Download presentation
Presentation is loading. Please wait.
Published bySolomon Golden Modified over 6 years ago
1
On-line Detection of Real Time Multimedia Traffic
Fang Hao, Murali Kodialam, and T.V. Lakshman Bell Laboratories, Alcatel-Lucent October 16, 2009
2
Motivation Network operators need tools to manage traffic based on nature of applications Differentiated treatment based on application types QoS provisioning for real-time traffics New network services customized to applications Increasing volume of audio and video traffic demand better monitoring tools Need to detect real-time traffic in real-time VoIP, Internet radio, video conferencing, surveillance, streaming… Challenges: Random ports Streaming using HTTP/HTTPS Data encryption
3
Problem Definition Source Monitor Assumptions
Source: (near) constant packet rate Common reasons: CODEC, output smoothing buffer, … Network is “stable” during detection time (a few seconds) FIFO arrival Bound on network delay jitter Goal: Detect smoothness in packet timing
4
Inter-packet gap ? EX1 Non real-time Real-time EX2
Arrival time Gap Non real-time Real-time EX2 Stream 1 with gap: 3, 3, 3, 5, 5, 5, … Inter-packet gap may be misleading Smaller variance in inter-packet gap ≠ smoother traffic Strong correlation between consecutive gaps Stream 2 with gap: 3, 5, 3, 5, 3, 5, …
5
Smoothness Definition
Packet arrival time Measures deviation of X from constant rate stream with inter-arrival gap α θ-bounded: If exists α ≥ 0, s.t. S(α, X(k)) ≤ θ for all k = 1, 2, … n Example: constant rate stream is 0-bounded
6
Detecting smoothness of a stream
Given a θ, for each new arrival, calculate upper/lower bound of feasible inter- arrival gap α Track min upper bound & max lower bound upper Arrival Time lower Bound on α Non real-time Packet Index Detection terminates when either No feasible α exists ( non real-time), or Pre-defined detection time is over ( real-time) Algorithm suitable for on-line calculation: only need to track 5 numbers
7
Inferring Source Stream from Remote Observing Point
If observed stream is smooth, then source stream is smooth (with looser bound) S(α,A): smoothness of source stream S(α,T): smoothness of observed stream V(D): network delay jitter bound Proof details in paper
8
Engineering Twists Multiple thresholds for faster detection time
Tighter bound for shorter detection time Well-behaving streams can be detected fast Looser bound for longer detection time Looser bound can be tuned to accommodate border conditions, making detection more robust Allowing detection to reset and restart Irregularity during starting time Signaling messages at beginning may violate constant rate assumption Restart to skip initial unstable period CODEC changes form multiple “lines” (with different α) Restart when new line is detected
9
Case Study: Skype Detection
Methodology Customize the detection algorithm for Skype Setting parameters (bounds) based on trial experiments TCP PUSH flag Mean packet size Estimated α (based on known Skype CODEC) Test false negative – if it is Skype, do we miss it ? Traces from controlled clients (both LAN & WAN setup) Traces from field (one day traffic from access network) Only use Skype VoIP flows that we know for sure based on probe signatures and manual inspection Test false positive – do we take non-Skype as Skype ? Traces collected from internal corporate network Common corporate apps: web client/server, enterprise software, experimental apps No real-time apps during collection
10
Skype Detection Results
Comparison with Naïve Bayesian Classifier (NBC) from Sigcom’07 3 times smaller 2 orders of magnitude smaller Gap (α) Estimate Skype flow detection and CODEC rate estimation: an example CODEC rate: 1pkt/20ms Arrival Time
11
More Experiment Results
Gap (α) Estimate Gap (α) Estimate Arrival Time Arrival Time Internet radio over HTTP 1pkt/140ms VLC UDP Streaming (MPEG4/DivX) 1pkt/7ms Jagged line caused by I-frames
12
Conclusions To make statistical inference on real-time flows, inter-arrival gap is insufficient Packet arrival time gives more accurate picture Algorithm for detecting flow smoothness Formal analysis Experiments based on field and lab traces Skype Other VoIP app, Internet radio, various streaming apps Future work Hi-def video P2P TV
13
Backup
14
Existing methods Signature based detection
Carefully inspect/reverse engineer each application: ports, packet content, message sequence, “community behavior”, … Need to diligently follow each application updates Machine learning Based on chosen parameters of flows Lower accuracy; not suitable for on-line detection Statistical model based on inter-packet gap, packet size, and payload randomness for Skype detection (Bonfiglio et al. Sigcomm’07) Issues with packet size Many different sizes to track (depending on codec) Size can be changed by relay nodes
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.