Treatment-Based Traffic Signatures
Mark Claypool, Robert Kinicki, Craig Wills
Computer Science Department, Worcester Polytechnic Institute
http://www.cs.wpi.edu/~claypool/papers/cube/
October 2007, IMRG WACI, Cambridge, MA, USA
Diversity of Internet Applications in the Home
[Figure: applications plotted against three axes: Delay Insensitive to Delay Sensitive, Loss Sensitive to Loss Insensitive, Jitter Insensitive to Jitter Sensitive. Applications shown: Web Browsing, Network Games, Video Streaming, Voice over IP, Remote Login, Instant Messaging, Sensors, Email, P2P File Sharing.]
Proliferation of Network Devices in the Home
[Figure: home devices connected through a Wireless Access Point (to Internet): Hand Held Game Devices, Personal Computers, Printers and Faxes, Mobile Phones, Streaming Video Servers, Game Consoles, IP Phone.]
Opportunity… “Smart” AP
• Automatically improves performance
• Interoperable, easy-to-use
But first… Need to classify applications
• Then can apply treatment to improve QoS
Outline
•Introduction (done)
•Goals + (next)
•Classification
•Preliminary Results
•Ongoing Work
Goals
• Classification for purpose of QoS treatments (versus DoS prevention or billing or measurement or …)
  – Want match between signatures and potential treatments
• Not classifying applications; instead concentrate on nature of traffic for specific applications and devices
  – Different applications with same QoS requirements should get equal network treatments
    • e.g. VoIP and network game
  – Not all instances of a particular application yield the same signature, nor is that needed
    • e.g. Web for browsing, Web for download
Related Approaches
• Port classification alone does not work
  – Applications can share ports
    • e.g. Non Web apps use port 80 around firewalls
    • e.g. scp and ssh both over port 22
  – Users run applications on non-standard ports
    • e.g. Web server on different port since 80 restricted
  – New applications not officially defined for ports
• Payload examination alone does not work
  – Increased encryption at application layer
  – Can be computationally expensive
  – New applications cannot be identified this way
• Machine learning alone does not work
  – Takes too long in real-time, so must be done offline first
  – Needs external validation, so does not work with new apps
Domain
• Provide classification in wireless Access Point (AP), the same point that provides QoS treatment
• Home environment
  – Both directions of a flow travel through AP
  – Users are not trying to avoid classification
  – Can be customized and flexible per-flow treatments
    • Home APs carry few flows compared to core router
• Needs to be real-time
  – Quick, so as to apply treatment to improve QoS
Outline
•Introduction (done)
•Goals + (done)
•Classification (next)
•Preliminary Results
•Ongoing Work
Treatment-Based Classification
[Figure: applications plotted against three axes. Axes: Nature of Reverse Traffic (Response-based / Non-response-based), Packet Size Tendency (Full / Non-full), Transmission Spacing (As available / Paced). Treatments shown: Drop Packets, Space Packets, Push Packets, Delay Packets. Applications shown: ftp, p2p, web, telnet, ssh, games, streaming, voip, sensors.]
Outline
•Introduction (done)
•Goals + (done)
•Classification (done)
•Preliminary Results (next)
•Ongoing Work
Preliminary Results
• Captured 20-second traces from some representative applications
• Nature of reverse traffic
  – Response based or Non-response based
• Packet size tendency
  – Full or Non-full
• Transmission spacing
  – Paced or As-available
Nature of Reverse Traffic
• TCP automatically makes it response-based
• UDP is trickier - is a downstream packet sent in response to one upstream (or vice versa)?
• First, try simple up/down count:
Application       Down    Up
Streaming video   11725   21
Network game      393     1231
VoIP              934     935
• More work needed …
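Added example (not from the original slides): one way to turn a per-flow packet trace into the three signature dimensions listed under Preliminary Results, using the simple up/down count for UDP. All four thresholds, the function names and both traces are assumptions constructed for illustration; the slides leave the definitions of "full", "paced" and response-based UDP as ongoing work.

```python
from statistics import mean, pstdev

# Assumed thresholds: the slides leave all three definitions as ongoing work.
FULL_BYTES = 1400     # taken from the slides' 1400-byte streaming video example
FULL_FRACTION = 0.5   # share of full packets for a flow to count as "full"
PACED_CV = 0.25       # max coefficient of variation of gaps for "paced"
RESPONSE_RATIO = 0.5  # min/max of up and down counts for "response-based" UDP

def reverse_nature(up, down, proto="udp"):
    """TCP is response-based by construction; UDP uses the simple up/down count."""
    if proto == "tcp":
        return "response-based"
    balance = min(up, down) / max(up, down, 1)
    return "response-based" if balance >= RESPONSE_RATIO else "non-response-based"

def signature(packets, proto):
    """packets: list of (time_s, 'up' or 'down', size_bytes) for one flow."""
    up = sum(1 for _, d, _ in packets if d == "up")
    down = len(packets) - up
    # Score size and spacing on the dominant direction so ACKs do not dilute it.
    main_dir = "down" if down >= up else "up"
    main = sorted((t, s) for t, d, s in packets if d == main_dir)
    full = sum(1 for _, s in main if s >= FULL_BYTES) / max(len(main), 1)
    gaps = [b[0] - a[0] for a, b in zip(main, main[1:])]
    paced = len(gaps) >= 2 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= PACED_CV
    return (reverse_nature(up, down, proto),
            "full" if full >= FULL_FRACTION else "non-full",
            "paced" if paced else "as-available")

def constructed_voip():
    """Constructed trace: 200-byte UDP packets every 20 ms in both directions."""
    return [(i * 0.020 + off, d, 200) for i in range(50)
            for off, d in ((0.0, "up"), (0.001, "down"))]

def constructed_bulk():
    """Constructed trace: TCP bursts of ten 1460-byte packets, one ACK per burst."""
    pkts, t = [], 0.0
    for _ in range(10):
        for _ in range(10):
            pkts.append((t, "down", 1460))
            t += 0.0002
        pkts.append((t, "up", 40))
        t += 0.05
    return pkts

if __name__ == "__main__":
    print("voip:", signature(constructed_voip(), "udp"))
    print("bulk:", signature(constructed_bulk(), "tcp"))
    # Up/down counts from the slide's table.
    for app, down, up in (("Streaming video", 11725, 21),
                          ("Network game", 393, 1231), ("VoIP", 934, 935)):
        print(app, reverse_nature(up, down))
```

With the assumed 0.5 ratio the network game counts from the table fall on the non-response-based side, which shows how sensitive the simple count is to where the threshold is set.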
Packet Size Tendency
[Plots, one per trace: http – browsing cnn; wsm – video; ssh – reading email; ftp – large file]
Transmission Spacing (1 of 2)
[Plots, one per trace: wsm – video; ssh – reading email; ftp – large file; http – browsing cnn]
Transmission Spacing (2 of 2)
[Plots, one per trace: http – browsing; http – download; http – streaming]
Data for Some Other Applications
[Plots: voip – packet size; game – packet size; game – transmission spacing; voip – transmission spacing]
Ongoing Work
• Differentiation of “paced” and “as available”
• Identification of “response-based” UDP
  – e.g. DNS or VoIP over DCCP
• Definition of “full” packets
  – e.g. Streaming video packets of 1400 bytes
• “Memory” of classification
  – e.g. in Second Life, interact on estate then teleport
  – Statistics: continuous, weighted, or windowed
  – Across flows for the same device
    • e.g. Game console (Xbox) versus PC
• Need for more traces of applications in the home