Alessandro D'Alconzo

The Logarithmic Nature of QoE and the Role of the Weber-Fechner Law in QoE Assessment

The Weber-Fechner Law (WFL) is an important principle in psychophysics which describes the relationship be- tween the magnitude of a physical stimulus and its perceived intensity. With the sensory system of the human body, in many cases this dependency turns out to be of logarithmic nature. Re- cent quantitative QoE research shows that in several different scenarios a similar logarithmic relationship can be observed be- tween the size of a certain QoS parameter of the communication system and the resulting QoE on the user side as observed during appropriate user trials. In this paper, we discuss this surprising link in more detail. After a brief survey on the background of the WFL, we review its basic implications with respect to related work on QoE assessment for VoIP, most notably the recently published IQX hypothesis, before we present results of our own trials on QoE assessment for mobile broadband scenarios which confirm this dependency also for data services. Finally, we point out some conclusions and directions for further research.

Exploiting Cellular Networks for Road Traffic Estimation: A Survey and a Research Roadmap

In this contribution we address the problem of using cellular network signaling for inferring real-time road traffic information. We survey and categorize the approaches that have been proposed in the literature for a cellular-based road monitoring system and identify advantages and limitations. We outline a unified framework that encompasses UMTS and GPRS data collection in addition to GSM, and prospectively combines passive and active monitoring techniques. We identify the main research challenges that must be faced in designing and implementing such an intelligent road traffic estimation system via third-generation cellular networks.

Review: A review of DoS attack models for 3G cellular networks from a system-design perspective

Third-generation cellular networks are exposed to novel forms of denial-of-service attacks that only recently have started to be recognized and documented by the scientific community. In this contribution, we review some recently published attack models specific for cellular networks. We review them collectively in order to identify the main system-design aspects that are ultimately responsible for the exposure to the attack. The goal of this contribution is to build awareness about the intrinsic weaknesses of 3G networks from a system-design perspective. In doing that we hope to inform the design practice of future generation networks, motivating the adoption of randomization, adaptation and prioritization as central ingredients of robust system design.

Network-Wide Measurements of TCP RTT in 3G

In this study we present network-wide measurements of Round-Trip-Time (RTT) from an operational 3G network, separately for GPRS/EDGE and UMTS/HSxPA sections. The RTTs values are estimated from passive monitoring based on the timestamps of TCP handshaking packets. Compared to a previous study in 2004, the measured RTT values have decreased considerably. We show that the network-wide RTT percentiles in UMTS/HSxPA are very stable in time and largely independent from the network load. Additionally, we present separate RTT statistics for handsets and laptops, finding that they are very similar in UMTS/HSxPA. During the study we identified a problem with the RTT measurement methodology -- mostly affecting GPRS/EDGE data -- due to early retransmission of SYNACK packets by some popular servers.

Distribution-based anomaly detection in 3G mobile networks: from theory to practice

The design of anomaly detection (AD) methods for network traffic has been intensively investigated by the research community in recent years. However, less attention has been devoted to the issues which eventually arise when deploying such tools in a real operational context. We designed a statistical based change detection algorithm for identifying deviations in distribution time series. The proposed method has been applied to the analysis of a large dataset from an operational 3G mobile network, in the perspective of the adoption of such a tool in production. Our algorithm is designed to cope with the marked non-stationarity and daily/weekly seasonality that characterize the traffic mix in a large public network. Several practical issues emerged during the study, including the need to handle incompleteness of the collected data, the difficulty in drilling down the cause of certain alarms, and the need for human assistance in resetting the algorithm after a persistent change in network configuration (e.g. a capacity upgrade). We report on our practical experience, highlighting the key lessons learned and the hands-on experience gained from such an analysis. Finally, we propose a novel methodology based on semisynthetic traces for tuning and performance assessment of the proposed AD algorithm. Copyright

A Distribution-Based Approach to Anomaly Detection and Application to 3G Mobile Traffic

In this work we present a novel scheme for statistical-based anomaly detection in 3G cellular networks. The traffic data collected by a passive monitoring system are reduced to a set of per-mobile user counters, from which time-series of unidimensional feature distributions are derived. An example of feature is the number of TCP SYN packets seen in uplink for each mobile user in fixed-length time bins. We design a changedetection algorithm to identify deviations in each distribution time-series. Our algorithm is designed specifically to cope with the marked non-stationarities, daily/weekly seasonality and longterm trend that characterize the global traffic in a real network. The proposed scheme was applied to the analysis of a large dataset from an operational 3G network. Here we present the algorithm and report on our practical experience with the analysis of real data, highlighting the key lessons learned in the perspective of the possible adoption of our anomaly detection tool on a production basis.

A methodological overview on anomaly detection

In this Chapter we give an overview of statistical methods for anomaly detection (AD), thereby targeting an audience of practitioners with general knowledge of statistics. We focus on the applicability of the methods by stating and comparing the conditions in which they can be applied and by discussing the parameters that need to be set.

On the Role of Flows and Sessions in Internet Traffic Modeling: An Explorative Toy-Model

In this work we present a simple toy-model that is able to explain certain empirical observations reported in a set of previous papers by Hohn et al. [1]-[3] about the wavelet spectrum of real traffic traces. Therein, the authors found that the wavelet spectrum is substantially invariant to flow scrambling and truncation. Such finding suggested that super-flow structures above the transport layer -- i.e., sessions -- can be ignored for modeling the packet arrival process. Based on the proposed toymodel, we offer an interpretation framework that goes in the opposite direction, indicating that sessions, not transport-layer flows, should be taken as the main structural entities in simplified on/off models.

On the ground truth problem of malicious DNS traffic analysis

DNS is often abused by Internet criminals in order to provide flexible and resilient hosting of malicious content and reliable communication within their network architecture. The majority of detection methods targeting malicious DNS traffic are data-driven, most commonly having machine learning algorithms at their core. These methods require accurate ground truth of both malicious and benign DNS traffic for model training as well as for the performance evaluation. This paper elaborates on the problem of obtaining such a ground truth and evaluates practices employed by contemporary detection methods. Building upon the evaluation results, we propose a novel semi-manual labeling practice targeting agile DNS mappings, i.e. DNS queries that are used to reach a potentially malicious server characterized by fast changing domain names or/and IP addresses. The proposed approach is developed with the purpose of obtaining ground truth by incorporating the operators insight in efficient and effective manner. We evaluate the proposed approach on a case study based on DNS traffic from an ISP network by comparing it with the popular labeling practices that rely on domain name and IP blacklists and whitelisting of popular domains. The evaluation indicates challenges and limitations of relying on existing labeling practices and shows a clear advantage of using the proposed approach in discovering a more complete set of potentially malicious domains and IP addresses. Furthermore, the novel approach attains time-efficient labeling with limited operators involvement, thus is promising in view of the adoption in operational ISP networks.

Characterizing Web Services Provisioning via CDNs: The Case of Facebook

Todays Internet consists of massive scale web services and Content Delivery Networks (CDNs). This paper sheds light on the way major Internet-scale web services content is hosted and delivered. By analyzing a full month of HTTP traffic traces collected at the mobile network of a major European ISP, we characterize the paradigmatic case of Facebook, considering not only the traffic flows but also the main organizations and CDNs providing them. Our study serves the main purpose of better understanding how major web services are provisioned in todays Internet, paying special attention to the temporal dynamics of the service delivery and the interplays between the involved hosting organizations. To the best of our knowledge, this is the first paper providing such an analysis in mobile networks.