Traffic generated by Voice over Internet Protocol (VoIP) and Internet video sources has been growing significantly in recent years. There is a pressing demand for network operators to identify and manage such traffic. First, such traffic often consumes a significant amount of bandwidth and may adversely affect the quality of other applications. Second, such applications may compete with a network operator's own service and result in lost revenue for the provider. Third, regulations in certain countries or regions require service providers to closely monitor voice calls. However, voice and video applications are often difficult to detect since they may use dynamic ports and encrypted payload. One prominent example is Skype, a VoIP application based on peer-to-peer technology.
Traditional approaches for application identification are typically based on one or more of the following characteristics:
(1) UDP/TCP ports. This does not work for applications that employ dynamic ports (e.g., most P2P traffic);
(2) Payload signature. Signature expires very quickly due to new application version updates. This also does not work for encrypted content; and
(3) Machine learning. This requires training the model by using existing data set. Such approaches may not always be reliable and have high run-time overhead.
(4) Naüve Bayes Classifier. This approach explores the packet inter-arrival gap and payload size information of VoIP flows, and builds hypothesis tests to detect VoIP flow. However, this approach also suffers from relatively high false identification rates. The reason is that this approach assumes the packet inter-arrival gaps are independent and fit a normal distribution. Unfortunately, this assumption is not correct.