Can multiscale traffic analysis be used to differentiate Internet applications?

An accurate mapping of Internet traffic to applications can be important for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance/failure monitoring and security. Traditional mapping approaches have become increasingly inaccurate because many applications use non-default or ephemeral port numbers, use well-known port numbers associated with other applications, change application signatures or use traffic encryption. In this paper we will demonstrate that multiscale traffic analysis based on multi-order wavelet spectrum can be used as a discriminator of Internet applications traffic profiles. By performing clustering analysis over the multiscale wavelet spectrum coefficients that are inferred from the measured traffic, the proposed methodology is able to efficiently differentiate different IP applications without using any payload information. This characteristic will allow the differentiation of traffic flows in unencrypted and encrypted scenarios. In order to compare the differentiating potential of different traffic application data, upload, download and joint upload and download flow statistics are considered to evaluate the identification approach for each selected protocol. Moreover, we also evaluate which timescales and spectrum orders are more relevant for the traffic differentiation. From the analysis of the obtained results we can conclude that the proposed methodology is able to achieve good identification results using a small set of timescales of a single order wavelet spectrum of a general raw traffic statistic.     

Monitoring and controlling QoS network domains

Increased performance, fairness, and security remain important goals for service providers. In this work, we design an integrated distributed monitoring, traffic conditioning, and flow control system for higher performance and security of network domains. Edge routers monitor (using tomography techniques) a network domain to detect quality of service (QoS) violations—possibly caused by underprovisioning—as well as bandwidth theft attacks. To bound the monitoring overhead, a router only verifies service level agreement (SLA) parameters such as delay, loss, and throughput when anomalies are detected. The marking component of the edge router uses TCP flow characteristics to protect ‘fragile’ flows. Edge routers may also regulate unresponsive flows, and may propagate congestion information to upstream domains. Simulation results indicate that this design increases application‐level throughput of data applications such as large FTP transfers; achieves low packet delays and response times for Telnet and WWW traffic; and detects bandwidth theft attacks and service violations. Copyright © 2004 John Wiley & Sons, Ltd.     

A scalable monitoring approach based on aggregation and refinement

Network monitoring is an integral part of any network management system. In order to ensure end-to-end service quality stated in service level agreements (SLAs), managers of a service provider network need to gather quality-of-service (QoS) measurements from multiple nodes in the network. For a large network with over thousands of flows with end-to-end SLAs, the information exchanged between network nodes and a central network management system (NMS) could be substantial. We propose a mechanism called aggregation and refinement based monitoring (ARM) to reduce the amount of information exchange. ARM is a generic mechanism that can be configured to run with different objectives, including threshold-based, rank-based and percentile-based. The mechanism enables the NMS to collect data from network nodes using a dynamic QoS data aggregation/refinement technique, and to process these information differently depending on its measurement objective. Our simulation results show that for these various objectives, the selective refinement process is able to validate SLAs quickly, is an order of magnitude more efficient than a simple polling scheme, and performs well across a wide range of traffic loads     

Monitoring emerging IPv6 wireless access networks

Foreseeing a future where IPv6 and mobile terminals play an important role in public access communication networks, this article introduces a monitoring system capable of identifying relevant traffic flows and tracking them while terminal equipment moves between network attachment points. The mobile flows are characterized and represented so that individual users and flows can perceive the quality of service they receive, and operators can have global traffic views of their heterogeneous access networks.     

基于深度报文检测和深度流检测的骨干网流量特征分析

Based on the massive data collected with a passive network monitoring equipment placed in China's backbone, we present a deep insight into the network backbone traffic and evaluate various ways for improving traffic classifying efficiency in this paper. In particular, the study has scrutinized the network traffic in terms of protocol types and signatures, flow length, and port distribution, from which meaningful and interesting insights on the current Internet of China from the perspective of both the packet and flow levels are derived. We show that the classification efficiency can be greatly improved by using the information of preferred ports of the network applications. Quantitatively, we find two traffic duration thresholds, with which 40% of TCP flows and 70% of UDP flows can be excluded from classification processing while the impact on classification accuracy is trivial, i.e., the classification accuracy can still reach a high level by saving 85% of the resources.     

Transport of TCP/IP traffic over assured forwarding IP-differentiated services

The Internet is facing a twofold challenge: to increase network capacity in order to accommodate a steadily increasing number of users; to guarantee the quality of service for existing applications and for new multimedia applications requiring real-time network response. In order to meet these requirements, IETF is currently defining the differentiated service (DiffServ) architecture, which should offer a simple and scalable platform to guarantee differentiated QoS in the Internet. In the DiffServ domain, the assured forwarding service is designed to provide data applications with acceptable performance, overcoming the limits of the Internet's current best-effort service. Since data applications mostly rely on the TCP transport protocol, it is important to examine the interaction between the congestion avoidance and control mechanisms of TCP and assured forwarding. Our main purpose is to shed light on this interaction, and to show that, in the current DiffServ framework, poor performance of TCP traffic flows can result from the existing mismatch between the assured forwarding traffic conditioning procedures and the TCP congestion management. We propose a new adaptive packet marking policy to deal with congestion situations that may occur. We show that, with this policy, the provisioned rate for TCP flows can be achieved.     

Design and implementation of WAP‐based LAN segment management system using RMON MIB

Advances in LAN technology have enabled fast data transmission. However, without effective management of these resources, congestion of networks as well as waste of resources are inevitable. Therefore, it is necessary to supervise, report, and even control, if necessary, the network resource status so that the communication network can be effectively operated without service interruption by monitoring traffic among the hosts. Web‐based network management systems have been developed and applied for remote management without using specific applications. However, such web‐based network management systems have limited manager mobility and poor performance. To overcome such disadvantages, this paper proposes a network management system using wireless communication. Copyright © 2003 John Wiley & Sons, Ltd.     

A Per-Flow Based Node Architecture for Integrated Services Packet Networks

As the Internet transforms from the traditional best-effort service network into QoS-capable multi-service network, it is essential to have new architectural design and appropriate traffic control algorithms in place. This paper presents a network node architecture and several traffic management mechanisms that are capable of achieving QoS provisioning for the guaranteed service (GS), the controlled-load (CL) service, and the best-effort (BE) service for future integrated services networks. A key feature of our architecture is that it resolves the out-of-sequence problem associated with the traditional design. We also propose two novel packet discarding mechanisms called selective pushout (SP) and selective pushout plus (SP+). Simulation results show that, once admitted into the network, our architecture and traffic management algorithms provide, under all conditions, hard performance guarantees to GS flows and consistent (or soft) performance guarantees to CL flows, respectively; minimal negative impact to in-profile GS, CL and BE traffic should there be any out-of-profile behavior from some CL flows.     

Topology discovery services for monitoring the global grid

The dynamic joint optimization of both computational and network resources has the potential of guaranteeing optimal performance Io geographically distributed grid applications. A grid network information and monitoring service (NIMS) has been recently proposed to complement computational resource status information with network resource status information. NIMS information includes, but is not limited to, information already available in the network control plane (e.g., network topology, link capacity occupation, communication delay). This study first reviews some measurement methodologies and network sensors suitable for implementing NIMS components, and then describes some tools currently utilized for monitoring grid network infrastructures. Finally, two implementations of a NIMS component, called the topology discovery service (TDS), are proposed and evaluated. The TDS provides grid users (e.g., applications) or the programming environment middleware with up-to-date information on the grid network infrastructure topology and status. Both proposed implementations can be utilized in any global grid network based on commercial routers without requiring modifications of router management and control protocols.     

A hybrid association rule mining approach for characterizing network traffic behaviour

Understanding network traffic behaviour is crucial for managing and securing computer networks. One important technique is to mine frequent patterns or association rules from analysed traffic data. On the one hand, association rule mining usually generates a huge number of patterns and rules, many of them meaningless or user‐unwanted; on the other hand, association rule mining can miss some necessary knowledge if it does not consider the hierarchy relationships in the network traffic data. Aiming to address such issues, this paper proposes a hybrid association rule mining method for characterizing network traffic behaviour. Rather than frequent patterns, the proposed method generates non‐similar closed frequent patterns from network traffic data, which can significantly reduce the number of patterns. This method also proposes to derive new attributes from the original data to discover novel knowledge according to hierarchy relationships in network traffic data and user interests. Experiments performed on real network traffic data show that the proposed method is promising and can be used in real applications. Copyright © 2013 John Wiley & Sons, Ltd.     

Admission control in time-slotted multihop mobile networks

The emergence of nomadic applications have generated a lot of interest in next-generation wireless network infrastructures which provide differentiated service classes. So it is important to study how the quality of service (QoS), such as packet loss and bandwidth, should be guaranteed. To accomplish this, we develop am admission control scheme which can guarantee bandwidth for real-time applications in multihop mobile networks. In our scheme, a host need not discover and maintain any information of the network resources status on the routes to another host until a connection request is generated for the communication between the two hosts, unless the former host is offering its services as an intermediate forwarding station to maintain connectivity between two other hosts. This bandwidth guarantee feature is important for a mobile network to interconnect wired networks with QoS support. Our connection admission control scheme can also work in a stand-alone mobile ad hoc network for real-time applications. This control scheme contains end-to-end bandwidth calculation and bandwidth allocation. Under such a scheme, the source is informed of the bandwidth and QoS available to any destination in the mobile network. This knowledge enables the establishment of QoS connections within the mobile network and the efficient support of real time applications. In the case of ATM interconnection, the bandwidth information can be used to carry out an intelligent handoff between ATM gateways and/or to extend the ATM virtual circuit service to the mobile network with possible renegotiation of QoS parameters at the gateway. We examine via simulation the system performance in various QoS traffic flows and mobility environments     

Evaluating the impact of emerging streaming media applications onTCP/IP performance

Emerging streaming media applications in the Internet primarily use UDP transport. The difficulty with supporting this type of traffic on the Internet is that they not only generate large volumes of traffic, but they are also not as responsive to network congestion as TCP-based applications. As a result, streaming media UDP traffic can cause two major problems in the Internet: congestion collapse and unfair allocations of bandwidth among competing traffic flows. A solution to these problems is available in many Internet environments. The Internet backbone, various ISPs, and DSL access networks rely on ATM as their layer 2 transport technology, and in such environments, ATM's available bit rate service can efficiently address these problems. ABR is able to avoid congestion collapse and provide fair bandwidth allocations by distributing the unutilized bandwidth fairly among competing flows. This article presents simulation results and empirical measurements that illustrate the congestion collapse and unfairness problems, and ATM ABR's effectiveness in addressing those problems     

Queue Analysis and Multiplexing of Heavy-tailed Traffic in Wireless Packet Data Networks

Recent research based on traffic measurements shows that Internet traffic flows have a fractal nature (i.e., self-similarity property), which causes an underestimation of network engineering parameters when using the conventional Poisson model. Preliminary field measurements demonstrate that packet data traffic in wireless communications also exhibits self-similarity. In this paper, we investigate the queuing behavior of self-similar traffic flows for data applications in a packet-switching single-server wireless network. The traffic is generated by an on–off source with heavy-tailed on periods and exponentially distributed off periods. We extend previous analysis of a relation among the asymptotic distribution of loss probability, traffic specifications, and transmission rate for a wireline system to a wireless system, taking into account wireless propagation channel characteristics. We also investigate the multiplexing of heavy-tailed traffic flows with a finite buffer for the downlink transmission of a wireless network. Computer simulation results demonstrate that assumptions made in the theoretical analysis are reasonable and the derived relationships are accurate.     

A novel traffic identification approach based on multifractal analysis and combined neural network

An accurate identification of Internet traffic of different applications is highly relevant for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance monitoring, and security. Traditional traffic identification approaches have become increasingly inaccurate due to restrictions of port numbers, protocol signatures, traffic encryption, and etc. In this paper, a new traffic identification approach based on multifractal analysis of wavelet energy spectrum and classification of combined neural network models is proposed. The proposed approach is able to achieve the identification of different Internet application traffic by performing classification over the wavelet energy spectrum coefficients that were inferred from the original traffic. Without using any payload information, the proposed approach has more advantages over traditional methods. The experiment results illustrate that the proposed approach has satisfactory identification results.     

A generalized service deployment framework for OSPF networks using multi‐topology routing: Modeling and methodology

The exponential growth of various applications requires deploying an ever‐growing number of network services. A generalized service deployment framework for Open Shortest Path First (OSPF) networks is proposed in this paper. The framework includes placing programmable routers, distributing different types of services on these routers, and leading traffic flow through them according to the predetermined sequence order requirement. However, it is not possible to direct all the traffic flows through the required service nodes along the shortest path with a single and suitable set of link weights. To address the issue, multiple topology routing (MTR) technique is incorporated to have various logical topologies with multiple sets of link weights. Correspondingly, the problem of jointly optimizing Placement of programmable routers, Distribution of different types of services among these routers, and Link Weights setting based on MTR (shortened to PD‐LW‐MTR) and its mixed integer linear programming formulation are presented in this paper. A novel decomposition algorithm is also proposed to address this problem efficiently. Experiment results validate the correctness and feasibility of our algorithm. It is also shown that the optimization algorithm can obtain near‐optimal solution and just only a few logical topologies over multiple sets of link weights are necessary for traffic flows to guarantee service order requirements.     

无线Mesh网络中的自适应队列调度算法研究

针对无线mesh网络的网络特性,分析了无线网络中的队列调度算法,提出了一种自适应的队列调度算法AQSM,详细讨论了该算法的具体实现过程及参数变化规则,通过仿真验证了该算法在提高网络性能的同时还可以实现对不同业务流的业务区分。     

Survivable Monitoring in Dynamic Networks

We present a monitoring system for a dynamic network in which a set of domain nodes shares the responsibility for producing and storing monitoring information about a set of visitors. This information is stored persistently when the set of domain nodes grows and shrinks. Such a system can be used to store traffic or other logs for auditing or can be used as a subroutine for many applications to allow significant increases in functionality and reliability. The features of our system include authenticating visitors, monitoring their traffic through the domain, and storing this information in a persistent, efficient, and searchable manner. The storage process is O(log n){hbox{-}}{rm competitive} in the number of network messages with respect to an optimal offline algorithm; we show that this is as good as any online algorithm can achieve and significantly better than many commonly used strategies for distributed load balancing.     

Method of data cleaning for network traffic classification

Network traffic classification aims at identifying the application types of network packets. It is important for Internet service providers （ISPs） to manage bandwidth resources and ensure the quality of service for different network applications However, most classification techniques using machine learning only focus on high flow accuracy and ignore byte accuracy. The classifier would obtain low classification performance for elephant flows as the imbalance between elephant flows and mice flows on Internet. The elephant flows, however, consume much more bandwidth than mice flows. When the classifier is deployed for traffic policing, the network management system cannot penalize elephant flows and avoid network congestion effectively. This article explores the factors related to low byte accuracy, and secondly, it presents a new traffic classification method to improve byte accuracy at the aid of data cleaning. Experiments are carried out on three groups of real-world traffic datasets, and the method is compared with existing work on the performance of improving byte accuracy. Experiment shows that byte accuracy increased by about 22.31% on average. The method outperforms the existing one in most cases.     

A Traffic Engineering Approach for Placement and Selection of Network Services

Network services are provided by means of dedicated service gateways, through which traffic flows are directed. Existing work on service gateway placement has been primarily focused on minimizing the length of the routes through these gateways. Only limited attention has been paid to the effect these routes have on overall network performance. We propose a novel approach for the service placement problem, which takes into account traffic engineering considerations. Rather than trying to minimize the length of the traffic flow routes, we take advantage of these routes in order to enhance the overall network performance. We divide the problem into two subproblems: finding the best location for each service gateway, and selecting the best service gateway for each flow. We propose efficient algorithms for both problems and study their performance. Our main contribution is showing that placement and selection of network services can be used as effective tools for traffic engineering.     

Statistical service assurances for traffic scheduling algorithms

Network services for the most demanding advanced networked applications which require absolute, per-flow service assurances can be deterministic or statistical. By exploiting the statistical properties of traffic, statistical assurances can extract more capacity from a network than deterministic assurances. We consider statistical service assurances for traffic scheduling algorithms. We present functions, so-called effective envelopes, which are, with high certainty, upper bounds of multiplexed traffic. Effective envelopes can be used to obtain bounds on the amount of traffic on a link that can be provisioned with statistical service assurances. We show that our bounds can be applied to a variety of traffic scheduling algorithms. In fact, one can reuse existing admission control functions for scheduling algorithms with deterministic assurances. We present numerical examples which compare the number of flows with statistical assurances that can be admitted with our effective envelope approach to those achieved with existing methods