The increasing mobile data traffic is driven by an increasing variety of network services, ranging from ordinary voice calls to advanced services based on client applications executed at mobile devices. An operator of a cellular network may want to optimize the network behavior for certain services or may want to treat certain services in a predefined way. For example, data of an e-mail service can be routed along predefined paths in the network for improving data security. Such a service-dependent behavior of the network requires that each of the network services, or the client applications corresponding to the network service, can be identified at the side of the network.
Deep Packet Inspection (DPI) is a common technique for classifying data traffic by identifying certain services within the data traffic routed by a node in the network. The DPI functionality can be provided by specific DPI nodes in the network or can be integrated into existing nodes of the network. DPI applies a set of rules when inspecting the data traffic. Each of the rules can be based on a data model for data packets in a dataflow associated with a certain network service. When the inspected data traffic matches the data model, the corresponding dataflow is assumed to originate from the client application of the service identified by the service-specific data model.
The reliability of service identification by means of DPI strongly depends on the accuracy of the rule associated to the service to be identified. With properly developed application behavior models, the DPI rules achieve satisfactory rates of correctly identifying which network service is provided and/or which client application is executed therefor at the mobile terminal. While DPI can theoretically provide full inside as to the network services underlying the data traffic in the network, developing such DPI rules is one of the main limiting factors for reliably identifying the large and increasing number of different mobile services.
Conventionally, the development of DPI rules requires collecting network data for known use-cases. For example, test network sessions are initiated for exchanging data of a certain service using the corresponding client application. When enough network data from a plurality of test sessions has been collected, the network data is analyzed and a DPI rule is manually developed for identifying the service, or the corresponding client application, based on the network data.
Furthermore, the laborious development of DPI rules has to be repeated, as new services come into existence or the behavior of existing services, in particular the behavior of the corresponding client applications, changes over time. The rules thus have to be maintained by continuously developing new rules and updating the developed rules. In practice, only a small fraction of the thousands or even millions of client applications relevant for optimizing the network behavior can be handled by the conventional manual DPI training.