| Internet-Draft | KG for traffic Monitoring and Analysis | July 2025 |
| Pang, et al. | Expires 8 January 2026 | [Page] |
- Workgroup:
- idr
- Internet-Draft:
- draft-pang-nmop-kg-for-traffic-monitoring-analysis-00
- Published:
- Intended Status:
- Standards Track
- Expires:
Knowledge Graph for Network Traffic Monitoring and Analysis
Abstract
This document extends the knowledge graph framework to the field of traffic monitoring, demonstrating how knowledge graphs can address long-standing traffic management challenges through semantic integration and automated reasoning.¶
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 January 2026.¶
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
1. Introduction
Network traffic monitoring and analysis are crucial for ensuring service quality, detecting anomalies, and optimizing network performance. However, modern networks face increasingly severe challenges in managing traffic data from different sources, each with its own formats and schemas. These challenges align with broader operational issues identified in [I-D.mackey-nmop-kg-for-netops], such as data silos, loss of context, and complex correlation requirements.
The knowledge graph framework for network operations [I-D.mackey-nmop-kg-for-netops], based on semantic web technologies, provides a structured approach to integrating, correlating, and reasoning over heterogeneous data. This document extends the knowledge graph framework to the traffic monitoring domain, showing how knowledge graphs can solve long-standing traffic management challenges through semantic integration and automated reasoning.¶
2. Problem Statement
There are pain points in traffic monitoring and analysis, such as complex cross-domain correlations and inefficient root-cause analysis. Therefore, the traffic monitoring system can serve as an input source for the knowledge engine to build a semantic network digital twin, mapping the physical network into a virtual knowledge graph and enabling closed-loop decision-making based on the inference engine.¶
3. Formal Ontology Design
3.1. Core Classes and Relationships
+-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | Class | Definition | Key Subclasses | Critical Relationships | +===================+================================================+================================================+================================================+ | MonitoringObject | Entities observed in traffic monitoring | NetworkElement (routers, switches), | * isMonitoredBy (to DataSource), | | | (network components, terminals, apps). | Terminal (phones, ONTs), Application | * hasMetric (to MonitoringMetric) | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | DataSource | Systems/tools collecting traffic data. | NetflowCollector, Probe, | * providesDataTo (to AnalysisScenario), | | | | ISPNetworkManager(interface designed by YANG | * collectsFrom (to MonitoringObject) | | | | models) | | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | MonitoringMetric | Quantifiable indicators of traffic | NetworkElementReadiness, ApplicationReadiness, | * measures (to MonitoringObject/to | | | characteristics. | NetworkReadiness, CloudReadiness, | AnalysisScenario), * hasThreshold (to | | | | ActiveConnections, IPv6Traffic | numerical value) | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | AnalysisDimension | Perspectives for traffic analysis. | NetworkSideAnalysis(NetworkTrafficAnalysis, | * isUsedIn (to AnalysisScenario), | | | | InterNetworkAnalysis), UserSideAnalysis, | * includesMetric (to MonitoringMetric) | | | | ApplicationSideAnalysis, TrafficQualityAnalysis| | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | AnalysisScenario | Business-specific analysis scenarios. | HomeBroadbandAnalysis, MobileNetworkAnalysis, | * coversObject (to MonitoringObject), | | | | IPBearer NetwokAnalysis, ApplicationAnalysis | * usesDimension (to AnalysisDimension) | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | Policy | Automated rules triggered by metrics or | TrafficLimitingPolicy, TerminalUpgradePolicy | * isTriggeredBy (to MonitoringMetric), | | | scenarios. | QualityOptimizationPolicy | * appliesTo (to MonitoringObject) | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+¶
The MonitoringMetric refers to the indicator system in [I-D.pang-v6ops-ipv6-monitoring-deployment].
TBD.¶
4. Knowledge Graph Construction Pipeline
Following the ETL-based approach in [I-D.marcas-nmop-kg-construct], the pipeline for traffic monitoring KG includes three stages:¶
4.1. Ingestion
Extract home broadband data from the ISP network management system, including:
* Terminal data: Home router model, IPv6 support status (NetworkElementReadiness).
* Traffic data: Daily IPv6 traffic ratio (IPv6TrafficRatio).¶
4.2. Mapping
Convert raw data into knowledge graph triples using RDF mapping languages, with examples:¶
@prefix ont: <http://trafficmonitoring/ontology#> .
//Home router (terminal entity)
<Router/Home-001> a ont:Terminal;
ont:hasModel "HR-200";
ont:NetworkElementReadiness "IPv6 unsupported".
//IPv6 traffic metric (linked to analysis scenario)
<Metric/IPv6/Home-001> a ont:IPv6Traffic;
ont:value "6%";
ont:isUsedIn <Scenario/HomeBroadbandAnalysis>.
// Scenario-terminal association
<Scenario/HomeBroadbandAnalysis> ont:coversObject <Router/Home-001> .
¶
4.3. Integration
Construct a unified view through semantic associations: Link identical terminals across systems using owl:sameAs (e.g., MAC address and device ID); Establish "terminal-metric-scenario" association chains to enable cross-dimensional analysis.¶
5. Inference Engine and Policy Generation
## Rule-Based Reasoning¶
If "home router NetworkElementReadiness=IPv6 unsupported" and "IPv6TrafficRatio<10% in HomeBroadbandAnalysis scenario", then trigger TerminalUpgradePolicy.¶
5.1. SPARQL Cross-Scenario Query
Query "all scenarios where the IPv6 traffic proportion < 10% and the associated terminals":¶
PREFIX ont: <http://trafficmonitoring/ontology#>
SELECT ?scenario ?terminalModel
WHERE {
?scenario a ont:AnalysisScenario .
?scenario ont:coversObject ?terminal .
?terminal a ont:Terminal .
?terminal ont:hasModel ?terminalModel .
?terminal ont:hasMetric ?metric .
?metric a ont:IPv6Traffic .
?metric ont:value ?metricValue .
FILTER (xsd:decimal(?metricValue) < 10)
}
¶
5.2. Dynamic Policy Execution and Verification (SHACL Constraints)
Define policy execution conditions through SHACL to ensure the legality of rules:
Constraints for the terminal upgrade policy: It takes effect only when the terminal support rate < 30% and the scenario is home broadband.¶
ont:TerminalUpgradeShape a sh:NodeShape ;
sh:targetClass ont:TerminalUpgradePolicy ;
sh:property [
sh:path ont:appliesTo ;
sh:class ont:Terminal
] ;
sh:property [
sh:path ont:triggeredBy ;
sh:property [
sh:path ont:NetworkElementReadiness ;
sh:lessThan 30 ;
sh:datatype xsd:integer
] ;
sh:property [
sh:path ont:AnalysisScenario ;
sh:hasValue ont:HomeBroadband
]
] .
¶
6. Conformance with FAIR Principles
-
Findability: Each class and instance is assigned a unique URI (e.g., http://trafficmonitoring/object/ONT10086).¶
-
Interoperability: Cross-system mapping of metrics and dimensions is achieved through attributes such as belongsToDimension.¶
-
Reusability: Sub-categories of AnalysisDimension (such as "traffic quality analysis") can be reused in multiple scenarios such as home broadband and mobile networks.¶
7. Future Dynamic Maintenance Mechanism
-
Supports knowledge evolution. Telemetry data can be real-time converted into RDF triples.¶
-
Incremental expansion mechanism.¶
-
Automatically expands the ontology structure when a new network domain is added.¶
-
Adaptive optimization. Dynamically adjusts rule thresholds based on historical data analysis. TBD.¶
8. Application Scenario Examples
-
IPv6 deployment bottleneck analysis¶
-
Metropolitan area network traffic flow direction optimization¶
-
Fault quick positioning¶
-
Traffic anomaly detection.¶
TBD.¶
10. IANA Considerations
TBD.¶
11. Informative References
- [I-D.mackey-nmop-kg-for-netops]
- Mackey, M., Claise, B., Graf, T., Keller, H., Voyer, D., Lucente, P., and I. D. Martinez-Casanueva, "Knowledge Graph Framework for Network Operations", Work in Progress, Internet-Draft, draft-mackey-nmop-kg-for-netops-02, , <https://datatracker.ietf.org/doc/html/draft-mackey-nmop-kg-for-netops-02>.
- [I-D.marcas-nmop-kg-construct]
- Martinez-Casanueva, I. D., Rodríguez, L. C., and P. Martinez-Julia, "Knowledge Graph Construction from Network Data Sources", Work in Progress, Internet-Draft, draft-marcas-nmop-kg-construct-00, , <https://datatracker.ietf.org/doc/html/draft-marcas-nmop-kg-construct-00>.
- [I-D.pang-v6ops-ipv6-monitoring-deployment]
- Pang, R., Zhao, J., Jin, M., and S. Zhang, "IPv6 Network Deployment Monitoring and Analysis", Work in Progress, Internet-Draft, draft-pang-v6ops-ipv6-monitoring-deployment-01, , <https://datatracker.ietf.org/doc/html/draft-pang-v6ops-ipv6-monitoring-deployment-01>.