idr                                                         R. Pang, Ed.
Internet-Draft                                              J. Zhao, Ed.
Intended status: Standards Track                           S. Zhang, Ed.
Expires: 8 January 2026                                     China Unicom
                                                             7 July 2025

      Knowledge Graph for Network Traffic Monitoring and Analysis
         draft-pang-nmop-kg-for-traffic-monitoring-analysis-00

Abstract

   This document extends the knowledge graph framework to the field of
   traffic monitoring, demonstrating how knowledge graphs can address
   long-standing traffic management challenges through semantic
   integration and automated reasoning.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 8 January 2026.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Pang, et al.             Expires 8 January 2026                 [Page 1]

Internet-Draft   KG for traffic Monitoring and Analysis        July 2025

Table of Contents

   1.  Introduction
   2.  Problem Statement
   3.  Formal Ontology Design
     3.1.  Core Classes and Relationships
   4.  Knowledge Graph Construction Pipeline
     4.1.  Ingestion
     4.2.  Mapping
     4.3.  Integration
   5.  Inference Engine and Policy Generation
     5.1.  SPARQL Cross-Scenario Query
     5.2.  Dynamic Policy Execution and Verification (SHACL
           Constraints)
   6.  Conformance with FAIR Principles
   7.  Future Dynamic Maintenance Mechanism
   8.  Application Scenario Examples
   9.  Security Considerations
   10. IANA Considerations
   11. Informative References
   Authors' Addresses

1.  Introduction

   Network traffic monitoring and analysis are crucial for ensuring
   service quality, detecting anomalies, and optimizing network
   performance.  However, modern networks face increasingly severe
   challenges in managing traffic data from different sources, each with
   its own formats and schemas.  These challenges align with broader
   operational issues identified in [I-D.mackey-nmop-kg-for-netops],
   such as data silos, loss of context, and complex correlation
   requirements.  The knowledge graph framework for network operations
   [I-D.mackey-nmop-kg-for-netops], based on semantic web technologies,
   provides a structured approach to integrating, correlating, and
   reasoning over heterogeneous data.
   This document extends the knowledge graph framework to the traffic
   monitoring domain, showing how knowledge graphs can solve
   long-standing traffic management challenges through semantic
   integration and automated reasoning.

2.  Problem Statement

   Traffic monitoring and analysis have known pain points, such as
   complex cross-domain correlations and inefficient root-cause
   analysis.  Therefore, the traffic monitoring system can serve as an
   input source for the knowledge engine to build a semantic network
   digital twin, mapping the physical network into a virtual knowledge
   graph and enabling closed-loop decision-making based on the inference
   engine.

3.  Formal Ontology Design

3.1.  Core Classes and Relationships

   +-------------------+------------------------------+----------------------------------+------------------------------------------+
   | Class             | Definition                   | Key Subclasses                   | Critical Relationships                   |
   +===================+==============================+==================================+==========================================+
   | MonitoringObject  | Entities observed in traffic | NetworkElement (routers,         | * isMonitoredBy (to DataSource),         |
   |                   | monitoring (network          | switches), Terminal (phones,     | * hasMetric (to MonitoringMetric)        |
   |                   | components, terminals,       | ONTs), Application               |                                          |
   |                   | apps).                       |                                  |                                          |
   +-------------------+------------------------------+----------------------------------+------------------------------------------+
   | DataSource        | Systems/tools collecting     | NetflowCollector, Probe,         | * providesDataTo (to AnalysisScenario),  |
   |                   | traffic data.                | ISPNetworkManager (interface     | * collectsFrom (to MonitoringObject)     |
   |                   |                              | designed by YANG models)         |                                          |
   +-------------------+------------------------------+----------------------------------+------------------------------------------+
   | MonitoringMetric  | Quantifiable indicators of   | NetworkElementReadiness,         | * measures (to MonitoringObject/to       |
   |                   | traffic characteristics.     | ApplicationReadiness,            |   AnalysisScenario),                     |
   |                   |                              | NetworkReadiness,                | * hasThreshold (to numerical value)      |
   |                   |                              | CloudReadiness,                  |                                          |
   |                   |                              | ActiveConnections, IPv6Traffic   |                                          |
   +-------------------+------------------------------+----------------------------------+------------------------------------------+
   | AnalysisDimension | Perspectives for traffic     | NetworkSideAnalysis              | * isUsedIn (to AnalysisScenario),        |
   |                   | analysis.                    | (NetworkTrafficAnalysis,         | * includesMetric (to MonitoringMetric)   |
   |                   |                              | InterNetworkAnalysis),           |                                          |
   |                   |                              | UserSideAnalysis,                |                                          |
   |                   |                              | ApplicationSideAnalysis,         |                                          |
   |                   |                              | TrafficQualityAnalysis           |                                          |
   +-------------------+------------------------------+----------------------------------+------------------------------------------+
   | AnalysisScenario  | Business-specific analysis   | HomeBroadbandAnalysis,           | * coversObject (to MonitoringObject),    |
   |                   | scenarios.                   | MobileNetworkAnalysis,           | * usesDimension (to AnalysisDimension)   |
   |                   |                              | IPBearerNetworkAnalysis,         |                                          |
   |                   |                              | ApplicationAnalysis              |                                          |
   +-------------------+------------------------------+----------------------------------+------------------------------------------+
   | Policy            | Automated rules triggered by | TrafficLimitingPolicy,           | * isTriggeredBy (to MonitoringMetric),   |
   |                   | metrics or scenarios.        | TerminalUpgradePolicy,           | * appliesTo (to MonitoringObject)        |
   |                   |                              | QualityOptimizationPolicy        |                                          |
   +-------------------+------------------------------+----------------------------------+------------------------------------------+

   The MonitoringMetric refers to the indicator system in
   [I-D.pang-v6ops-ipv6-monitoring-deployment].

   TBD.

4.  Knowledge Graph Construction Pipeline

   Following the ETL-based approach in [I-D.marcas-nmop-kg-construct],
   the pipeline for the traffic monitoring KG includes three stages:

4.1.  Ingestion

   Extract home broadband data from the ISP network management system,
   including:

   *  Terminal data: Home router model, IPv6 support status
      (NetworkElementReadiness).

   *  Traffic data: Daily IPv6 traffic ratio (IPv6TrafficRatio).

4.2.  Mapping

   Convert raw data into knowledge graph triples using RDF mapping
   languages, with examples:

   @prefix ont: .

   # Home router (terminal entity)
    a ont:Terminal;
     ont:hasModel "HR-200";
     ont:NetworkElementReadiness "IPv6 unsupported".

   # IPv6 traffic metric (linked to analysis scenario)
    a ont:IPv6Traffic;
     ont:value "6%";
     ont:isUsedIn .

   # Scenario-terminal association
    ont:coversObject .

4.3.  Integration

   Construct a unified view through semantic associations:

   *  Link identical terminals across systems using owl:sameAs (e.g.,
      MAC address and device ID);

   *  Establish "terminal-metric-scenario" association chains to enable
      cross-dimensional analysis.

5.  Inference Engine and Policy Generation

   Rule-Based Reasoning: If "home router
   NetworkElementReadiness=IPv6 unsupported" and "IPv6TrafficRatio<10%
   in HomeBroadbandAnalysis scenario", then trigger
   TerminalUpgradePolicy.

5.1.  SPARQL Cross-Scenario Query

   Query "all scenarios where the IPv6 traffic proportion < 10% and the
   associated terminals":

   PREFIX ont:
   PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>

   SELECT ?scenario ?terminalModel
   WHERE {
     ?scenario a ont:AnalysisScenario .
     ?scenario ont:coversObject ?terminal .
     ?terminal a ont:Terminal .
     ?terminal ont:hasModel ?terminalModel .
     ?terminal ont:hasMetric ?metric .
     ?metric a ont:IPv6Traffic .
     ?metric ont:value ?metricValue .
     FILTER (xsd:decimal(?metricValue) < 10)
   }

5.2.  Dynamic Policy Execution and Verification (SHACL Constraints)

   Define policy execution conditions through SHACL to ensure that rules
   are valid:

   Constraints for the terminal upgrade policy: It takes effect only
   when the terminal support rate < 30% and the scenario is home
   broadband.

   ont:TerminalUpgradeShape a sh:NodeShape ;
     sh:targetClass ont:TerminalUpgradePolicy ;
     sh:property [
       sh:path ont:appliesTo ;
       sh:class ont:Terminal
     ] ;
     sh:property [
       # isTriggeredBy is the relationship name defined in Section 3.1
       sh:path ont:isTriggeredBy ;
       sh:property [
         sh:path ont:NetworkElementReadiness ;
         # sh:maxExclusive bounds a literal value; sh:lessThan expects
         # a property IRI to compare against, not a number
         sh:maxExclusive 30 ;
         sh:datatype xsd:integer
       ] ;
       sh:property [
         sh:path ont:AnalysisScenario ;
         sh:hasValue ont:HomeBroadband
       ]
     ] .

6.  Conformance with FAIR Principles

   *  Findability: Each class and instance is assigned a unique URI
      (e.g., http://trafficmonitoring/object/ONT10086).

   *  Interoperability: Cross-system mapping of metrics and dimensions
      is achieved through attributes such as belongsToDimension.

   *  Reusability: Sub-categories of AnalysisDimension (such as "traffic
      quality analysis") can be reused in multiple scenarios such as
      home broadband and mobile networks.

7.  Future Dynamic Maintenance Mechanism

   *  Supports knowledge evolution.  Telemetry data can be converted
      into RDF triples in real time.

   *  Incremental expansion mechanism.

   *  Automatically expands the ontology structure when a new network
      domain is added.

   *  Adaptive optimization.  Dynamically adjusts rule thresholds based
      on historical data analysis.

   TBD.

8.  Application Scenario Examples

   *  IPv6 deployment bottleneck analysis

   *  Metropolitan area network traffic flow direction optimization

   *  Quick fault positioning

   *  Traffic anomaly detection.

   TBD.

9.  Security Considerations

   TBD.

10.  IANA Considerations

   TBD.

11.  Informative References

   [I-D.mackey-nmop-kg-for-netops]
              Mackey, M., Claise, B., Graf, T., Keller, H., Voyer, D.,
              Lucente, P., and I. D. Martinez-Casanueva, "Knowledge
              Graph Framework for Network Operations", Work in Progress,
              Internet-Draft, draft-mackey-nmop-kg-for-netops-02,
              4 March 2025.

   [I-D.marcas-nmop-kg-construct]
              Martinez-Casanueva, I. D., Rodríguez, L. C., and P.
              Martinez-Julia, "Knowledge Graph Construction from Network
              Data Sources", Work in Progress, Internet-Draft,
              draft-marcas-nmop-kg-construct-00, 26 February 2025.

   [I-D.pang-v6ops-ipv6-monitoring-deployment]
              Pang, R., Zhao, J., Jin, M., and S. Zhang, "IPv6 Network
              Deployment Monitoring and Analysis", Work in Progress,
              Internet-Draft,
              draft-pang-v6ops-ipv6-monitoring-deployment-01,
              4 July 2025.

Authors' Addresses

   Ran Pang (editor)
   China Unicom
   Beijing
   China
   Email: pangran@chinaunicom.cn

   Jing Zhao (editor)
   China Unicom
   Beijing
   China
   Email: zhaoj501@chinaunicom.cn

   Shuai Zhang (editor)
   China Unicom
   Beijing
   China
   Email: zhangs366@chinaunicom.cn
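
Added example, not part of the draft: the Section 5 rule ("IPv6 unsupported" plus an IPv6 traffic ratio below 10% in a home broadband scenario triggers TerminalUpgradePolicy) evaluated in Python over constructed triples shaped like Section 4.2, following the join of the Section 5.1 query. The `ex:` identifiers and helper names are hypothetical; the parser accepts a trailing percent sign such as "6%" and reports literals that do not parse, since an xsd:decimal cast of such a literal fails and the row drops out of a SPARQL FILTER without notice.

```python
from decimal import Decimal, InvalidOperation
TRIPLES = [  # constructed sample data; every "ex:" name is hypothetical
    ("ex:hb", "rdf:type", "ont:HomeBroadbandAnalysis"),
    ("ex:hb", "ont:coversObject", "ex:r1"),
    ("ex:hb", "ont:coversObject", "ex:r2"),
    ("ex:hb", "ont:coversObject", "ex:r3"),
    ("ex:r1", "rdf:type", "ont:Terminal"),
    ("ex:r1", "ont:NetworkElementReadiness", "IPv6 unsupported"),
    ("ex:r1", "ont:hasMetric", "ex:m1"),
    ("ex:m1", "rdf:type", "ont:IPv6Traffic"),
    ("ex:m1", "ont:value", "6%"),
    ("ex:r2", "rdf:type", "ont:Terminal"),
    ("ex:r2", "ont:NetworkElementReadiness", "IPv6 supported"),
    ("ex:r2", "ont:hasMetric", "ex:m2"),
    ("ex:m2", "rdf:type", "ont:IPv6Traffic"),
    ("ex:m2", "ont:value", "4%"),
    ("ex:r3", "rdf:type", "ont:Terminal"),
    ("ex:r3", "ont:NetworkElementReadiness", "IPv6 unsupported"),
    ("ex:r3", "ont:hasMetric", "ex:m3"),
    ("ex:m3", "rdf:type", "ont:IPv6Traffic"),
    ("ex:m3", "ont:value", "n/a"),
]

def parse_ratio(literal):
    """Parse a percentage literal such as "6%"; None unless it is a finite 0-100 value."""
    try:
        value = Decimal(literal.strip().removesuffix("%"))
    except InvalidOperation:
        return None
    return value if value.is_finite() and 0 <= value <= 100 else None

def evaluate(triples, threshold=Decimal("10")):
    """Apply the Section 5 rule; return (triggered policies, rejected metric literals)."""
    def objs(s, p):
        return [o for s2, p2, o in triples if (s2, p2) == (s, p)]
    def typed(nodes, cls):
        return [n for n in nodes if cls in objs(n, "rdf:type")]
    policies, rejected = [], []
    for scenario in typed(sorted({s for s, _, _ in triples}), "ont:HomeBroadbandAnalysis"):
        for term in typed(objs(scenario, "ont:coversObject"), "ont:Terminal"):
            unsupported = "IPv6 unsupported" in objs(term, "ont:NetworkElementReadiness")
            for metric in typed(objs(term, "ont:hasMetric"), "ont:IPv6Traffic"):
                for literal in objs(metric, "ont:value"):
                    ratio = parse_ratio(literal)
                    if ratio is None:
                        rejected.append((metric, literal))  # report it, never read it as 0
                    elif unsupported and ratio < threshold:
                        policies.append(("ont:TerminalUpgradePolicy", term))
    return policies, rejected
```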