| Internet-Draft | KG for traffic Monitoring and Analysis | July 2025 |
| Pang, et al. | Expires 8 January 2026 | [Page] |
This document extends the knowledge graph framework to the field of traffic monitoring, demonstrating how knowledge graphs can address long-standing traffic management challenges through semantic integration and automated reasoning.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 January 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Network traffic monitoring and analysis are crucial for ensuring service quality, detecting anomalies, and optimizing network performance. However, modern networks face increasingly severe challenges in managing traffic data from different sources, each with its own formats and schemas. These challenges align with broader operational issues identified in [I-D.mackey-nmop-kg-for-netops], such as data silos, loss of context, and complex correlation requirements.
The knowledge graph framework for network operations [I-D.mackey-nmop-kg-for-netops], based on semantic web technologies, provides a structured approach to integrating, correlating, and reasoning over heterogeneous data. This document extends the knowledge graph framework to the traffic monitoring domain, showing how knowledge graphs can solve long-standing traffic management challenges through semantic integration and automated reasoning.¶
There are pain points in traffic monitoring and analysis, such as complex cross-domain correlations and inefficient root-cause analysis. Therefore, the traffic monitoring system can serve as an input source for the knowledge engine to build a semantic network digital twin, mapping the physical network into a virtual knowledge graph and enabling closed-loop decision-making based on the inference engine.¶
+-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | Class | Definition | Key Subclasses | Critical Relationships | +===================+================================================+================================================+================================================+ | MonitoringObject | Entities observed in traffic monitoring | NetworkElement (routers, switches), | * isMonitoredBy (to DataSource), | | | (network components, terminals, apps). | Terminal (phones, ONTs), Application | * hasMetric (to MonitoringMetric) | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | DataSource | Systems/tools collecting traffic data. | NetflowCollector, Probe, | * providesDataTo (to AnalysisScenario), | | | | ISPNetworkManager(interface designed by YANG | * collectsFrom (to MonitoringObject) | | | | models) | | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | MonitoringMetric | Quantifiable indicators of traffic | NetworkElementReadiness, ApplicationReadiness, | * measures (to MonitoringObject/to | | | characteristics. | NetworkReadiness, CloudReadiness, | AnalysisScenario), * hasThreshold (to | | | | ActiveConnections, IPv6Traffic | numerical value) | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | AnalysisDimension | Perspectives for traffic analysis. | NetworkSideAnalysis(NetworkTrafficAnalysis, | * isUsedIn (to AnalysisScenario), | | | | InterNetworkAnalysis), UserSideAnalysis, | * includesMetric (to MonitoringMetric) | | | | ApplicationSideAnalysis, TrafficQualityAnalysis| | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | AnalysisScenario | Business-specific analysis scenarios. | HomeBroadbandAnalysis, MobileNetworkAnalysis, | * coversObject (to MonitoringObject), | | | | IPBearer NetwokAnalysis, ApplicationAnalysis | * usesDimension (to AnalysisDimension) | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+ | Policy | Automated rules triggered by metrics or | TrafficLimitingPolicy, TerminalUpgradePolicy | * isTriggeredBy (to MonitoringMetric), | | | scenarios. | QualityOptimizationPolicy | * appliesTo (to MonitoringObject) | +-------------------+------------------------------------------------+------------------------------------------------+------------------------------------------------+¶
The MonitoringMetric refers to the indicator system in [I-D.pang-v6ops-ipv6-monitoring-deployment].
TBD.¶
Following the ETL-based approach in [I-D.marcas-nmop-kg-construct], the pipeline for traffic monitoring KG includes three stages:¶
Extract home broadband data from the ISP network management system, including:
* Terminal data: Home router model, IPv6 support status (NetworkElementReadiness).
* Traffic data: Daily IPv6 traffic ratio (IPv6TrafficRatio).¶
Convert raw data into knowledge graph triples using RDF mapping languages, with examples:¶
@prefix ont: <http://trafficmonitoring/ontology#> .
//Home router (terminal entity)
<Router/Home-001> a ont:Terminal;
ont:hasModel "HR-200";
ont:NetworkElementReadiness "IPv6 unsupported".
//IPv6 traffic metric (linked to analysis scenario)
<Metric/IPv6/Home-001> a ont:IPv6Traffic;
ont:value "6%";
ont:isUsedIn <Scenario/HomeBroadbandAnalysis>.
// Scenario-terminal association
<Scenario/HomeBroadbandAnalysis> ont:coversObject <Router/Home-001> .
¶
Construct a unified view through semantic associations: Link identical terminals across systems using owl:sameAs (e.g., MAC address and device ID); Establish "terminal-metric-scenario" association chains to enable cross-dimensional analysis.¶
## Rule-Based Reasoning¶
If "home router NetworkElementReadiness=IPv6 unsupported" and "IPv6TrafficRatio<10% in HomeBroadbandAnalysis scenario", then trigger TerminalUpgradePolicy.¶
Query "all scenarios where the IPv6 traffic proportion < 10% and the associated terminals":¶
PREFIX ont: <http://trafficmonitoring/ontology#>
SELECT ?scenario ?terminalModel
WHERE {
?scenario a ont:AnalysisScenario .
?scenario ont:coversObject ?terminal .
?terminal a ont:Terminal .
?terminal ont:hasModel ?terminalModel .
?terminal ont:hasMetric ?metric .
?metric a ont:IPv6Traffic .
?metric ont:value ?metricValue .
FILTER (xsd:decimal(?metricValue) < 10)
}
¶
Define policy execution conditions through SHACL to ensure the legality of rules:
Constraints for the terminal upgrade policy: It takes effect only when the terminal support rate < 30% and the scenario is home broadband.¶
ont:TerminalUpgradeShape a sh:NodeShape ;
sh:targetClass ont:TerminalUpgradePolicy ;
sh:property [
sh:path ont:appliesTo ;
sh:class ont:Terminal
] ;
sh:property [
sh:path ont:triggeredBy ;
sh:property [
sh:path ont:NetworkElementReadiness ;
sh:lessThan 30 ;
sh:datatype xsd:integer
] ;
sh:property [
sh:path ont:AnalysisScenario ;
sh:hasValue ont:HomeBroadband
]
] .
¶
Findability: Each class and instance is assigned a unique URI (e.g., http://trafficmonitoring/object/ONT10086).¶
Interoperability: Cross-system mapping of metrics and dimensions is achieved through attributes such as belongsToDimension.¶
Reusability: Sub-categories of AnalysisDimension (such as "traffic quality analysis") can be reused in multiple scenarios such as home broadband and mobile networks.¶
Supports knowledge evolution. Telemetry data can be real-time converted into RDF triples.¶
Incremental expansion mechanism.¶
Automatically expands the ontology structure when a new network domain is added.¶
Adaptive optimization. Dynamically adjusts rule thresholds based on historical data analysis. TBD.¶
IPv6 deployment bottleneck analysis¶
Metropolitan area network traffic flow direction optimization¶
Fault quick positioning¶
Traffic anomaly detection.¶
TBD.¶
TBD.¶