rapid detection of constant-packet-rate flows
DESCRIPTION
The demand for effective VoIP and online gaming traffic management methods continues to increase for purposes such as QoS provisioning, usage accounting, and blocking VoIP calls or game connections. However, identifying such flows has become a significant administrative burden because many of the applications use proprietary signaling and transport protocols. The question of how to identify proprietary VoIP traffic has yet to be solved. In this paper, we propose using a deviation-based classifier to identify VoIP and gaming traffic, given that such real-time interactive services normally send out constant-packet-rate (CPR) traffic with a fixed interval, in order to maintain real-timeliness and interactivity. Our contribution is two-fold: 1) We show that scale-free variability measures are more appropriate than scaledependent ones for quantifying the network variability injected into CPR traffic. 2) Our proposed classifier is particularly lightweight in that it only requires a few inter-packet times to make a decision. The evaluation results show that by only analyzing 10 successive inter-packet times, we can distinguishbetween CPR and non-CPR traffic with approximately 90% accuracy.TRANSCRIPT
Rapid Detection of
Constant-Packet-Rate Flows
ARES 2008, 03/05 1
Jing-Kai Lou, Kuan-Ta ChenInstitute of Information Science, Academia Sinica
Talk Outline
MotivationInvestigationPerformance EvaluationSummary
ARES 2008, 03/05 2
Motivation
Popular real-time and interactive applications:VoIP, Real-time network games
Traffic management Need of flow identificationA distinct characteristic of such traffic: Constant Packet Rate
VoIP: Encoded continuous human voiceReal-time network game: game state updates
Key to identify VoIP and online gaming traffic:CPR flow identification
ARES 2008, 03/05 3
Key Contribution
A CPR traffic classifierLightweight
10 successive inter-packet timesHigh Accuracy90% identification rate
ARES 2008, 03/05 4
Client Client
Traffic stream
A Naive Method
Coefficient of Variation (CoV) of Inter-Packet Times (IPT)
IPT CoV small CPRIPT CoV large non-CPR
ARES 2008, 03/05 5
IPT1 IPT2 … IPTi
CPR Traffic IPT1= IPT1=…= IPTi
Ideal IPT Distribution
ARES 2008, 03/05 6Inter-packet time (ms)
0 200 400 600 800 1000
0
1
Den
sity
Collected Traces
ARES 2008, 03/05 7
Trace Flow IPT CoV Path Diversity
VoIP (Skype) 1739 0.37 1106 hosts / 1641 paths
Counter-Strike 1016 0.32 271 hosts / 270 paths
TELNET 276 1.53 140 hosts / 93 paths
HTTP 409 1.54 474 hosts / 325 paths
P2P 1303 1.63 645 hosts / 644 paths
World of Warcraft 1611 0.71 52 hosts / 39 paths
Real IPT Distributions
ARES 2008, 03/05 8
Why the IPT distributions of VoIP and Counter-Strike are not as we expect?
Difficulties: Network Impairment
Host delayChannel delayNetwork queueing delayNetwork packet loss
ARES 2008, 03/05 9
CPR traffic
Sender
packet lossdelayafter network impairment
More Difficulties
To do a decision with a few samplesshort timefew storage space
In short scale, non-CPR traffic could look like CPR
ARES 2008, 03/05 10
Non-CPR Flow
RefreshmentOur goal
To search a good metric of IPT deviations for CPR detection
ChallengesNetwork impairmentNeed of small sample size
ARES 2008, 03/05 11
Deviation Metric Design
Design factors for measuring variation Function (FUN)Sample Size (W)Smoother Size (S)
ARES 2008, 03/05 12
Deviation Metric: Function (1/3)
Standard Deviation (SD)
Coefficient of variation (CoV)
ARES 2008, 03/05 13
NIPTIPTSD i
Ni
21 )( −∑
= =
MEANSDCoV =
Deviation Metric: Function (2/3)
Mean absolute deviation (MD)
Median absolute deviation (MAD)
ARES 2008, 03/05 14
NIPTIPTMAD i
Ni |)(|1 −∑
= =
NIPTmedianIPTMAD i
Ni |))((|1 −∑
= =
Deviation Metric: Function (2/3)
Inter-quantile range (IQR)
Range
ARES 2008, 03/05 15
(25%) QuartileLower (75%) QuartileUpper IQR −=
min(IPT)max(IPT)Range −=
Deviation Metric: Sample Size
Sample size (W): Number of IPT samplesW increases
Accuracy increasesTime/space complexity increases
ARES 2008, 03/05 16
SampleSize
Time/SpacecomplexityAccuracy
Deviation Metric: Smoother Size
Smoother size (S): Window size to smooth (mean)W increases
Impairment effect decreasesFalse negative increases
ARES 2008, 03/05 17
WindowSize
FalseNegative
Impairmenteffect
FUN=CoV, W=10, S=1
ARES 2008, 03/05 18
Does this estimator setting achieve the best discriminative
power??
Performance Metric
ROC (Receiver Operating Characteristic):TPR: ratio of true positiveFPR: ratio of false positive
AUC (Area Under Curve): Area under the ROC curveAUC = 1, perfect classificationAUC > 0.8, generally goodAUC = 0.5 random guess
ARES 2008, 03/05 20
Effect of Deviation Metric
ARES 2008, 03/05 21
Dimensionless metric CoV performs the best!
Effect of Sample Size
ARES 2008, 03/05 22
Sample size increasesROC Curve shifts left AUC increases
Effect of Smoother Size
ARES 2008, 03/05 23
Improvement only for large samples
Discrimination Performance
ARES 2008, 03/05 24
Summary
Proposed using IPT constancy to identify CPR flows VoIPReal-time gaming
Studied various design issues of IPT deviation estimators
Our classifier (CoV-based) yields an accuracy rate 90% with only 10 IPT samples
ARES 2008, 03/05 25
ARES 2008, 03/05 26
ARES 2008, 03/05 28
packet loss
delay
after network impairment
Receiver