The present invention, in some embodiments thereof, relates to a media session identification method for IP networks and, more particularly, but not exclusively, to a media session identification method that identifies media sessions from the flow of packets and assigns specific packets to the media sessions. It is noted that the term “session” includes streaming of data, such as, for example, a video stream.
The continuous increase in IP based media traffic over the Internet and other networks, supported by the continuous increase in the various media communication applications, emphasizes the need for IP traffic control tools to cope with the increasingly congested networks. These IP traffic control tools are required by Internet service providers (ISPs), IP-Telephony providers (mobile and fixed) and by Enterprises for implementing traffic shaping measures such as availability of service and quality of service, for firewall enhancements, for providing media session logs supporting billing capabilities and for meeting and supporting lawful interception guidelines set by governments and governmental bodies.
A media session, such as a voice or video session, is expected to have a continuous stream of sampled data so it can be reconstructed at its destination to produce smooth sound or images or both. This means that a minimum amount of data bandwidth has to be sustained on the network. As media at either end is sampled and de-assembled or re-assembled by symmetrical session CODECs (coder & decoder)—data streaming must comply with a certain bandwidth demand and packet-rate so that the human ear or eye at the destination does not experience any information gaps or distortions.
It is desirable to identify packets as belonging to a session to group the succession of IP packets and also to identify a particular application or type that the session belongs to in order to apply provisioning, quality of service and control actions to the session or stream; applications that are real time sensitive such as Voice-over-IP and/or Video-over-IP tend also to be bandwidth availability sensitive, therefore maintaining the quality of service for such application sessions requires the identification, and possibly the classification, of their traffic streams. It may also be desirable to identify a session or a stream belonging to a particular application in order to implement and meet interception requirements by law enforcement authorities, as well as in the need to generate CDRs for billing and analysis purposes, and the like. In other cases, some applications may be perceived as prohibited or posing a security risk, that is creating ‘security holes’, and some networks may be interested in blocking such applications. Again, the best way to do so is to identify the session and the packets belonging to the session and then block packets belonging to the session. For example, many organizations treat Instant-Messaging (IM) applications as high security risks which might create a hole through which sensitive data can flow out of an organization. For those organizations, it is highly essential to identify data flow (e.g. file-transfers) within a media session.
Various methods for analyzing IP traffic are available. The traditional technologies for analyzing and identifying IP traffic (including IP media sessions) include packet header analysis. Packets whose headers indicate the same destination may be assumed to belong to the same session. Packet header analysis is however simplistic. The same user may be running several different sessions simultaneously and mere packet header analysis may not be able to distinguish between them. Thus there is also the so called ‘Deep Packet Inspection’ method, or the ‘Packet Content Analysis’. These known technologies require digging into and analyzing the content, or Payload, of the packets, with the aim of extrapolating signatures or fingerprints of the payloads. The signatures can then be identified with a specific protocol or application. More often than not, the identification process includes analysis of additional factors from the packet ‘Header’ (e.g. addresses and port numbers). There are several disadvantages of the Deep Packet Inspection approach, of which the major are known to be:
1. Alteration of Payloads: Packet Payloads can change due to changes in the application. Thus a signature that has been extrapolated and correlated to a specific protocol or application can be rendered invalid upon the alteration of the payload due, say, to a new version release.
2. Encryption of packet content: Certain media applications (e.g. Skype) encrypt the messages, which poses a difficulty in inspecting the Payload of its packets and obtaining a meaningful signature.
In other words, the deep packet inspection method is dependent on elements that can be encrypted or altered by the application and can therefore be initially unreadable or the reading can become invalid if the application alters its content sequence.
In order to at least partly overcome the above problems, it is also known to use Complete Packet Inspection (CPI), which combines header analysis and deep packet inspection, otherwise known as payload pattern search. The header analysis provides additional information that complements the payload pattern search. Complete packet inspection is relatively widely used and applications include network monitoring, application discovery, behavioral analysis, network security, policy enforcement, test and measurement, lawful interception, and troubleshooting.
Nevertheless, both deep packet inspection and complete packet analysis require analysis of multiple packets and their sequence down to the payload. Thus, using deep packet inspection/content inspection on any sizeable network requires substantial processing power as well as huge memory resources, as many thousands of IP sessions occur simultaneously. This renders the solution unfeasible in many cases. In other cases the traffic throughput rate is limited by the inspection capacity. Where the aim is to ensure quality of service for the IP sessions that require it, the very attempt to solve the problem may be making things worse.
Stateful inspection firewalls, Session Border Controllers (SBC) and billing mediation systems each require inspection for their own needs. Thus in some cases the interest may be in blocking the session, in other cases in prioritizing the session and in yet other cases the interest may lie in creating billing records (CDR) for the session. Due to the heavy processing requirement, inspection thus tends to be limited to a relatively small number of simultaneous IP-sessions (e.g. calls) that can be managed, and this prohibits any effective inspection at perhaps the one place it could be most effective, namely at the operator's high-speed backbones.
Some existing data security systems detect and prevent intrusion using simple predefined behavioristic rules and thresholds to alert for abnormal traffic behavior which may indicate possible attacks on the network (customarily implemented in Firewall technologies). Such suspicious behavior may include indications of denial of service (DoS) attacks.
One of the characteristics of a media session is the tendency to consist of a packet stream having a low variation in packet length and/or inter-arrival periods. However, network delay and jitter, as well as the fact that some codecs support silence suppression, may lead to large inter-arrival period variations.
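The following added example (not part of the original document and not the method it claims) measures that characteristic per flow using header fields only, and shows how silence suppression leaves packet lengths steady while inter-arrival variation grows. The record layout, the 0.2 threshold, the labels and all sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def cv(values):
    """Coefficient of variation (population std / mean); 0.0 if the mean is 0."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def flow_stats(packets):
    """Group (ts_ms, src, sport, dst, dport, proto, length) records by 5-tuple.
    Returns {flow: (packet_count, length_cv, inter_arrival_cv)}."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport, proto, length in packets:
        flows[(src, sport, dst, dport, proto)].append((ts, length))
    stats = {}
    for key, recs in flows.items():
        recs.sort()  # order by timestamp before computing gaps
        times = [t for t, _ in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue  # too few packets to say anything about variation
        stats[key] = (len(recs), cv([n for _, n in recs]), cv(gaps))
    return stats

def classify(length_cv, gap_cv, threshold=0.2):
    """threshold is an assumed cut-off, not a value from the document."""
    if length_cv < threshold and gap_cv < threshold:
        return "media-like"
    if length_cv < threshold:
        return "media-like lengths, irregular timing"
    return "not media-like"

# Constructed sample: one host, one destination, three concurrent flows.
SRC, DST = "192.0.2.10", "198.51.100.5"
STEADY = (SRC, 40000, DST, 5004, "udp")    # 172-byte packet every 20 ms
SILENCE = (SRC, 40002, DST, 5006, "udp")   # same codec, talk spurts with pauses
BURSTY = (SRC, 51000, DST, 443, "tcp")     # request/response style traffic
SAMPLE = [(i * 20, *STEADY, 172) for i in range(50)]
SAMPLE += [(s * 600 + i * 20, *SILENCE, 172) for s in range(3) for i in range(10)]
SAMPLE += [(t, *BURSTY, n) for t, n in zip(
    [0, 5, 7, 300, 310, 1200, 1201, 2500],
    [60, 1500, 1500, 400, 60, 1500, 900, 60])]

if __name__ == "__main__":
    for flow, (count, lcv, gcv) in flow_stats(SAMPLE).items():
        print(flow[1], flow[3], count, round(lcv, 2), round(gcv, 2), classify(lcv, gcv))
```

All three flows share the same source and destination addresses, so grouping on the destination alone would merge them; the 5-tuple keeps them apart.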
The existing technologies, including deep and complete packet inspections, do not help specifically in controlling these media sessions for the reasons given above, since the packets are not always recognized.