Silvio Valenti

Abacus: Accurate behavioral classification of P2P-TV traffic

Abstract Peer-to-Peer streaming (P2P-TV) applications offer the capability to watch real time video over the Internet at low cost. Some applications have started to become popular, raising the concern of Network Operators that fear the large amount of traffic they might generate. Unfortunately, most of P2P-TV applications are based on proprietary and unknown protocols, and this makes the detection of such traffic challenging per se. In this paper, we propose a novel methodology to accurately classify P2P-TV traffic and to identify the specific P2P-TV application which generated it. Our proposal relies only on the count of packets and bytes exchanged among peers during small time-windows: the rationale is that these two counts convey a wealth of useful information, concerning several aspects of the application and its inner workings, such as signaling activities and video chunk size. Our classification framework, which uses Support Vector Machines, accurately identifies P2P-TV traffic as well as traffic that is generated by other kinds of applications, so that the number of false classification events is negligible. By means of a large experimental campaign, which uses both testbed and real network traffic, we show that it is actually possible to reliably discriminate between different P2P-TV applications by simply counting packets.

Fine-grained traffic classification with netflow data

Nowadays Cisco Netflow is the de facto standard tool used by network operators and administrators for monitoring large edge and core networks. Implemented by all major vendors and recently a IETF standard, Netflow reports aggregated information about traffic traversing the routers in the form of flow-records. While this kind of data is already effectively used for accounting, monitoring and anomaly detection, the limited amount of information it conveys has until now hindered its employment for traffic classification purposes. In this paper, we present a behavioral algorithm which successfully exploits Netflow records for traffic classification. Since our classifier identifies an application by means of the simple counts of received packets and bytes, Netflow records contain all information required. We test our classification engine, based on a machine learning algorithm, over an extended set of traces containing a heterogeneous mix of applications ranging from P2P file-sharing and P2P live-streaming to traditional client-server services. Results show that our methodology correctly identifies the byte-wise traffic volume with an accuracy of 90% in the worst case, thus representing a first step towards the use of Netflow data for fine-grained classification of network traffic.

Reviewing traffic classification

Traffic classification has received increasing attention in the last years. It aims at offering the ability to automatically recognize the application that has generated a given stream of packets from the direct and passive observation of the individual packets, or stream of packets, flowing in the network. This ability is instrumental to a number of activities that are of extreme interest to carriers, Internet service providers and network administrators in general. Indeed, traffic classification is the basic block that is required to enable any traffic management operations, from differentiating traffic pricing and treatment (e.g., policing, shaping, etc.), to security operations (e.g., firewalling, filtering, anomaly detection, etc.). Up to few years ago, almost any Internet application was using well-known transport layer protocol ports that easily allowed its identification. More recently, the number of applications using random or non-standard ports has dramatically increased (e.g. Skype, BitTorrent, VPNs, etc.). Moreover, often network applications are configured to use well-known protocol ports assigned to other applications (e.g. TCP port 80 originally reserved for Web traffic) attempting to disguise their presence. For these reasons, and for the importance of correctly classifying traffic flows, novel approaches based respectively on packet inspection, statistical and machine learning techniques, and behavioral methods have been investigated and are becoming standard practice. In this chapter, we discuss the main trend in the field of traffic classification and we describe some of the main proposals of the research community. We complete this chapter by developing two examples of behavioral classifiers: both use supervised machine learning algorithms for classifications, but each is based on different features to describe the traffic. After presenting them, we compare their performance using a large dataset, showing the benefits and drawback of each approach.

Accurate, Fine-Grained Classification of P2P-TV Applications by Simply Counting Packets

We present a novel methodology to accurately classify the traffic generated by P2P-TV applications, relying only on the count of packets they exchange with other peers during small time-windows. The rationale is that even a raw count of exchanged packets conveys a wealth of useful information concerning several implementation aspects of a P2P-TV application --- such as network discovery and signaling activities, video content distribution and chunk size, etc. By validating our framework, which makes use of Support Vector Machines, on a large set of P2P-TV testbed traces, we show that it is actually possible to reliably discriminate among different applications by simply counting packets.

Fighting the bufferbloat: On the coexistence of AQM and low priority congestion control

Abstract Nowadays, due to excessive queuing, delays on the Internet can grow longer than the round trip time between the Moon and the Earth – for which the “bufferbloat” term was recently coined. Some point to active queue management (AQM) as the solution. Others propose end-to-end low-priority congestion control techniques (LPCC). Under both approaches, promising advances have been made in recent times: notable examples are CoDel for AQM, and LEDBAT for LPCC. In this paper, we warn of a potentially fateful interaction when AQM and LPCC techniques are combined: namely, AQM resets the relative level of priority between best-effort and low-priority congestion control protocols. We validate the generality of our findings by an extended set of experiments with packet-level ns2 simulation, considering 5 AQM techniques and 3 LPCC protocols, and carry on a thorough sensitivity analysis varying several parameters of the networking scenario. We complete the simulation via an experimental campaign conducted on both controlled testbeds and on the Internet, confirming the reprioritization issue to hold in the real world at least under all combination of AQM policies and LPCC protocols available in the Linux kernel. To promote cross-comparison, we make our scripts and dataset available to the research community.

Exploiting packet-sampling measurements for traffic characterization and classification

The use of packet sampling for traffic measurement has become mandatory for network operators to cope with the huge amount of data transmitted in todays networks, powered by increasingly faster transmission technologies. Therefore, many networking tasks must already deal with such reduced data, more available but less rich in information. In this work we assess the impact of packet sampling on various network monitoring-activities, with a particular focus on traffic characterization and classification. We process an extremely heterogeneous dataset composed of four packet-level traces (representative of different access technologies and operational environments) with a traffic monitor able to apply different sampling policies and rates to the traffic and extract several features both in aggregated and per-flow fashion, providing empirical evidences of the impact of packet sampling on both traffic measurement and traffic classification. First, we analyze feature distortion, quantified by means of two statistical metrics: most features appear already deteriorated under low sampling step, no matter the sampling policy, while only a few remain consistent under harsh sampling conditions, which may even cause some artifacts, undermining the correctness of measurements. Second, we evaluate the performance of traffic classification under sampling. The information content of features, even though deteriorated, still allows a good classification accuracy, provided that the classifier is trained with data obtained at the same sampling rate of the target data. The accuracy is also due to a thoughtful choice of a smart sampling policy which biases the sampling towards packets carrying the most useful information. Copyright

Rethinking the Low Extra Delay Background Transport (LEDBAT) Protocol

Abstract BitTorrent has recently introduced LEDBAT, a novel application-layer congestion control protocol for data exchange. The protocol design assumes that network bottlenecks are at the access of the network, and that thus user traffic competes creating self-induced congestion. To relieve this phenomenon, LEDBAT is designed to quickly infer when self-induced congestion is approaching (by detecting relative changes of the one-way delay in the transmission path), and to react promptly by reducing the sending rate prior to the congestion occurrence. Previous work has however shown LEDBAT to be affected by a latecomer advantage, where newly arriving connections can starve already existing flows. In this work, we propose modifications to the congestion window update mechanism of LEDBAT that solve this issue, thus guaranteeing intra-protocol fairness and efficiency. Closed-form expressions for the stationary throughput and queue occupancy are provided via a fluid model, whose accuracy is confirmed by means of ns2 packet level simulations. Our results show that the proposed change can effectively solve the latecomer issue, furthermore without affecting the other original LEDBAT goals.

Identifying Key Features for P2P Traffic Classification

Many researchers have recently dealt with P2P traffic classification, mainly because P2P applications are continuously growing in number as well as in traffic volume. Additionally, in response to the shift of the operational community from packet-level to flow-level monitoring, witnessed by the widespread use of NetFlow, a number of behavioral classifiers have been proposed. These techniques, usually having P2P applications as their main target, base the classification on the analysis of the pattern of traffic generated by a host and proved accurate even when using only flow-level data. Yet, all these approaches are very specific and the community lacks a broader view of the actual amount of information of behavioral features derived by flow-level data. The preliminary results presented in this paper try to fill this gap. First of all we define a comprehensive framework by means of which we systematically explore the space of behavioral properties and build a large set of potentially expressive features. Thanks to our general approach, most features already used by existing classifiers fall into this set. Then, by employing tools from information theory and data from packet-level traces captured on real networks, we evaluate the amount of information conveyed by each feature, ranking them according to their usefulness for application identification. Finally we show the classification performance of these set of features, using a supervised machine learning algorithm.

On the impact of sampling on traffic monitoring and analysis

Due to significant advances in transmission technology and to the corresponding increase of link rates, traffic sampling is becoming a normal way of operation in traffic monitoring. Given this trend, in this paper we aim to assess the impact of the sampling on a wide range of tasks which are typical of an operational network. We follow an experimental approach, exploiting passive analysis of network traffic flows, taking into account different sampling policies (e.g., systematic, uniform and stratified) and different sampling rates. To quantify the amount of degradation and bias that sampling introduces with respect to the unsampled traffic we use well-known statistical measures (i.e., Hellinger Distance, Fleiss Chi-Square). Unlike previous work, we consider a very large set of “features” (i.e., any kind of properties characterizing traffic flows, from packet size and inter-arrival time, to Round Trip Time, TCP congestion window size, number of out-of-order packets, etc.) which are typically exploited by a rather wide class of applications, such as traffic monitoring, analysis, accounting, and classification. Using three real traffic traces, representative of different operational networks, we find that (i) a significant degradation affects a wide number of features; (ii) the set of features less degraded is consistent across the three datasets; (iii) at the same time, some artifacts may arise, resulting in lower distortion scores at higher sampling rates, which are tied to both the specific metric, as well as the way in which the feature is computed (e.g., binning); (iv) no significant reduction of the estimation bias can be obtained by merely tweaking the sampling policy - which partly contrasts earlier observations concerning the better quality achievable with stratified sampling.

Pictures from the Skype

This paper focuses on the characterization and classification of Skype traffic, a nowadays very popular and fashionable VoIP application. Building over previous work, we develop a software tool which can be used to examine the evolution of Skype call classification in an interactive fashion. The demonstrator software focuses on the main aspects of Skype traffic characterization and presents the traffic patterns Skype generates during a call or while idle. In addition, the demonstrator shows the evolution of the internal indexes the Skype classifiers use. After describing the classification process and the demonstrator software, we use the tool to demonstrate the feasibility of online Skype traffic identification, considering both accuracy and computational costs. Experimental results show that few seconds of observation are enough to allow the classifier engines to correctly identify the presence of Skype flows. Moreover, results indicate that the classification engine can cope with multi-Gbps links in real-time using common off-the-shelf hardware.