Treatment-Based Traffic Signatures

Mark ClaypoolRobert Kinicki

Craig Wills

Computer Science DepartmentWorcester Polytechnic Institute

http://www.cs.wpi.edu/~claypool/papers/cube/

October 2007IMRG WACI, Cambridge, MA, USA 2

Diversity of Internet Applications in the Home

Web Browsing

Network Games

Video Streaming

Voice over IP

Remote Login

Instant Messaging

SensorsEmail

Delay Insensitive

Delay Sensitive

P2P File Sharing Lo

ss S

ensi

tive

Loss

Ins

ensi

tive

Jitt

er I

nsen

sitiv

e

Jitt

er S

ens

itive

October 2007IMRG WACI, Cambridge, MA, USA 3

Proliferation of Network Devices in the Home

WirelessAccess Point

Hand HeldGame Devices Personal

Computers

Printers andFaxes

MobilePhones

StreamingVideo Servers

GameConsoles

IP Phone

(to Internet)

Opportunity… “Smart” AP

• Automatically improves performance

• Interoperable, easy-to-use

But first… Need to classify

applications

• Then can apply treatment to improve QoS

October 2007IMRG WACI, Cambridge, MA, USA 4

Outline

•Introduction (done)

•Goals + (next)

•Classification

•Preliminary Results

•Ongoing Work

October 2007IMRG WACI, Cambridge, MA, USA 5

Goals

• Classification for purpose of QoS treatments (versus DoS prevention or billing or measurement or …)– Want match between signatures and potential

treatments• Not classifying applications instead

concentrate on nature of traffic for specific applications and devices– Different applications with same QoS

requirements should get equal network treatments •e.g. VoIP and network game

– Not all instances of a particular application yield the same signature, nor is that needed•e.g. Web for browsing, Web for download

October 2007IMRG WACI, Cambridge, MA, USA 6

Related Approaches

• Port classification alone does not work– Applications can share ports

•e.g. Non Web apps use port 80 around firewalls•e.g. scp and ssh both over port 22

– Users run applications on non-standard ports•e.g. Web server on different port since 80 restricted

– New applications not officially defined for ports

• Payload examination alone does not work– Increased encryption at application layer– Can be computationally expensive– New applications cannot be identified this way

• Machine learning alone does not work– Takes too long in real-time, so must be done offline first– Needs external validation, so does not work with new

apps

October 2007IMRG WACI, Cambridge, MA, USA 7

Domain

• Provide classification in wireless Access Point (AP), the same point that provides QoS treatment

• Home environment– Both directions of a flow travel through AP– Users are not trying to avoid classification– Can be customized and flexible per-flow treatments

•Home APs carry few flows compared to core router

• Needs to be real-time – Quick, so as to apply treatment to improve QoS

October 2007IMRG WACI, Cambridge, MA, USA 8

Outline

•Introduction (done)

•Goals + (done)

•Classification (next)

•Preliminary Results

•Ongoing Work

October 2007IMRG WACI, Cambridge, MA, USA 9

Treatment-Based Classification

Nature of Reverse TrafficResponse-based Non-response-

based

Pac

ket

Siz

e T

end

ency

Ful

lN

on-f

ull

Transm

ission

Spacin

g

As av

ailab

lePac

ed

Drop Packets

SpacePackets

ftpp2p

web

telnetssh

games

streaming

voip

sen

sors

PushPackets

DelayPackets

October 2007IMRG WACI, Cambridge, MA, USA 10

Outline

•Introduction (done)

•Goals + (done)

•Classification (done)

•Preliminary Results (next)

•Ongoing Work

October 2007IMRG WACI, Cambridge, MA, USA 11

Preliminary Results

•Captured 20-second traces from some representative applications

•Nature of reverse traffic– Response based or Non-response based

•Packet size tendency– Full or Non-full

•Transmission spacing– Paced or As-available

October 2007IMRG WACI, Cambridge, MA, USA 12

Nature of Reverse Traffic

• TCP automatically makes it response-based

• UDP is trickier - is a downstream packet sent in response to one upstream (or vice versa)?

• First, try simple up/down count:

Application Down UpStreaming video 11725 21Network game 393 1231VoIP 934 935

• More work needed …

October 2007IMRG WACI, Cambridge, MA, USA 13

Packet Size Tendency

http – browsing cnn

wsm – video

ssh – reading email

ftp – large file

October 2007IMRG WACI, Cambridge, MA, USA 14

Transmission Spacing (1 of 2)

wsm – video ssh – reading email

ftp – large file http – browsing cnn

October 2007IMRG WACI, Cambridge, MA, USA 15

Transmission Spacing (2 of 2)

http – browsing

http – download

http – streaming

October 2007IMRG WACI, Cambridge, MA, USA 16

Data for Some Other Applications

voip – packet size game – packet size

game – transmission spacingvoip – transmission spacing

October 2007IMRG WACI, Cambridge, MA, USA 17

Ongoing Work

• Differentiation of “paced” and “as available”

• Identification of “responsed-based” UDP– e.g. DNS or VoIP over DCCP

• Definition of “full” packets– e.g. Streaming video packets of 1400 bytes

• “Memory” of classification– e.g. in Second Life, interact on estate then

teleport– Statistics: continuous, weighted, or windowed– Across flows for the same device

•e.g. Game console (Xbox) versus PC

• Need for more traces of applications in the home

Treatment-Based Traffic Signatures

Mark ClaypoolRobert Kinicki

Craig Wills

Computer Science DepartmentWorcester Polytechnic Institute

http://www.cs.wpi.edu/~claypool/papers/cube/