly Detection
In this section, statistical methods such as ARIMA and GARCH are explained.
2.1.1 ARIMA Model
ARIMA is a generalization of the ARMA model. ARIMA models are used because they can reduce a nonstationary series to a stationary series utilizing a sequence of differencing steps. ARIMA models are applied in some cases where the data show evidence of nonstationarity. It is common to use ANOVA when the mean is stationary. The ANOVA is the generalized model of the ttest and is an adequate method for comparison of mean in the time series. We can utilize the Leven test or Bartlett test for evaluating stationary of variance. The nonstationary data can be converted to the stable data by the several uses of the differentiation technique, so it is possible to assess an ARMA model for the transformation data. The ARMA (p,q) model for the transformation data is the same ARIMA (p,d,q) model for the primary data with parameters
p , d , and q where p is the repetition number of utilizing the technique of differentiation, d is the degree of autoregressive and q is moving average. It can be used in other transformation techniques such as BoxCox when the data remains nonstationary after several uses of differentiation [6].2.1.2 GARCH Model
When the ARMA model is used for error variance, it will be the GARCH model that conditional difference at any moment depends on data and conditional variances of previous moments. In GRACH (p, q) model, parameter
q is the number of delays of error, and parameter p is the number of delayed series. The variance is defined as below [6]: σ_t^2=α_0+∑_i=1^qα_iϵ_ti^2+∑_j=1^pβ_jσ_tj^2 Where p is the order of the GARCH terms and q is the order of GARCH terms . and are coefficient for the GARCH model. It can be proven that the stochastic process based on the GARCH model is broad sense stationary when the below equation is established: ∑_i=1^qα_i+∑_j=1^pβ_j < 12.2 Machine Learning Based Anomaly Detection
In this section, different methods of machine learning, such as means, clustering, and neural network are introduced, which are used for anomaly prediction and detection.
2.2.1 means Clustering
means clustering is one of the most straightforward, unsupervised clustering techniques used to solve clustering problems, especially when there are lots of data. The purpose of using the means clustering method is splitting observations into clusters where every observation belongs to the cluster with the closest mean. It is supposed that the parameter is deterministic. Various methods, such as the elbow method, can be used for calculating parameter [2].
2.2.2 Neural Network Based Anomaly Detection
Artificial neural networks are predictive methods functioning based on modest mathematical models of the brain. Neural networks can be considered as a network of neurons that consists of several layers. The predictor consists of the lower layer (inputs) and predictions (outputs) of the upper layers. Also, the middle layers include hidden neurons. The simplest networks, which are linear regression, are without hidden layers. With time series data, delayed time series can be employed as inputs for a neural network. Given that the delayed values are used in the linear autoregressive model, they are called neural network autoregressive (NNAR). The NNAR(p,k) represents the latency of
p input and the k nodes in the hidden layer [21].2.3 Logistic Regression
Logistic regression is a causality inference method for categorical variables and is one type of the generalized linear model (GLM). Here, GLM can be fitted by choosing the features as the explanatory variables and the anomaly as the categorical response variable. Each GLM has the following characteristics:

probability distribution describing the outcome variable.

A linear model η=β_0+∑_i=1^n β_iX_i.

A link function that relates the linear model to the parameter of the outcome distribution: g(p)=η, p=g^1(η).
Because of response variable is binomial distribution, the common link function that connects
tois the following logit function:
η=logit(p)=log(p1p) 0≤p ≤1 Based on equation (2.3), odd ratio of success to failure will be Euler’s number to the power of coefficients of fitted model
[22].3 Call Detail Record Analysis
The data are divided into two sets: training data and test data, in which of data are training data, and the rest
are test data. All simulations of this paper are done with R and MINITAB software. Then, a suitable statistical model is chosen for the time series. In the next step, the predicted data and the detected anomaly can be acquired using this statistical model and techniques of Kmeans clustering and neural network. In most anomaly detection methods, the forecasted values are compared with the test data, and the difference between these two series is calculated as an outlier score. Finally, anomalies are detected based on these outlier scores. We consider the anomaly detection for two modes. First, less cautiously manner, where the anomaly detection is being conducted less guardedly, each record that is identified as an anomaly by at least one of the methods would be considered as an anomaly. In the second mode, which detects the anomalies more accurately, a record is considered anomaly only if it is identified as an anomaly by all the detection methods.
3.1 Dataset
In this paper, to recognize the anomaly behavior of users, we study the CDR dataset from a particular mobile phone operator over a period of 3 months. The data used in this paper is the anonymized CDR from one of the largest mobile phone operators in Iran. These records are gathered from 21 December 2016 to 20 March 2017 in a commercial area of a large city. CDR data is utilized for understanding the activity pattern of the user and identify the abnormal behavior. The dataset had the activity logs for every five minutes interval separately for callin and callout. We summed up the activities to calculate the log details for one hour time interval
3.2 Model Selection
First, we represented data as a time series (see Fig. 1). It seems that the mean and the variance are not constant over time, so the Leven test and ANOVA are used for investigating the stationary of these moments. Fig. 2
illustrates that the variance is not constant because all lines don’t overlap with each other. It also can be seen that the pvalue is equal to zero, so the Null hypothesis (equality of variance) is rejected. In Fig.
3, it is clear that the mean of the time series is increased over time, so we conclude that the mean is not stationary. Due to this instability, data transformation is needed. The data are not still fixed after several uses of the differentiation technique, so BoxCox transformation is applied. It is seen that the data remains unstable when the Leven test is done, so AR, MA, ARMA, and ARIMA models are not suitable for this data. In this situation, more advanced methods, such as the GARCH model, should be used. This method not only stable the mean but also because of its structure automatically make the variance stationary.3.3 GARCH Model
The GARCH model is utilized for the training data. In this situation, predicted time series and test time series are compared with each other, and their difference is considered as anomaly point. Then, the threshold level is defined. An experimental method has been used to calculate the threshold. Drawing an error plot in the threshold, we saw a linear decrease in error by decreasing threshold until we reached a point where the reduction in threshold led to an increase in error. We stopped at this point and considered it as a threshold. We compared the difference between the predicted time series and test time series with this threshold; if this difference is more than the threshold level, it will be an anomaly. In Fig. 4, the black line is threshold level, red points are differences between predicted and test time series, and blue triangular points above the threshold level line are the anomaly.
3.4 means Clustering
Parameter is defined equal to 2 because there are both sets of normal and anomaly. Fig. 5 shows the number of calls versus the time that anomalies are shown with blue color, which is acquired by means method, likewise red color data are normal.
3.5 Neural Network Autoregressive
Like the previous section, the data are divided into two parts: the training and test data. First, a neural network model is fitted to the training data. The fitted model is NNAR (29,15) which have fifteen neurons in hidden layer and 29 last observations are used as internal data. In the next step, the neural network model uses training data to predict. Then the predicted data are compared to the test data, and their differences are considered the anomaly. According to the previous section, the first threshold level is defined, and all points above the threshold level are the anomaly, as shown in Fig. 6
3.6 Hybrid Model
The Hybrid model uses three methods: GARCH, Kmeans, and neural network. This method can detect anomaly in two different ways. Firstly, the detection of abnormality is done cautiously, and each record, which is recognized as an anomaly by at least one method, is considered an anomaly. Still, in the second type, a record can be an anomaly if all three methods detect it as an anomaly.
3.6.1 First Mode
In this method, a record is anomalous if at least one of the three methods identified it as an anomaly. After detection and verification of anomalies, we can also determine the datetime where such abnormalities occur. for example, in Fig. 7 anomalies at 17 o’clock on 2 February to 20 March are shown. This figure demonstrates that at 17 o’clock, three anomaly points are known. These anomalies occurred on March 1, 6, and 7. This is because March is the last month in Iran’s yearly calendar. Afterward, the New Year is celebrated, which might be a reason for encountering such anomalies in the number of calls in a commercial area where people go for shopping. All the predicted values are higher than the real value, indicating that the reason for these anomalies was not the failure of the telecommunication systems, but the more significant number of people who attend the area, the possible reason for which was mentioned above.
3.6.2 Second Mode
In this method, every record which is detected as anomaly with all three methods (Kmeans, GARCH, and neural network) is considered an anomaly. After using this method, we can identify anomalies points and recognize the datetime in which these anomalies occur. For example, in Fig. 8 anomalies at 15 o’clock are shown. the anomalies happened at 15 o’clock on March 4, 7, 14, and 20. These anomalies are happened because of nearness to the Iranian New Year.
3.7 Logistic Regression
Some features such as days, night, or day time, and the number of calls are chosen for finding the causes of anomalies and what features are effective, so hypothesis testing is exploited. These features are selected based on domain expert knowledge and existing work on anomaly detection in telecommunication data usage. The null hypothesis is that the coefficient of each element is zero. Likewise, the alternative hypothesis is that the coefficient of every feature is not zero. The coefficients in which pvalues are very low can be effective in the response variable.
By applying logistic regression on the number of calls in every hour, we conclude that two features of Friday (weekend of Iranian people) and number of calls are effective in anomalies. The effectiveness of the number of calls in anomaly is evident because the anomaly is defined based on this feature. On Friday, the coefficient was 2.397 that means odd ratio on Friday to other days is equal to , so most of the anomalies have happened on the days of the week except Friday.
3.8 Error
Literature  Accuracy  FPR 

Fist Mode  99.72%  0.01% 
Second Mode  99.68%  0.012% 
Inept accuracy and high false rates (FPR) are two main limitations of the latest approaches for anomaly detection in cellular networks. By comparing acquired anomaly points with data labels, the accuracy and ratio of false positive are calculated. These results are shown in table 2 for the first mode and the second mode. The preliminary results in table 1 clarify the facility and superiority of our hybrid model for anomaly detection in terms of the first mode and the second mode. table 3 and table 4 show the improvement in accuracy and FPR for the first mode and the second mode, respectively. These results are obtained due to compare our hybrid model with the results in table 1.
4 Conclusion
In this paper, we operated some CDR data (i.e., the hourly number of calls in the time series) to identify anomaly behavior patterns in subscribers’ usage. Three methods (i.e., GARCH, means, and Neural Networks) have been adapted to suggest a prediction method. This type of information is well studied in the literature in terms of anomaly detection, and the innovation of this paper is in using the prediction algorithm in a combination of these three methods. The decision is made based on the conclusion of the three used predictors. Solely, the algorithms have been used as a voting classifier to make the final decision if there is an anomaly usage or not. We called the new method as Hybrid model and investigated it in the first and second mode. We concluded that this method helps us to achieve high accuracy rates and low FPR. so by identification of unusual events, proper action such as resource distribution, sending small drone cells, etc. can be taken in advance and on time. Hence because of such actions, the users’ requirements will be fulfilled and will have the best QoS as well as network congestion will be avoided. Besides, by using logistic regression, we determined which features have a more significant role in the occurrence of the anomalies in this type of data. The restrictions in conducting this study were the limited set of data. For future work, we can predict and detect anomalies with diﬀerent methods such as bootstrapping, vector autoregressions, and complex seasonality.
References
 [1] V. Chandola, A. Banerjee and V. Kumar. Anomaly Detection: A Survey. ACM Computing Surveys, 2009, 41(3): 172.
 [2] M. S. Parwez, D. B. Rawat and M. Garuba. Big Data Analytics for UserActivity Analysis and UserAnomaly Detection in Mobile Wireless Network. IEEE Transactions on Industrial Informatics, 2017, 13(4): 20582065.
 [3] D. C. Montgomery, C. L. Jennings and M. Kulahci. Introduction to Time Series Analysis and Forecasting. New Jersey:Wiley, 2008.
 [4] K. Sultan, H. Ali, Z. Zhang. Call Detail Record Driven Anomaly Detection and Traffic Prediction in Mobile Cellular Networks. IEEE Access, 2018, (6): 4172841737.
 [5] A. Yaacob, I. Tan, S. Chien and H. Tan. ARIMA Based Network Anomaly Detection. In Second International Conference on Communication Software and Network, Mar 2010, pp.205209.
 [6] T. Andrysiak, L. Saganowski, M. Maszewski and A. Marchewka. Detection of Network Attacks Using Hybrid ARIMAGARCH Model. In Proceedings of the Twelfth International Conference on Dependability and Complex Systems DepCoSRELCOMEX, Jul 2018, pp.112.
 [7] D. Naboulsi, R. Stanica and M. Fiore. Classifying Call Profiles in LargeScale Mobile Traffic Datasets. In Proceeding of the IEEE Conference on Computer Communications, May 2014, pp.18061814.

[8]
Nithi and L. Dey. Anomaly Detection from Call Data Records. In
Proceeding of International Conference on Pattern Recognition and Machine Intelligence.
, Dec 2009, pp.237242.  [9] V. Soto and E. F. Martinez. Automated Land Use Identification Using CellPhone Records. In Proceedings of the 3rd ACM International Workshop on MobiArch, Jun 2011, pp.1722.

[10]
M. Amer. Comparison of Unsupervised Anomaly Detection Techniques [B.Sc Thesis]. Multimedia Analysis and Data Mining Competence Center German Research Center for Artificial Intelligence, 2011.
 [11] M. F. Lima, B. B. Zarpelao, L. H. Sampaio, J. JPC. Rodregues, T. Abrao and M. L. Proenca. Anomaly Detection Using Baseline and Kmeans Clustering. In International Conference on Software Telecommunications and Computer Networks., Sep 2010, pp.305309.
 [12] M. Ahmed, A. N. Mahmood and J. Hu. A Survey of Network Anomaly Detection Techniques. Journal of Network and Computer Applications, 2015, 60 :1931.
 [13] I. A. Karatepe and E. Zeydan. Anomaly Detection in Cellular Network Data Using Big Data Analytics. In 20th European Wireless Conference., May 2014.
 [14] S. Papadopoulous, A. Drosou and D. Tzovaras. A Novel GraphBased Descriptor for the Detection of Billing Related Anomalies in Cellular Mobile Networks. IEEE Transactions on Mobile Computing, 2016, 15(11): 26552668.
 [15] H. S. Wu. A Survey of Research on Anomaly Detection for Time Series. In International Computer Conference on Wavelet Active Media Technology and Information Processing, Dec 2016.
 [16] E. Geepalla, N. Abuhamoud and A. Abouda. Analysis of Call Detail Records for Understanding Users Behavior and Anomaly Detection Using Neo4j. 5th International Symposium on Data Mining Applications, March 2018, pp.74:83.
 [17] A. Imran, A. Zoha, and A. AbuDayya, "Challenges in 5G: how to empower SON with big data for enabling 5G," IEEE Netw., vol. 28, no. 6, pp. 2733, Nov.Dec. 2014

[18]
Hussain, Bilal, Qinghe Du, and Pinyi Ren. "Semisupervised learning based big datadriven anomaly detection in mobile wireless networks." China Communications 15.4 (2018): 4157.
 [19] Hussain, Bilal, Qinghe Du, and Pinyi Ren. "Deep learningbased big dataassisted anomaly detection in cellular networks." 2018 IEEE Global Communications Conference (GLOBECOM). IEEE, 2018.
 [20] Hussain, Bilal, et al. "Mobile Edge ComputingBased DataDriven Deep Learning Framework for Anomaly Detection." IEEE Access 7 (2019): 137656137667.
 [21] R. J. Hyndman, Athanasopoulos G. Forecasting Principle and Practice. OTexts, 2018.
 [22] D. M. Diez, C. D. Barr and M. C. Rundel. OpenIntro Statistics. CreateSpace, 2015.
Comments
There are no comments yet.