Treatment-Based Traffic Signatures
Mark Claypool
Robert Kinicki
Craig Wills
Computer Science Department
Worcester Polytechnic Institute
http://www.cs.wpi.edu/~claypool/papers/cube/

Diversity of Internet Applications in the Home
[Figure: home applications placed by delay sensitivity (Delay Sensitive / Delay Insensitive), loss sensitivity (Loss Sensitive / Loss Insensitive) and jitter sensitivity (Jitter Sensitive / Jitter Insensitive). Applications shown: Email, Sensors, Web Browsing, P2P File Sharing, Video Streaming, Remote Login, Network Games, Instant Messaging, Voice over IP]
IMRG WACI, Cambridge, MA, USA
October 2007

Proliferation of Network Devices in the Home
[Figure: home network devices: Printers and Faxes, Wireless Access Point (to Internet), Streaming Video Servers, Mobile Phones, Hand Held Game Devices, Personal Computers, IP Phone, Game Consoles]
Opportunity… → “Smart” AP
• Automatically improves performance
• Interoperable, easy-to-use
But first… → Need to classify applications
• Then can apply treatment to improve QoS

Outline
• Introduction (done)
• Goals + (next)
• Classification
• Preliminary Results
• Ongoing Work

Goals
• Classification for purpose of QoS treatments (versus DoS prevention or billing or measurement or …)
  – Want match between signatures and potential treatments
• Not classifying applications → instead concentrate on nature of traffic for specific applications and devices
  – Different applications with same QoS requirements should get equal network treatments
    • e.g. VoIP and network game
  – Not all instances of a particular application yield the same signature, nor is that needed
    • e.g. Web for browsing, Web for download

Related Approaches
• Port classification alone does not work
  – Applications can share ports
    • e.g. Non Web apps use port 80 around firewalls
    • e.g. scp and ssh both over port 22
  – Users run applications on non-standard ports
    • e.g. Web server on different port since 80 restricted
  – New applications not officially defined for ports
• Payload examination alone does not work
  – Increased encryption at application layer
  – Can be computationally expensive
  – New applications cannot be identified this way
• Machine learning alone does not work
  – Takes too long in real-time, so must be done offline first
  – Needs external validation, so does not work with new apps

Domain
• Provide classification in wireless Access Point (AP), the same point that provides QoS treatment
• Home environment
  – Both directions of a flow travel through AP
  – Users are not trying to avoid classification
  – Can be customized and flexible per-flow treatments
    • Home APs carry few flows compared to core router
• Needs to be real-time
  – Quick, so as to apply treatment to improve QoS

Outline
• Introduction (done)
• Goals + (done)
• Classification (next)
• Preliminary Results
• Ongoing Work

Treatment-Based Classification
[Figure: classification cube. Axes: Packet Size Tendency (Full / Non-full); Nature of Reverse Traffic (Response-based / Non-response-based). Treatments: Drop Packets, Delay Packets, Space Packets, Push Packets. Applications placed in the cube: voip, sensors, ftp, p2p, web, streaming, telnet, ssh, games]

Outline
• Introduction (done)
• Goals + (done)
• Classification (done)
• Preliminary Results (next)
• Ongoing Work

Preliminary Results
• Captured 20-second traces from some representative applications
• Nature of reverse traffic
  – Response based or Non-response based
• Packet size tendency
  – Full or Non-full
• Transmission spacing
  – Paced or As-available

Nature of Reverse Traffic
• TCP automatically makes it response-based
• UDP is trickier - is a downstream packet sent in response to one upstream (or vice versa)?
• First, try simple up/down count:

Application        Down     Up
Streaming video    11725    21
Network game       393      1231
VoIP               934      935

• More work needed …

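An added sketch (not the authors' code) of how the three signature axes listed under Preliminary Results could be computed for one captured flow, using the simple up/down count for UDP. The thresholds FULL_BYTES, FULL_SHARE, BALANCE_MIN and PACED_MAX_CV, and the gap-variation test for "paced", are assumptions, since the slides leave those definitions as ongoing work; both traces are constructed.

```python
from statistics import mean, pstdev

# Assumed thresholds: the slides list all three definitions as ongoing work.
FULL_BYTES = 1400     # a packet at or above this size counts as "full"
FULL_SHARE = 0.5      # share of full packets that makes a flow "full"
BALANCE_MIN = 0.5     # min(up, down) / max(up, down) for response-based UDP
PACED_MAX_CV = 0.5    # max coefficient of variation of gaps for "paced"

def updown_balance(down, up):
    """The slide's simple up/down packet count, as a ratio in [0, 1]."""
    return min(down, up) / max(down, up) if max(down, up) else 0.0

def signature(packets, proto):
    """packets: list of (time_s, direction, size_bytes); direction 'up'/'down'."""
    if not packets:
        raise ValueError("empty trace")
    down = [p for p in packets if p[1] == "down"]
    up = [p for p in packets if p[1] == "up"]
    main = down if len(down) >= len(up) else up   # dominant direction

    # Axis 1: nature of reverse traffic. TCP is response-based automatically.
    if proto == "tcp" or updown_balance(len(down), len(up)) >= BALANCE_MIN:
        reverse = "response-based"
    else:
        reverse = "non-response-based"

    # Axis 2: packet size tendency in the dominant direction.
    full_share = sum(1 for p in main if p[2] >= FULL_BYTES) / len(main)
    size = "full" if full_share >= FULL_SHARE else "non-full"

    # Axis 3: transmission spacing, from the spread of inter-packet gaps.
    times = sorted(p[0] for p in main)
    gaps = [b - a for a, b in zip(times, times[1:])]
    cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else 0.0
    spacing = "paced" if cv <= PACED_MAX_CV else "as-available"
    return reverse, size, spacing

# Constructed traces (not the authors' captures).
# VoIP-like: 200-byte UDP packets every 20 ms in both directions.
voip = [(i * 0.02, d, 200) for i in range(100) for d in ("up", "down")]
# Bulk-download-like: bursts of ten 1500-byte TCP packets, one ACK per burst.
bulk = [(b * 0.5 + i * 0.001, "down", 1500) for b in range(10) for i in range(10)]
bulk += [(b * 0.5 + 0.011, "up", 40) for b in range(10)]

if __name__ == "__main__":
    print("voip:", signature(voip, "udp"))
    print("bulk:", signature(bulk, "tcp"))
```

Run on the counts in the table above, updown_balance separates streaming video (strongly one-way) from VoIP (balanced), while the network game falls between the two.
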
Packet Size Tendency
[Figure panels: http – browsing cnn; ftp – large file; wsm – video; ssh – reading email]

Transmission Spacing (1 of 2)
[Figure panels: http – browsing cnn; ftp – large file; ssh – reading email; wsm – video]

Transmission Spacing (2 of 2)
[Figure panels: http – browsing; http – download; http – streaming]

Data for Some Other Applications
[Figure panels: voip – packet size; game – packet size; voip – transmission spacing; game – transmission spacing]

Ongoing Work
• Differentiation of “paced” and “as available”
• Identification of “response-based” UDP
  – e.g. DNS or VoIP over DCCP
• Definition of “full” packets
  – e.g. Streaming video packets of 1400 bytes
• “Memory” of classification
  – e.g. in Second Life, interact on estate then teleport
  – Statistics: continuous, weighted, or windowed
  – Across flows for the same device
    • e.g. Game console (Xbox) versus PC
• Need for more traces of applications in the home