1. Field of the Invention
The present invention relates to communication and computer networks, and, in particular, to line-rate detection of real-time traffic.
2. Description of the Related Art
This section introduces aspects that may help facilitate a better understanding of the invention(s). Accordingly, the statements of this section are to be read in this light and are not to be understood as admissions about what is or is not in the prior art.
Network traffic classification is an important part of network quality-of-service (QoS) management. For example, in many cases, it is useful to identify which flows in a network belong to time-sensitive, real-time multimedia applications (e.g., streaming video, audio, or voice traffic) and which flows belong to non-time-sensitive, non-real-time applications (e.g., email). This information may then be used, for example, to selectively throttle non-time-sensitive flows to maintain QoS for time-sensitive flows.
With the recent increasing volume of time-sensitive traffic on the Internet, including voice-over-IP (VoIP) and Internet-protocol television (IPTV), network service providers and operators are demanding tools to effectively detect and manage such traffic in their networks. However, many applications that are responsible for such traffic are not easy to detect using conventional approaches that depend on well-known port association, packet header and payload inspections, and related methods. This is because these applications may use random port assignments and data encryption to defeat such detection methods. For example, it is well known that the VoIP application, Skype, a product of Skype Technologies S.A., Luxembourg, employs many carefully designed schemes to avoid detection and get around firewalls. In addition, packet inspection methods require line-rate processing and considerable memory, both of which are very costly.
As a result, extensive research has recently been directed to alternative methods for traffic classification and traffic-type identification based on statistics of traffic flow. Moore and Zuev, for example, have proposed a machine-learning approach based on Bayesian analysis to perform off-line classification of Internet traffic into categories such as peer-to-peer, multimedia, and webpage accesses. More information can be found in Andrew W. Moore, Denis Zuev, “Internet traffic classification using Bayesian analysis techniques,” ACM SIGMETRICS 2005, which has been incorporated herein by reference in its entirety. Other approaches have been proposed as well. A survey of traffic-classification techniques based on machine learning is given in Thuy T. T. Nguyen, Grenville Armitage, “A survey of techniques for Internet traffic classification using machine learning,” IEEE Communications Surveys and Tutorials, 2008, also incorporated herein by reference in its entirety.
In general, these machine-learning techniques are based on analysis of a subset of flow parameters that are assumed to vary between traffic types and can thus be used to differentiate the types. These machine-learning techniques are good for rough estimates of traffic type but usually have relatively poor accuracy overall. Skype, for example, has received much attention in recent years because it employs sophisticated mechanisms to conceal its traffic and avoid detection by machine-learning methods. Many studies have been done to analyze the running behavior and traffic patterns of Skype based on measurements and reverse engineering. More information can be found in S. A. Baset, H. Schulzrinne, “An analysis of the Skype peer-to-peer Internet telephony protocol,” IEEE Infocom '06, Barcelona, Spain, April 2006; P. Biondi, F. Desclaux, “Silver Needle in the Skype,” Black Hat Europe '06, Amsterdam, the Netherlands, March 2006; S. Guha, N. Daswani and R. Jain, “An experimental study of the Skype peer-to-peer VoIP system,” 5th Intl. Workshop on Peer-to-Peer Systems, Santa Barbara, Calif., February 2006; and Dario Bonfiglio, Marco Mellia, Michela Meo, Nicolo Riticca, Dario Rossi, “Tracking down Skype traffic,” IEEE/ACM INFOCOM 2008, each of which is incorporated by reference herein in its entirety.
Work has also been performed on detecting Skype traffic based on monitoring packets on network links. More information on this work can be found in K. Suh, D. R. Figuieredo, J. Kurose, D. Towsley, “Characterizing and detecting relayed traffic: A case study using Skype,” IEEE Infocom '06, Barcelona, Spain, April 2006 (“Suh et al.”), and Dario Bonfiglio, Marco Mellia, Michela Meo, Dario Rossi, Paolo Tofanelli, “Revealing skype traffic: when randomness plays with you,” ACM SIGCOMM 2007 (“Bonfiglio et al.”), each of which is incorporated by reference herein in its entirety.
For example, Suh et al. focus on detection of relayed Skype traffic, while, in Bonfiglio et al., detection is based on characteristics of inter-packet gap, packet size, and randomness in payload. This latter method has been shown to work well for picking out Skype VoIP flows from the traces that were studied. However, inter-packet gap is not a good metric to differentiate real-time vs. non-real-time traffic in general. This is mainly because there is strong correlation between consecutive inter-packet gaps. As a result, flows with similar mean and variance of inter-packet gaps may be inherently very different, and yet mistakenly be judged to be the same. In addition, inter-packet gap analysis requires the maintenance of a fairly large state memory for each flow. This is primarily because statistical testing is done for all possible packet sizes. Skype may also use more than six different CODECs, each of which may have many different combinations of frame sizes and bit rates, and each packet may use any one of four “redundant factors.” As a result, the inter-packet-gap algorithm may end up tracking hundreds of different packet sizes, using considerable resources, and taking long periods of time to classify flows. Finally, a pitfall of tracking packet size is that certain Skype calls may go through one or more super-node relay nodes, which may change packet sizes, making the packet sizes even harder to track.
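The point about mean and variance of inter-packet gaps can be checked numerically. The following is an added illustration, not part of the original disclosure: it builds two constructed flows from the same set of gap values (so their mean and variance are identical) and shows that their lag-1 autocorrelation differs sharply. The function names, gap values, and run length are assumptions chosen for the illustration.

```python
import random
import statistics


def lag1_autocorr(gaps):
    """Lag-1 autocorrelation of a sequence of inter-packet gaps."""
    m = statistics.fmean(gaps)
    num = sum((a - m) * (b - m) for a, b in zip(gaps, gaps[1:]))
    den = sum((g - m) ** 2 for g in gaps)
    return num / den


def summarize(gaps):
    """Return (mean, population variance, lag-1 autocorrelation)."""
    return (statistics.fmean(gaps), statistics.pvariance(gaps),
            lag1_autocorr(gaps))


def build_flows(n=2000, run=50, seed=7):
    """Build two flows that are permutations of one set of gaps (ms).

    Constructed sample data: half the gaps are short (4-6 ms) and half
    are long (34-36 ms). Only the ordering differs between the flows.
    """
    rng = random.Random(seed)
    half = n // 2
    short = [rng.uniform(4.0, 6.0) for _ in range(half)]
    long_ = [rng.uniform(34.0, 36.0) for _ in range(half)]

    # Flow A: short and long gaps strictly alternate.
    alternating = [g for pair in zip(short, long_) for g in pair]

    # Flow B: the same gaps grouped into runs (bursts, then pauses).
    bursty = []
    for i in range(0, half, run):
        bursty += short[i:i + run] + long_[i:i + run]
    return alternating, bursty


if __name__ == "__main__":
    for name, flow in zip(("alternating", "bursty"), build_flows()):
        mean, var, rho = summarize(flow)
        print(f"{name:12s} mean={mean:.3f} ms  var={var:.3f}  lag1={rho:+.3f}")
```

A classifier that keeps only the first two moments of the gap distribution cannot tell these two flows apart, although their packet timing is very different.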
Thus, it would be beneficial to have techniques for identifying real-time traffic flows, which techniques (a) are less computationally and memory intensive than existing techniques, (b) may be used to detect real-time flows in seconds, and (c) are not dependent on packet size.